III. SECTION-BY-SECTION DISCUSSION OF COMMENTS

The following describes the provisions in the final regulation, and the changes we make to the proposed provisions section-by-section. Following each section are our responses to the comments to that section. This section of the preamble is organized to follow the corresponding section of the final rule, not the NPRM.

GENERAL COMMENTS

We received many comments on the rule overall, not to a particular provision. We respond to those comments here. Similar comments, but directed to a specific provision in the proposed rule, are answered below in the corresponding section of this preamble.

Comments on the Need for Privacy Standards, and Effects of this Regulation on Current Protections

Comment: Many commenters expressed the opinion that federal legislation is necessary to protect the privacy of individuals' health information. One comment advocated Congressional efforts to provide a comprehensive federal health privacy law that would integrate the substance abuse regulations with the privacy regulation.

Response: We agree that comprehensive privacy legislation is urgently needed. This administration has urged the Congress to pass such legislation. While this regulation will improve the privacy of individuals' health information, only legislation can provide the full array of privacy protection that individuals need and deserve.

Comment: Many commenters noted that they do not go to a physician, or do not completely share health information with their physician, because they are concerned about who will have access to that information. Many physicians commented on their patients' reluctance to share information because of fear that their information will later be used against them.

Response: We agree that strong federal privacy protections are necessary to enhance patients' trust in the health care system.

Comment: Many commenters expressed concerns that this regulation will allow access to health information by those who today do not have such access, or would allow their physician to disclose information which may not lawfully be disclosed today. Many of these commenters stated that today, they consent to every disclosure of health information about them, and that absent their consent the privacy of their health information is "absolute." Others stated that, today, health information is disclosed only pursuant to a judicial order. Several commenters were concerned that this regulation would override stronger state privacy protection.

Response: This regulation does not, and cannot, reduce current privacy protections. The statutory language of the HIPAA specifically mandates that this regulation does not preempt state laws that are more protective of privacy.

As discussed in more detail later in this preamble, while many people believe that they must be asked permission prior to any release of health information about them, current laws generally do not impose such a requirement. Similarly, as discussed in more detail later in this preamble, judicial review is required today only for a small proportion of releases of health information.

Comment: Many commenters asserted that today, medical records "belong" to patients. Others asserted that patients own their medical information and health care providers and insurance companies who maintain health records should be viewed as custodians of the patients' property.

Response: We do not intend to change current law regarding ownership of or responsibility for medical records. In developing this rule we reviewed current law on this and related issues, and built on that foundation.

Under state laws, medical records are often the property of the health care provider or medical facility that created them. Some state laws also provide patients with access to medical records or an ownership interest in the health information in medical records. However, these laws do not divest the health care provider or the medical facility of its ownership interest in medical records. These statutes typically provide a patient the right to inspect or copy health information from the medical record, but not the right to take the provider's original copy of an item in the medical record. If a particular state law provides greater ownership rights, this regulation leaves such rights in place.

Comment: Some commenters argued that the use and disclosure of sensitive personal information must be strictly regulated, and violation of such regulations should subject an entity to significant penalties and sanctions.

Response: We agree, and share the commenters' concern that the penalties in the HIPAA statute are not sufficient to fully protect individuals' privacy interests. The need for stronger penalties is among the reasons we believe Congress should pass comprehensive privacy legislation.

Comment: Many commenters expressed the opinion that the proposed rule should provide stricter privacy protections.

Response: We received nearly 52,000 comments on the proposed regulation, and make substantial changes to the proposal in response to those comments. Many of these changes will strengthen the protections that were proposed in the NPRM.

Comment: Many commenters expressed concern that their health information will be given to their employers.

Response: We agree that employer access to health information is a particular concern. In this final regulation, we make significant changes to the NPRM that clarify and provide additional safeguards governing when and how the health plans covered by this regulation may disclose health information to employers.

Comment: Several commenters argued that individuals should be able to sue for breach of privacy.

Response: We agree, but do not have the legislative authority to grant a private right of action to sue under this statute. Only Congress can grant that right.

Objections to government access to protected health information

Comment: Many commenters urged the Department not to create a government database of health information, or a tracking system that would enable the government to track individuals' health information.

Response: This regulation does not create such a database or tracking system, nor does it enable future creation of such a database. This regulation describes the ways in which health plans, health care clearinghouses, and certain health care providers may use and disclose identifiable health information with and without the individual's consent.

Comment: Many commenters objected to government access to or control over their health information, which they believe the proposed regulation would provide.

Response: This regulation does not increase current government access to health information. This rule sets minimum privacy standards. It does not require disclosure of health information, other than to the subject of the records or for enforcement of this rule. Health plans and health care providers are free to use their own professional ethics and judgement to adopt stricter policies for disclosing health information.

Comment: Some commenters viewed the NPRM as creating fewer hurdles for government access to protected health information than for access to protected health information by private organizations. Some health care providers commented that the NPRM would impose substantial new restrictions on private sector use and disclosure of protected health information, but would make government access to protected health information easy. One consumer advocacy group made the same observation.

Response: We acknowledge that many of the national priority purposes for which we allow disclosure of protected health information without consent or authorization are for government functions, and that many of the governmental recipients of such information are not governed by this rule. It is the role of government to undertake functions in the broader public interest, such as public health activities, law enforcement, identification of deceased individuals through coroners' offices, and military activities. It is these public purposes which can sometimes outweigh an individual's privacy interest. In this rule, we specify the circumstances in which that balance is tipped toward the public interest with respect to health information. We discuss the rationale behind each of these permitted disclosures in the relevant preamble sections below.

Miscellaneous Comments

Comment: Many commenters objected to the establishment of a unique identifier for health care or other purposes.

Response: This regulation does not create an identifier. We assume these comments refer to the unique health identifier that Congress directed the Secretary to promulgate under section 1173(b) of the Social Security Act, added by section 262 of the HIPAA. Because of the public concerns about such an identifier, in the summer of 1998 Vice President Gore announced that the Administration would not promulgate such a regulation until comprehensive medical privacy protections were in place. In the fall of that year, Congress prohibited the Department from promulgating such an identifier, and that prohibition remains in place. The Department has no plans to promulgate a unique health identifier.

Comment: Many commenters asked that we withdraw the proposed regulation and not publish a final rule.

Response: Under section 264 of the HIPAA, the Secretary is required by Congress to promulgate a regulation establishing standards for health information privacy. Further, for the reasons explained throughout this preamble above, we believe that the need to protect health information privacy is urgent and that this regulation is in the public's interest.

Comment: Many commenters expressed the opinion that their consent should be required for all disclosures of their health information.

Response: We agree that consent should be required prior to release of health information for many purposes, and impose such a requirement in this regulation. Requiring consent prior to all release of health information, however, would unduly jeopardize public safety and make many operations of the health care system impossible. For example, requiring consent prior to release of health information to a public health official who is attempting to track the source of an outbreak or epidemic could endanger thousands of lives. Similarly, requiring consent before an oversight official could audit a health plan would make detection of health care fraud all but impossible; it could take health plans months or years to locate and obtain the consent of all current and past enrollees, and the health plan would not have a strong incentive to do so. These uses of medical information are clearly in the public interest.

In this regulation, we must balance individuals' privacy interests against the legitimate public interests in certain uses of health information. Where there is an important public interest, this regulation imposes procedural safeguards that must be met prior to release of health information, in lieu of a requirement for consent. In some instances the procedural safeguards consist of limits on the circumstances in which information may be disclosed; in others the safeguards consist of limits on what information may be disclosed; and in other cases we require some form of legal process (e.g., a warrant or subpoena) prior to release of health information. We also allow disclosure of health information without consent where other law mandates the disclosure. Where such other law exists, another public entity has made the determination that the public interests outweigh the individual's privacy interests, and we do not upset that determination in this regulation. In short, we tailor the safeguards to match the specific nature of the public purpose. The specific safeguards are explained in each section of this regulation below.

Comment: Many comments address matters not relevant to this regulation, such as alternative fuels, hospital reimbursement, and Gulf War syndrome.

Response: These and similar matters are not relevant to this regulation and will not be addressed further.

Comment: A few commenters questioned why this level of detail is needed in response to the HIPAA Congressional mandate.

Response: This level of detail is necessary to ensure that individuals' rights with respect to their health information are clear, while also ensuring that information necessary for important public functions, such as protecting public health, promoting biomedical research, fighting health care fraud, and notifying family members in disaster situations, will not be impaired by this regulation. We designed this rule to reflect current practices and change some of them. The comments and our fact finding revealed the complexity of current health information practices, and we believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Comment: A few comments stated that the goal of administrative simplification should never override the privacy of individuals.

Response: We believe that privacy is a necessary component of administrative simplification, not a competing interest.

Comment: At least one commenter said that the goal of administrative simplification is not well served by the proposed rule.

Response: Congress recognized that privacy is a necessary component of administrative simplification. The standardization of electronic health information mandated by the HIPAA that makes it easier to share that information for legitimate purposes also makes the inappropriate sharing of that information easier. For this reason, Congress included a mandate for privacy standards in this section of the HIPAA. Without appropriate privacy protections, public fear and instances of abuse would make it impossible for us to take full advantage of the administrative and cost benefits inherent in the administrative simplification standards.

Comment: At least one commenter asked us to require psychotherapists to assert any applicable legal privilege on patients' behalf when protected health information is requested.

Response: Whether and when to assert a claim of privilege on a patient's behalf is a matter for other law and for the ethics of the individual health care provider. This is not a decision that can or should be made by the federal government.

Comment: One commenter called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the Security Standards should be compatible with the existing and emerging health care and information technology industry standards.

Response: We agree that both this regulation and the final Security Regulation should be compatible with existing and emerging technology industry standards. This regulation is "technology neutral." We do not mandate the use of any particular technologies, but rather set standards which can be met through a variety of means.

Comment: Several commenters claimed that the statutory authority given under HIPAA cannot provide meaningful privacy protections because many entities with access to protected health information, such as employers, workers' compensation carriers, and life insurance companies, are not covered entities. These commenters expressed support for comprehensive legislation to close many of the existing loopholes.

Response: We agree with the commenters that comprehensive legislation is necessary to provide full privacy protection and have called for members of Congress to pass such legislation to prevent unauthorized and potentially harmful uses and disclosures of information.

PART 160 - SUBPART A - GENERAL PROVISIONS

SECTION 160.103 - DEFINITIONS

Business Associate.

The response to comments on the definition of "business partner," renamed in this rule as "business associate," is included in the response to comments on the requirements for business associates in the preamble discussion of § 164.504.

Covered Entity.

Comment: A number of commenters urged the Department to expand or clarify the definition of "covered entity" to include certain entities other than health care clearinghouses, health plans, and health care providers who conduct standard transactions. For example, several commenters asked that the Department generally expand the scope of the rule to cover all entities that receive or maintain individually identifiable health information; others specifically urged the Department to cover employers, marketing firms, and legal entities that have access to individually identifiable health information. Some commenters asked that life insurance and casualty insurance carriers be considered covered entities for purposes of this rule. One commenter recommended that Pharmacy Benefit Management (PBM) companies be considered covered entities so that they may use and disclose protected health information without authorization.

In addition, a few commenters asked the Department to clarify that the definition includes providers who do not directly conduct electronic transactions if another entity, such as a billing service or hospital, does so on their behalf.

Response: We understand that many entities may use and disclose individually identifiable health information. However, our jurisdiction under the statute is limited to health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with any of the standard financial or administrative transactions in section 1173(a) of the Act. These are the entities referred to in section 1173(a)(1) of the Act and thus listed in § 160.103 of the final rule. Consequently, once protected health information leaves the purview of one of these covered entities, their business associates, or other related entities (such as plan sponsors), the information is no longer afforded protection under this rule. We again highlight the need for comprehensive federal legislation to eliminate such gaps in privacy protection.

We also provide the following clarifications with regard to specific entities.

We clarify that employers and marketing firms are not covered entities. However, employers may be plan sponsors of a group health plan that is a covered entity under the rule. In such a case, specific requirements apply to the group health plan. See the preamble on § 164.504 for a discussion of specific "firewall" and other organizational requirements for group health plans and their employer sponsors. The final rule also contains provisions addressing when an insurance issuer providing benefits under a group health plan may disclose summary health information to a plan sponsor.

With regard to life and casualty insurers, we understand that such benefit providers may use and disclose individually identifiable health information. However, Congress did not include life insurers and casualty insurance carriers as "health plans" for the purposes of this rule and therefore they are not covered entities. See the discussion regarding the definition of "health plan" and excepted benefits.

In addition, we clarify that a PBM is a covered entity only to the extent that it meets the definition of one or more of the entities listed in § 160.102. When providing services to patients through managed care networks, it is likely that a PBM is acting as a business associate of a health plan, and may thus use and disclose protected health information pursuant to the relevant provisions of this rule. PBMs may also be business associates of health care providers. See the preamble sections on §§ 164.502, 164.504, and 164.506 for discussions of the specific requirements related to business associates and consent.

Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to a contractor.

Comment: Many commenters urged the Department to restrict or clarify the definition of "covered entity" to exclude certain entities, such as department-operated hospitals (public hospitals); state Crime Victim Compensation Programs; employers; and certain lines of insurers, such as workers' compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers. One commenter expressed concern that clergy, religious practitioners, and other faith-based service providers would have to abide by the rule and asked that the Department exempt prayer healing and non-medical health care.

Response: The Secretary provides the following clarifications in response to these comments. To the extent that a "department-operated hospital" meets the definition of a "health care provider" and conducts any of the standard transactions, it is a covered entity for the purposes of this rule. We agree that a state Crime Victim Compensation Program is not a covered entity if it is not a health care provider that conducts standard transactions, a health plan, or a health care clearinghouse. Further, as described above, employers are not covered entities.

In addition, we agree that workers' compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers are not covered entities, as they do not meet the statutory definition of "health plan." See further discussion in the preamble on § 160.103 regarding the definition of "health plan." However, activities related to ceding, securing, or placing a contract for reinsurance, including stop-loss insurance, are health care operations in the final rule. As such, reinsurers and stop-loss insurers may obtain protected health information from covered entities.

Also, in response to the comment regarding religious practitioners, the Department clarifies that "health care" as defined under the rule does not include methods of healing that are solely spiritual. Therefore, clergy or other religious practitioners that provide solely religious healing services are not health care providers within the meaning of this rule, and consequently not covered entities for the purposes of this rule.

Comment: A few commenters expressed general uncertainty and requested clarification as to whether certain entities were covered entities for the purposes of this rule. One commenter was uncertain as to whether the rule applies to certain social service entities, in addition to clinical social workers that the commenter believes are providers. Other commenters asked whether researchers or non-governmental entities that collect and analyze patient data to monitor and evaluate quality of care are covered entities. Another commenter requested clarification regarding the definition's application to public health agencies that also are health care providers as well as how the rule affects public health agencies in their data collection from covered entities.

Response: Whether the professionals described in these comments are covered by this rule depends on the activities they undertake, not on their profession or degree. The definitions in this rule are based on activities and functions, not titles. For example, a social service worker whose activities meet this rule's definition of health care will be a health care provider. If that social service worker also transmits information in a standard HIPAA transaction, he or she will be a covered entity under this rule. Another social service worker may provide services that do not meet the rule's definition of health care, or may not transmit information in a standard transaction. Such a social service worker is not a covered entity under this rule. Similarly, researchers in and of themselves are not covered entities. However, researchers may also be health care providers if they provide health care. In such cases, the persons or entities, in their role as health care providers, may be covered entities if they conduct standard transactions.

With regard to public health agencies that are also health care providers, the health care provider "component" of the agency is the covered entity if that component conducts standard transactions. See discussion of "health care components" below. As to the data collection activities of a public health agency, the final rule in § 164.512(b) permits a covered entity to disclose protected health information to public health authorities under specified circumstances, and permits public health agencies that are also covered entities to use protected health information for these purposes. See § 164.512(b) for further details.

Comment: A few commenters requested that the Department clarify that device manufacturers are not covered entities. They stated that the proposal did not provide enough guidance in cases where the "manufacturer supplier" has only one part of its business that acts as the "supplier," and additional detail is needed about the relationship of the "supplier component" of the company to the rest of the business. Similarly, another commenter asserted that drug, biologics, and device manufacturers should not be covered entities simply by virtue of their manufacturing activities.

Response: We clarify that if a supplier manufacturer is a Medicare supplier, then it is a health care provider, and it is a covered entity if it conducts standard transactions. Further, we clarify that a manufacturer of supplies related to the health of a particular individual, e.g., prosthetic devices, is a health care provider because the manufacturer is providing "health care" as defined in the rule. However, that manufacturer is a covered entity only if it conducts standard transactions. We do not intend that a manufacturer of supplies that are generic and not customized or otherwise specifically designed for particular individuals, e.g., ace bandages for a hospital, is a health care provider. Such a manufacturer is not providing "health care" as defined in the rule and is therefore not a covered entity. We note that, even if such a manufacturer is a covered entity, it may be an 'indirect treatment provider' under this rule, and thus not subject to all of the rule's requirements.

With regard to a "supplier component," the final rule addresses the status of the unit or units of a larger entity that constitute a "health care component." See further discussion under § 164.504 of this preamble.

Finally, we clarify that drug, biologics, and device manufacturers are not health care providers simply by virtue of their manufacturing activities. The manufacturer must be providing health care consistent with the final rule's definition in order to be considered a health care provider.

Comment: A few commenters asked that the Department clarify that pharmaceutical manufacturers are not covered entities. It was explained that pharmaceutical manufacturers provide support and guidance to doctors and patients with respect to the proper use of their products, provide free products for doctors to distribute to patients, and operate charitable programs that provide pharmaceutical drugs to patients who cannot afford to buy the drugs they need.

Response: A pharmaceutical manufacturer is only a covered entity if the manufacturer provides "health care" according to the rule's definition and conducts standard transactions. In the above case, a pharmaceutical manufacturer that provides support and guidance to doctors and patients regarding the proper use of their products is providing "health care" for the purposes of this rule, and therefore, is a health care provider to the extent that it provides such services. The pharmaceutical manufacturer that is a health care provider is only a covered entity, however, if it conducts standard transactions. We note that this rule permits a covered entity to disclose protected health information to any person for treatment purposes, without specific authorization from the individual. Therefore, a covered health care provider is permitted to disclose protected health information to a pharmaceutical manufacturer for treatment purposes. Providing free samples to a health care provider does not in itself constitute health care. For further analysis of pharmacy assistance programs, see response to comment on § 164.501, definition of "payment."

Comment: Several commenters asked about the definition of "covered entity" and its application to health care entities within larger organizations.

Response: A detailed discussion of the final rule's organizational requirements and firewall restrictions for "health care components" of larger entities, as well as for affiliated, and other entities is found at the discussion of § 164.504 of this preamble. The following responses to comments provide additional information with respect to particular "component entity" circumstances.

Comment: Several commenters asked that we clarify the definition of covered entity to state that with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated businesses, the term "covered entity" encompasses only the health care components of the entity. Similarly, others recommended that only the component of a government agency that is a provider, health plan, or clearinghouse should be considered a covered entity.

Other commenters requested that we revise proposed § 160.102 to apply only to the component of an entity that engages in the transactions specified in the rule. Commenters stated that companies should remain free to employ licensed health care providers and to enter into corporate relationships with provider institutions without fear of being considered to be a covered entity. Another commenter suggested that the regulation not apply to the provider-employee or employer when neither the provider nor the company are a covered entity.

Some commenters specifically argued that the definition of "covered entity" did not contemplate an integrated health care system and one commenter stated that the proposal would disrupt the multi-disciplinary, collaborative approach that many take to health care today by treating all components as separate entities. Commenters, therefore, recommended that the rule treat the integrated entity, not its constituent parts, as the covered entity.

A few commenters asked that the Department further clarify the definition with respect to the unique organizational models and relationships of academic medical centers and their parent universities and the rules that govern information exchange within the institution. One commenter asked whether faculty physicians who are paid by a medical school or faculty practice plan and who are on the medical staff of, but not paid directly by, a hospital are included within the covered entity. Another commenter stated that it appears that only the health center at an academic institution is the covered entity. Uncertainty was also expressed as to whether other components of the institution that might create protected health information only incidentally through the conduct of research would also be covered.

Response: The Department understands that in today's health care industry, the relationships among health care entities and non-health care organizations are highly complex and varied. Accordingly, the final rule gives covered entities some flexibility to segregate or aggregate their operations for purposes of the application of this rule. The new component entity provision can be found at §§ 164.504(b)-(c). In response to the request for clarification on whether the rule would apply to a research component of the covered entity, we point out that if the research activities fall outside of the health care component they would not be subject to the rule. One organization may have one or several "health care component(s)" that each perform one or more of the health care functions of a covered entity, i.e., health care provider, health plan, health care clearinghouse. In addition, the final rule permits covered entities that are affiliated, i.e., share common ownership or control, to designate themselves, or their health care components, together to be a single covered entity for purposes of the rule.

It appears from the comments that there is not a common understanding of the meaning of "integrated delivery system." Arrangements that apply this label to themselves operate and share information in many different ways, and may or may not be financially or clinically integrated. In some cases, multiple entities hold themselves out as one enterprise and engage together in clinical or financial activities. In others, separate entities share information but do not provide treatment together or share financial risk. Many health care providers participate in more than one such arrangement.

Therefore, we do not include a separate category of "covered entity" under this rule for "integrated delivery systems" but instead accommodate the operations of these varied arrangements through the functional provisions of the rule. For example, covered entities that operate as "organized health care arrangements" as defined in this rule may share protected health information for the operation of such arrangement without becoming business associates of one another. Similarly, the regulation does not require a business associate arrangement when protected health information is shared for purposes of providing treatment. The application of this rule to any particular "integrated system" will depend on the nature of the common activities the participants in the system perform. When the participants in such an arrangement are "affiliated" as defined in this rule, they may consider themselves a single covered entity (see § 164.504).

The arrangements between academic health centers, faculty practice plans, universities, and hospitals are similarly diverse. We cannot describe a blanket rule that covers all such arrangements. The application of this rule will depend on the purposes for which the participants in such arrangements share protected health information, whether some or all participants are under common ownership or control, and similar matters. We note that physicians who have staff privileges at a covered hospital do not become part of that hospital covered entity by virtue of having such privileges.

We reject the recommendation to apply the rule only to components of an entity that engage in the transactions. This would omit as covered entities, for example, the health plan components that do not directly engage in the transactions, including components that engage in important health plan functions such as coverage determinations and quality review. Indeed, we do not believe that the statute permits this result with respect to health plans or health care clearinghouses as a matter of negative implication from section 1172(a)(3). We clarify that only a health care provider must conduct transactions to be a covered entity for purposes of this rule.

We also clarify that health care providers (such as doctors or nurses) who work for a larger organization and do not conduct transactions on their own behalf are workforce members of the covered entity, not covered entities themselves.

Comment: A few commenters asked the Department to clarify the definition to provide that a multi-line insurer that sells insurance coverages, some of which do and others of which do not meet the definition of "health plan," is not a covered entity with respect to actions taken in connection with coverages that are not "health plans."

Response: The final rule clarifies that the requirements below apply only to the organizational unit or units of the organization that are the "health care component" of a covered entity, where the "covered functions" are not the primary functions of the entity. Therefore, for a multi-line insurer, the "health care component" is the insurance line(s) that conduct, or support the conduct of, the health care function of the covered entity. Also, it should be noted that excepted benefits, such as life insurance, are not included in the definition of "health plan." (See preamble discussion of § 164.504).

Comment: A commenter questioned whether the Health Care Financing Administration (HCFA) is a covered entity and how HCFA will share data with Medicare managed care organizations. The commenter also questioned why the regulation must apply to Medicaid since the existing Medicaid statute requires that states have privacy standards in place. It was also requested that the Department provide a definition of "health plan" to clarify that state Medicaid Programs are considered as such.

Response: HCFA is a covered entity because it administers Medicare and Medicaid, which are both listed in the statute as health plans. Medicare managed care organizations are also covered entities under this regulation. As noted elsewhere in this preamble, covered entities that jointly administer a health plan, such as Medicare + Choice, are both covered entities, and are not business associates of each other by virtue of such joint administration.

We do not exclude state Medicaid programs. Congress explicitly included the Medicaid program as a covered health plan in the HIPAA statute.

Comment: A commenter asked the Department to provide detailed guidance as to when providers, plans, and clearinghouses become covered entities. The commenter provided the following example: if a provider submits claims only in paper form, and a coordination of benefits (COB) transaction is created due to other insurance coverage, will the original provider need to be notified that the claim is now in electronic form, and that it has become a covered entity? Another commenter voiced concern as to whether physicians who do not conduct electronic transactions would become covered entities if another entity using its records downstream transmits information in connection with a standard transaction on their behalf.

Response: We clarify that health care providers who submit the transactions in standard electronic form, health plans, and health care clearinghouses are covered entities if they meet the respective definitions. Health care providers become subject to the rule if they conduct standard transactions. In the above example, the health care provider would not be a covered entity if the coordination of benefits transaction was generated by a payor.

We also clarify that health care providers who do not submit transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on the providers' behalf. However, where the downstream transaction is not conducted on behalf of the health care provider, the provider does not become a covered entity due to the downstream transaction.

Comment: Several commenters discussed the relationship between section 1179 of the Act and the privacy regulations. One commenter suggested that HHS retain the statement that a covered entity means "the entities to which part C of title XI of the Act applies." In particular, the commenter observed that section 1179 of the Act provides that part C of title XI of the Act does not apply to financial institutions or to entities acting on behalf of such institutions that are covered by the section 1179 exemption. Thus, under the definition of covered entity, they commented that financial institutions and other entities that come within the scope of the section 1179 exemption are appropriately not covered entities.

Other commenters maintained that section 1179 of the Act means that the Act's privacy requirements do not apply to the request for, or the use or disclosure of, information by a covered entity with respect to payment: (a) for transferring receivables; (b) for auditing; (c) in connection with - (i) a customer dispute; or (ii) an inquiry from or to a customer; (d) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer; (e) for reporting to consumer reporting agencies; or (f) for complying with: (i) a civil or criminal subpoena; or (ii) a federal or state law regulating the entity. These companies expressed concern that the proposed rule did not include the full text of section 1179 when discussing the list of activities that were exempt from the rule's requirements. Accordingly, they recommended including in the final rule either a full listing of or a reference to section 1179's full list of exemptions. Furthermore, these firms opposed applying the proposed rule's minimum necessary standard for disclosure of protected health information to financial institutions because of section 1179.

These commenters suggested that in light of section 1179, HHS lacks the authority to impose restrictions on financial institutions and other entities when they engage in activities described in that section. One commenter expressed concern that even though proposed § 164.510(i) would have permitted covered entities to disclose certain information to financial institutions for banking and payment processes, it did not state clearly that financial institutions and other entities described in section 1179 are exempt from the rule's requirements.

Response: We interpret section 1179 of the Act to mean that entities engaged in the activities of a financial institution, and those acting on behalf of a financial institution, are not subject to this regulation when they are engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The statutory reference to 12 U.S.C. 3401 indicates that Congress chose to adopt the definition of financial institutions found in the Right to Financial Privacy Act, which defines financial institutions as any office of a bank, savings bank, card issuer, industrial loan company, trust company, savings association, building and loan, homestead association, cooperative bank, credit union, or consumer finance institution located in the United States or one of its Territories. Thus, when we use the term "financial institution" in this regulation, we turn to the definition with which Congress provided us. We interpret this provision to mean that when a financial institution, or its agent on behalf of the financial institution, conducts the activities described in section 1179, the privacy regulation will not govern the activity.

If, however, these activities are performed by a covered entity or by another entity, including a financial institution, on behalf of a covered entity, the activities are subject to this rule. For example, if a bank operates the accounts payable system or other "back office" functions for a covered health care provider, that activity is not described in section 1179. In such instances, because the bank would meet the rule's definition of "business associate," the provider must enter into a business associate contract with the bank before disclosing protected health information pursuant to this relationship. However, if the same provider maintains an account through which he/she cashes checks from patients, no business associate contract would be necessary because the bank's activities are not undertaken for or on behalf of the covered entity, and fall within the scope of section 1179. In part to give effect to section 1179, in this rule we do not consider a financial institution to be acting on behalf of a covered entity when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care.

We do not agree with the comment that section 1179 of the Act means that the privacy regulation's requirements cannot apply to the activities listed in that section; rather, it means that the entities expressly mentioned, financial institutions (as defined in the Right to Financial Privacy Act), and their agents that engage in the listed activities for the financial institution are not within the scope of the regulation. Nor do we interpret section 1179 to support an exemption for disclosures to financial institutions from the minimum necessary provisions of this regulation.

Comment: One commenter recommended that HHS include a definition of "entity" in the final rule because HIPAA did not define it. The commenter explained that in a modern health care environment, the organization acting as the health plan or health care provider may involve many interrelated corporate entities and that this could lead to difficulties in determining what "entities" are actually subject to the regulation.

Response: We reject the commenter's suggestion. We believe it is clear in the final rule that the entities subject to the regulation are those listed at § 160.102. However, we acknowledge that how the rule applies to integrated or other complex health systems needs to be addressed; we have done so in § 164.504 and in other provisions, such as those addressing organized health care arrangements.

Comment: The preamble should clarify that self-insured group health and workmen's compensation plans are not covered entities or business partners.

Response: In the preamble to the proposed rule we stated that certain types of insurance entities, such as workers' compensation, would not be covered entities under the rule. We do not change this position in this final rule. The statutory definition of health plan does not include workers' compensation products, and the regulatory definition of the term specifically excludes them. However, HIPAA specifically includes most group health plans within the definition of "health plan."

Comment: A health insurance issuer asserted that health insurers and third party administrators are usually required by employers to submit reports describing the volume, amount, payee, basis for services rendered, types of claims paid and services for which payment was requested on behalf of its covered employees. They recommended that the rule permit the disclosure of protected health information for such purposes.

Response: We agree that health plans should be able to disclose protected health information to employers sponsoring health plans under certain circumstances. Section 164.504(f) explains the conditions under which protected health information may be disclosed to plan sponsors. We believe that this provision gives sponsors access to the information they need, but protects individuals' information to the extent possible under our legislative authority.

Group Health Plan.

For response to comments relating to "group health plan," see the response to comments on "health plan" below and the response to comments on § 164.504.

Health Care.

Comment: A number of commenters asked that we include disease management activities and other similar health improvement programs, such as preventive medicine, health education services and maintenance, health and case management, and risk assessment, in the definition of "health care." Commenters maintained that the rule should avoid limiting technological advances and new health care trends intended to improve patient "health care."

Response: Review of these and other comments, and our fact-finding, indicates that there are multiple, different understandings of the definition of these terms. Therefore, rather than create a blanket rule that includes such terms in or excludes such terms from the definition of "health care," we define health care based on the underlying activities that constitute health care. The activities described by these commenters are considered "health care" under this rule to the extent that they meet this functional definition. Listing activities by label or title would create the risk that important activities would be left out and, given the lack of consensus on what these terms mean, could also create confusion.

Comment: Several commenters urged that the Department clarify that the activities necessary to procure and distribute eyes and eye tissue will not be hampered by the rule. Some of these commenters explicitly requested that we include "eyes and eye tissue" in the list of procurement biologicals as well as "eye procurement" in the definition of "health care." In addition, it was argued that "administration to patients" be excluded in the absence of a clear definition. Also, commenters recommended that the definition include other activities associated with the transplantation of organs, such as processing, screening, and distribution.

Response: We delete from the definition of "health care" activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients. We do so because persons who make such donations are not seeking to be treated, diagnosed, or assessed or otherwise seeking health care for themselves, but are seeking to contribute to the health care of others. In addition, the nature of these activities entails a unique kind of information sharing and tracking necessary to safeguard the nation's organ and blood supply, and those seeking to donate are aware that this information sharing will occur. Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.

With respect to disclosure of protected health information by covered entities to facilitate cadaveric organ and tissue donation, the final rule explicitly permits a covered entity to disclose protected health information without authorization, consent, or agreement to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h). We do not include blood or sperm banking in this provision because, for those activities, there is direct contact with the donor, and thus opportunity to obtain the individual's authorization.

Comment: A large number of commenters urged that the term "assessment" be included in the list of services in the definition, as "assessment" is used to determine the baseline health status of an individual. It was explained that assessments are conducted in the initial step of diagnosis and treatment of a patient. If assessment is not included in the list of services, they pointed out that the services provided by occupational health nurses and employee health information may not be covered.

Response: We agree and have added the term "assessment" to the definition to clarify that this activity is considered "health care" for the purposes of the rule.

Comment: One commenter asked that we revise the definition to explicitly exclude plasmapheresis from paragraph (3) of the definition. It was explained that plasmapheresis centers do not have direct access to health care recipients or their health information, and that the limited health information collected about plasma donors is not used to provide health care services as indicated by the definition of health care.

Response: We address the commenters' concerns by removing the provision related to procurement and banking of human products from the definition.

Health Care Clearinghouse.

Comment: The largest set of comments relating to health care clearinghouses focused on our proposal to exempt health care clearinghouses from the patient notice and access rights provisions of the regulation. In our NPRM, we proposed to exempt health care clearinghouses from certain provisions of the regulation that deal with the covered entities' notice of information practices and consumers' rights to inspect, copy, and amend their records. The rationale for this exemption was based on our belief that health care clearinghouses engage primarily in business-to-business transactions and do not initiate or maintain direct relationships with individuals. We proposed this position with the caveat that the exemptions would be void for any health care clearinghouse that had direct contact with individuals in a capacity other than that of a business partner. In addition, we indicated that, in most instances, clearinghouses also would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. They also would be subject to the notice of information practices developed by the plans and providers with whom they contract.

Commenters stated that, although health care clearinghouses do not have direct contact with individuals, they do have individually identifiable health information that may be subject to misuse or inappropriate disclosure. They expressed concern that we were proposing to exempt health care clearinghouses from all or many aspects of the regulation. These commenters suggested that we either delete the exemption or make it very narrow, specific and explicit in the final regulatory text.

Clearinghouse commenters, on the other hand, were in agreement with our proposal, including the exemption provision and the provision that the exemption is voided when the entity does have direct contact with individuals. They also stated that a health care clearinghouse that has a direct contact with individuals is no longer a health care clearinghouse as defined and should be subject to all requirements of the regulation.

Response: In the final rule, where a clearinghouse creates or receives protected health information as a business associate of another covered entity, we maintain the exemption for health care clearinghouses from certain provisions of the regulation dealing with the notice of information practices and patients' direct access rights to inspect, copy and amend records (§§ 164.524 and 164.526), on the grounds that a health care clearinghouse is engaged in business-to-business operations, and is not dealing directly with individuals. Moreover, as business associates of plans and providers, health care clearinghouses are bound by the notices of information practices of the covered entities with whom they contract.

Where a health care clearinghouse creates or receives protected health information other than as a business associate, however, it must comply with all the standards, requirements, and implementation specifications of the rule. We describe and delimit the exact nature of the exemption in the regulatory text. See § 164.500(b). We will monitor developments in this sector should the basic business-to-business relationship change.

Comment: A number of comments relate to the proposed definition of health care clearinghouse. Many commenters suggested that we expand the definition. They suggested that additional types of entities be included in the definition of health care clearinghouse, specifically medical transcription services, billing services, coding services, and "intermediaries." One commenter suggested that the definition be expanded to add entities that receive standard transactions, process them and clean them up, and then send them on, without converting them to any standard format. Another commenter suggested that the health care clearinghouse definition be expanded to include entities that do not perform translation but may receive protected health information in a standard format and have access to that information. Another commenter stated that the list of covered entities should include any organization that receives or maintains individually identifiable health information. One organization recommended that we expand the health care clearinghouse definition to include the concept of a research data clearinghouse, which would collect individually identifiable health information from other covered entities to generate research data files for release as de-identified data or with appropriate confidentiality safeguards. One commenter stated that HHS had gone beyond Congressional intent by including billing services in the definition.

Response: We cannot expand the definition of "health care clearinghouse" to cover entities not covered by the definition of this term in the statute. In the final regulation, we make a number of changes to address public comments relating to the definition. We modify the definition of health care clearinghouse to conform to the definition published in the Transactions Rule (with the addition of a few words, as noted above). We clarify in the preamble that, while the term "health care clearinghouse" may have other meanings and connotations in other contexts, for purposes of this regulation an entity is considered a health care clearinghouse only to the extent that it actually meets the criteria in our definition. Entities performing other functions but not meeting the criteria for a health care clearinghouse are not clearinghouses, although they may be business associates. Billing services are included in the regulatory definition of "health care clearinghouse," if they perform the specified clearinghouse functions. Although we have not added or deleted any entities from our original definition, we will monitor industry practices and may add other entities in the future as changes occur in the health system.

Comment: Several commenters suggested that we clarify that an entity acting solely as a conduit through which individually identifiable health information is transmitted or through which protected health information flows but is not stored is not a covered entity, e.g., a telephone company or Internet Service Provider. Other commenters indicated that once a transaction leaves a provider or plan electronically, it may flow through several entities before reaching a clearinghouse. They asked that the regulation protect the information in that interim stage, just as the security NPRM established a chain of trust arrangement for such a network. Others noted that these "conduit" entities are likely to be business partners of the provider, clearinghouse or plan, and we should clarify that they are subject to business partner obligations as in the proposed Security Rule.

Response: We clarify that entities acting as simple and routine communications conduits and carriers of information, such as telephone companies and Internet Service Providers, are not clearinghouses as defined in the rule unless they carry out the functions outlined in our definition. Similarly, we clarify that value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition, and clarify that such entities may be business associates if they meet the definition in the regulation.

Comment: Several commenters, including the large clearinghouses and their trade associations, suggested that we not treat health care clearinghouses as playing a dual role as covered entity and business partner in the final rule because such a dual role causes confusion as to which rules actually apply to clearinghouses. In their view, the definition of health care clearinghouse is sufficiently clear to stand alone and identify a health care clearinghouse as a covered entity, and allows health care clearinghouses to operate under one consistent set of rules.

Response: For reasons explained in § 164.504 of this preamble, we do not create an exception to the business associate requirements when the business associate is also a covered entity. We retain the concept that a health care clearinghouse may be a covered entity and a business associate of a covered entity under the regulation. As business associates, they would be bound by their contracts with covered plans and providers.

Health Care Provider.

Comment: One commenter pointed out that the preamble referred to the obligations of providers and did not use the term, "covered entity," and thus created ambiguity about the obligations of health care providers who may be employed by persons other than covered entities, e.g., pharmaceutical companies. It was suggested that a better reading of the statute and rule is that where neither the provider nor the company is a covered entity, the rule does not impose an obligation on either the provider-employee or the employer.

Response: We agree. We use the term "covered entity" whenever possible in the final rule, except for the instances where the final rule treats the entities differently, or where use of the term "health care provider" is necessary for purposes of illustrating an example.

Comment: Several commenters stated that the proposal's definition was broad, unclear, and/or confusing. Further, we received many comments requesting clarification as to whether specific entities or persons were "health care providers" for the purposes of our rule. One commenter questioned whether affiliated members of a health care group (even though separate legal entities) would be considered as one primary health care provider.

Response: We permit legally distinct covered entities that share common ownership or control to designate themselves together to be a single covered entity. Such organizations may promulgate a single shared notice of information practices and a consent form. For more detailed information, see the preamble discussion of § 164.504(d).

We understand the need for additional guidance on whether specific entities or persons are health care providers under the final rule. We provide guidance below and will provide additional guidance as the rule is implemented.

Comment: One commenter observed that sections 1171(3), 1861(s) and 1861(u) of the Act do not include pharmacists in the definition of health care provider or pharmacist services in the definition of "medical or other health services," and questioned whether pharmacists were covered by the rule.

Response: The statutory definition of "health care provider" at section 1171(3) includes "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." Pharmacists' services are clearly within this statutory definition of "health care." There is no basis for excluding pharmacists who meet these statutory criteria from this regulation.

Comment: Some commenters recommended that the scope of the definition be broadened or clarified to cover additional persons or organizations. Several commenters argued for expanding the reach of the health care provider definition to cover entities such as state and local public health agencies, maternity support services (provided by nutritionists, social workers, and public health nurses and the Special Supplemental Nutrition Program for Women, Infants and Children), and those companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies. One commenter queried whether auxiliary providers such as child play therapists, and speech and language therapists are considered to be health care providers. Other commenters questioned whether "alternative" or "complementary" providers, such as naturopathic physicians and acupuncturists would be considered health care providers covered by the rule.

Response: As with other aspects of this rule, we do not define "health care provider" based on the title or label of the professional. The professional activities of these kinds of providers vary; a person is a "health care provider" if those activities are consistent with the rule's definition of "health care provider." Thus, health care providers include persons, such as those noted by the commenters, to the extent that they meet the definition. We note that health care providers are only subject to this rule if they conduct certain transactions. See the definition of "covered entity."

However, companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies are not health care providers for the purposes of this rule unless they perform other functions that meet the definition. These entities would be business associates if they perform such activities on behalf of a covered entity.

Comment: Another commenter recommended that the Secretary expand the definition of health care provider to cover health care providers who transmit "or receive" any health care information in electronic form.

Response: We do not accept this suggestion. Section 1172(a)(3) states that providers that "transmit" health information in connection with one of the HIPAA transactions are covered, but does not use the term "receive" or a similar term.

Comment: Some comments related to online companies as health care providers and covered entities. One commenter argued that there was no reason "why an Internet pharmacy should not also be covered" by the rule as a health care provider. Another commenter stated that online health care service and content companies, including online medical record companies, should be covered by the definition of health care provider. Another commenter pointed out that the definitions of covered entities cover "Internet providers who 'bill' or are 'paid' for health care services or supplies, but not those who finance those services in other ways, such as through sale of identifiable health information or advertising." It was pointed out that thousands of Internet sites use information provided by individuals who access the sites for marketing or other purposes.

Response: We agree that online companies are covered entities under the rule if they otherwise meet the definition of health care provider or health plan and satisfy the other requirements of the rule, i.e., providers must also transmit health information in electronic form in connection with a HIPAA transaction. We restate here the language in the preamble to the proposed rule that "An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as...an 'online' pharmacy accessible on the Internet, is also a health care provider for purposes of this statute" (64 FR 59930).

Comment: We received many comments related to the reference to "health clinic or licensed health care professional located at a school or business" in the preamble's discussion of "health care provider." It was stated that including "licensed health care professionals located at a school or business" highlights the need for these individuals to understand they have the authority to disclose information to the Social Security Administration (SSA) without authorization.

However, several commenters urged HHS to create an exception for or delete that reference in the preamble discussion to primary and secondary schools because of employer or business partner relationships. One federal agency suggested that the reference "licensed health care professionals located at a [school]" be deleted from the preamble because the definition of health care provider does not include a reference to schools. The commenter also suggested that the Secretary consider: adding language to the preamble to clarify that the rules do not apply to clinics or school health care providers that only maintain records that have been excepted from the definition of protected health information, adding an exception to the definition of covered entities for those schools, and limiting paperwork requirements for these schools. Another commenter argued for deleting references to schools because the proposed rule appeared to supersede or create ambiguity as to the Family Educational Rights and Privacy Act (FERPA), which gives parents the right to access "education" and health records of their unemancipated minor children. However, in contrast, one commenter supported the inclusion of health care professionals who provide services at schools or businesses.

Response: We realize that our discussion of schools in the NPRM may have been confusing. Therefore, we address these concerns and set forth our policy regarding protected health information in educational agencies and institutions in the "Relationship to Other Federal Laws" discussion of FERPA, above.

Comment: Many commenters urged that direct contact with the patient be necessary for an entity to be considered a health care provider. Commenters suggested that persons and organizations that are remote to the patient and have no direct contact should not be considered health care providers. Several commenters argued that the definition of health care provider covers a person that provides health care services or supplies only when the provider furnishes to or bills the patient directly. It was stated that the Secretary did not intend that manufacturers, such as pharmaceutical, biologics, and device manufacturers, health care suppliers, medical-surgical supply distributors, health care vendors that offer medical record documentation templates and that typically do not deal directly with the patient, be considered health care providers and thus covered entities. However, in contrast, one commenter argued that, as an in vitro diagnostics manufacturer, it should be covered as a health care provider.

Response: We disagree with the comments that urged that direct dealings with an individual be a prerequisite to meeting the definition of health care provider. Many providers included in the statutory definition of provider, such as clinical labs, do not have direct contact with patients. Further, the use and disclosure of protected health information by indirect treatment providers can have a significant effect on individuals' privacy. We acknowledge, however, that providers who treat patients only indirectly need not have the full array of responsibilities as direct treatment providers, and modify the NPRM to make this distinction with respect to several provisions (see, for example, § 164.506 regarding consent). We also clarify that manufacturers and health care suppliers who are considered providers by Medicare are providers under this rule.

Comment: Some commenters suggested that blood centers and plasma donor centers that collect and distribute source plasma not be considered covered health care providers because the centers do not provide "health care services" and the blood donors are not "patients" seeking health care. Similarly, commenters expressed concern that organ procurement organizations might be considered health care providers.

Response: We agree and have deleted from the definition of "health care" the term "procurement or banking of blood, sperm, organs, or any other tissue for administration to patients." See prior discussion under "health care."

Comment: Several commenters proposed to restrict coverage to only those providers who furnished and were paid for services and supplies. It was argued that a salaried employee of a covered entity, such as a hospital-based provider, should not be covered by the rule because that provider would be subject both directly to the rule as a covered entity and indirectly as an employee of a covered entity.

Response: The "dual" direct and indirect situation described in these comments can arise only when a health care provider conducts standard HIPAA transactions both for itself and for its employer. For example, when the services of a provider such as a hospital-based physician are billed through a standard HIPAA transaction conducted for the employer, in this example the hospital, the physician does not become a covered provider. Only when the provider uses a standard transaction on its own behalf does he or she become a covered health care provider. Thus, the result is typically as suggested by this commenter. When a hospital-based provider is not paid directly, that is, when the standard HIPAA transaction is not on its behalf, it will not become a covered provider.

Comment: Other commenters argued that an employer who provides health care services to its employees, for whom it neither bills the employee nor pays for the health care, should not be considered a health care provider covered by the proposed rule.

Response: We clarify that the employer may be a health care provider under the rule, and may be covered by the rule if it conducts standard transactions. The provisions of § 164.504 may also apply.

Comment: Some commenters were confused about the preamble statement: "in order to implement the principles in the Secretary's Recommendations, we must impose any protections on the health care providers that use and disclose the information, rather than on the researcher seeking the information," with respect to the rule's policy that a researcher who provides care to subjects in a trial will be considered a health care provider. Some commenters were also unclear about whether the individual researcher providing health care to subjects in a trial would be considered a health care provider or whether the researcher's home institution would be considered a health care provider and thus subject to the rule.

Response: We clarify that, in general, a researcher is also a health care provider if the researcher provides health care to subjects in a clinical research study and otherwise meets the definition of "health care provider" under the rule. However, a health care provider is only a covered entity and subject to the rule if that provider conducts standard transactions. With respect to the above preamble statement, we meant that our jurisdiction under the statute is limited to covered entities. Therefore, we cannot apply any restrictions or requirements on a researcher in that person's role as a researcher. However, if a researcher is also a health care provider that conducts standard transactions, that researcher/provider is subject to the rule with regard to its provider activities.

As to applicability to a researcher/provider versus the researcher's home institution, we provide the following guidance. The rule applies to the researcher as a covered entity if the researcher is a health care provider who conducts standard transactions for services on his or her own behalf, regardless of whether he or she is part of a larger organization. However, if the services and transactions are conducted on behalf of the home institution, then the home institution is the covered entity for purposes of the rule and the researcher/provider is a workforce member, not a covered entity.

Comment: One commenter expressed confusion about those instances when a health care provider was a covered entity one day, and one who "works under a contract" for a manufacturer the next day.

Response: If persons are covered under the rule in one role, they are not necessarily covered entities when they participate in other activities in another role. For example, that person could be a covered health care provider in a hospital one day but the next day read research records for a different employer. In its role as researcher, the person is not covered, and protections do not apply to those research records.

Comment: One commenter suggested that the Secretary modify proposed § 160.102, to add the following clause at the end (after (c)) (regarding health care provider), "With respect to any entity whose primary business is not that of a health plan or health care provider licensed under the applicable laws of any state, the standards, requirements, and implementation specifications of this subchapter shall apply solely to the component of the entity that engages in the transactions specified in [§] 160.103." (Emphasis added.) Another commenter also suggested that the definition of "covered entity" be revised to mean entities that are "primarily or exclusively engaged in health care-related activities as a health plan, health care provider, or health care clearinghouse."

Response: The Secretary rejects these suggestions because they would impermissibly limit the entities covered by the rule. An entity that is a health plan, health care provider, or health care clearinghouse meets the statutory definition of covered entity regardless of how much time is devoted to carrying out health care-related functions, or regardless of what percentage of its total business applies to health care-related functions.

Comment: Several commenters sought to distinguish a health care provider from a business partner as proposed in the NPRM. For example, a number of commenters argued that disease managers that provide services "on behalf of" health plans and health care providers, and case managers (a variation of a disease management service) are business partners and not "health care providers." Another commenter argued that a disease manager should be recognized (presumably as a covered entity) because of its involvement from the physician-patient level through complex interactions with health care providers.

Response: To the extent that a disease or case manager provides services on behalf of or to a covered entity as described in the rule's definition of business associate, the disease or case manager is a business associate for purposes of this rule. However, if services provided by the disease or case manager meet the definition of treatment and the person otherwise meets the definition of "health care provider," such a person is a health care provider for purposes of this rule.

Comment: One commenter argued that pharmacy employees who assist pharmacists, such as technicians and cashiers, are not business partners.

Response: We agree. Employees of a pharmacy that is a covered entity are workforce members of that covered entity for purposes of this rule.

Comment: A number of commenters requested that we clarify the definition of health care provider ("...who furnishes, bills, or is paid for health care services or supplies in the normal course of business") by defining the various terms "furnish", "supply", and "in the normal course of business." For instance, it was stated that this would help employers recognize when services such as an employee assistance program constituted health care covered by the rule.

Response: Although we understand the concern expressed by the commenters, we decline to follow their suggestion to define terms at this level of specificity. These terms are in common use today, and an attempt at specific definition would risk the inadvertent creation of conflict with industry practices. There is significant variation in the way employers structure their employee assistance programs (EAPs) and the type of services that they provide. If the EAP provides direct treatment to individuals, it may be a health care provider.

Health Information.

The response to comments on health information is included in the response to comments on individually identifiable health information, in the preamble discussion of § 164.501.

Health Plan.

Comment: One commenter suggested that to eliminate any ambiguity, the Secretary should clarify that the catch-all category under the definition of health plan includes "24-hour coverage plans" (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers' compensation coverage for the treatment of on-the-job injuries and illnesses under one program. It was stated that this clarification was essential if the Secretary persisted in excluding workers' compensation from the final rule.

Response: We understand concerns that such plans may use and disclose individually identifiable health information. We therefore clarify that to the extent that 24-hour coverage plans have a health care component that meets the definition of "health plan" in the final rule, such components must abide by the provisions of the final rule. In the final rule, we have added a new provision to § 164.512 that permits covered entities to disclose information under workers' compensation and similar laws. A health plan that is a 24-hour plan is permitted to make disclosures as necessary to comply with such laws.

Comment: A number of commenters urged that certain types of insurance entities, such as workers' compensation and automobile insurance carriers, property and casualty insurance health plans, and certain forms of limited benefits coverage, be included in the definition of "health plan." It was argued that consumers deserve the same protection with respect to their health information, regardless of the entity using it, and that it would be inequitable to subject health insurance carriers to more stringent standards than other types of insurers that use individually identifiable health information.

Response: The Congress did not include these programs in the definition of a "health plan" under section 1171 of the Act. Further, HIPAA's legislative history shows that the House Report's (H. Rep. 104-496) definition of "health plan" originally included certain benefit programs, such as workers' compensation and liability insurance, but was later amended to clarify the definition and remove these programs. Thus, since the statutory definition of a health plan, both on its face and through its legislative history, evidences Congress' intention to exclude such programs, we do not have the authority to require that these programs comply with the standards. We have added explicit language to the final rule which excludes the excepted benefit programs, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urged HHS to include entities such as stop loss insurers and reinsurers in the definition of "health plan." It was observed that such entities have come to play important roles in managed care delivery systems. They asserted that increasingly, capitated health plans and providers contract with their reinsurers and stop loss carriers to medically manage their high cost outlier cases such as organ and bone marrow transplants, and therefore should be specifically cited as subject to the regulations.

Response: Stop-loss and reinsurers do not meet the statutory definition of health plan. They do not provide or pay for the costs of medical care, as described in the statute, but rather insure health plans and providers against unexpected losses. Therefore, we cannot include them as health plans in the regulation.

Comment: A commenter asserted that there is a significant discrepancy between the effect of the definition of "group health plan" as proposed in § 160.103, and the anticipated impact in the cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of the proposed definition of "health plan" defined a "group health plan" as an ERISA-defined employee welfare benefit plan that provides medical care and that: "(i) Has 50 or more participants, or (ii) Is administered by an entity other than the employer that established and maintains the plan[.]" (emphasis added) According to this commenter, under this definition, the only insured or self-insured ERISA plans that would not be regulated "health plans" would be those that have less than 50 participants and are self administered.

The commenter presumed that we had intended to exclude from the definition of "health plan" (and from coverage under the proposed rule) all ERISA plans that are small (less than 50 participants) or are administered by a third party, whether large or small, based on the statement at 64 FR 60014, note 18. That footnote stated that the Department had "not included the 3.9 million 'other' employer-health plans listed in HCFA's administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plan." The commenter urged us not to repeat the statutory definition, and to adopt the policy implied in the footnote.

Response: We agree with the commenter's observation that footnote 18 (64 FR 60014) was inconsistent with the proposed definition. We erred in drafting that note. The definition of "group health plan" is adopted from the statutory definition at section 1171(5)(A), and excludes from the rule as "health plans" only the few insured or self-insured ERISA plans that have less than 50 participants and are self administered. We reject the commenter's proposed change to the definition as inconsistent with the statute.

Comment: A number of insurance companies asked that long term care insurance policies be excluded from the definition of "health plan." It was argued that such policies do not provide sufficiently comprehensive coverage of the cost of medical care, and are limited benefit plans that provide or pay for the cost of custodial and other related services in connection with a long term, chronic illness or disability.

These commenters asserted that HIPAA recognizes this nature of long term care insurance, observing that, with respect to HIPAA's portability requirements, Congress enacted a series of exclusions for certain defined types of health plan arrangements that do not typically provide comprehensive coverage. They maintained that Congress recognized that long term care insurance is excluded, so long as it is not a part of a group health plan. Where a long term care policy is offered separately from a group health plan it is considered an excepted benefit and is not subject to the portability and guarantee issue requirements of HIPAA. Although this exception does not appear in the Administrative Simplification provisions of HIPAA, it was asserted that it is guidance with respect to the treatment of long term care insurance as a limited benefit coverage and not as coverage that is so "sufficiently comprehensive" that it is to be treated in the same manner as a typical, comprehensive major medical health plan arrangement.

Another commenter offered a different perspective, observing that there are some long-term care policies that do not pay for medical care and therefore are not "health plans." It was noted that most long-term care policies are reimbursement policies, that is, they reimburse the policyholder for the actual expenses that the insured incurs for long-term care services. To the extent that these constitute "medical care," this commenter presumed that these policies would be considered "health plans." Other long-term care policies, they pointed out, simply pay a fixed dollar amount when the insured becomes chronically ill, without regard to the actual cost of any long-term care services received, and thus are similar to fixed indemnity critical illness policies. The commenter suggested that while there was an important distinction between indemnity based long-term care policies and expense based long-term care policies, it may be wise to exclude all long-term care policies from the scope of the rule to achieve consistency with HIPAA.

Response: We disagree. The statutory language regarding long-term care policies in the portability title of HIPAA is different from the statutory language regarding long-term care policies in the Administrative Simplification title of HIPAA. Section 1171(5)(G) of the Act means that issuers of long-term care policies are considered health plans for purposes of administrative simplification. We also interpret the statute as authorizing the Secretary to exclude nursing home fixed-indemnity policies, not all long-term care policies, from the definition of "health plan," if she determines that these policies do not provide "sufficiently comprehensive coverage of a benefit" to be treated as a health plan (see section 1171 of the Act). We interpret the term "comprehensive" to refer to the breadth or scope of coverage of a policy. "Comprehensive" policies are those that cover a range of possible service options. Since nursing home fixed indemnity policies are, by their own terms, limited to payments made solely for nursing facility care, we have determined that they should not be included as health plans for the purposes of the HIPAA regulations. The Secretary, therefore, explicitly excluded nursing home fixed-indemnity policies from the definition of "health plan" in the Transactions Rule, and this exclusion is thus reflected in this final rule. Issuers of other long-term care policies are considered to be health plans under this rule and the Transactions Rule.

Comment: One commenter was concerned about the potential impact of the proposed regulations on "unfunded health plans," which the commenter described as programs used by smaller companies to provide their associates with special employee discounts or other membership incentives so that they can obtain health care, including prescription drugs, at reduced prices. The commenter asserted that if these discount and membership incentive programs were covered by the regulation, many smaller employers might discontinue offering them to their employees, rather than deal with the administrative burdens and costs of complying with the rule.

Response: Only those special employee discounts or membership incentives that are "employee welfare benefit plans" as defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1), and provide "medical care" (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for the purposes of this rule. Discount or membership incentive programs that are not group health plans are not covered by the rule.

Comment: Several commenters agreed with the proposal to exclude "excepted benefits" such as disability income insurance policies, fixed indemnity critical illness policies, and per diem long-term care policies from the definition of "health plan," but were concerned that the language of the proposed rule did not fully reflect this intent. They asserted that clarification was necessary in order to avoid confusion and costs to both consumers and insurers.

One commenter stated that, while HHS did not intend for the rule to apply to every type of insurance coverage that paid for medical care, the language of the proposed rule did not bear this out. The problem, it was asserted, is that under the proposed rule any insurance policy that pays for "medical care" would technically be a "health plan." It was argued that despite the statements in the narrative, there are no provisions that would exempt any of the "excepted benefits" from the definition of "health care." It was stated that:

"Although (with the exception of long-term care insurance), the proposed rule does not include the 'excepted benefits' in its list of sixteen examples of a health plan (proposed 45 CFR 160.104), it does not explicitly exclude them either. Because these types of policies in some instances pay benefits that could be construed as payments for medical care, we are concerned by the fact that they are not explicitly excluded from the definition of 'health plan' or the requirements of the proposed rule."

Several commenters proposed that HHS adopt the same list of "excepted benefits" contained in 29 U.S.C. 1191b, suggesting that they could be adopted either as exceptions to the definition of "health plan" or as exceptions to the requirements imposed on "health plans." They asserted that this would promote consistency in the federal regulatory structure for health plans.

It was suggested that HHS clarify whether the definition of health plan, particularly the "group health plan" and "health insurance issuer" components, includes a disability plan or disability insurer. It was noted that a disability plan or disability insurer may cover only income lost from disability and, as mentioned above, some rehabilitation services, or a combination of lost income, rehabilitation services and medical care. The commenter suggested that in addressing this coverage issue, it may be useful to refer to the definitions of group health plan, health insurance issuer and medical care set forth in Part I of HIPAA, which the statutory provisions of the Administrative Simplification subtitle expressly reference. See 42 U.S.C. 1320d(5)(A) and (B).

Response: We agree that the NPRM may have been ambiguous regarding the types of plans the rule covers. To remedy this confusion, we have added language that specifically excludes from the definition any policy, plan, or program providing or paying the cost of the excepted benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). As defined in the statute, this includes but is not limited to benefits under one or more (or any combination thereof) of the following: coverage only for accident, or disability income insurance, or any combination thereof; liability insurance, including general liability insurance and automobile liability insurance; and workers' compensation or similar insurance.

However, the other excepted benefits as defined in section 2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited scope dental or vision benefits, not explicitly excepted from the regulation could be considered "health plans" under paragraph (1)(xvii) of the definition of "health plan" in the final rule if and to the extent that they meet the criteria for the definition of "health plan." Such plans, unlike the programs and plans listed at section 2971(c)(1), directly and exclusively provide health insurance, even if limited in scope.

Comment: One commenter recommended that the Secretary clarify that "health plan" does not include property and casualty benefit providers. The commenter stated that the clarifying language is needed given the "catchall" category of entities defined as "any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care," and asserted that absent clarification there could be serious confusion as to whether property and casualty benefit providers are "health plans" under the rule.

Response: We agree and as described above have added language to the final rule to clarify that the "excepted benefits" as defined under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for the purposes of this rule.

Comment: Some commenters recommended that the Secretary replace the term "medical care" with "health care." It was observed that "health care" was defined in the proposal, and that this definition was used to define what a health care provider does. However, they observed that the definition of "health plan" refers to the provision of or payment for "medical care," which is not defined. Another commenter recommended that HHS add the parenthetical phrase "as such term is defined in section 2791 of the Public Health Service Act" after the phrase "medical care."

Response: We disagree with the first recommendation. We understand that the term "medical care" can be easily confused with the term "health care." However, the two terms are not synonymous. The term "medical care" is a statutorily defined term and its use is critical in making a determination as to whether a health plan is considered a "health plan" for purposes of administrative simplification. In addition, since the term "medical care" is used in the regulation only in the context of the definition of "health plan" and we believe that its inclusion in the regulatory text may cause confusion, we did not add a definition of "medical care" in the final rule. However, consistent with the second recommendation above, the statutory cite for "medical care" was added to the definition of "health plan" in the Transactions Rule, and thus is reflected in this final rule.

Comment: A number of commenters urged that the Secretary define more narrowly what characteristics would make a government program that pays for specific health care services a "health plan." Commenters argued that there are many "payment" programs that should not be included, as discussed below, and that if no distinctions were made, "health plan" would mean the same as "purchaser" or even "payor."

Commenters asserted that there are a number of state programs that pay for "health care" (as defined in the rule) but that are not health plans. They said that examples include the WIC program (Special Supplemental Nutrition Program for Women, Infants, and Children) which pays for nutritional assessment and counseling, among other services; the AIDS Client Services Program (including AIDS prescription drug payment) under the federal Ryan White Care Act and state law; the distribution of federal family planning funds under Title X of the Public Health Services Act; and the breast and cervical health program which pays for cancer screening in targeted populations. Commenters argued that these are not insurance plans and do not fall within the "health plan" definition's list of examples, all of which are either insurance or broad-scope programs of care under a contract or statutory entitlement. However, paragraph (16) in that list opens the door to broader interpretation through the catchall phrase, "any other individual or group plan that provides or pays for the cost of medical care." Commenters assert that clarification is needed.

A few commenters stated that other state agencies often work in partnership with the state Medicaid program to implement certain Medicaid benefits, such as maternity support services and prenatal genetics screening. They concluded that while this probably makes parts of the agency the "business partner" of a covered entity, they were uncertain whether it also makes the same agency parts a "health plan" as well.

Response: We agree with the commenters that clarification is needed as to the rule's application to government programs that pay for health care services. Accordingly, in the final rule we have excepted from the definition of "health plan" a government funded program which does not have as its principal purpose the provision of, or payment for, the cost of health care or which has as its principal purpose the provision, either directly or by grant, of health care. For example, the principal purpose of the WIC program is not to provide or pay for the cost of health care, and thus, the WIC program is not a health plan for purposes of this rule. The program of health care services for individuals detained by the INS provides health care directly, and so is not a health plan. Similarly, the family planning program authorized by Title X of the Public Health Service Act pays for care exclusively through grants, and so is not a health plan under this rule. These programs (the grantees under the Title X program) may be or include health care providers and may be covered entities if they conduct standard transactions.

We further clarify that, where a public program meets the definition of "health plan," the government agency that administers the program is the covered entity. Where two agencies administer a program jointly, both are health plans. For example, both the Health Care Financing Administration and the insurers that offer a Medicare+Choice plan are "health plans" with respect to Medicare beneficiaries. An agency that does not administer a program but which provides services for such a program is not a covered entity by virtue of providing such services. Whether an agency providing services is a business associate of the covered entity depends on whether its functions for the covered entity meet the definition of business associate in § 164.501 and, in the example described by this comment, in particular on whether the arrangement falls into the exception in § 164.504(e)(1)(ii)(C) for government agencies that collect eligibility or enrollment information for covered government programs.

Comment: Some commenters expressed support for retaining the category in paragraph (16) of the proposal's definition: "Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care." Others asked that the Secretary clarify this category. One commenter urged that the final rule clearly define which plans would meet the criteria for this category.

Response: As described in the proposed rule, this category implements the language at the beginning of the statutory definition of the term "health plan": "The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care... Such term includes the following, and any combination thereof..." This statutory language is general, not specific, and as such, we are leaving it general in the final rule. However, as described above, we add explicit language which excludes certain "excepted benefits" from the definition of "health plan" in an effort to clarify which plans are not health plans for the purposes of this rule. Therefore, to the extent that a certain benefits plan or program otherwise meets the definition of "health plan" and is not explicitly excepted, that program or plan is considered a "health plan" under paragraph (1)(xvii) of the final rule.

Comment: A commenter explained that HIPAA defines a group health plan by expressly cross-referencing the statutory sections in the PHS Act and the Employee Retirement Income Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the terms "group health plan," "employee welfare benefit plan" and "participant." See 29 U.S.C. 1002(1) (definition of "employee welfare benefit plan," which is the core of the definition of group health plan under both ERISA and the PHS Act); 29 U.S.C. 1002(7) (definition of participant); 29 U.S.C. 1193(a) (definition of "group health plan," which is identical to that in section 2791(a) of the PHS Act).

It was pointed out that the preamble and the text of the proposed rule both limit the definition of all three terms to their current definitions. The commenter reasoned that since the ERISA definitions may change over time through statutory amendment, Department of Labor regulations or judicial interpretation, it would not be clear what point in time is to be considered current. Therefore, they suggested deleting references to "current" or "currently" in the preamble and in the regulation with respect to these three ERISA definitions.

In addition, the commenter stated that as the preamble to the NPRM correctly reflected, HIPAA expressly cross-references ERISA's definition of "participant" in section 3(7) of ERISA, 29 U.S.C. 1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, however, omits this cross-reference. It was suggested that the reference to section 3(7) of ERISA, defining "participant," be included in the regulation.

Finally, HIPAA incorporates the definition of a group health plan as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg-91(a)(1). That definition refers to the provision of medical care "directly or through insurance, reimbursement, or otherwise." The word "reimbursement" is omitted in both the preamble and the text of the regulation; the commenter suggested restoring it to both.

Response: We agree. These changes were made to the definition of "health plan" as promulgated in the Transactions Rule, and are reflected in this final rule.

Small Health Plan.

Comment: One commenter recommended that we delete the reference to $5 million in the definition and instead define a "small health plan" as a health plan with fewer than 50 participants. It was stated that using a dollar limitation to define a "small health plan" is not meaningful for self-insured plans and some other types of health plan coverage arrangements. A commenter pointed out that the general definition of a health plan refers to "50 or more participants," and that using a dollar factor to define a "small health plan" would be inconsistent with this definition.

Response: We disagree. The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern (13 CFR 121.105) and its affiliates to be considered "small." The size standards themselves are expressed either in number of employees or annual receipts (13 CFR 121.201). The size standards for compliance with programs of other agencies are those for SBA programs which are most comparable to the programs of such other agencies, unless otherwise agreed by the agency and the SBA (13 CFR 121.902). With respect to the insurance industry, the SBA has specified that annual receipts of $5 million is the maximum allowed for a concern and its affiliates to be considered small (13 CFR 121.201). Consequently, we retain the proposal's definition in the final rule to be consistent with SBA requirements.

We understand there may be some confusion as to the meaning of "annual receipts" when applied to a health plan. For our purposes, therefore, we consider "pure premiums" to be equivalent to "annual receipts."

Workforce.

Comment: Some commenters requested that we exclude "volunteers" from the definition of workforce. They stated that volunteers are important contributors within many covered entities, and in particular hospitals. They argued that it was unfair to ask that these people donate their time and at the same time subject them to the penalties placed upon the paid employees by these regulations, and that it would discourage people from volunteering in the health care setting.

Response: We disagree. We believe that differentiating those persons under the direct control of a covered entity who are paid from those who are not is irrelevant for the purposes of protecting the privacy of health information, and for a covered entity's management of its workforce. In either case, the person is working for the covered entity. With regard to implications for the individual, persons in a covered entity's workforce are not held personally liable for violating the standards or requirements of the final rule. Rather, the Secretary has the authority to impose civil monetary penalties and in some cases criminal penalties for such violations on only the covered entity.

Comment: One commenter asked that the rule clarify that employees administering a group health or other employee welfare benefit plan on their employers' behalf are considered part of the covered entity's workforce.

Response: As long as the employees have been identified by the group health plan in plan documents as performing functions related to the group health plan (consistent with the requirements of § 164.504(f)), those employees may have access to protected health information. However, they are not permitted to use or disclose protected health information for employment-related purposes or in connection with any other employee benefit plan or employee benefit of the plan sponsor.

PART 160 - SUBPART B - PREEMPTION OF STATE LAW

We summarize and respond below to comments received in the Transactions rulemaking on the issue of preemption, as well as those received on this topic in the Privacy rulemaking. Because no process was proposed in the Transactions rulemaking for granting exceptions under section 1178(a)(2)(A), a process for making exception determinations was not adopted in the Transactions Rule. Instead, since a process for making exception determinations was proposed in the Privacy rulemaking, we decided that the comments received in the Transactions rulemaking should be considered and addressed in conjunction with the comments received on the process proposed in the Privacy rulemaking. See 65 FR 50318 for a fuller discussion. Accordingly, we discuss the preemption comments received in the Transactions rulemaking where relevant below.

Comment: The majority of comments on preemption addressed the subject in general terms. Numerous comments, particularly from plans and providers, argued that the proposed preemption provisions were burdensome, ineffective, or insufficient, and that complete federal preemption of the "patchwork" of state privacy laws is needed. They also argued that the proposed preemption provisions are likely to invite litigation. Various practical arguments in support of this position were made. Some of these comments recognized that the Secretary's authority under section 1178 of the Act is limited and acknowledged that the Secretary's proposals were within her statutory authority. One commenter suggested that the exception determination process would result in a very costly and laborious and sometimes inconsistent analysis of the occasions in which state law would survive federal preemption, and thus suggested the final privacy regulations preempt state law with only limited exceptions, such as reporting child abuse. Many other comments, however, recommended changing the proposed preemption provisions to preempt state privacy laws on as blanket a basis as possible.

One comment argued that the assumption that more stringent privacy laws are better is not necessarily true, citing a 1999 GAO report finding evidence that the stringent state confidentiality laws of Minnesota halted the collection of comparative information on health care quality.

Several comments in this vein were also received in the Transactions rulemaking. The majority of these comments took the position that exceptions to the federal standards should either be prohibited or discouraged. It was argued that granting exceptions to the standards, particularly the transactions standards, would be inconsistent with the statute's objective of promoting administrative simplification through the use of uniform transactions.

Many other commenters, however, endorsed the "federal floor" approach of the proposed rules. (These comments were made in the context of the proposed privacy regulations.) These comments argued that this approach was preferable because it would not impair the effectiveness of state privacy laws that are more protective of privacy, while raising the protection afforded medical information in states that do not enact laws that are as protective as the rules below. Some comments argued, however, that the rules should give even more deference to state law, questioning in particular the definitions and the proposed addition to the "other purposes" criterion for exception determinations in this regard.

Response: With respect to the exception process provided for by section 1178(a)(2)(A), the contention that the HIPAA standards should uniformly control is an argument that should be addressed to the Congress, not this agency. Section 1178 of the Act expressly gives the Secretary authority to grant exceptions to the general rule that the HIPAA standards preempt contrary state law in the circumstances she determines come within the provisions at section 1178(a)(2)(A). We agree that the underlying statutory goal of standardizing financial and administrative health care transactions dictates that exceptions should be granted only on narrow grounds. Nonetheless, Congress clearly intended to accommodate some state laws in these areas, and the Department is not free to disregard this Congressional choice. As is more fully explained below, we have interpreted the statutory criteria for exceptions under section 1178(a)(2)(A) to balance the need for relative uniformity with respect to the HIPAA standards with state needs to set certain policies in the statutorily defined areas.

The situation is different with respect to state laws relating to the privacy of protected health information. Many of the comments arguing for uniform standards were particularly concerned with discrepancies between the federal privacy standards and various state privacy requirements. Unlike the situation with respect to the transactions standards, where states have generally not entered the field, all states regulate the privacy of some medical information to a greater or lesser extent. Thus, we understand the private sector's concern at having to reconcile differing state and federal privacy requirements.

This is, however, likewise an area where the policy choice has been made by Congress. Under section 1178(a)(2)(B) of the Act and section 264(c)(2) of HIPAA, provisions of state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification are not preempted. The effect of these provisions is to let the law that is most protective of privacy control (the "federal floor" approach referred to by many commenters), and this policy choice is one with which we agree. Thus, the statute makes it impossible for the Secretary to accommodate the requests to establish uniformly controlling federal privacy standards, even if doing so were viewed as desirable.

Comment: Numerous comments stated support for the proposal at proposed Subpart B to issue advisory opinions with respect to the preemption of state laws relating to the privacy of individually identifiable health information. A number of these comments appeared to assume that the Secretary's advisory opinions would be dispositive of the issue of whether or not a state law was preempted. Many of these commenters suggested what they saw as improvements to the proposed process, but supported the proposal to have the Department undertake this function.

Response: Despite the general support for the advisory opinion proposal, we decided not to provide specifically for the issuance of such opinions. The following considerations led to this decision. First, the assumption by commenters that an advisory opinion would establish what law applied in a given situation and thereby simplify the task of ascertaining what legal requirements apply to a covered entity or entities is incorrect. Any such opinion would be advisory only. Although an advisory opinion issued by the Department would indicate to covered entities how the Department would resolve the legal conflict in question and would apply the law in determining compliance, it would not bind the courts. While we assume that most courts would give such opinions deference, the outcome could not be guaranteed.

Second, the thousands of questions raised in the public comment about the interpretation, implications, and consequences of all of the proposed regulatory provisions have led us to conclude that significant advice and technical assistance about all of the regulatory requirements will have to be provided on an ongoing basis. We recognize that the preemption concerns that would have been addressed by the proposed advisory opinions were likely to be substantial. However, there is no reason to assume that they will be the most substantial or urgent of the questions that will most likely need to be addressed. It is our intent to provide as much technical advice and assistance to the regulated community as we can with the resources available. Our concern is that setting up an advisory opinion process for just one of the many types of issues that will have to be addressed will lead to a non-optimal allocation of those resources. Upon careful consideration, therefore, we have decided that we will be better able to prioritize our workload and be better able to be responsive to the most urgent and substantial questions raised to the Department, if we do not provide for a formal advisory opinion process on preemption as proposed.

Comment: A few commenters argued that the Privacy Rule should preempt state laws that would impose more stringent privacy requirements for the conduct of clinical trials. One commenter asserted that the existing federal regulations and guidelines for patient informed consent, together with the proposed rule, would adequately protect patient privacy.

Response: The Department does not have the statutory authority under HIPAA to preempt state laws that would impose more stringent privacy requirements on covered entities. HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections.

SECTION 160.201 - APPLICABILITY

Comment: Several commenters indicated that the guidance provided by the definitions at proposed § 160.202 would be of substantial benefit both to regulated entities and to the public. However, these commenters argued that the applicability of such definitions would be too limited as drafted, since proposed § 160.201 provided that the definitions applied only to "determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d-7." The commenters stated that it would be far more helpful to make the definitions in proposed § 160.202 more broadly applicable, to provide general guidance on the issue of preemption.

Response: We agree with the comments on this issue, and have revised the applicability provision of subpart B below accordingly. Section 160.201 below sets out that Subpart B implements section 1178. This means, in our view, that the definitions of the statutory terms at § 160.202 are legislative rules that apply when those statutory terms are employed, whether by HHS, covered entities, or the courts.

SECTION 160.202 - DEFINITIONS

Contrary

Comment: Some commenters asserted that the term "contrary" as defined at § 160.202 was overly broad and that its application would be time-consuming and confusing for states. These commenters argued that, under the proposed definition, a state would be required to examine all of its laws relating to health information privacy in order to determine whether or not its laws were contrary to the requirements proposed. It was also suggested that the definition contain examples of how it would work in practical terms.

A few commenters, however, argued that the definition of "contrary" as proposed was too narrow. One commenter argued that the Secretary erred in her assessment of the case law analyzing what is known as "conflict preemption" and which is set forth in shorthand in the tests set out at § 160.202.

Response: We believe that the definition proposed represents a policy that is as clear as is feasible and which can be applied nationally and uniformly. As was noted in the preamble to the proposed rules (at 64 FR 59997), the tests in the proposed definition of "contrary" are adopted from the jurisprudence of "conflict preemption." Since preemption is a judicially developed doctrine, it is reasonable to interpret this term as indicating that the statutory analysis should tie in to the analytical formulations employed by the courts. Also, while the court-developed tests may not be as clear as commenters would like, they represent a long-term, thoughtful consideration of the problem of defining when a state/federal conflict exists. They will also, we assume, generally be employed by the courts when conflict issues arise under the rules below. We thus see no practical alternative to the proposed definition and have retained it unchanged. With respect to various suggestions for shorthand versions of the proposed tests, such as the arguably broader term "inconsistent with," we see no operational advantages to such terms.

Comment: One comment asked that the Department clarify that if state law is not preempted, then the federal law would not also apply.

Response: This comment raises two issues, both of which deserve discussion. First, a state law may not be preempted because there is no conflict with the analogous federal requirement; in such a situation, both laws can, and must, be complied with. We thus do not accept this suggestion, to the extent that it suggests that the federal law would give way in this situation. Second, a state law may also not be preempted because it comes within section 1178(a)(2)(B), section 1178(b), or section 1178(c); in this situation, a contrary federal law would give way.

Comment: One comment urged the Department to take the position that where state law exists and no analogous federal requirement exists, the state requirement would not be "contrary to" the federal requirement and would therefore not trigger preemption.

Response: We agree with this comment.

Comment: One commenter criticized the definition as unhelpful in the multi-state transaction context. For example, it was asked whether the question of whether a state law is "contrary to" the federal requirement should be determined under the law of the state where the treatment is provided, where the claim processor is located, where the payment is issued, or where the data are maintained, assuming all are in different states.

Response: This is a choice of law issue, and, as is discussed more fully below, is a determination that is routinely made today in connection with multi-state transactions. See discussion below under Exception Determinations (Criteria for Exception Determinations).

State Law

Comment: Comments noted that the definition of "state law" does not explicitly include common law and recommended that it be revised to do so or to clarify that the term includes evidentiary privileges recognized at state law. Guidance concerning the impact of state privileges was also requested.

Response: As requested, we clarify that the definition of "state law" includes common law by including the term "common law." In our view, this phrase encompasses evidentiary privileges recognized at state law (which may also, we note, be embodied in state statutes).

Comment: One comment criticized this definition as unwieldy, in that locating state laws pertaining to privacy is likely to be difficult. It was noted that Florida, for example, has more than 60 statutes that address health privacy.

Response: To the extent that state laws currently apply to covered entities, those entities have presumably determined what those laws require in order to comply with them. Thus, while determining which laws are "contrary" to the federal requirements will require additional work in terms of comparing state law with the federal requirements, entities should already have acquired the knowledge of state law needed for this task in the ordinary course of doing business.

Comment: The New York City Department of Health noted that in many cases, provisions of New York State law are inapplicable within New York City, because the state legislature has recognized that the local code is tailored to the particular needs of the City. It urged that the New York City Code be treated as state law, for preemption purposes.

Response: We agree that, to the extent a state treats local law as substituting for state law it could be considered to be "state law" for purposes of this definition. If, however, a local law is local in scope and effect, and a tier of state law exists over the same subject matter, we do not think that the local law could or should be treated as "state law" for preemption purposes. We do not have sufficient information to assess the situation raised by this comment with respect to this principle, and so express no opinion thereon.

More Stringent

Comment: Many commenters supported the policy in the proposed definition of "individual" at proposed § 164.502, which would have permitted unemancipated minors to exercise, on their own behalf, rights granted to individuals in cases where they consented to the underlying health care. Commenters stated, however, that the proposed preemption provision would leave in place state laws authorizing or prohibiting disclosure to parents of the protected health information of their minor children and would negate the proposed policy for the treatment of minors under the rule. The comments stated that such state laws should be treated like other state laws, and preempted to the extent that they are less protective of the privacy of minors.

Other commenters supported the proposed preemption provision--not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent.

Response: Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this regulation recognizes and respects the current diversity of state law in this area. Where states have considered the balance involved in protecting the confidentiality of minors' health information and have explicitly acted, for example, to authorize disclosure, defer the decision to disclose to the discretion of the health care provider, or prohibit disclosure of minors' protected health information to a parent, the rule defers to these decisions to the extent that they regulate such disclosures.

Comment: The proposed definition of "more stringent" was criticized as affording too much latitude for granting exceptions for state laws that are not protective of privacy. It was suggested that the test should be "most protective of the individual's privacy."

Response: We considered adopting this test. However, for the reasons set out at 64 FR 59997, we concluded that this test would not provide sufficient guidance. The comments did not address the concerns we raised in this regard in the preamble to the proposed rules, and we continue to believe that they are valid.

Comment: A drug company expressed concern with what it saw as the expansive definition of this term, arguing that state governments may have less experience with the special needs of researchers than federal agencies and may unknowingly adopt laws that have a deleterious effect on research. A provider group expressed concern that allowing stronger state laws to prevail could result in diminished ability to get enough patients to complete high quality clinical trials.

Response: These concerns are fundamentally addressed to the "federal floor" approach of the statute, not to the definition proposed: even if the definition of "more stringent" were narrowed, these concerns would still exist. As discussed above, since the "federal floor" approach is statutory, it is not within the Secretary's authority to change the dynamics that are of concern.

Comment: One comment stated that the proposed rule seemed to indicate that the "more stringent" and "contrary to" definitions implied that these standards would apply to ERISA plans as well as to non-ERISA plans.

Response: The concern underlying this comment is that ERISA plans, which are not now subject to certain state laws because of the "field" preemption provision of ERISA but which are subject to the rules below, will become subject to state privacy laws that are "more stringent" than the federal requirements, due to the operation of section 1178(a)(2)(B), together with section 264(c)(2). We disagree that this is the case. While the courts will have the final say on these questions, it is our view that these sections simply leave in place more stringent state laws that would otherwise apply; to the extent that such state laws do not apply to ERISA plans because they are preempted by ERISA, we do not think that section 264(c)(2) overcomes the preemption effected by section 514(a) of ERISA. For more discussion of this point, see 64 FR 60001.

Comment: The Lieutenant Governor's Office of the State of Hawaii requested a blanket exemption for Hawaii from the federal rules, on the ground that its recently enacted comprehensive health privacy law is, as a whole, more stringent than the proposed federal standards. It was suggested that, for example, special weight should be given to the severity of Hawaii's penalties. It was suggested that a new definition ("comprehensive") be added, and that "more stringent" be defined in that context as whether the state act or code as a whole provides greater protection.

An advocacy group in Vermont argued that the Vermont legislature was poised to enact stronger and more comprehensive privacy laws and stated that the group would resent a federal prohibition on that.

Response: The premise of these comments appears to be that the provision-by-provision approach of Subpart B, which is expressed in the definition of the term "contrary", is wrong. As we explained in the preamble to the proposed rules (at 64 FR 59995), however, the statute dictates a provision-by-provision comparison of state and federal requirements, not the overall comparison suggested by these comments. We also note that the approach suggested would be practically and analytically problematic, in that it would be extremely difficult, if not impossible, to determine what is a legitimate stopping point for the provisions to be weighed on either the state side or the federal side of the scale in determining which set of laws was the "more stringent." We accordingly do not accept the approach suggested by these comments.

With respect to the comment of the Vermont group, nothing in the rules below prohibits or places any limits on states enacting stronger or more comprehensive privacy laws. To the extent that states enact privacy laws that are stronger or more comprehensive than contrary federal requirements, they will presumably not be preempted under section 1178(a)(2)(B). To the extent that such state laws are not contrary to the federal requirements, they will act as an overlay on the federal requirements and will have effect.

Comment: One comment raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.

Response: We have reconsidered the proposed "penalty" provision of the proposed definition of "more stringent" and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing. In addition, the fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions.

Relates to the Privacy of Individually Identifiable Health Information

Comment: One comment criticized the definition of this term as too narrow in scope and too uncertain. The commenter argued that determining the specific purpose of a state law may be difficult and speculative, because many state laws have incomplete, inaccessible, or non-existent legislative histories. It was suggested that the definition be revised by deleting the word "specific" before the word "purpose." Another commenter argued that the definition of this term should be narrowed to minimize reverse preemption by more stringent state laws. One commenter generally supported the proposed definition of this term.

Response: We are not accepting the first comment. The purpose of a given state enactment should be ascertainable, if not from legislative history or a purpose statement, then from the statute viewed as a whole. The same should be true of state regulations or rulings. In any event, it seems appropriate to restrict the field of state laws that may potentially trump the federal standards to those that are clearly intended to establish state public policy and operate in the same area as the federal standards. To the extent that the definition in the rules below does this, we have accommodated the second comment. We note, however, that we do not agree that the definition should be further restricted to minimize "reverse preemption," as suggested by this comment, as we believe that state laws that are more protective of privacy than contrary federal standards should remain, in order to ensure that the privacy of individuals' health information receives the maximum legal protection available.

SECTIONS 160.203 and 160.204 - EXCEPTION DETERMINATIONS AND ADVISORY OPINIONS

Most of the comments received on proposed Subpart B lumped together the proposed process for exception determinations under section 1178(a)(2)(A) with the proposed process for issuing advisory opinions under section 1178(a)(2)(B), either because the substance of the comment applied to both processes or because the commenters did not draw a distinction between the two processes. We address these general comments in this section.

Comment: Numerous commenters, particularly providers and provider groups, recommended that exception determinations and advisory opinions not be limited to states and advocated allowing all covered entities (including individuals, providers and insurers), or private sector organizations, to request determinations and opinions with respect to preemption of state laws. Several commenters argued that limiting requests to states would deny third party stakeholders, such as life and disability income insurers, any means of resolving complex questions as to what rule they are subject to. One commenter noted that because it is an insurer who will be liable if it incorrectly analyzes the interplay between laws and reaches an incorrect conclusion, there would be little incentive for the states to request clarification. It would also cause large administrative burdens which, it was stated, would be costly and confusing. It was also suggested that the request for the exception be made to the applicable state's attorney general or chief legal officer, as well as the Secretary. Various changes to the language were suggested, such as adding that "a covered entity, or any other entity impacted by this rule" be allowed to submit the written request.

Response: We agree, and have changed § 164.204(a) below accordingly.

The decision to eliminate advisory opinions makes this issue moot with respect to those opinions.

Comment: Several commenters noted that it was unclear under the proposed rule which state officials would be authorized to request a determination.

Response: We agree that the proposed rule was unclear in this respect. The final rule clarifies who may make the request for a state, with respect to exception determinations. See, § 160.204(a). The language adopted should ensure that the Secretary receives an authoritative statement from the state. At the same time, this language provides states with flexibility, in that the governor or other chief elected official may choose to designate other state officials to make such requests.

Comment: Many commenters recommended that a process be established whereby HHS performs an initial state-by-state critical analysis to provide guidance on which state laws will not be preempted; most suggested that such an analysis (alternatively referred to as a database or clearinghouse) should be completed before providers would be required to come into compliance. Many of these comments argued that the Secretary should bear the cost for the analyses of state law, disagreeing with the premise stated in the preamble to the proposed rules that it is more efficient for the private market to complete the state-by-state review. Several comments also requested that HHS continue to maintain and monitor the exception determination process, and update the database over time in order to provide guidance and certainty on the interaction of the federal rules with newly enacted or amended state laws that are produced after the final rule. Some comments recommended that each state be required to certify agreement with the HHS analyses.

In contrast, one hospital association noted concerns that the Secretary would conduct a nationwide analysis of state laws. The comment stated that implementation would be difficult since much of the law is a product of common law, and such state-specific research should only be attempted by experienced health care attorneys in each jurisdiction.

Response: These comments seem to be principally concerned with potential conflicts between state privacy laws and the privacy standards, because, as is more fully explained below, preemption of contrary state laws not relating to privacy is automatic unless the Secretary affirmatively acts under section 1178(a)(2)(A) to grant an exception. We recognize that the provisions of sections 1178(b) (state public health laws), and 1178(c) (state regulation of health plans) similarly preserve state laws in those areas, but very little of the public comment appeared to be concerned with these latter statutory provisions. Accordingly, we respond below to what we see as the commenters' main concern.

The Department will not do the kind of global analysis requested by many of these comments. What these comments are in effect seeking is a global advisory opinion as to when the federal privacy standards will control and when they will not. We understand the desire for certainty underlying these comments. Nonetheless, the reasons set out above as the basis for our decision not to establish a formal advisory opinion process apply equally to these requests. We also do not agree that the task of evaluating the requirements below in light of existing state law is unduly burdensome or unreasonable. Rather, it is common for new federal requirements to necessitate an examination by the regulated entities of the interaction between existing state law and the federal requirements incident to coming into compliance.

We agree, however, that the case is different where the Secretary has affirmatively acted, either through granting an exception under section 1178(a)(2)(A) or by making a specific determination about the effect of a particular state privacy law in, for example, the course of determining an entity's compliance with the privacy standards. As is discussed below, the Department intends to make notice of exception determinations that it makes routinely available.

We do not agree with the comments suggesting that compliance by covered entities be delayed pending completion of an analysis by the Secretary and that states be required to certify agreement with the Secretary's analysis, as we are not institutionalizing the advisory opinion/analysis process upon which these comments are predicated. Furthermore, with respect to the suggestion regarding delaying the compliance date, Congress provided in section 1175(b) of the Act for a delay in when compliance is required to accommodate the needs of covered entities to address implementation issues such as those raised by these comments. With respect to the suggestion regarding requiring states to certify their agreement with the Secretary's analysis, we have no authority to do this.

Comment: Several commenters criticized the proposed provision for annual publication of determinations and advisory opinions in the Federal Register as inadequate. They suggested that more frequent notices should be made and the regulation be changed accordingly, to provide for publication either quarterly or within a few days of a determination. A few commenters suggested that any determinations made, or opinions issued, by the Secretary be published on the Department's website within 10 days or a few days of the determination or opinion.

Response: We agree that the proposed provision for annual publication was inadequate and have accordingly deleted it. Subpart B contains no express requirement for publication, as the Department is free to publish its determinations absent such a requirement. It is our intention to publish notice of exception determinations on a periodic basis in the Federal Register. We will also consider other avenues of making such decisions publicly available as we move into the implementation process.

Comment: A few commenters argued that the process for obtaining an exception determination or an advisory opinion from the Secretary will result in a period of time in which there is confusion as to whether state or federal law applies. The proposed regulations say that the federal provisions will remain effective until the Secretary makes a determination concerning the preemption issue. This means that, for example, a state law that was enacted and enforced for many years will be preempted by federal law for the period of time during which it takes the Secretary to make a determination. Then if the Secretary determines that the state law is not preempted, the state law will again become effective. Such situations will result in confusion and unintended violations of the law. One of the commenters suggested that requests for exceptions be required only when a challenge is brought against a particular state law, and that a presumption of validity should lie with state laws. Another commenter, however, urged that "instead of the presumption of preemption, the state laws in question would be presumed to be subject to the exception unless or until the Secretary makes a determination to the contrary."

Response: It is true that the effect of section 1178(a)(2)(A) is that the federal standards will preempt contrary state law and that such preemption will not be removed unless and until the Secretary acts to grant an exception under that section (assuming, of course, that another provision of section 1178 does not apply). We do not agree, however, that confusion should result, where the issue is whether a given state law has been preempted under section 1178(a)(2)(A). Because preemption is automatic with respect to state laws that do not come within the other provisions of section 1178 (i.e., sections 1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted until the Secretary affirmatively acts to preserve them from preemption by granting an exception under section 1178(a)(2)(A).

We cannot accept the suggestion that a presumption of validity attach to state laws, and that states not be required to request exceptions except in very narrow circumstances. The statutory scheme is the opposite: the statute effects preemption in the section 1178(a)(2)(A) context unless the Secretary affirmatively acts to except the contrary state law in question.

With respect to preemption under sections 1178(b) and 1178(c) (the carve-outs for state public health laws and state regulation of health plans), we do not agree that preemption is likely to be a major cause of uncertainty. We have deferred to Congressional intent by crafting the permissible releases for public health, abuse, and oversight broadly. See, §§ 164.512(b) - (d) below. Since there must first be a conflict between a state law and a federal requirement in order for an issue of preemption to even arise, we think that, as a practical matter, few preemption questions should arise with respect to sections 1178(b) and 1178(c).

With respect to preemption of state privacy laws under section 1178(a)(2)(B), however, we agree that the situation may be more difficult to ascertain, because the Secretary does not determine the preemption status of a state law under that section, unlike the situation with respect to section 1178(a)(2)(A). We have tried to define the term "more stringent" to identify and particularize the factors to be considered by courts to those relevant to privacy interests. The more specific (than the statute) definition of this term at § 160.202 below should provide some guidance in making the determination as to which law prevails. Ambiguity in the state of the law might also be a factor to be taken into account in determining whether a penalty should be applied.

Comment: Several comments recommended that exception determinations or advisory opinions encompass a state act or code in its entirety (in lieu of a provision-specific evaluation) if it is considered more stringent as a whole than the regulation. It was argued that since the provisions of a given law are typically interconnected and related, adopting or overriding them on a provision-by-provision basis would result in distortions and/or unintended consequences or loopholes. For example, when a state law includes authorization provisions, some of which are consistent with the federal requirements and some which are not, the cleanest approach is to view the state law as inconsistent with the federal requirements and thus preempted in its entirety. Similarly, another comment suggested that state confidentiality laws written to address the specific needs of individuals served within a discrete system of care be considered as a whole in assessing whether they are as stringent or more stringent than the federal requirements. Another comment requested explicit clarification that state laws with a broader scope than the regulation will be viewed as more stringent and be allowed to stand.

Response: We have not adopted the approach suggested by these comments. As discussed above with respect to the definition of the term "more stringent," it is our view that the statute precludes the approach suggested. We also suggest that this approach ignores the fact that each separate provision of law usually represents a nuanced policy choice to, for example, permit this use or prohibit that disclosure; the aggregated approach proposed would fail to recognize and weigh such policy choices.

Comment: One comment recommended that the final rule: permit requests for exception determinations and advisory opinions as of the date of publication of the final rule, require the Secretary to notify the requestor within a specified short period of time of all additional information needed, and prohibit enforcement action until the Secretary issues a response.

Response: With respect to the first recommendation, we clarify that requests for exception determinations may be made at any time; since the process for issuing advisory opinions has not been adopted, this recommendation is moot as it pertains to advisory opinions. With respect to the second recommendation, we will undertake to process exception requests as expeditiously as possible, but, for the reasons discussed below in connection with the comments relating to setting deadlines for those determinations, we cannot commit at this time to a "specified short period of time" within which the Secretary may request additional information. We see no reason to agree to the third recommendation. Because contrary state laws for which an exception is available only under section 1178(a)(2)(A) will be preempted by operation of law unless and until the Secretary acts to grant an exception, there will be an ascertainable standard for compliance purposes, and enforcement action would be appropriate where such compliance did not occur.

Sections 160.203(a) and 160.204(a) - Exception Determinations

Section 160.203(a) - Criteria for Exception Determinations

Comment: Numerous comments criticized the proposed criteria for their substance or lack thereof. A number of commenters argued that the effectiveness language that was added to the third statutory criterion made the exception so massive that it would swallow the rule. These comments generally expressed concern that laws that were less protective of privacy would be granted exceptions under this language. Other commenters criticized the criteria generally as creating a large loophole that would let state laws that do not protect privacy trump the federal privacy standards.

Response: We agree with these comments. The scope of the statutory criteria is ambiguous, but they could be read so broadly as to largely swallow the federal protections. We do not think that this was Congress's intent. Accordingly, we have added language to most of the statutory criteria clarifying their scope. With respect to the criteria at 1178(a)(2)(A)(i), this clarifying language generally ties the criteria more specifically to the concern with protecting and making more efficient the health care delivery and payment system that underlies the Administrative Simplification provisions of HIPAA, but, with respect to the catch-all provision at section 1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced with such concerns, to the extent relevant. We require that exceptions for rules to ensure appropriate state regulation of insurance and health plans be stated in a statute or regulation, so that such exceptions will be clearly tied to statements of priorities made by publicly accountable bodies (e.g., through the public comment process for regulations, and by elected officials through statutes). With respect to the criterion at section 1178(a)(2)(A)(ii), we have further delineated what "addresses controlled substances" means. The language provided, which builds on concepts at 21 U.S.C. 821 and the Medicare regulations at 42 CFR 1001.2, delineates the area within which the government traditionally regulates controlled substances, both civilly and criminally; it is our view that HIPAA was not intended to displace such regulation.

Comment: Several commenters urged that the request for determination by the Secretary under proposed § 160.204(a) be limited to cases where an exception is absolutely necessary, and that in making such a determination, the Secretary should be required to make a determination that the benefits of granting an exception outweigh the potential harm and risk of disclosure in violation of the regulation.

Response: We have not further defined the statutory term "necessary", as requested. We believe that the determination of what is "necessary" will be fact-specific and context dependent, and should not be further circumscribed absent such specifics. The state will need to make its case that the state law in question is sufficiently "necessary" to accomplish the particular statutory ground for exception that it should trump the contrary federal standard, requirement, or implementation specification.

Comment: One commenter noted that a state should be required to explain whether it has taken any action to correct any less stringent state law for which an exception has been requested. This commenter recommended that a section be added to proposed § 160.204(a) stating that "a state must specify what, if any, action has been taken to amend the state law to comply with the federal regulations." Another comment, received in the Transactions rulemaking, took the position that exception determinations should be granted only if the state standards in question exceeded the national standards.

Response: The first and last comments appear to confuse the "more stringent" criterion that applies under section 1178(a)(2)(B) of the Act with the criteria that apply to exceptions under section 1178(a)(2)(A). We are also not adopting the language suggested by the first comment, because we do not agree that states should necessarily have to try to amend their state laws as a precondition to requesting exceptions under section 1178(a)(2)(A). Rather, the question should be whether the state has made a convincing case that the state law in question is sufficiently necessary for one of the statutory purposes that it should trump the contrary federal policy.

Comment: One commenter stated that exceptions for state laws that are contrary to the federal standards should not be preempted where the state and federal standards are found to be equal.

Response: This suggestion has not been adopted, as it is not consistent with the statute. With respect to the administrative simplification standards in general, it is clear that the intent of Congress was to preempt contrary state laws except in the limited areas specified as exceptions or carve-outs. See, section 1178. This statutory approach is consistent with the underlying goal of simplifying health care transactions through the adoption of uniform national standards. Even with respect to state laws relating to the privacy of medical information, the statute shields such state laws from preemption by the federal standards only if they are "more" stringent than the related federal standard or implementation specification.

Comment: One commenter noted that determinations would apply only to transactions that are wholly intrastate. Thus, any element of a health care transaction that would implicate more than one state's law would automatically preclude the Secretary's evaluation as to whether the laws were more or less stringent than the federal requirement. Other commenters expressed confusion about this proposed requirement, noting that providers and plans operate now in a multi-state environment.

Response: We agree with the commenters and have dropped the proposed requirement. As noted by the commenters, health care entities now typically operate in a multi-state environment, and so already make the choice-of-law judgements that are necessary in multi-state transactions. It is the result of that calculus that will have to be weighed against the federal standards, requirements, and implementation specifications in the preemption analysis.

Comment: One comment received in the Transactions rulemaking suggested that the Department should allow exceptions to the standard transactions to accommodate abbreviated transactions between state agencies, such as claims between a public health department and the state Medicaid agency. Another comment requested an exception for Home and Community Based Waiver Services from the transactions standards.

Response: The concerns raised by these comments would seem to be more properly addressed through the process established for maintaining and modifying the transactions standards. If the concerns underlying these comments cannot be addressed in this manner, however, there is nothing in the rules below to preclude states from requesting exceptions in such cases. They will then have to make the case that one or more grounds for exception applies.

§ 160.204(a) - Process for Exception Determinations - Comments and Responses

Comment: Several comments received in the Transactions rulemaking stated that the process for applying for and granting exception determinations (referred to as "waivers" by some) needed to be spelled out in the final rule.

Response: We agree with these comments. As noted above, since no process was proposed in the Transactions rulemaking, a process for making exception determinations was not adopted in those final rules. Subpart B below adopts a process for making exception determinations, which responds to these comments.

Comment: Comments stated that the exception process would be burdensome, unwieldy, and time-consuming for state agencies as well as the Department. One comment took the position that states should not be required to submit exception requests to the Department under proposed § 160.203(a), but could provide documentation that the state law meets one of the conditions articulated in proposed § 160.203.

Response: We disagree that the process adopted at § 164.204 below will be burdensome, unwieldy, or time-consuming. The only things the regulation describes are the showings that a requestor must make as part of its submission, and all are relevant to the issue to be determined by the Secretary. How much information is submitted is, generally speaking, in the requestor's control, and the regulation places no restrictions on how the requestor obtains it, whether by acting directly, by working with providers and/or plans, or by working with others. With respect to the suggestion that states not be required to submit exception requests, we disagree that this suggestion is either statutorily authorized or advisable. We read this comment as implicitly suggesting that the Secretary must proactively identify instances of conflict and evaluate them. This suggestion is, thus, at bottom the same as the many suggestions that we create a database or compendium of controlling law, and it is rejected for the same reasons.

Comment: Several comments urged that all state requests for non-preemption include a process for public participation. These comments believe that members of the public and other interested stakeholders should be allowed to submit comments on a state's request for exception, and that these comments should be reviewed and considered by the Secretary in determining whether the exception should be granted. One comment suggested that the Secretary at least give notice to the citizens of the state prior to granting an exception.

Response: The revision to § 160.204(a), to permit requests for exception determinations by any person, responds to these comments.

Comment: Many commenters noted that the lack of a clear and reasonable time line for the Secretary to issue an exception determination would not provide sufficient assurance that the questions regarding what rules apply will be resolved in a time frame that will allow business to be conducted properly, and argued that this would increase confusion and uncertainty about which statutes and regulations should be followed. Timeframes of 60 or 90 days were suggested. One group suggested that, if a state does not receive a response from HHS within 60 days, the waiver should be deemed approved.

Response: The workload prioritization and management considerations discussed above with respect to advisory opinions are also relevant here and make us reluctant to agree to a deadline for making exception determinations. This is particularly true at the outset, since we have no experience with such requests. We therefore have no basis for determining how long processing such requests will take, how many requests we will need to process, or what resources will be available for such processing. We agree that states and other requesters should receive timely responses and will make every effort to make determinations as expeditiously as possible, but we cannot commit to firm deadlines in this initial rule. Once we have experience in handling exception requests, we will consult with states and others in regard to their experiences and concerns and their suggestions for improving the Secretary's expeditious handling of such requests.

We are not accepting the suggestion that requests for exception be deemed approved if not acted upon in some defined time period. Section 1178(a)(2)(A) requires a specific determination by the Secretary. The suggested policy would not be consistent with this statutory requirement. It is also inadvisable from a policy standpoint, in that it would tend to maximize exceptions. This would be contrary to the underlying statutory policy in favor of uniform federal standards.

Comment: One commenter took exception to the requirement for states to seek a determination from the Department that a provision of state law is necessary to prevent fraud and abuse or to ensure appropriate state regulation of insurance plans, contending that this mandate could interfere with the Insurance Commissioners' ability to do their jobs. Another commenter suggested that the regulation specifically recognize the broad scope of state insurance department activities, such as market conduct examinations, enforcement investigations, and consumer complaint handling.

Response: The first comment raises an issue that lies outside our legal authority to address, as section 1178(a)(2)(A) clearly mandates that the Secretary make a determination in these areas. With respect to the second comment, to the extent these concerns pertain to health plans, we believe that the provisions at § 164.512 relating to oversight and disclosures required by law should address the concerns underlying this comment.

Section 160.204(a)(4) - Period of Effectiveness of Exception Determinations

Comment: Numerous commenters stated that the proposed three year limitation on the effectiveness of exception determinations would pose significant problems and should be limited to one year, since a one year limitation would provide more frequent review of the necessity for exceptions. The commenters expressed concern that state laws which provide less privacy protection than the federal regulation would be given exceptions by the Secretary and thus argued that the exceptions should be more limited in duration or that the Secretary should require that each request, regardless of duration, include a description of the length of time such an exception would be needed.

One state government commenter, however, argued that the 3 year limit should be eliminated entirely, on the ground that requiring a redetermination every three years would be burdensome for the states and be a waste of time and resources for all parties. Other commenters, including two state agencies, suggested that the exemption should remain effective until either the state law or the federal regulation is changed. Another commenter suggested that the three year sunset be deleted and that the final rule provide for automatic review to determine if changes in circumstance or law would necessitate amendment or deletion of the opinion. Other recommendations included deeming the state law as continuing in effect upon the submission of a state application for an exemption rather than waiting for a determination by the Secretary that may not occur for a substantial period of time.

Response: We are persuaded that the proposed 3 year limit on exception determinations does not make sense where neither law providing the basis for the exception has changed in the interim. We also agree that where either law has changed, a previously granted exception should not continue. Section 160.205(a) below addresses these concerns.

Sections 160.203(b) and 160.204(b) - Advisory Opinions

Section 160.203(b) - Effect of Advisory Opinions

Comment: Several commenters questioned whether or not DHHS has standing to issue binding advisory opinions and recommended that the Department clarify this issue before implementation of this regulation. One respondent suggested that the Department clarify in the final rule the legal issues on which it will opine in advisory opinion requests, and state that in responding to requests for advisory opinions the Department will not opine on the preemptive force of ERISA with respect to state laws governing the privacy of individually identifiable health information, since interpretations as to the scope and extent of ERISA's preemption provisions are outside of the Department's jurisdictional authority.

One commenter asked whether a state could enforce a state law which the Secretary had indicated through an advisory opinion is preempted by federal law. This commenter also asked whether the state would be subject to penalties if it chose to continue to enforce its own laws.

Response: As discussed above, in part for reasons raised by these comments, the Department has decided not to have a formal process for issuing advisory opinions, as proposed.

Several of these concerns, however, raise issues of broader concern that need to be addressed. First, we disagree that the Secretary lacks legal authority to opine on whether or not state privacy laws are preempted. The Secretary is charged by law with determining compliance, and where state law and the federal requirements conflict, a determination of which law controls will have to be made in order to determine whether the federal standard, requirement, or implementation specification at issue has been violated. Thus, the Secretary cannot carry out her enforcement functions without making such determinations. It is further reasonable that, if the Secretary makes such determinations, she can make those determinations known, for whatever persuasive effect they may have.

The questions as to whether a state could enforce, or would be subject to penalties if it chose to continue to enforce, its own laws following a denial by the Secretary of an exception request under § 160.203 or a holding by a court of competent jurisdiction that a state privacy law had been preempted by a contrary federal privacy standard raise several issues. First, a state law is preempted under the Act only to the extent that it applies to covered entities; thus, a state is free to continue to enforce a "preempted" state law against non-covered entities to which the state law applies. If there is a question of coverage, states may wish to establish processes to ascertain which entities within their borders are covered entities within the meaning of these rules. Second, with respect to covered entities, if a state were to try to enforce a preempted state law against such entities, it would presumably be acting without legal authority in so doing. We cannot speak to what remedies might be available to covered entities to protect themselves against such wrongful state action, but we assume that covered entities could seek judicial relief, if all else failed. With respect to the issue of imposing penalties on states, we do not see this as likely. The only situation that we can envision in which penalties might be imposed on a state would be if a state agency were itself a covered entity and followed a preempted state law, thereby violating the contrary federal standard, requirement, or implementation specification.

Section 160.204(b) - Process for Advisory Opinions

Comment: Several commenters stated that it was unclear whether a state would be required to submit a request for an advisory opinion in order for the law to be considered more stringent and thus not preempted. The Department should clarify whether a state law could be non-preempted even without such an advisory opinion. Another commenter requested that the final rule explicitly state that the stricter rule always applies, whether it be state or federal, and regardless of whether there is any conflict between state and federal law.

Response: The elimination of the proposed process for advisory opinions renders moot the first question. Also, the preceding response clarifies that which law preempts in the privacy context (assuming that the state law and federal requirement are "contrary") is a matter of which one is the "more stringent." This is not a matter which the Secretary will ultimately determine; rather, this is a question about which the courts will ultimately make the final determination. With respect to the second comment, we believe that § 160.203(b) below responds to this issue, but we would note that the statute already provides for this.

Comment: Several commenters supported the decision to limit the parties who may request advisory opinions to the state. These commenters did not believe that insurers should be allowed to request an advisory opinion and open every state law up to challenge and review.

Several commenters requested that guidance on advisory opinions be provided in all circumstances, not only at the Secretary's discretion. It was suggested that proposed § 160.204(b)(2)(iv) be revised to read as follows: "A state may submit a written request to the Secretary for an advisory opinion under this paragraph. The request must include the following information: the reasons why the state law should or should not be preempted by the federal standard, requirement, or implementation specification, including how the state law meets the criteria at § 160.203(b)."

Response: The decision not to have a formal process for issuing advisory opinions renders these issues moot.

Sections 160.203(c) and 160.203(d) - Statutory Carve-Outs

Comment: Several commenters asked that the Department provide more specific examples itemizing activities traditionally regulated by the state that could constitute "carve-out" exceptions. These commenters also requested that the Department include language in the regulation stating that if a state law falls within several different exceptions, the state chooses which determination exception shall apply.

Response: We are concerned that itemizing examples in this way could leave out important state laws or create inadvertent negative implications that laws not listed are not included. However, as explained above, we have designed the types of activities that are permissive disclosures for public health under § 164.512(b) below in part to come within the carve-out effected by section 1178(b); while the state regulatory activities covered by section 1178(c) will generally come within § 164.512(d) below. With respect to the comments asking that a state get to "choose" which exception it comes under, we have in effect provided for this with respect to exceptions under section 1178(a)(2)(A), by giving the state the right to request an exception under that section. With respect to exceptions under section 1178(a)(2)(B), those exceptions occur by operation of law, and it is not within the Secretary's power to "let" the state choose whether an exception occurs under that section.

Comment: Several commenters took the position that the Secretary should not limit the procedural requirements in proposed § 160.204(a) to only those applications under proposed § 160.203(a). They urged that the requirements of proposed § 160.204(a) should also apply to preemption under sections 1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules should provide for exception determinations with respect to the matters covered by these provisions of the statute; such additional provisions would provide clear procedures for states to follow and ensure that requests for exceptions are adequately documented.

A slightly different approach was taken by several commenters, who recommended that proposed § 160.204(b) be amended to clarify that the Secretary will also issue advisory opinions as to whether a state law constitutes an exception under proposed §§ 160.203(c) and 160.203(d). This change would, they argued, give states the same opportunity for guidance that they have under § 160.203(a) and (b), and as such, avoid costly lawsuits to preserve state laws.

Response: We are not taking either of the recommended courses of action. With respect to the recommendation that we expand the exception determination process to encompass exceptions under sections 1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to grant exceptions under these sections. Under section 1178, the Secretary has authority to make exception determinations only with respect to the matters covered by section 1178(a)(2)(A); contrary state laws coming within section 1178(a)(2)(B) are preempted if not more stringent, while if a contrary state law comes within section 1178(b) or section 1178(c), it is not preempted. These latter statutory provisions operate by their own terms. Thus, it is not within the Secretary's authority to establish the determination process which these comments seek.

With respect to the request seeking advisory opinions in the section 1178(b) and 1178(c) situations, we agree that we have the authority to issue such opinions. However, the considerations described above that have led us not to adopt a formal process for issuing advisory opinions in the privacy context apply with equal force and effect here.

Comment: One commenter argued that it would be unnecessarily burdensome for state health data agencies (whose focus is on the cost of healthcare or improving Medicare, Medicaid, or the healthcare system) to obtain a specific determination from the Department for an exception under proposed § 160.203(c). States should be required only to notify the Secretary of their own determination that such collection is necessary. It was also argued that cases where the statutory carve-outs apply should not require a Secretarial determination.

Response: We clarify that no Secretarial determination is required for activities that fall into one of the statutory carve-outs. With respect to data collections for state health data agencies, we note that provision has been made for many of these activities in several provisions of the rules below, such as the provisions relating to disclosures required by law (§ 164.512(a)), disclosures for oversight (§ 164.512(d)), and disclosures for public health (§ 164.512(b)). Some disclosures for Medicare and Medicaid purposes may also come within the definition of health care operations. A fuller discussion of this issue appears in connection with § 164.512 below.

Constitutional Comments and Responses

Comment: Several commenters suggested that as a general matter the rule is unconstitutional.

Response: We disagree that the rule is unconstitutional. The particular grounds for this conclusion are set out with respect to particular constitutional issues in the responses below. With respect to the comments that simply made this general assertion, the lack of detail of the comments makes a substantive response impossible.

Article II

Comment: One commenter contended that the Secretary improperly delegated authority to private entities by requiring covered entities to enter into contracts with, monitor, and take action for violations of the contract against their business partners. These comments assert that the selection of these entities to "enforce" the regulations violates the Executive Powers Clause and the Appointments and Take Care Clauses.

Response: We reject the assertion that the business associate provisions constitute an improper delegation of executive power to private entities. HIPAA provides HHS with authority to enforce the regulation against covered entities. The rules below regulate only the conduct of the covered entity; to the extent a covered entity chooses to conduct its functions through a business associate, those functions are still functions of the covered entity. Thus, no improper delegation has occurred because what is being regulated are the actions of the covered entity, not the actions of the business associate in its independent capacity.

We also reject the suggestion that the business associates provisions constitute an improper appointment of covered entities to enforce the regulation and violate the Take Care Clause. Because the Secretary has not delegated authority to covered entities, the inference that she has appointed covered entities to exercise such authority misses the mark.

Commerce Clause

Comment: A few commenters suggested that the privacy regulation regulates activities that are not in interstate commerce and which are, therefore, beyond the powers the U.S. Constitution gives the federal government.

Response: We disagree. Health care providers, health plans, and health care clearinghouses are engaged in economic and commercial activities, including the exchange of individually identifiable health information electronically across state lines. These activities constitute interstate commerce. Therefore, they come within the scope of Congress' power to regulate interstate commerce.

Nondelegation Doctrine

Comment: Some commenters objected to the manner by which Congress provided the Secretary authority to promulgate this regulation. These comments asserted that Congress violated the nondelegation doctrine by (1) not providing an "intelligible principle" to guide the agency, (2) not establishing "ascertainable standards," and (3) improperly permitting the Secretary to make social policy decisions.

Response: We disagree. HIPAA clearly delineates Congress' general policy to establish strict privacy protections for individually identifiable health information to encourage electronic transactions. Congress also established boundaries limiting the Secretary's authority. Congress established these limitations in several ways, including by calling for privacy standards for "individually identifiable health information"; specifying that privacy standards must address individuals' rights regarding their individually identifiable health information, the procedures for exercising those rights, and the particular uses and disclosures to be authorized or required; restricting the direct application of the privacy standards to "covered entities," which Congress defined; requiring consultation with the National Committee on Vital and Health Statistics and the Attorney General; specifying the circumstances under which the federal requirements would supersede state laws; and specifying the civil and criminal penalties the Secretary could impose for violations of the regulation. These limitations also serve as "ascertainable standards" upon which reviewing courts can rely to determine the validity of the exercise of authority.

Although Congress could have chosen to impose expressly an exhaustive list of specifications that must be met in order to achieve the protective purposes of the HIPAA, it was entirely permissible for Congress to entrust to the Secretary the task of providing these specifications based on her experience and expertise in dealing with these complex and technical matters.

We disagree with the comments that Congress improperly delegated Congressional policy choices to her. Congress clearly decided to create federal standards protecting the privacy of "individually identifiable health information" and not to preempt state laws that are more stringent. Congress also determined over whom the Secretary would have authority, the type of information protected, and the minimum level of regulation.

Separation of Powers

Comment: Some commenters asserted that the federal government may not preempt state laws that are not as strict as the privacy regulation because to do so would violate the separation of powers in the U.S. Constitution. One comment suggested that the rules raised a substantial constitutional issue because, as proposed, they permitted the Secretary to make determinations on preemption, which is a role reserved for the judiciary.

Response: We disagree. We note that this comment only pertains to determinations under section 1178(a)(2)(A); as discussed above, the rules below provide for no Secretarial determinations with respect to state privacy laws coming within section 1178(a)(2)(B). With respect to determinations under section 1178(a)(2)(A), however, the final rules, like the proposed rules, provide that at a state's request the Secretary may make certain determinations regarding the preemptive effect of the rules on a particular state law. As is usually the case with administrative decisions, these are subject to judicial review pursuant to the Administrative Procedure Act.

First Amendment

Comment: Some comments suggested that the rules violated the First Amendment. They asserted that if the rule included Christian Science practitioners as covered entities it would violate the separation of church and state doctrine.

Response: We disagree. The First Amendment does not always prohibit the federal government from regulating secular activities of religious organizations. However, we address concerns relating to Christian Science practitioners more fully in the response to comments discussion of the definition of "covered entity" in § 160.103.

Fourth Amendment

Comment: Many comments expressed Fourth Amendment concerns about various proposed provisions. These comments fall into two categories: general concerns about warrantless searches and specific concerns about administrative searches. Several comments argued that the proposed regulations permit law enforcement and government officials access to protected health information without first requiring a judicial search warrant or an individual's consent. These comments rejected the applicability of any of the existing exceptions permitting warrantless searches in this context. Another comment argued that federal and state police should be able to obtain personal medical records only with the informed consent of an individual. Many of these comments also expressed concern that protected health information could be provided to government or private agencies for inclusion in a governmental health data system.

Response: We disagree that the provisions of these rules that permit disclosures for law enforcement purposes and governmental health data systems generally violate the Fourth Amendment. The privacy regulation does not create new access rights for law enforcement. Rather, it refrains from placing a significant barrier in front of access rights that law enforcement currently has under existing legal authority. While the regulation may permit a covered entity to make disclosures in specified instances, it does not require the covered entity to make the disclosure. Thus, because we are not modifying existing law regarding disclosures to law enforcement officials, except to strengthen the requirements related to requests already authorized under law, and are not requiring any such disclosures, the privacy regulation does not infringe upon individuals' Fourth Amendment rights. We discuss the rationale underlying the permissible disclosures to law enforcement officials more fully in the preamble discussion relating to § 164.512(f).

We note that the proposed provision relating to disclosures to government health data systems has been eliminated in the final rule. However, to the extent that the comments can be seen as raising concern over disclosure of protected health information to government agencies for public health, health oversight, or other purposes permitted by the final rule, the reasoning in the previous paragraph applies.

Comment: One commenter suggested that the rules violate the Fourth Amendment by requiring covered entities to provide access to the Secretary to their books, records, accounts, and facilities to ensure compliance with these rules. The commenter also suggested that the requirement that covered entities enter into agreements with their business partners to make their records available to the Secretary for inspection as well also violates the warrant requirement of the Fourth Amendment.

Response: We disagree. These requirements are consistent with U.S. Supreme Court cases holding that warrantless administrative searches of commercial property are not per se violations of the Fourth Amendment. The provisions requiring that covered entities provide access to certain material to determine compliance with the regulation come within the well-settled exception regarding closely regulated businesses and industries to the warrant requirement. From state and local licensure laws to the federal fraud and abuse statutes and regulations, the health care industry is one of the most tightly regulated businesses in the country. Because the industry has such an extensive history of government oversight and involvement, those operating within it have no reasonable expectation of privacy from the government such that a warrant would be required to determine compliance with the rules.

In addition, the cases cited by the commenters concern unannounced searches of the premises and facilities of particular entities. Because our enforcement provisions only provide for the review of books, records, and other information and only during normal business hours with notice, except for exceptional situations, this case law does not apply.

As for business associates, they voluntarily enter into their agreements with covered entities. This agreement, therefore, functions as a knowing and voluntary consent to the search (even assuming it could be understood to be a search) and obviates the need for a warrant.

Fifth Amendment

Comment: Several comments asserted that the proposed rules violated the Fifth Amendment because, in the commenters' views, they authorized the taking of private property without just compensation or due process of law.

Response: We disagree. The rules set forth below do not address the issue of who owns an individual's medical record. Instead, they address what uses and disclosures of protected health information may be made by covered entities with or without a consent or authorization. As described in response to a similar comment, medical records have historically been the property of the health care provider or medical facility that created them. In some states, statutes directly provide these entities with ownership. These laws are limited by laws that provide patients or their representatives with access to the records or that provide the patient with an ownership interest in the information within the records. As we discuss, the final rule is consistent with current state law that provides patients access to protected health information, but not ownership of medical records. State laws that provide patients with greater access would remain in effect. Therefore, because patients do not own their records, no taking can occur. As for their interest in the information, the final rule retains their rights. As for covered entities, the final rule does not take away their ownership rights or make their ownership interest in the protected health information worthless. Therefore, no taking has occurred in these situations either.

Ninth and Tenth Amendments

Comment: Several comments asserted that the proposed rules violated the Ninth and Tenth Amendments. One commenter suggested that the Ninth Amendment prohibits long and complicated regulations. Other commenters suggested that the proposed rules authorized the compelled disclosure of individually identifiable health information in violation of State constitutional provisions, such as those in California and Florida. Similarly, a couple of commenters asserted that the privacy rules violate the Tenth Amendment.

Response: We disagree. The Ninth and Tenth Amendments address the rights retained by the people and acknowledge that the States or the people are reserved the powers not delegated to the federal government and not otherwise prohibited by the Constitution. Because HHS is regulating under a delegation of authority from Congress in an area that affects interstate commerce, we are within the powers provided to Congress in the Constitution. Nothing in the Ninth Amendment, or any other provision of the Constitution, restricts the length or complexity of any law. Additionally, we do not believe the rules below impermissibly authorize behavior that violates State constitutions. This rule requires disclosure only to the individual or to the Secretary to enforce this rule. As noted in the preamble discussion of "Preemption," these rules do not preempt State laws, including constitutional provisions, that are contrary to and more stringent, as defined at § 160.502, than these rules. See the discussion of "Preemption" for further clarification. Therefore, if these State constitutions are contrary to the rule below and provide greater protection, they remain in full force; if they do not, they are preempted, in accordance with the Supremacy Clause of the Constitution.

Right to Privacy

Comment: Several comments suggested that the proposed regulation would violate the right to privacy guaranteed by the First, Fourth, Fifth, and Ninth Amendments because it would permit covered entities to disclose protected health information without the consent of the individual.

Response: These comments did not provide specific facts or legal basis for the claims. We are, thus, unable to provide a substantive response to these particular comments. However, we note that the rule requires disclosures only to the individual or to the Secretary to determine compliance with this rule. Other uses or disclosures under this rule are permissive, not required. Therefore, if a particular use or disclosure under this rule is viewed as interfering with a right that prohibited the use or disclosure, the rule itself is not what requires the use or disclosure.

Void for Vagueness

Comment: One comment suggested that the Secretary's use of a "reasonableness" standard is unconstitutionally vague. Specifically, this comment objected to the requirement that covered entities use "reasonable" efforts to use or disclose the minimum amount of protected health information, to ensure that business partners comply with the privacy provisions of their contracts, to notify business partners of any amendments or corrections to protected health information, and to verify the identity of individuals requesting information, as well as charge only a "reasonable" fee for inspecting and copying health information. This comment asserted that the Secretary provided "inadequate guidance" as to what qualifies as "reasonable."

Response: We disagree with the comment's suggestion that by applying a "reasonableness" standard, the regulation has failed to provide for "fair warning" or "fair enforcement." The "reasonableness" standard is well-established in law; for example, it is the foundation of the common law of torts. Courts also have consistently held as constitutional statutes that rely upon a "reasonableness" standard. Our reliance upon a "reasonableness" standard, thus, provides covered entities with constitutionally sufficient guidance.

Criminal Intent

Comment: One comment argued that the regulation's reliance upon a "reasonableness" standard criminalizes "unreasonable efforts" without requiring criminal intent or mens rea.

Response: We reject this suggestion because HIPAA clearly provides the criminal intent requirement. Specifically, HIPAA provides that a "person who knowingly and in violation of this part - (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b)." HIPAA section 1177 (emphasis added). Subsection (b) also relies on a knowledge standard in outlining the three levels of criminal sanctions. Thus, Congress, not the Secretary, established the mens rea by including the term "knowingly" in the criminal penalty provisions of HIPAA.

Data Collection

Comment: One commenter suggested that the U.S. Constitution authorized the collection of data on individuals only for the purpose of the census.

Response: While it might be true that the U.S. Constitution expressly discusses the national census, it does not forbid federal agencies from collecting data for other purposes. The ability of agencies to collect non-census data has been upheld by the courts.

Relationship to Other Federal Laws

Comment: We received several comments that sought clarification of the interaction of various federal laws and the privacy regulation. Many of these comments simply listed federal laws and regulations with which the commenter currently must comply. For example, commenters noted that they must comply with regulations relating to safety, public health, and civil rights, including Medicare and Medicaid, the Americans with Disabilities Act, the Family and Medical Leave Act, the Federal Aviation Administration regulations, the Department of Transportation regulations, the Federal Highway Administration regulations, the Occupational Safety and Health Administration regulations, and the Environmental Protection Agency regulations, and alcohol and drug free workplace rules. These commenters suggested that the regulation state clearly and unequivocally that uses or disclosures of protected health information for these purposes were permissible. Some suggested modifying the definition of health care operations to include these uses specifically. Another suggestion was to add a section that permitted the transmission of protected health information to employers when reasonably necessary to comply with federal, state, or municipal laws and regulations, or when necessary for public or employee safety and health.

Response: Although we sympathize with entities' needs to evaluate the existing laws with which they must comply in light of the requirements of the final regulation, we are unable to respond substantively to comments that do not pose specific questions. We offer, however, the following guidance: if a covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under § 164.512(a) to make these disclosures without a consent or authorization; if, however, a statute or regulation merely permits a disclosure, the covered entity will need to determine if the disclosure comes within another category of permissible disclosure under §§ 164.510 or 164.512 or, alternatively, if the disclosure would otherwise come within § 164.502. If not, the entity will need to obtain a consent or authorization for the disclosure.

Comment: One commenter sought clarification as to when a disclosure is considered to be "required" by another law versus "permitted" by that law.

Response: We use these terms according to their common usage. By "required by law," we mean that a covered entity has a legal obligation to disclose the information. For example, if a statute states that a covered entity must report the names of all individuals presenting with gunshot wounds to the emergency room or else be fined $500 for each violation, a covered entity would be required by law to disclose the protected health information necessary to comply with this mandate. The privacy regulation permits this type of disclosure, but does not require it. Therefore, if a covered entity chose not to comply with the reporting statute, it would violate only the reporting statute and not the privacy regulation.

On the other hand, if a statute stated that a covered entity may or is permitted to report the names of all individuals presenting with gunshot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a covered entity would not be permitted by § 164.512(a) to disclose the protected health information. Of course, if another permissible provision applied to these facts, the covered entity could make the disclosure under that provision, but it would not be considered to be a disclosure required by law. See discussion under § 164.512(a) below.

Comment: Several commenters suggested that the proposed rule was unnecessarily duplicative of existing regulations for federal programs, such as Medicare, Medicaid, and the Federal Employee Health Benefit Program.

Response: Congress specifically subjected certain federal programs, including Medicare, Medicaid, and the Federal Employee Health Benefit Program to the privacy regulation by including them within the definition of "health plan." Therefore, covered entities subject to requirements of existing federal programs will also have to comply with the privacy regulation.

Comment: One comment asserts that the regulation would not affect current federal requirements if the current requirements are weaker than the requirements of the privacy regulation. This same commenter suggested that current federal requirements will trump both state law and the proposed regulation, even if Medicaid transactions remain wholly intrastate.

Response: We disagree. As noted in our discussion of "Relationship to Other Federal Laws," each law or regulation will need to be evaluated individually. We similarly disagree with the second assertion made by the commenter. The final rule will preempt state laws only in specific instances. For a more detailed analysis, see the preamble discussion of "Preemption."

Administrative Subpoenas

Comment: One comment stated that the final rule should not impose new standards on administrative subpoenas that would conflict with existing laws or administrative or judicial rules that establish standards for issuing subpoenas. Nor should the final rule conflict with established standards for the conduct of administrative, civil, or criminal proceedings, including the rules regarding the discovery of evidence. Other comments sought further restrictions on access to protected health information in this context.

Response: Section 164.512(e) below addresses disclosures for judicial and administrative proceedings. The final rules generally do not interfere with these existing processes to the extent an individual served with a subpoena, court order, or other similar process is able to raise objections already available. See the discussion below under § 164.512(e) for a fuller response.

Americans with Disabilities Act

Comment: Several comments discussed the intersection between the proposed Privacy Rule and the Americans with Disabilities Act ("ADA") and sections 503 and 504 of the Rehabilitation Act of 1973. One comment suggested that the final rule explicitly allow disclosures authorized by the Americans with Disabilities Act without an individual's authorization, because this law, in the commenter's view, provides more than adequate protection for the confidentiality of medical records in the employment context. The comment noted that under these laws employers may receive information related to fitness for duty, pre-employment physicals, routine examinations, return to work examinations, examinations following other types of absences, examinations triggered by specific events, changes in circumstances, requests for reasonable accommodations, leave requests, employee wellness programs, and medical monitoring.

Other commenters suggested that the ADA requires the disclosure of protected health information to employers so that the employee may take advantage of the protections of these laws. They suggested that the final rules clarify that employment may be conditioned on obtaining an authorization for disclosure of protected health information for lawful purposes and provide guidance concerning the interaction of the ADA with the final regulation's requirements. Several commenters wanted clarification that the privacy regulation would not permit employers to request or use protected health information in violation of the ADA.

Response: We disagree with the comment that the final rule should allow disclosures of protected health information authorized by the ADA without the individual's authorization. We learned from the comments that access to and use of protected health information by employers is of particular concern to many people. With regard to employers, we do not have statutory authority to regulate them. Therefore, it is beyond the scope of this regulation to prohibit employers from requesting or obtaining protected health information. Covered entities may disclose protected health information about individuals who are members of an employer's workforce with an authorization. Nothing in the privacy regulation prohibits employers from obtaining that authorization as a condition of employment. We note, however, that employers must comply with other laws that govern them, such as nondiscrimination laws. For example, if an employer receives a request for a reasonable accommodation, the employer may require reasonable documentation about the employee's disability and the functional limitations that require the reasonable accommodation, if the disability and the limitations are not obvious. If the individual provides insufficient documentation and does not provide the missing information in a timely manner after the employer's subsequent request, the employer may require the individual to go to an appropriate health professional of the employer's choice. In this situation, if the employee does not authorize the disclosure of information to substantiate the disability and the need for reasonable accommodation, the employer need not provide the accommodation.

We agree that this rule does not permit employers to request or use protected health information in violation of the ADA or other antidiscrimination laws.

Appropriations Laws

Comment: One comment suggested that the penalty provisions of HIPAA, if extended to the privacy regulation, would require the Secretary to violate "Appropriations Laws" because the Secretary could be in the position of assessing penalties against her own and other federal agencies in their roles as covered entities. Enforcing penalties on these entities would require the transfer of agency funds to the General Fund.

Response: We disagree. Although we anticipate achieving voluntary compliance and resolving any disputes prior to the actual assessment of penalties, the Department of Justice's Office of Legal Counsel has determined in similar situations that federal agencies have authority to assess penalties against other federal agencies and that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

Comment: One comment expressed concern that the regulation would place tremendous burdens on providers already struggling with the effects of the Balanced Budget Act of 1997.

Response: We appreciate the costs covered entities face when complying with other statutory and regulatory requirements, such as the Balanced Budget Act of 1997. However, HHS cannot address the impact of the Balanced Budget Act or other statutes in the context of this regulation.

Comment: Another comment stated that the regulation is in direct conflict with the Balanced Budget Act of 1997 ("BBA"). The comment asserts that the regulation's compliance date conflicts with the BBA, as well as Generally Accepted Accounting Principles. According to the comment, covered entities that made capital acquisitions to ensure compliance with the year 2000 ("Y2K") problem would not be able to account for the full depreciation of these systems until 2005. Because HIPAA requires compliance before that time, the regulation would force premature obsolescence of this equipment because, while it is Y2K compliant, it may be HIPAA non-compliant.

Response: This comment raises two distinct issues: (1) the investment in new equipment and (2) the compliance date. With regard to the first issue, we reject the comment's assertion that the regulation requires covered entities to purchase new information systems or information technology equipment, but realize that some covered entities may need to update their equipment. We have tried to minimize the costs, while responding appropriately to Congress' mandate for privacy rules. We have dealt with the cost issues in detail in the "Regulatory Impact Analysis" section of this Preamble. With regard to the second issue, Congress, not the Secretary, established the compliance date at section 1175(b) of the Act.

Civil Rights of Institutionalized Persons Act

Comment: A few comments expressed concern that the privacy regulation would inadvertently hinder the Department of Justice Civil Rights Division's investigations under the Civil Rights of Institutionalized Persons Act ("CRIPA"). These comments suggested clearly including civil rights enforcement activities as health care oversight.

Response: We agree with this comment. We do not intend for the privacy rules to hinder CRIPA investigations. Thus, the final rule includes agencies that are authorized by law to "enforce civil rights laws for which health information is relevant" in the definition of "health oversight agency" at § 164.501. Covered entities are permitted to disclose protected health information to health oversight agencies under § 164.512(d) without an authorization. Therefore, we do not believe the final rule should hinder the Department of Justice's ability to conduct investigations pursuant to its authority in CRIPA.

Clinical Laboratory Improvement Amendments

Comment: One comment expressed concern that the proposed definition of health care operations did not include activities related to the quality control clinical studies performed by laboratories to demonstrate the quality of patient test results. Because the Clinical Laboratory Improvement Amendments of 1988 ("CLIA") require these studies, which the comment asserted require the use of protected health information, the comment suggested including this specific activity in the definition of "health care operations."

Response: We do not intend for the privacy regulation to impede the ability of laboratories to comply with the requirements of CLIA. Quality control activities come within the definition of "health care operations" in § 164.501 because they come within the meaning of the term "quality assurance activities." To the extent they would not come within health care operations, but are required by CLIA, the privacy regulation permits clinical laboratories that are regulated by CLIA to comply with mandatory uses and disclosures of protected health information pursuant to § 164.512(a).

Comment: One comment stated that the proposed regulation's right of access for inspection and copying provisions were contrary to CLIA in that CLIA permits laboratories to disclose lab test results only to "authorized persons." This comment suggested that the final rule include language adopting this restriction to ensure that patients not obtain laboratory test results before the appropriate health care provider has reviewed and explained those results to the patients.

A similar comment stated that the lack of preemption of state laws could create problems for clinical laboratories under CLIA. Specifically, this comment noted that CLIA permits clinical laboratories to perform tests only upon the written or electronic request of, and to provide the results to, an "authorized person." State laws define who is an "authorized person." The comment expressed concern as to whether the regulation would preempt state laws that only permit physicians to receive test results.

Response: We agree that CLIA controls in these cases. Therefore, we have amended the right of access, § 164.524(a), so that a covered entity that is subject to CLIA does not have to provide access to the individual to the extent such access would be prohibited by law. Because of this change, we believe the preemption concern is moot.

Controlled Substances Act

Comment: One comment expressed concern that the privacy regulation as proposed would restrict the Drug Enforcement Agency's ("the DEA") enforcement of the Controlled Substances Act ("CSA"). The comment suggested including enforcement activities in the definition of "health oversight agency."

Response: In our view, the privacy regulation should not impede the DEA's ability to enforce the CSA. First, to the extent the CSA requires disclosures to the DEA, these disclosures would be permissible under § 164.512(a). Second, some of the DEA's CSA activities come within the exception for health oversight agencies, which permits disclosures to health oversight agencies for:

activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections . . . civil, administrative, or criminal proceedings or actions; and other activity necessary for appropriate oversight of the health care system.

Therefore, to the extent the DEA is enforcing the CSA, disclosures to it in its capacity as a health oversight agency are permissible under § 164.512(d). Alternatively, CSA-required disclosures to the DEA for law enforcement purposes are permitted under § 164.512(f). When acting as a law enforcement agency under the CSA, the DEA may obtain the information pursuant to § 164.512(f). Thus, we do not agree that the privacy regulation will impede the DEA's enforcement of the CSA. See the preamble discussion of § 164.512 for further explanation.

Comment: One commenter suggested clarifying the provisions allowing disclosures that are "required by law" to ensure that the mandatory reporting requirements the CSA imposes on covered entities, including making available reports, inventories, and records of transactions, are not preempted by the regulation.

Response: We agree that the privacy regulation does not alter covered entities' obligations under the CSA. Because the CSA requires covered entities manufacturing, distributing, and/or dispensing controlled substances to maintain and provide to the DEA specific records and reports, the privacy regulation permits these disclosures under § 164.512(a). In addition, when the DEA seeks documents to determine an entity's compliance with the CSA, such disclosures are permitted under § 164.512(d).

Comment: The same commenter expressed concern that the proposed privacy regulation inappropriately limits voluntary reporting and would prevent or deter employees of covered entities from providing the DEA with information about violations of the CSA.

Response: We agree with the general concerns expressed in this comment. We do not believe the privacy rules will limit voluntary reporting of violations of the CSA. The CSA requires certain entities to maintain several types of records that may include protected health information. Although reports that include protected health information may be restricted under these rules, reporting the fact that an entity is not maintaining proper reports is not. If it were necessary to obtain protected health information during the investigatory stages following such a voluntary report, the DEA would be able to obtain the information in other ways, such as by following the administrative procedures outlined in § 164.512(e).

We also agree that employees of covered entities who report violations of the CSA should not be subjected to retaliation by their employers. Under § 164.502(j), we specifically state that a covered entity is not considered to have violated the regulation if a workforce member or business associate in good faith reports violations of laws or professional standards by covered entities to appropriate authorities. See discussion of § 164.502(j) below.

Department of Transportation

Comment: Several commenters stated that the Secretary should recognize in the preamble that it is permissible for employers to condition employment on an individual's delivering a consent to certain medical tests and/or examinations, such as drug-free workplace programs and Department of Transportation ("DOT")-required physical examinations. These comments also suggested that employers should be able to receive certain information, such as pass/fail test and examination results, fitness-to-work assessments, and other legally required or permissible physical assessments without obtaining an authorization. To achieve this goal, these comments suggested defining "health information" to exclude information such as information about how much weight a specific employee can lift.

Response: We reject the suggestion to define "health information," which Congress defined in HIPAA, so that it excludes individually identifiable health information that may be relevant to employers for these types of examinations and programs. We do not regulate employers. Nothing in the rules prohibits employers from conditioning employment on an individual signing the appropriate consent or authorization. By the same token, however, the rules below do not relieve employers from their obligations under the ADA and other laws that restrict the disclosure of individually identifiable health information.

Comment: One commenter asserted that the proposed regulation conflicts with the DOT guidelines regarding positive alcohol and drug tests that require the employer be notified in writing of the results. This document contains protected health information. In addition, the treatment center records must be provided to the Substance Abuse Professional ("SAP") and the employer must receive a report from SAP with random drug testing recommendations.

Response: It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions or individuals being transferred to such positions. Employers, pursuant to DOT regulations, may condition an employee's employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers.

Developmental Disabilities Act

Comment: One commenter urged HHS to ensure that the regulation would not impede access to individually identifiable health information by entities that are part of the Protection and Advocacy System to investigate abuse and neglect as authorized by the Developmental Disabilities Bill of Rights Act.

Response: The Developmental Disabilities Assistance and Bill of Rights Act of 2000 ("DD Act") mandates specific disclosures of individually identifiable health information to Protection and Advocacy systems designated by the chief elected official of the states and Territories. Therefore, covered entities may make these disclosures under § 164.512(a) without first obtaining an individual's authorization, except in those circumstances in which the DD Act requires the individual's authorization. Therefore, the rules below will not impede the functioning of the existing Protection and Advocacy System.

Employee Retirement Income Security Act of 1974

Comment: Several commenters objected to the fact that the NPRM did not clarify the scope of preemption of state laws under the Employee Retirement Income Security Act of 1974 (ERISA). These commenters asserted that the final rule must state that ERISA preempts all state laws (including those relating to the privacy of individually identifiable health information) so that multistate employers could continue to administer their group health plans using a single set of rules. In contrast, other commenters criticized the Department for its analysis of the current principles governing ERISA preemption of state law, pointing out that the Department has no authority to interpret ERISA.

Response: This Department has no authority to issue regulations under ERISA as requested by some of these commenters, so the rule below does not contain the statement requested. See the discussion of this point under "Preemption" above.

Comment: One commenter requested that the final rule clarify that section 264(c)(2) of HIPAA does not save state laws that would otherwise be preempted by the Federal Employees Health Benefits Program. The commenter noted that in the NPRM this statement was made with respect to Medicare and ERISA, but not the law governing the FEHBP.

Response: We agree with this comment. The preemption analysis set out above with respect to ERISA applies equally to the Federal Employees Health Benefit Program.

Comment: One commenter noted that the final rule should clarify the interplay between state law, the preemption standards in Subtitle A of Title I of HIPAA (Health Care Access, Portability and Renewability), and the preemption standards in the privacy requirements in Subtitle F of Title II of HIPAA (Administrative Simplification).

Response: The NPRM described only the preemption standards that apply with respect to the statutory provisions of HIPAA that were implemented by the proposed rule. We agree that the preemption standards in Subtitle A of Title I of HIPAA are different. Congress expressly provided that the preemption provisions of Title I apply only to Part 7, which addresses portability, access, and renewability requirements for Group Health Plans. To the extent state laws contain provisions regarding portability, access, or renewability, as well as privacy requirements, a covered entity will need to evaluate the privacy provisions under the Title II preemption provisions, as explained in the preemption provisions of the rules, and the other provisions under the Title I preemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

Comment: Several comments stated that the privacy regulation should be consistent with the European Union's Directive on Data Protection. Others sought guidance as to how to comply with both the E.U. Directive on Data Protection and the U.S. Safe Harbor Privacy Principles.

Response: We appreciate the need for covered entities obtaining personal data from the European Union to understand how the privacy regulation intersects with the Data Protection Directive. We have provided guidance as to this interaction in the "Other Federal Laws" provisions of the preamble.

Comment: A few comments expressed concern that the proposed definition of "individual" excluded foreign military and diplomatic personnel and their dependents, as well as overseas foreign national beneficiaries. They noted that the distinctions are based on nationality and are inconsistent with the stance of the E.U. Directive on Data Protection and the Department of Commerce's assurances to the European Commission.

Response: We agree with the general principle that privacy protections should protect every person, regardless of nationality. As noted in the discussion of the definition of "individual," the final regulation's definition does not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries from the definition of individual. As described in the discussion of § 164.512 below, the final rule applies to foreign diplomatic personnel and their dependents like all other individuals. Foreign military personnel receive the same treatment under the final rule as U.S. military personnel do, as discussed with regard to § 164.512 below. Overseas foreign national beneficiaries, to the extent they receive care from the Department of Defense or a source acting on behalf of the Department of Defense, remain generally excluded from the final rule's protections. For a more detailed explanation, see § 164.500.

Fair Credit Reporting Act

Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act ("FCRA") from the requirements of the privacy regulation. These commenters noted that the protections in the privacy regulation duplicate those in the FCRA.

Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA's focus is not the same as our Congressional mandate to protect individually identifiable health information.

To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of §§ 164.501 and 164.502 below.

We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of "consumer reporting agencies." As such, these entities are subject to the FCRA. As described in the preamble to § 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA.

Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation's requirement applied to information disclosed to consumer reporting agencies.

Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under § 164.512(a). See also discussion under the definition of "payment" below.

Fair Debt Collection Practices Act

Comment: Several comments expressed concern that health plans and health care providers be able to continue using debt collectors in compliance with the Fair Debt Collection Practices Act and related laws.

Response: In our view, health plans and health care providers will be able to continue using debt collectors. Using the services of a debt collector to obtain payment for the provision of health care comes within the definition of "payment" and is permitted under the regulation. Thus, so long as the use of debt collectors is consistent with the regulatory requirements (such as providers obtaining the proper consents, the disclosure being of the minimum amount of information necessary to collect the debt, the provider or health plan entering into a business associate agreement with the debt collector, etc.), relying upon debt collectors to obtain reimbursement for the provision of health care would not be prohibited by the regulation.

Family Medical Leave Act

Comment: One comment suggested that the proposed regulation adversely affects the ability of an employer to determine an employee's entitlement to leave under the Family Medical Leave Act ("FMLA") by affecting the employer's right to receive medical certification of the need for leave, additional certifications, and fitness for duty certification at the end of the leave. The commenter sought clarification as to whether a provider could disclose information to an employer without first obtaining an individual's consent or authorization. Another commenter suggested that the final rule explicitly exclude from the rule disclosures authorized by the FMLA, because, in the commenter's view, it provides more than adequate protection for the confidentiality of medical records in the employment context.

Response: We disagree that the FMLA provides adequate privacy protections for individually identifiable health information. As we understand the FMLA, the need for employers to obtain protected health information under the statute is analogous to the employer's need for protected health information under the ADA. In both situations, employers may need protected health information to fulfill their obligations under these statutes, but neither statute requires covered entities to provide the information directly to the employer. Thus, covered entities in these circumstances will need an individual's authorization before the disclosure is made to the employer.

Federal Common Law

Comment: One commenter did not want the privacy rules to interfere with the federal common law governing collective bargaining agreements permitting employers to insist on the cooperation of employees with medical fitness evaluations.

Response: We do not seek to interfere with legal medical fitness evaluations. These rules require a covered entity to have an individual's authorization before the information resulting from such evaluations is disclosed to the employer unless another provision of the rule applies. We do not prohibit employers from conditioning employment, accommodations, or other benefits, when legally permitted to do so, upon the individual/employee providing an authorization that would permit the disclosure of protected health information to employers by covered entities. See § 164.508(b)(4) below.

Federal Educational Rights and Privacy Act

Comment: A few commenters supported the exclusion of "education records" from the definition of "protected health information." However, one commenter requested that "treatment records" of students who are 18 years or older attending post-secondary education institutions be excluded from the definition of "protected health information" as well to avoid confusion.

Response: We agree with these commenters. See "Relationship to Other Federal Laws" for a description of our exclusion of FERPA "education records" and records defined at 20 U.S.C. 1232g(a)(4)(B)(iv), commonly referred to as "treatment records," from the definition of "protected health information."

Comment: One comment suggested that the regulation should not apply to any health information that is part of an "education record" in any educational agency or institution, regardless of its FERPA status.

Response: We disagree. As noted in our discussion of "Relationship to Other Federal Laws," we exclude education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA.

Comment: One commenter suggested eliminating the preamble language that describes school nurses and on-site clinics as acting as providers and subject to the privacy regulation, noting that this language is confusing and inconsistent with the statements provided in the preamble explicitly stating that HIPAA does not preempt FERPA.

Response: We agree that this language may have been confusing. We have provided a clearer expression of when schools may be required to comply with the privacy regulation in the "Relationship to Other Federal Laws" section of the preamble.

Comment: One commenter suggested adding a discussion of FERPA to the "Relationship to Other Federal Laws" section of the preamble.

Response: We agree and have added FERPA to the list of federal laws discussed in "Relationship to Other Federal Laws" section of the preamble.

Comment: One commenter stated that school clinics should not have to comply with the "ancillary" administrative requirements, such as designating a privacy official, maintaining documentation of their policies and procedures, and providing the Secretary of HHS with access.

Response: We disagree. Because we have excluded education records and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by educational agencies and institutions subject to FERPA from the definition of protected health information, only non-FERPA schools would be subject to the administrative requirements. Most of these school clinics will also not be covered entities because they are not engaged in HIPAA transactions and these administrative requirements will not apply to them. However, to the extent a school clinic is within the definition of a health care provider, as Congress defined the term, and the school clinic is engaged in HIPAA transactions, it will be a covered entity and must comply with the rules below.

Comment: Several commenters expressed concern that the privacy regulation would eliminate the parents' ability to have access to information in their children's school health records. Because the proposed regulation suggests that school-based clinics keep health records separate from other educational files, these comments argued that the regulation is contrary to the spirit of FERPA, which provides parents with access rights to their children's educational files.

Response: As noted in the "Relationship to Other Federal Laws" provision of the preamble, to the extent information in school-based clinics is not protected health information because it is an education record, the FERPA access requirements apply and this regulation does not. For more detail regarding the rule's application to unemancipated minors, see the preamble discussion about "Personal Representatives."

Federal Employees Compensation Act

Comment: One comment noted that the Federal Employees Compensation Act ("FECA") requires claimants to sign a release form when they file a claim. This commenter suggested that the privacy regulation should not place additional restrictions on this type of release form.

Response: We agree. In the final rule, we have added a new provision, § 164.512(l), that permits covered entities to make disclosures authorized under workers' compensation and similar laws. This provision would permit covered entities to make disclosures authorized under FECA and not require a different release form.

Federal Employees Health Benefits Program

Comment: A few comments expressed concern about the preemption effect on FEHBP and wanted clarification that the privacy regulation does not alter the existing preemptive scope of the program.

Response: We do not intend to affect the preemptive scope of the FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any state law that "relates to" health insurance or plans. 5 U.S.C. 8902(m). The final rule does not attempt to alter the preemptive scope Congress has provided to the FEHBP.

Comment: One comment suggested that in the context of FEHBP HHS should place the enforcement responsibilities of the privacy regulation with the Office of Personnel Management, as the agency responsible for administering the program.

Response: We disagree. Congress placed enforcement with the Secretary. See section 1176 of the Act.

Federal Rules of Civil Procedure

Comment: A few comments suggested revising proposed § 164.510(d) so that it is consistent with the existing discovery procedure under the Federal Rules of Civil Procedure or local rules.

Response: We disagree that the rules regarding disclosures and uses of protected health information for judicial and administrative procedures should provide only those protections that exist under existing discovery rules. Although the current process may be appropriate for other documents and information requested during the discovery process, the current system, as exemplified by the Federal Rules of Civil Procedure, does not provide sufficient protection for protected health information. Under current discovery rules, private attorneys, government officials, and others who develop such requests make the initial determinations as to what information or documentation should be disclosed. Independent third-party review, such as that by a court, only becomes necessary if a person of whom the request is made refuses to provide the information. If this happens, the person seeking discovery must obtain a court order or move to compel discovery. In our view this system does not provide sufficient protections to ensure that unnecessary and unwarranted disclosures of protected health information do not occur. For a related discussion, see the preamble regarding "Disclosures for Judicial and Administrative Proceedings" under § 164.512(e).

Federal Rules of Evidence

Comment: Many comments requested clarification that the privacy regulation does not conflict or interfere with the federal or state privileges. In particular, one of these comments suggested that the final regulation provide that disclosures for a purpose recognized by the regulation not constitute a waiver of federal or state privileges.

Response: We do not intend for the privacy regulation to interfere with federal or state rules of evidence that create privileges. Consistent with The Uniform Health-Care Information Act drafted by the National Conference of Commissioners on Uniform State Laws, we do not view a consent or an authorization to function as a waiver of federal or state privileges. For further discussion of the effect of consent or authorization on federal or state privileges, see preamble discussions in §§ 164.506 and 164.508.

Comment: Other comments applauded the Secretary's references to Jaffee v. Redmond, 518 U.S. 1 (1996), which recognized a psychotherapist-patient privilege, and asked the Secretary to incorporate expressly this privilege into the final regulation.

Response: We agree that the psychotherapist-patient relationship is an important one that deserves protection. However, it is beyond the scope of our mandate to create specific evidentiary privileges. It is also unnecessary because the United States Supreme Court has adopted this privilege.

Comment: A few comments discussed whether one remedy for violating the privacy regulation should be to exclude or suppress evidence obtained in violation of the regulation. One comment supported using this penalty, while another opposed it.

Response: We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts.

Federal Tort Claims Act

Comment: One comment contended that the proposed regulation's requirement mandating covered entities to name the subjects of protected health information disclosed under a business partner contract as third party intended beneficiaries under the contract would have created an impermissible right of action against the government under the Federal Tort Claims Act ("FTCA").

Response: Because we have deleted the third party beneficiary provisions from the final rules, this comment is moot.

Comment: Another comment suggested the regulation would hamper the ability of federal agencies to disclose protected health information to their attorneys, the Department of Justice, during the initial stages of the claims brought under the FTCA.

Response: We disagree. The regulation applies only to federal agencies that are covered entities. To the extent an agency is not a covered entity, it is not subject to the regulation; to the extent an agency is a covered entity, it must comply with the regulation. A covered entity that is a federal agency may disclose relevant information to its attorneys, who are business associates, for purposes of health care operations, which includes uses or disclosures for legal functions. See § 164.501 (definitions of "business associate" and "health care operations"). The final rule provides specific provisions describing how federal agencies may provide adequate assurances for these types of disclosures of protected health information. See § 164.504(e)(3).

Food and Drug Administration

Comment: A few comments expressed concerns about the use of protected health information for reporting activities to the Food and Drug Administration ("FDA"). Their concern focused on the ability to obtain or disclose protected health information for pre- and post-marketing adverse event reports, device tracking, and post-marketing safety and efficacy evaluation.

Response: We agree with this comment and have provided that covered entities may disclose protected health information to persons subject to the jurisdiction of the FDA, to comply with the requirements of, or at the direction of, the FDA with regard to reporting adverse events (or similar reports with respect to dietary supplements), the tracking of medical devices, other post-marketing surveillance, or other similar requirements described at § 164.512(b).

Foreign Standards

Comment: One comment asked how the regulation could be enforced against foreign countries (or presumably entities in foreign countries) that solicit medical records from entities in the United States.

Response: We do not regulate solicitations of information. To the extent a covered entity wants to comply with a request for disclosure of protected health information to foreign countries or entities within foreign countries, it will need to comply with the privacy rules before making the disclosure. If the covered entity fails to comply with the rules, it will be subject to enforcement proceedings.

Freedom of Information Act

Comment: One comment asserted that the proposed privacy regulation conflicts with the Freedom of Information Act ("FOIA"). The comment argued that the proposed restriction on disclosures by agencies would not come within one of the permissible exemptions to the FOIA. In addition, the comment noted that only in exceptional circumstances would the protected health information of deceased individuals come within an exemption because, for the most part, death extinguishes an individual's right to privacy.

Response: Section 164.512(a) below permits covered entities to disclose protected health information when such disclosures are required by other laws as long as they follow the requirements of those laws. Therefore, the privacy regulation will not interfere with the ability of federal agencies to comply with FOIA, when it requires the disclosure.

We disagree, however, that most protected health information will not come within Exemption 6 of FOIA. See the discussion above under "Relationship to Other Federal Laws" for our review of FOIA. Moreover, we disagree with the comment's assertion that the protected health information of deceased individuals does not come within Exemption 6. Courts have recognized that a deceased individual's surviving relatives may have a privacy interest that federal agencies may consider when balancing privacy interests against the public interest in disclosure of the requested information. Federal agencies will need to consider not only the privacy interests of the subject of the protected health information in the record requested, but also, when appropriate, those of a deceased individual's family consistent with judicial rulings.

If an agency receives a FOIA request for the disclosure of protected health information of a deceased individual, it will need to determine whether or not the disclosure comes within Exemption 6. This evaluation must be consistent with the courts' rulings in this area. If the exemption applies, the federal agency will not have to release the information. If the federal agency determines that the exemption does not apply, it may release the information under § 164.512(a) of this regulation.

Comment: One commenter expressed concern that our proposal to protect the individually identifiable health information about the deceased for two years following death would impede public interest reporting and would be at odds with many state Freedom of Information laws that make death records and autopsy reports public information. The commenter suggested permitting medical information to be available upon the death of an individual or, at the very least, that an appeals process be permitted so that health information trustees would be allowed to balance the interests in privacy and in public disclosure and release or not release the information accordingly.

Response: These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under § 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose them without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule.

If another law does not require the disclosure of death records and autopsy reports generated and maintained by a covered entity, which are protected health information, covered entities are not allowed to disclose such information except as permitted or required by the final rule, even if another entity discloses them.

Comment: One comment sought clarification of the relationship between the Freedom of Information Act, the Privacy Act, and the privacy rules.

Response: We have provided this analysis in the "Relationship to Other Federal Laws" section of the preamble in our discussion of the Freedom of Information Act.

Gramm-Leach-Bliley

Comments: One commenter noted that the Financial Services Modernization Act, also known as Gramm-Leach-Bliley ("GLB"), requires financial institutions to provide detailed privacy notices to individuals. The commenter suggested that the privacy regulation should not require financial institutions to provide additional notice.

Response: We disagree. To the extent a covered entity is required to comply with the notice requirements of GLB and those of our rules, the covered entity must comply with both. We will work with the FTC and other agencies implementing GLB to avoid unnecessary duplication. For a more detailed discussion of GLB and the privacy rules, see the "Relationship to Other Federal Laws" section of the preamble.

Comment: A few commenters asked that the Department clarify that financial institutions, such as banks, that serve as payors are covered entities. The comments explained that with the enactment of the Gramm-Leach-Bliley Act, banks are able to form holding companies that will include insurance companies (that may be covered entities). They recommended that banks be held to the rule's requirements and be required to obtain authorization to conduct non-payment activities, such as for the marketing of health and non-health items and services or the use and disclosure to non-health related divisions of the covered entity.

Response: These comments did not provide specific facts that would permit us to provide a substantive response. An organization will need to determine whether it comes within the definition of "covered entity." An organization may also need to consider whether or not it contains a health care component. Organizations that are uncertain about the application of the regulation to them will need to evaluate their specific facts in light of this rule.

Inspector General Act

Comment: One comment requested the Secretary to clarify in the preamble that the privacy regulation does not preempt the Inspector General Act.

Response: We agree that to the extent the Inspector General Act requires uses or disclosures of protected health information, the privacy regulation does not preempt it. The final rule provides that to the extent required under section 201(a)(5) of the Act, nothing in this subchapter should be construed to diminish the authority of any Inspector General, including the authority provided in the Inspector General Act of 1978. See discussion of § 160.102 above.

Medicare and Medicaid

Comment: One comment suggested possible inconsistencies between the regulation and Medicare/Medicaid requirements, such as those under the Quality Improvement System for Managed Care. This commenter asked that HHS expand the definition of health care operations to include health promotion activities and avoid potential conflicts.

Response: We disagree that the privacy regulation would prohibit managed care plans operating in the Medicare or Medicaid programs from fulfilling their statutory obligations. To the extent a covered entity is required by law to use or disclose protected health information in a particular manner, the covered entity may make such a use or disclosure under § 164.512(a). Additionally, quality assessment and improvement activities come within the definition of "health care operations." Therefore, the specific example provided by the commenter would seem to be a permissible use or disclosure under § 164.502, even if it were not a use or disclosure "required by law."

Comment: One commenter stated that Medicare should not be able to require the disclosure of psychotherapy notes because it would destroy a practitioner's ability to treat patients effectively.

Response: If Title XVIII of the Social Security Act requires the disclosure of psychotherapy notes, the final rule permits, but does not require, a covered entity to make such a disclosure under § 164.512(a). If, however, the Social Security Act does not require such disclosures, Medicare does not have the discretion to require the disclosure of psychotherapy notes as a public policy matter because the final rule provides that covered entities, with limited exceptions, must obtain an individual's authorization before disclosing psychotherapy notes. See § 164.508(a)(2).

National Labor Relations Act

Comment: A few comments expressed concern that the regulation did not address the obligation of covered entities to disclose protected health information to collective bargaining representatives under the National Labor Relations Act.

Response: The final rule does not prohibit disclosures that covered entities must make pursuant to other laws. To the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may do so without an authorization. Also, the definition of "health care operations" at § 164.501 permits disclosures to employee representatives for purposes of grievance resolution.

Organ Donation

Comment: One commenter expressed concern about the potential impact of the regulation on the organ donation program under 42 CFR Part 482.

Response: In the final rule, we add provisions allowing the use or disclosure of protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h).

Privacy Act Comments

Comment: One comment suggested that the final rule unambiguously permit the continued operation of the statutorily established or authorized discretionary routine uses permitted under the Privacy Act for both law enforcement and health oversight.

Response: We disagree. See the discussion of the Privacy Act in "Relationship to Other Federal Laws" above.

Public Health Service Act

Comment: One comment suggested that the Public Health Service Act places more stringent rules regarding the disclosure of information on Federally Qualified Health Centers than the proposed privacy regulation suggested. Therefore, the commenter suggested that the final rule exempt Federally Qualified Health Centers from the rule's requirements.

Response: We disagree. Congress expressly included Federally Qualified Health Centers, as providers of medical or other health services under section 1861(s) of the Social Security Act, within its definition of health care provider in section 1171 of the Act; therefore, we cannot exclude them from the regulation.

Comment: One commenter noted that no conflicts existed between the proposed rule and the Public Health Service Act.

Response: As we discuss in the "Relationship to Other Federal Laws" section of the preamble, the Public Health Service Act contains explicit confidentiality requirements that are so general as not to create problems of inconsistency. We recognized, however, that in some cases, that law or its accompanying regulations may contain greater restrictions. In those situations, a covered entity's ability to make what are permissive disclosures under this privacy regulation would be limited by those laws.

Reporting Requirement

Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements.

Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under § 164.512(a). The notice provisions at § 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered entity is permitted or required by the rules to use or disclose protected health information without an individual's written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to § 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity "will disclose your protected health information to comply with legal requirements" should suffice.

Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies.

Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under § 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in § 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures.

Security Standards

Comment: One comment called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the security standards should be compatible with the existing and emerging health care and information technology industry standards.

Response: We agree that the security standards and the privacy rules should be compatible with one another and are working to ensure that the final rules in both areas function together. Because we are addressing comments regarding the privacy rules in this preamble, we will consider the comment about the security standard as we finalize that set of rules.

Substance Abuse Confidentiality Statute and Regulations

Comment: Several commenters noted that many health care providers are bound by the federal restrictions governing alcohol and drug abuse records. One commenter noted that the NPRM differed substantially from the substance abuse regulations and would have caused a host of practical problems for covered entities. Another commenter, however, supported the NPRM's analysis that stated that more stringent provisions of the substance abuse provisions would apply. This commenter suggested an even stronger approach of including in the text a provision that would preserve existing federal law. Yet, one comment suggested that the regulation as proposed would confuse providers by making it difficult to determine when they may disclose information to law enforcement because the privacy regulation would permit disclosures that the substance abuse regulations would not.

Response: We appreciate the need of some covered entities to evaluate the privacy rules in light of federal requirements regarding alcohol and drug abuse records. Therefore, we provide a more detailed analysis in the "Relationship to Other Federal Laws" section of the preamble.

Comment: Some of these commenters also noted that state laws contain strict confidentiality requirements. A few commenters suggested that HHS reassess the regulations to avoid inconsistencies with state privacy requirements, implying that problems exist because of conflicts between the federal and state laws regarding the confidentiality of substance abuse information.

Response: As noted in the preamble section discussing preemption, the final rules do not preempt state laws that provide more privacy protections. For a more detailed analysis of the relationship between state law and the privacy rules, see the "Preemption" provisions of the preamble.

Tribal Law

Comments: One commenter suggested that the consultation process with tribal governments described in the NPRM was inadequate under Executive Order No. 13084. In addition, the commenter expressed concern that the disclosures for research purposes as permitted by the NPRM would conflict with a number of tribal laws that offer individuals greater privacy rights with respect to research and reflect cultural appropriateness. In particular, the commenter referenced the Health Research Code for the Navajo Nation, which creates an entity with broader authority over research conducted on the Navajo Nation than the local IRB and requires informed consent by study participants. Other laws mentioned by the commenter included the Navajo Nation Privacy and Access to Information Act and a similar policy applicable to all health care providers within the Navajo Nation. The commenter expressed concern that the proposed regulation's research provisions would override these tribal laws.

Response: We disagree with the comment that the consultation with tribal governments undertaken prior to the proposed regulation is inadequate under Executive Order No. 13084. As stated in the proposed regulation, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as others, about the proposals and the application of HIPAA to the Tribes, and the potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. In addition, Indian and tribal governments had the opportunity to, and did, submit substantive comments on the proposed rules.

Additionally, disclosures permitted by this regulation do not conflict with the policies as described by this commenter. Disclosures for research purposes under the final rule, as in the proposed regulation, are permissive disclosures only. The rule describes the outer boundaries of permissible disclosures. A covered health care provider that is subject to the tribal laws of the Navajo Nation must continue to comply with those tribal laws. If the tribal laws impose more stringent privacy standards on disclosures for research, such as requiring informed consent in all cases, nothing in the final rule would preclude compliance with those more stringent privacy standards. The final rule does not interfere with the internal governance of the Navajo Nation or otherwise adversely affect the policy choices of the tribal government with respect to the cultural appropriateness of research conducted in the Navajo Nation.

TRICARE

Comment: One comment expressed concern regarding the application of the "minimum necessary" standard to investigations of health care providers under the TRICARE (formerly the CHAMPUS) program. The comment also expressed concern that health care providers would be able to avoid providing their records to such investigators because the proposed § 164.510 exceptions were not mandatory disclosures.

Response: In our view, neither the minimum necessary standard nor the final §§ 164.510 and 164.512 permissive disclosures will impede such investigations. The regulation requires covered entities to make all reasonable efforts not to disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. This requirement, however, does not apply to uses or disclosures that are required by law. See § 164.502(b)(2)(iv). Thus, if the disclosure to the investigators is required by law, the minimum necessary standard will not apply. Additionally, the final rule provides that covered entities may rely, if such reliance is reasonable, on assertions from public officials about what information is reasonably necessary for the purpose for which it is being sought. See § 164.514(d)(3)(iii).

We disagree with the assertion that providers will be able to avoid providing their records to investigators. Nothing in this rule permits covered entities to avoid disclosures required by other laws.

Veterans Affairs

Comment: One comment sought clarification about how disclosures of protected health information would occur within the Veterans Affairs programs for veterans and their dependents.

Response: We appreciate the commenter's request for clarification as to how the rules will affect disclosures of protected health information in the specific context of Veterans Affairs programs. Veterans health care programs under 38 U.S.C. chapter 17 are defined as "health plans." Without sufficient details as to the particular aspects of the Veterans Affairs programs that this comment views as problematic, we cannot comment substantively on this concern.

Comment: One comment suggested that the final regulation clarify that the analysis applied to the substance abuse regulations applies to laws governing Veterans Affairs health records.

Response: Although we realize some differences may exist between the laws, we believe the discussion of federal substance abuse confidentiality regulations in the "Relationship to Other Federal Laws" preamble provides guidance that may be applied to the laws governing Veterans Affairs ("VA") health records. In most cases, a conflict will not exist between these privacy rules and the VA programs. For example, some disclosures allowed without patient consent or authorization under the privacy regulation may not be within the VA statutory list of permissible disclosures without a written consent. In such circumstances, the covered entity would have to abide by the VA statute, and no conflict exists. If the disclosures permitted by the VA statute come within the permissible disclosures of our rules, no conflict exists. In some cases, our rules may impose additional requirements, such as obtaining the approval of a privacy board or Institutional Review Board if a covered entity seeks to disclose protected health information for research purposes without the individual's authorization. A covered entity subject to the VA statute will need to ensure that it meets the requirements of both that statute and the regulation below. If a conflict arises, the covered entity should evaluate the specific potentially conflicting provisions under the implied repeal analysis set forth in the "Relationship to Other Federal Laws" discussion in the preamble.

WIC

Comment: One comment called on other federal agencies to examine their regulations and policies regarding the use and disclosure of protected health information. The comment suggested that other agencies revise their regulations and policies to avoid duplicative, contradictory, or more stringent requirements. The comment noted that the U.S. Department of Agriculture's Special Supplemental Nutrition Program for Women, Infants, and Children ("WIC") does not release WIC data. Because the commenter believed the regulation would not prohibit the disclosure of WIC data, the comment stated that the Department of Agriculture should now release such information.

Response: We support other federal agencies to whom the rules apply in their efforts to review existing regulations and policies regarding protected health information. However, we do not agree with the suggestion that other federal agencies that are not covered entities must reduce the protections or access-related rights they provide for individually identifiable health information they hold.

PART 160, SUBPART C - COMPLIANCE AND ENFORCEMENT

Section 160.306(a) - Who Can File Complaints with the Secretary

Comment: The proposed rule limited those who could file a complaint with the Secretary to individuals. A number of commenters suggested that other persons with knowledge of a possible violation should also be able to file complaints. Examples that were provided included a mental health care provider with first-hand knowledge of a health plan improperly requiring disclosure of psychotherapy notes, and an occupational health nurse with knowledge that her human resources manager is improperly reviewing medical records. A few comments raised the concern that permitting any person to file a complaint lends itself to abuse and is not necessary to ensure privacy rights, and argued that the complainant should be a person to whom a duty to protect health information is owed.

Response: As discussed below, the rule defines "individual" as the person who is the subject of the individually identifiable health information. However, the covered entity may allow other persons, such as personal representatives, to exercise the rights of the individual under certain circumstances, e.g., for a deceased individual. We agree with the commenters that any person may become aware of conduct by a covered entity that is in violation of the rule. Such persons could include the covered entity's employees, business associates, patients, or accrediting, health oversight, or advocacy agencies or organizations. Many persons, such as the covered entity's employees, may, in fact, be in a better position than the "individual" to know that a violation has occurred. Another example is a state Protection and Advocacy group that may represent persons with developmental disabilities. We have decided to allow complaints from any person. The term "person" is not restricted here to human beings or natural persons, but also includes any type of association, group, or organization.

Allowing such persons to file complaints may be the only way the Secretary may learn of certain possible violations. Moreover, individuals who are the subject of the information may not be willing to file a complaint because of fear of embarrassment or retaliation. Based on our experience with various civil rights laws, such as Title VI of the Civil Rights Act of 1964 and Title II of the Americans with Disabilities Act, that allow any person to file a complaint with the Secretary, we do not believe that this practice will result in abuse. Finally, upholding privacy protections benefits all persons who have or may be served by the covered entity as well as the general public, and not only the subject of the information.

If a complaint is received from someone who is not the subject of the protected health information, the person who is the subject of this information may be concerned with the Secretary's investigation of this complaint. While we did not receive comments on this issue, we want to protect the privacy rights of this individual. This might involve the Secretary seeking to contact the individual to provide information as to how the Secretary will address the individual's privacy concerns while resolving the complaint. Contacting all individuals may not be practicable in the case of allegations of systemic violations (e.g., where the allegation is that hundreds of medical records were wrongfully disclosed).

Requiring That a Complainant Exhaust the Covered Entity's Internal Complaint Process Prior to Filing a Complaint with the Secretary

Comment: A number of commenters, primarily health plans, suggested that individuals should not be permitted to file a complaint with the Secretary until they exhaust the covered entity's own complaint process. Commenters stated that covered entities should have a certain period of time, such as ninety days, to correct the violation. Some commenters asserted that providing for filing a complaint with the Secretary will be very expensive for both the public and private sectors of the health care industry to implement. Other commenters suggested requiring the Secretary to inform the covered entity of any complaint it has received and not initiate an investigation or "take enforcement action" before the covered entity has time to address the complaint.

Response: We have decided, for a number of reasons, to retain the approach as presented in the proposed rule. First, we are concerned that requiring that complainants first notify the covered entity would have a chilling effect on complaints. In the course of investigating individual complaints, the Secretary will often need to reveal the identity of the complainant to the covered entity. However, in the investigation of cases of systemic violations and some individual violations, individual names may not need to be identified. Under the approach suggested by these commenters, the covered entity would learn the names of all persons who file complaints with the Secretary. Some individuals might feel uncomfortable, or fear embarrassment or retaliation, in revealing their identity to the covered entity they believe has violated the regulation. Individuals may also feel they are being forced to enter into negotiations with this entity before they can file a complaint with the Secretary.

Second, because some potential complainants would not bring complaints to the covered entity, possible violations might not become known to the Secretary and might continue. Third, the delay in the complaint coming to the attention of the Secretary because of the time allowed for the covered entity to resolve the complaint may mean that significant violations are not addressed expeditiously. Finally, the process proposed by these commenters is arguably unnecessary because an individual who believes that an agreement can be reached with the covered entity can, through the entity's internal complaint process or other means, seek resolution before filing a complaint with the Secretary.

Our approach is consistent with other laws and regulations protecting individual rights. None of the civil rights laws enforced by the Secretary require a complainant to provide any notification to the entity that is alleged to have engaged in discrimination (e.g., Americans with Disabilities Act, section 504 of the Rehabilitation Act, Title VI of the Civil Rights Act, and the Age Discrimination Act). The concept of "exhaustion" is used in laws that require individuals to pursue administrative remedies, such as that provided by a governmental agency, before bringing a court action. Under HIPAA, individuals do not have a right to court action.

Some commenters seemed to believe that the Secretary would pursue enforcement action without notifying the covered entity. It has been the Secretary's practice in investigating cases under other laws, such as various civil rights laws, to inform entities that we have received a complaint against them and to seek early resolution if possible. In enforcing the privacy rule, the Secretary will generally inform the covered entity of the nature of any complaints it has received against the entity. (There may be situations where information is withheld to protect the privacy interests of the complainant or others or where revealing information would impede the investigation of the covered entity.) The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution. Our approach will be to seek informal resolution of complaints whenever possible, which includes allowing covered entities a reasonable amount of time to work with the Secretary to come into compliance before initiating action to seek civil monetary penalties.

Section 160.306(b)(3) - Requiring that Complaints be Filed with the Secretary Within a Certain Period of Time

Comment: A number of commenters, primarily privacy and disability advocacy organizations, suggested that the regulation require that complaints be filed with the Secretary by a certain time. These commenters generally recommended that the time period for filing a complaint should commence to run from the time when the individual knew or had reason to know of the violation or omission. Another comment suggested that a requirement to file a complaint with the Secretary within 180 days of the alleged noncompliance is a problem because a patient may, because of his or her medical condition, be unable to access his or her records within that time frame.

Response: We agree with the commenters that complainants should generally be required to submit complaints in a timely fashion. Federal regulations implementing Title VI of the Civil Rights Act of 1964 provide that "[a] complaint must be filed not later than '180 days from the date of the alleged discrimination' unless the time for filing is extended by the responsible Department official or his designee." 45 CFR 80.7(b). Other civil rights laws, such as the Age Discrimination Act, section 504 of the Rehabilitation Act, and Title II of the Americans with Disabilities Act (ADA) (state and local government services), also use this approach. Under civil rights laws administered by the EEOC, individuals have 180 days from the alleged discriminatory act to file a charge with the EEOC (or 300 days if there is a state or local fair employment practices agency involved).

Therefore, in the final rule we require that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will have necessary and reliable information. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.

Section 160.308 - Basis for Conducting Compliance Reviews

Comment: A number of comments expressed concern that the Secretary would conduct compliance reviews without having received a complaint or having reason to believe there is noncompliance. A number of these commenters appeared to believe that the Secretary would engage in "routine visits." Some commenters suggested that the Secretary should only be able to conduct compliance reviews if the Secretary has initiated an investigation of a complaint regarding the covered entity in the preceding twelve months. Some commenters suggested that there should only be compliance reviews based on established criteria for reviews (e.g., finding of "reckless disregard"). Many of these commenters stated that cooperating with compliance reviews is potentially burdensome and expensive.

One commenter asked whether the Secretary will have a process for reviewing all covered entities to determine how they are complying with requirements. This commenter questioned whether covered entities will be required to submit plans and wait for Departmental approval.

Another commenter suggested that the Secretary specify a time limit for the completion of a compliance review.

Response: We disagree with the commenters that the final rule should restrict the Secretary's ability to conduct compliance reviews. The Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.

Section 160.310(a) and (c) - The Secretary's Access to Information in Determining Compliance

Comment: Some commenters raised objections to provisions in the proposed rule which required that covered entities maintain records and submit compliance reports as the Secretary determines is necessary to determine compliance, and required that covered entities permit access by the Secretary during normal business hours to their books, records, accounts, and other sources of information, including protected health information, and their facilities, that are pertinent to ascertaining compliance with this subpart. One commenter stated that the Secretary's access to private health information without appropriate patient consent is contrary to the intent of HIPAA. Another commenter expressed the view that, because covered entities face criminal penalties for violations, these provisions violate the Fifth Amendment protections against forced self-incrimination. Other commenters stated that covered entities should be given the reason the Secretary needs to have access to their books and records. Another commenter stated that there should be a limit to the frequency or extent of intrusion by the federal government into the business practices of a covered entity and that these provisions violate the Fourth Amendment of the Constitution.

Finally, a coalition of church plans suggested that the Secretary provide church plans with additional procedural safeguards to reduce unnecessary intrusion into internal church operations. These suggested safeguards included permitting HHS to obtain records and other documents only if they are relevant and necessary to compliance and enforcement activities related to church plans, requiring a senior official to determine the appropriateness of compliance-related activities for church plans, and providing church plans with a self-correcting period similar to that Congress expressly provided in Title I of HIPAA under the tax code.

Response: The final rule retains the proposed language in these two provisions with one change. The rule adds a provision indicating that the Secretary's access to information held by the covered entity may be at any time and without notice where exigent circumstances exist, such as where time is of the essence because documents might be hidden or destroyed. Thus, covered entities will generally receive notice before the Secretary seeks to access the entity's books or records.

Other than the exigent circumstances language, the language in these two provisions is virtually the same as the language in this Department's regulation implementing Title VI of the Civil Rights Act of 1964. 45 CFR 80.6(b) and (c). The Title VI regulation is incorporated by reference in other Department regulations prohibiting discrimination on the basis of disability. 45 CFR 84.61. Similar provisions allowing this Department access to recipient information are found in the Secretary's regulation implementing the Age Discrimination Act. 45 CFR 91.34. These provisions have not proved to be burdensome to entities that are subject to these civil rights regulations (i.e., all recipients of Department funds).

We do not interpret Constitutional case law as supporting the view that a federal agency's review of information pursuant to statutory mandate violates the Fifth Amendment protections against forced self-incrimination. Nor would such a review of this information raise Fourth Amendment problems. See the discussion above regarding Constitutional comments and responses.

We appreciate the concern that the Secretary not involve herself unnecessarily in the internal operations of church plans. However, by providing health insurance or care to their employees, church plans are engaging in a secular activity. Under the regulation, church plans are subject to the same compliance and enforcement requirements with which other covered entities must comply. Because Congress did not carve out specific exceptions or require stricter standards for investigations related to church plans, incorporating such measures into the regulation would be inappropriate.

Additionally, there is no indication that the regulation will directly interfere with the religious practices of church plans. Also, the regulation as written appropriately limits the ability of investigators to obtain information from covered entities. The regulation provides that the Secretary may obtain access only to information that is pertinent to ascertaining compliance with the regulation. We do not anticipate asking for information that is not necessary to assess compliance with the regulation. The purpose of obtaining records and similar materials is to determine compliance, not to engage in any sort of review or evaluation of religious activities or beliefs. Therefore, we believe the regulation appropriately balances the need to access information to determine compliance with the desire of covered entities to avoid opening every record in their possession to the government.

Provision of Technical Assistance

Comment: A number of commenters inquired as to how a covered entity can request technical assistance from the Secretary to come into compliance. A number of commenters suggested that the Secretary provide interpretive guidance to assist with compliance. Others recommended that the Secretary have a contact person or privacy official, available by telephone or email, to provide guidance on the appropriateness of a disclosure or a denial of access. One commenter suggested that there be a formal process for a covered entity to submit compliance activities to the Secretary for prior approval and clarification. This commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to help correct any ambiguities and confusion in implementation. It was also suggested that the Secretary undertake an assessment of "best practices" of covered entities and document and promote the findings to serve as a convenient "road map" for other covered entities. Another commenter suggested that we work with providers to create implementation guidelines modeled after the interpretative guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors.

Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA's Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary's technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at "best practices" and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance.

Basis for Violation Findings and Enforcement

Comment: A number of commenters asked that covered entities not be liable for violations of the rule if they have acted in good faith. One commenter indicated that enforcement actions should not be pursued against covered entities that make legitimate business decisions about how to comply with the privacy standards.

Response: The commenters seemed to argue that even if a covered entity does not comply with a requirement of the rule, the covered entity should not be liable if there was an honest and sincere intention or attempt to fulfill its obligations. The final rule, however, does not take this approach but instead draws careful distinctions between what a covered entity must do unconditionally, and what a covered entity must make certain reasonable efforts to do. In addition, the final rule is clear as to the specific provisions where "good faith" is a consideration. For example, a covered entity is permitted to use and disclose protected health information without authorization based on criteria that include a good faith belief that such use or disclosure is necessary to avert an imminent threat to health or safety (§ 164.512(j)(1)(i)). Therefore, covered entities need to pay careful attention to the specific language in each requirement. However, we note that many of these provisions can be implemented in a variety of ways; e.g., covered entities can exercise business judgment regarding how to conduct staff training.

As to enforcement, a covered entity will not necessarily suffer a penalty solely because an act or omission violates the rule. As we discuss elsewhere, the Department will exercise discretion to consider not only the harm done, but the willingness of the covered entity to achieve voluntary compliance. Further, the Administrative Simplification provisions of HIPAA provide that whether a violation was known or not is relevant in determining whether civil or criminal penalties apply. In addition, if a civil penalty applies, HIPAA allows the Secretary, where the failure to comply was due to reasonable cause and not to willful neglect, to delay the imposition of the penalty to allow the covered entity to comply. The Department will develop and release for public comment an enforcement regulation applicable to all the administrative simplification regulations that will address these issues.

Comment: One commenter asked whether hospitals will be vicariously liable for the violations of their employees and expressed concern that hospitals and other providers will be the ones paying large fines.

Response: The enforcement regulation will address this issue. However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation.

Comment: A commenter expressed the concern that if a covered entity acquires a non-compliant health plan, it would be liable for financial penalties. This commenter suggested that, at a minimum, the covered entity be given a grace period of at least a year, but not less than six months to bring any acquisition up to standard. The commenter stated that the Secretary should encourage, not discourage, compliant companies to acquire non-compliant ones. Another commenter expressed a general concern about resolution of enforcement if an entity faced with a HIPAA complaint acquires or merges with an entity not covered by HIPAA.

Response: As discussed above, the Secretary will encourage voluntary efforts to cure violations of the rule, and will consider that fact in determining whether to bring a compliance action. We do not agree, however, that we should limit our authority to pursue violations of the rule if the situation warrants it.

Comment: One commenter was concerned about the "undue risk" of liability on originators of information, stemming from the fact that "the number of covered entities is limited and they are unable to restrict how a recipient of information may use or re-disclose information..."

Response: Under this rule, we do not hold covered entities responsible for the actions of recipients of protected health information, unless the recipient is a business associate of the covered entity. We agree that it is not fair to hold covered entities responsible for the actions of persons with whom they have no on-going relationship, but believe it is fair to expect covered entities to hold their business associates to appropriate standards of behavior with respect to health information.

Other Compliance and Enforcement Comments

Comment: A number of comments raised questions regarding the Secretary's priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/consumer empowerment approach to consumer privacy in the online environment.

Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in using a particular standard or meeting another requirement.

We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur.

Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed.

Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at § 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy.

It is not clear, regarding the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy of, or review, psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed, such as where we need to confirm that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes are generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.

Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively."

Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard.

Coordination with Reviewing Authorities

Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement.

A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare's Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare.

Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such information. In developing our enforcement program, we may explore ways to coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interest in protecting privacy.

We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that individuals be required to exhaust a covered entity's internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights they have under state law, including any right to file privacy complaints. We do not have the authority to interfere with state processes, and HIPAA explicitly provides that we cannot preempt state laws that provide greater privacy protection.

We have not yet addressed whether this regulation might be used as a basis for violation findings or penalties under other Department authorities. We note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records, as well as to afford patients the right to the confidentiality of their clinical records.

Penalties

Comment: Many commenters considered the statutory penalties insufficient to protect privacy, stating that the civil penalties are too weak to have the impact needed to reduce the risk of inappropriate disclosure. Some commenters took the opposing view and stated that large fines and prison sentences for violations would discourage physicians from transmitting any sort of health care information to any other agency, regardless of the medical necessity. Another comment expressed the concern that doctors will be at risk of going to jail for protecting the privacy of individuals (by not disclosing information the government believes should be released).

Response: The enforcement regulation will address the application of the civil monetary and criminal penalties under HIPAA. The regulation will be published in the Federal Register as a proposed regulation and the public will have an opportunity to comment. We do not believe that our rule, and the penalties available under it, will discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties.

Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are necessary and would preclude the need for a private right of action. Another commenter stated that he does not believe that the statute intended to give individuals the equivalent of a right to sue, which results from making individuals third party beneficiaries to contracts between business partners.

Response: We do not have the authority to provide a private right of action by regulation. As discussed below, the final rule deletes the third party beneficiary provision that was in the proposed rule.

However, we believe that, in addition to strong civil monetary penalties, federal law should allow any individual whose rights have been violated to bring an action for actual damages and equitable relief. The Secretary's Recommendations, which were submitted to Congress on September 11, 1997, called for a private right of action to permit individuals to enforce their privacy rights.

Comment: One comment stated that, in calculating civil monetary penalties, the criteria should include aggravating or mitigating circumstances and whether the violation is a minor or first time violation. Several comments stated that penalties should be tiered so that those that commit the most egregious violations face stricter civil monetary penalties.

Response: As mentioned above, issues regarding civil fines and criminal penalties will be addressed in the enforcement regulation.

Comment: One comment stated that the regulation should clarify whether a single disclosure that involved the health information of multiple parties would constitute a single or multiple infractions, for the purpose of calculating the penalty amount.

Response: The enforcement regulation will address the calculation of penalties. However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000).

PART 164 - SUBPART A - GENERAL REQUIREMENTS

PART 164 - SUBPART B-D - RESERVED

PART 164 - SUBPART E - PRIVACY

SECTION 164.500 - APPLICABILITY

Covered Entities

The response to comments on covered entities is included in the response to comments on the definition of "covered entity" in the preamble discussion of § 160.103.

Covered Information

The response to comments on covered information is included in the response to comments on the definition of "protected health information" in the preamble discussion of § 164.501.

SECTION 164.501--DEFINITIONS

Designated record set.

Comment: Many commenters generally supported our proposed definition of designated record set. Commenters suggested different methods for narrowing the information accessible to individuals, such as excluding information obtained without face-to-face interaction (e.g., phone consultations). Other commenters recommended broadening the information accessible to individuals, such as allowing access to "the entire medical record," not just a designated record set. Some commenters advocated for access to all information about individuals. A few commenters generally supported the provision but recommended that consultation and interpretative assistance be provided when the disclosure may cause harm or misunderstanding.

Response: We believe individuals should have a right to access any protected health information that may be used to make decisions about them and modify the final rule to accomplish this result. This approach facilitates an open and cooperative relationship between individuals and covered health care providers and health plans and allows individuals fair opportunities to know what health information may be used to make decisions about them. We list certain records that are always part of the designated record set. For covered providers these are the medical record and billing record. For health plans these are the enrollment, payment, claims adjudication, and case or medical management records. The purpose of these specified records is management of the accounts and health care of individuals. In addition, we include in the designated record set to which individuals have access any record used, in whole or in part, by or for the covered entity to make decisions about individuals. Only protected health information that is in a designated record set is covered. Therefore, if a covered provider has a phone conversation, information obtained during that conversation is subject to access only to the extent that it is recorded in the designated record set.

We do not require a covered entity to provide access to all individually identifiable health information, because the benefits of access to information not used to make decisions about individuals are limited and are outweighed by the burdens on covered entities of locating, retrieving, and providing access to such information. Such information may be found in many types of records that include significant information not relevant to the individual as well as information about other persons. For example, a hospital's peer review files that include protected health information about many patients but are used only to improve patient care at the hospital, and not to make decisions about individuals, are not part of that hospital's designated record sets.

We encourage but do not require covered entities to provide interpretive assistance to individuals accessing their information, because such a requirement could impose administrative burdens that outweigh the benefits likely to accrue.

The importance to individuals of having the right to inspect and copy information about them is supported by a variety of industry groups and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that individuals have access to medical records and medical record information. (2) The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to review records and have a copy made in a form comprehensible to the individual. In its report "Best Principles for Health Privacy," the Health Privacy Working Group recommended that individuals should have the right to access information about them. (3) The National Association of Insurance Commissioners' Health Information Privacy Model Act establishes the right of an individual to examine or receive a copy of protected health information in the possession of the carrier or a person acting on behalf of the carrier.

Many states also establish a right for individuals to access health information about them. For example, Alaska law (AK Code 18.23.005) entitles patients "to inspect and copy any records developed or maintained by a health care provider or other person pertaining to the health care rendered to the patient." Hawaii law (HRS section 323C-11) requires health care providers and health plans, among others, to permit individuals to inspect and copy protected health information about them. Many other states have similar provisions.

Industry and standard-setting organizations also have developed policies to enable individual access to health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, "Patients' confidence in the protection of their information requires that they have the means to know what is contained in their records. The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment." (4) Standards of the American Society for Testing and Materials state, "The patient or his or her designated personal representative has access rights to the data and information in his or her health record and other health information databases except as restricted by law. An individual should be able to inspect or see his or her health information or request a copy of all or part of the health information, or both." (5) We build on this well-established principle in this final rule.

Comment: Several commenters advocated for access to not only information that has already been used to make decisions, but also information that may be used to make decisions. Other commenters believed accessible information should be more limited; for example, some commenters argued that accessible information should be restricted to only information used to make health care decisions.

Response: We agree that it is desirable that individuals have access to information reasonably likely to be used to make decisions about them. On the other hand, it is desirable that the category of records covered be readily ascertainable by the covered entity. We therefore define "designated record set" to include certain categories of records (a provider's medical record and billing record, the enrollment records, and certain other records maintained by a health plan) that are normally used, and are reasonably likely to be used, to make decisions about individuals. We also add a category of other records that are, in fact, used, in whole or in part, to make decisions about individuals. This category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

We disagree that accessible information should be restricted to information used to make health care decisions, because other decisions by covered entities can also affect individuals' interests. For example, covered entities make financial decisions about individuals, such as whether an individual's deductible has been met. Because such decisions can significantly affect individuals' interests, we believe they should have access to any protected health information included in such records.

Comment: Some commenters believed the rule should use the term "retrievable" instead of "retrieved" to describe information accessible to individuals. Other commenters suggested that the rule follow the Privacy Act's principle of allowing access only when entities retrieve records by individual identifiers. Some commenters requested clarification that covered entities are not required to maintain information by name or other patient identifier.

Response: We have modified the proposed definition of the designated record set to focus on how information is used, not how it is retrieved. Information may be retrieved or retrievable by name, but if it is never used to make decisions about any individuals, the burdens of requiring a covered entity to find it and to redact information about other individuals outweigh any benefits to the individual of having access to the information. When the information might be used to affect the individual's interests, however, that balance changes and the benefits outweigh the burdens. We confirm that this regulation does not require covered entities to maintain any particular record set by name or identifier.

Comment: A few commenters recommended denial of access for information relating to investigations of claims, fraud, and misrepresentations. Many commenters suggested that sensitive, proprietary, and legal documents that are "typical state law privileges" be excluded from the right to access. Specific suggestions for exclusion, either from the right of access or from the definition of designated record set, include quality assurance activities, information related to medical appeals, peer review and credentialing, attorney-client information, and compliance committee activities. Some commenters suggested excluding information already supplied to individuals on previous requests and information related to health care operations. However, some commenters felt that such information was already excluded from the definition of designated record set. Other commenters requested clarification that this provision will not prevent patients from getting information related to medical malpractice.

Response: We do not agree that records in these categories are never used to affect the interests of individuals. For example, while protected health information used for peer review and quality assurance activities typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set, we cannot say that this is true in all cases. We design this provision to be sufficiently flexible to work with the varying practices of covered entities.

The rule addresses several of these comments by excepting from the access provisions (§ 164.524) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Similarly, nothing in this rule requires a covered entity to divulge information covered by physician-patient or similar privilege. Under the access provisions, a covered entity may redact information in a record about other persons or information obtained under a promise of confidentiality, prior to releasing the information to the individual. We clarify that nothing in this provision would prevent access to information needed to prosecute or defend a medical malpractice action; the rules of the relevant court determine such access.

We found no persuasive evidence to support excluding information already supplied to individuals on previous requests. The burdens of tracking requests and the information provided pursuant to requests outweigh the burdens of providing the access requested. A covered entity may, however, discuss the scope of the request for access with the individual to facilitate the timely provision of access. For example, if the individual agrees, the covered entity could supply only the information created or received since the date access was last granted.

Disclosure.

Comment: A number of commenters asked that the definition of "disclosure" be modified so that it is clear that it does not include the release, transfer, provision of access to, or divulging in any other manner of protected health information to the individual who is the subject of that information. It was suggested that we revise the definition in this way to clarify that a health care provider may release protected health information to the subject of the information without first requiring that the patient complete an authorization form.

Response: We agree with the commenters' concern, but accomplish this result through a different provision in the regulation. In § 164.502 of this final rule, we specify that disclosures of protected health information to the individual are not subject to the limitations on disclosure of protected health information otherwise imposed by this rule.

Comment: A number of commenters stated that the regulation should not apply to disclosures occurring within or among different subsidiaries or components of the same entity. One commenter interpreted "disclosure" to mean outside the agency or, in the case of a state Department of Health, outside sister agencies and offices that directly assist the Secretary in performing Medicaid functions and are listed in the state plan as entitled to receive Medicaid data.

Response: We agree that there are circumstances under which related organizations may be treated as a single covered entity for purposes of protecting the privacy of health information, and modify the rule to accommodate such circumstances. In § 164.504 of the final rule, we specify the conditions under which affiliated companies may combine into a single covered entity and similarly describe which components of a larger organization must comply with the requirements of this rule. For example, transfers of information within the designated component or affiliated entity are uses while transfers of information outside the designated component or affiliated entity are disclosures. See the discussion of § 164.504 for further information and rationale. It is not clear from these comments whether the particular organizational arrangements described could constitute a single covered entity.

Comment: A commenter noted that the definition of "disclosure" should reflect that health plan correspondence containing protected health information, such as Explanation of Benefits (EOBs), is frequently sent to the policyholder. Therefore, it was suggested that the words "provision of access to" be deleted from the definition and that a "disclosure" be clarified to include the conveyance of protected health information to a third party.

Response: The definition is, on its face, broad enough to cover the transfers of information described and so is not changed. We agree that health plans must be able to send EOBs to policyholders. Sending EOB correspondence to a policyholder by a covered entity is a disclosure for purposes of this rule, but it is a disclosure for purposes of payment. Therefore, subject to the provisions of § 164.522(b) regarding Confidential Communications, it is permitted even if it discloses to the policyholder protected health information about another individual (see below).

Health care operations.

Comment: Several commenters stated that the list of activities within the definition of health care operations was too broad and should be narrowed. They asserted that the definition should be limited to exclude activities that have little or no connection to the care of a particular patient or to only include emergency treatment situations or situations constituting a clear and present danger to oneself or others.

Response: We disagree. We believe that narrowing the definition in the manner requested would place serious burdens on covered entities and impair their ability to conduct legitimate business and management functions.

Comment: Many commenters, including physician groups, consumer groups, and privacy advocates, argued that we should limit the information that can be used for health care operations to de-identified data. They argued that if an activity could be done with de-identified data, it should not be incorporated in the definition of health care operations.

Response: We disagree. We believe that many activities necessary for the business and administrative operations of health plans and health care providers are not possible with de-identified information or are possible only under unduly burdensome circumstances. For example, identified information may be used or disclosed during an audit of claims, for a plan to contact a provider about alternative treatments for specific patients, and in reviewing the competence of health care professionals. Further, not all covered entities have the same ability to de-identify protected health information. Covered entities with highly automated information systems will be able to use de-identified data for many purposes. Other covered entities maintain most of their records on paper, so a requirement to de-identify information would place too great a burden on the legitimate and routine business functions included in the definition of health care operations. Small businesses, which are most likely to have largely paper records, would find such a blanket requirement particularly burdensome.

Protected health information that is de-identified pursuant to § 164.514(a) is not subject to this rule. We hope this provides covered entities capable of de-identifying information with the incentive to do so.

Comment: Some commenters requested that we permit the use of demographic data (geographic location, age, gender, and race) separate from all other data for health care operations. They argued that demographic data was needed to establish provider networks and monitor providers to ensure that the needs of ethnic and minority populations were being addressed.

Response: The use of demographic data for the stated purposes is within the definition of health care operations; a special rule is not necessary.

Comment: Some commenters pointed out that the definition of health care operations is similar to, and at times overlaps with, the definition of research. In addition, a number of commenters questioned whether or not research conducted by the covered entity or its business partner must only be applicable to and used within the covered entity to be considered health care operations. Others questioned whether such studies or research performed internal to a covered entity are "health care operations" even if generalizable results may be produced.

Response: We agree that some health care operations have many of the characteristics of research studies and in the NPRM asked for comments on how to make this distinction. While no comment suggested a clear answer, the comments as a whole, together with our fact finding, led to the provisions in the final rule. The distinction between health care operations and research rests on whether the primary purpose of the study is to produce "generalizable knowledge." We have modified the definition of health care operations to include "quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities." If the primary purpose of the activity is to produce generalizable knowledge, the activity fits within this rule's definition of "research" and the covered entity must comply with § 164.508 or § 164.512, including obtaining an authorization or the approval of an institutional review board or privacy board. If not, and the activity otherwise meets the definition of health care operations, the activity is not research and may be conducted under the health care operations provisions of this rule.

In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that the covered entity wants to generalize. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the change in status of the activity to establish that it did not violate the requirements of this rule. (See definition of "research," below, for further information on the distinction between "research" and "health care operations.")

We note that the difficulty in determining when an activity is for the internal operations of an entity and when it is a research activity is a long-standing issue in the industry. The variation among commenters' views is one of many indications that, today, there is not consensus on how to draw this line. We do not resolve the larger issue here, but instead provide requirements specific to the information covered by this rule.

Comment: Several commenters asked that disease management and disability management activities be explicitly included in the definition of health care operations. Many health plans asserted that they would not be able to provide disease management, wellness, and health promotion activities if the activity were solely captured in the rule's definition of "treatment." They also expressed concern that "treatment" usually applies to an individual, not to a population, as is the practice for disease management.

Response: We were unable to find generally accepted definitions of the terms 'disease management' and 'disability management.' Rather than rely on these labels, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment, and modify both definitions to address the commenters' concerns. For example, we have revised the definition of health care operations to include population-based activities related to improving health or reducing health care costs. This topic is discussed further in the comment responses regarding the definition of 'treatment,' below.

Comment: Several commenters urged that the definition of health care operations be illustrative and flexible, rather than structured in the form of a list as in the proposed rule. They believed it would be impossible to identify all the activities that constitute health care operations. Commenters representing health plans were concerned that the "static" nature of the definition would stifle innovation and could not reflect the new functions that health plans may develop in the future that benefit consumers, improve quality, and reduce costs. Other commenters expressed support for the approach taken in the proposed rule, but felt the list was too broad.

Response: In the final rule, we revise the proposed definition of health care operations to broaden the list of activities included, but we do not agree with the comments asking for an illustrative definition rather than an inclusive list. Instead, we describe the activities that constitute health care operations in broad terms and categories, such as "quality assessment" and "business planning and development." We believe the use of broadly stated categories will allow industry innovation, but without the privacy risks entailed in an illustrative approach.

Comment: Several commenters noted that utilization review and internal quality review should be included in the definition. They pointed out that both of these activities were discussed in the preamble to the proposed rule but were not incorporated into the regulation text.

Response: We agree and have modified the regulation text to incorporate quality assessment and improvement activities, including the development of clinical guidelines and protocol development.

Comment: Several commenters stated that the proposal did not provide sufficient guidance regarding compiling and analyzing information in anticipation of or for use in legal proceedings. In particular, they raised concerns about the lack of specificity as to when "anticipation" would be triggered.

Response: We agree that this provision was confusing and have replaced it with a broader reference to conducting or arranging for legal services generally.

Comment: Hospital representatives pointed out the pressure on health care facilities to improve cost efficiencies, make cost-effectiveness studies, and benchmark essential health care operations. They emphasized that such activities often use identifiable patient information, although the products of the analyses usually do not contain identifiable health information. Commenters representing state hospital associations pointed out that they routinely receive protected health information from hospitals for analyses that are used by member hospitals for such things as quality of care benchmark comparisons, market share analysis, determining physician utilization of hospital resources, and charge comparisons.

Response: We have expanded the definition of health care operations to include use and disclosure of protected health information for the important functions noted by these commenters. We also allow a covered entity to engage a business associate to provide data aggregation services. See § 164.504(e).

Comment: Several commenters argued that many activities that are integral to the day-to-day operations of a health plan have not been included in the definition. Examples provided by the commenters include: issuing plan identification cards, customer service, computer maintenance, storage and back-up of radiologic images, and the installation and servicing of medical equipment or computer systems.

Response: We agree with the commenters that there are activities not directly part of treatment or payment, but more closely associated with the administrative or clerical functions of the plan or provider, that need to be included in the definition. To include such activities in the definition of health care operations, we eliminate the requirement that health care operations be directly related to treatment and payment, and we add to this definition the new categories of business management (including general administrative activities) and business planning activities.

Comment: One commenter asked for clarification on whether cost-related analyses could also be done by providers as well as health plans.

Response: Health care operations, including business management functions, are not limited to health plans. Any covered entity can perform health care operations.

Comment: One commenter stated that the proposed rule did not address what happens to records when a covered entity is sold or merged with another entity.

Response: We agree and add to the definition of health care operations disclosures of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the reorganization or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508 or if the disclosure is otherwise permitted under this rule.

Once a covered entity is sold or merged with another covered entity, the successor in interest becomes responsible for complying with this regulation with respect to the transferred information.

Comment: Several commenters expressed concern that the definition of health care operations failed to include the use of protected health information for the underwriting of new health care policies and took issue with the exclusion of uses and disclosures of protected health information of prospective enrollees. They expressed the concern that limiting health care operations to the underwriting and rating of existing members places a health plan in the position of not being able to evaluate prudently and underwrite a consumer's health care risk.

Response: We agree that covered entities should be able to use the protected health information of prospective enrollees to underwrite and rate new business and change the definition of health care operations accordingly. The definition of health care operations below includes underwriting, premium rating, and other activities related to the creation of a contract of health insurance.

Comment: Several commenters stated that group health plans needed to be able to use and disclose protected health information for purposes of soliciting a contract with a new carrier and rate setting.

Response: We agree and add "activities relating to the ... replacement of a contract of insurance" to cover such disclosures. See § 164.504 for the rules for plan sponsors of group health plans to obtain such information.

Comment: Commenters from the business community supported our recognition of the importance of financial risk transfer mechanisms in the health care marketplace by including "reinsurance" in the definition of health care operations. However, they stated that the term "reinsurance" alone was not adequate to capture "stop-loss insurance" (also referred to as excess of loss insurance), another type of risk transfer insurance.

Response: We agree with the commenters that stop-loss and excess of loss insurance are functionally equivalent to reinsurance and add these to the definition of health care operations.

Comment: Commenters from the employer community explained that there is a trend among employers to contract with a single insurer for all their insurance needs (health, disability, workers' compensation). They stated that in these integrated systems, employee health information is shared among the various programs in the system. The commenters believed the existing definition poses obstacles for those employers utilizing an integrated health system because of the need to obtain authorizations before being permitted to use protected health information from the health plan to administer or audit their disability or workers' compensation plan.

Other commenters representing employers stated that some employers wanted to combine health information from the different insurers and health plans providing employee benefits to their workforces, including their group health plans, workers' compensation insurers, and disability insurers, so that they would have more information with which to better manage the occurrence of disability and illness among their workforces. They expressed concern that the proposed rule would not permit such sharing of information.

Response: While we agree that integrating health information from different benefit programs may produce efficiencies as well as benefits for individuals, the integration also raises significant privacy concerns, particularly if there are no safeguards on uses and disclosures from the integrated data. Under HIPAA, we do not have jurisdiction over many types of insurers that use health information, such as workers' compensation insurers or insurers providing disability income benefits, and we cannot address the extent to which they provide individually identifiable health information to a health plan, nor do we prohibit a health plan from receiving such information. Once a health plan receives identifiable health information, however, the information becomes protected and may only be used and disclosed as otherwise permitted by this rule.

We clarify, however, that a covered entity may provide data and statistical analyses for its customers as a health care operation, provided that it does not disclose protected health information in a way that would otherwise violate this rule. A group health plan or health insurance issuer or HMO, or their business associate on their behalf, may perform such analyses for an employer customer and provide the results in de-identified form to the customer, using integrated data received from other insurers, as long as protected health information is not disclosed in violation of this rule. See the definition of "health care operations," § 164.501. If the employer sponsors more than one group health plan, or if its group health plan provides coverage through more than one health insurance issuer or HMO, the different covered entities may be an organized health care arrangement and be able to jointly participate in such an analysis as part of the health care operations of such organized health care arrangement. See the definitions of "health care operations" and "organized health care arrangement," § 164.501. We further clarify that a plan sponsor providing plan administration to a group health plan may participate in such an analysis, provided that the requirements of § 164.504(f) and other parts of this rule are met.

The results described above are the same whether the health information that is being combined is from separate insurers or from one entity that has a health component and also provides excepted benefits. See the discussion relating to health care components, § 164.504.

We note that under the arrangements described above, the final rule provides substantial flexibility to covered entities to provide general data and statistical analyses, resulting in the disclosure of de-identified information, to employers and other customers. An employer also may receive protected health information from a covered entity for any purpose, including those described in the comments above, with the authorization of the individual. See § 164.508.

Comment: A number of commenters asserted that the proposed definition appeared to limit training and educational activities to that of health care professionals, students, and trainees. They asked that we expand the definition to include other education-related activities, such as continuing education for providers and training of non-health care professionals as needed for supporting treatment or payment.

Response: We agree with the commenters that the definition of health care operations was unnecessarily limiting with respect to educational activities and expand the definition of health care operations to include "conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." We clarify that medical rounds are considered treatment, not health care operations.

Comment: A few commenters outlined the need to include the training of non-health care professionals, such as health data analysts, administrators, and computer programmers within the definition of health care operations. It was argued that, in many cases, these professionals perform functions which support treatment and payment and will need access to protected health information in order to carry out their responsibilities.

Response: We agree and expand the definition of health care operations to include training of non-health care professionals.

Comment: One commenter stated that the definition did not explicitly include physician credentialing and peer review.

Response: We have revised the definition to specifically include "licensing or credentialing activities." In addition, peer review activities are captured in the definition as reviewing the competence or qualifications of health care professionals and evaluating practitioner and provider performance.

Health oversight agency.

Comment: Some commenters sought to have specific organizations defined as health oversight agencies. For example, some commenters asked that the regulation text, rather than the preamble, explicitly list state insurance departments as an example of health oversight agencies. Medical device manufacturers recommended expanding the definition to include government contractors such as coding committees, which provide data to HCFA to help the agency make reimbursement decisions.

One federal agency sought clarification that several of its sub-agencies were oversight agencies; it was concerned about its status in part because the agency fits into more than one of the categories of health oversight agency listed in the proposed rule.

Other commenters recommended expanding the definition of oversight agency to include private-sector accreditation organizations. One commenter recommended stating in the final rule that private companies providing information to insurers and employers are not included in the definition of health oversight agency.

Response: Because the range of health oversight agencies is so broad, we do not include specific examples in the definition. We include many examples in the preamble above and provide further clarity here.

As under the NPRM, state insurance departments are an example of a health oversight agency. A commenter concerned about state trauma registries did not describe the registries' activities or legal charters, so we cannot clarify whether such registries may be health oversight agencies. Government contractors such as coding committees, which provide data to HCFA to support payment processes, are not thereby health oversight agencies under this rule. We clarify that public agencies may fit into more than one category of health oversight agency.

The definition of health oversight agency does not include private-sector accreditation organizations. While their work can promote quality in the health care delivery system, private accreditation organizations are not authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Under the final rule, we consider private accrediting groups to be performing a health care operations function for covered entities. Thus, disclosures to private accrediting organizations are disclosures for health care operations, not for oversight purposes.

When they are performing accreditation activities for a covered entity, private accrediting organizations will meet the definition of business associate, and the covered entity must enter into a business associate contract with the accrediting organization in order to disclose protected health information. This is consistent with current practice; today, accrediting organizations perform their work pursuant to contracts with the accredited entity. This approach is also consistent with the recommendation by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, which stated in their report titled Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment (1998) that "Oversight organizations, including accrediting bodies, states, and federal agencies, should include in their contracts terms that describe their responsibility to maintain the confidentiality of any personally identifiable health information that they review."

We agree with the commenter who believed that private companies providing information to insurers and employers are not performing an oversight function; the definition of health oversight agency does not include such companies.

In developing and clarifying the definition of health oversight in the final rule, we seek to achieve a balance in accounting for the full range of activities that public agencies may undertake to perform their health oversight functions while establishing clear and appropriate boundaries on the definition so that it does not become a catch-all category that public and private agencies could use to justify any request for information.

Individual.

Comment: A few commenters stated that foreign military and diplomatic personnel, and their dependents, and overseas foreign national beneficiaries, should not be excluded from the definition of "individual."

Response: We agree with concerns stated by commenters and eliminate these exclusions from the definition of "individual" in the final rule. Special rules for use and disclosure of protected health information about foreign military personnel are stated in § 164.512(k). Under the final rule, protected health information about diplomatic personnel is not accorded special treatment. While the exclusion of overseas foreign national beneficiaries has been deleted from the definition of "individual," we have revised § 164.500 to indicate that the rule does not apply to the Department of Defense or other federal agencies or non-governmental organizations acting on its behalf when providing health care to overseas foreign national beneficiaries. This means that the rule will not cover any health information created incident to the provision of health care to foreign nationals overseas by U.S. sponsored missions or operations. (See § 164.500 and its corresponding preamble for details and the rationale for this policy.)

Comment: Several commenters expressed concern about the interrelationship of the definition of "individual" and the two year privacy protection for deceased persons.

Response: In the final rule, we eliminate the two year limit on privacy protection for protected health information about deceased individuals and require covered entities to comply with the requirements of the rule with respect to the protected health information of deceased individuals as long as they hold such information. See discussion under § 164.502.

Individually identifiable health information.

Comment: A number of commenters suggested that HHS revise the definitions of health information and individually identifiable health information to include consistent language in paragraph (1) of each respective definition. They observed that paragraph (1) of the definition of health information reads: "(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse...;" in contrast to paragraph (1) of the definition of individually identifiable health information, which reads: "(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse..." [Emphasis added.]

Another commenter asked that we delete from the definition of health information, the words "health or" to make the definition more consistent with the definition of "health care," as well as the words "whether oral or."

Response: We define these terms in the final rule as they are defined by Congress in sections 1171(4) and 1171(6) of the Act, respectively. We have, however, changed the word "from" in the definition of "individually identifiable health information" to conform to the statute.

Comment: Several commenters urged that the definition of individually identifiable health information include information created or received by a researcher. They reasoned that it is important to ensure that researchers using personally identifiable health information are subject to federal privacy standards. They also stated that if information created by a school regarding the health status of its students could be labeled "health information," then information compiled by a clinical researcher regarding an individual also should be considered health information.

Response: We are restricted to the statutory limits of the terms. The Congress did not include information created or received by a researcher in either definition, and, consequently, we do not include such language in the rule's definitions.

Comment: Several commenters suggested modifying the definition of individually identifiable health information to state as a condition that the information provide a direct means of identifying the individual. They commented that the rule should support the need of those (e.g., researchers) who need "ready access to health information... that remains linkable to specific individuals."

Response: The Congress included in the statutory definition of individually identifiable health information the modifier "reasonable basis" when describing the condition for determining whether information can be used to identify the individual. Congress thus intended to go beyond "direct" identification and to encompass circumstances in which a reasonable likelihood of identification exists. Even after removing "direct" or "obvious" identifiers of information, a risk or probability of identification of the subject of the information may remain; in some instances, the risk will not be inconsequential. Thus, we agree with the Congress that "reasonable basis" is the appropriate standard to adequately protect the privacy of individuals' health information.

Comment: A number of commenters suggested that the Secretary eliminate the distinction between protected health information and individually identifiable health information. One commenter asserted that all individually identifiable health information should be protected. One commenter observed that the terms individually identifiable health information and protected health information are defined differently in the rule and requested clarification as to the precise scope of coverage of the standards. Another commenter stated that the definition of individually identifiable health information includes "employer," whereas protected health information pertains only to covered entities for which employers are not included. The commenter argued that this was an "incongruity" between the definitions of individually identifiable health information and protected health information and recommended that we remove "employer" from the definition of individually identifiable health information.

Response: We define individually identifiable health information in the final rule generally as it is defined by Congress in section 1171(6) of the Act. Because "employer" is included in the statutory definition, we cannot accept the comment to remove the word "employer" from the regulatory definition.

We use the phrase "protected health information" to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. "Individually identifiable health information" as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase "protected health information" is necessary to define that individually identifiable health information to which this rule applies.

Comment: One commenter noted that the definition of individually identifiable health information in the NPRM appeared to be the same definition used in the other HIPAA proposed rule, Security and Electronic Signature Standards (63 FR 43242). However, the commenter stated that the additional condition in the privacy NPRM, that protected health information is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form, appears to create potential disparity between the requirements of the two rules. The commenter questioned whether the provisions in proposed § 164.518(c) were an attempt to install similar security safeguards for such situations.

Response: The statutory definition of individually identifiable health information applies to the entire Administrative Simplification subtitle of HIPAA and, thus, was included in the proposed Security Standards. At this time, however, the final Security Standards have not been published, so the definition of protected health information is relevant only to HIPAA's privacy standards and is, therefore, included in Subpart E of Part 164 only. We clarify that the requirements in the proposed Security Standards are distinct and separate from the privacy safeguards promulgated in this final rule.

Comment: Several commenters expressed confusion and requested clarification as to what is considered health information or individually identifiable health information for purposes of the rule. For example, one commenter was concerned that information exists in collection agencies, credit bureaus, etc., which could be included under the proposed regulation but may or may not have been originally obtained by a covered entity. The commenter noted that generally this information is not clinical, but it could be inferred from the data that a health care provider provided a person or a member of a person's family with health care services. The commenter urged the Secretary to define more clearly what information is covered and when.

One commenter queried how a non-medical record keeper could tell when personal information is health information within the meaning of the rule, e.g., when a worker asks for a low-salt meal in a company cafeteria, when a travel voucher of an employee indicates that the traveler returned from an area that had an outbreak of fever, or when an airline passenger requests a wheelchair. It was suggested that the rule cover health information in the hands of schools, employers, and life insurers only when they receive individually identifiable health information from a covered entity or when they create it while providing treatment or making payment.

Response: This rule applies only to individually identifiable health information that is held by a covered entity. Credit bureaus, airlines, schools, and life insurers are not covered entities, so the information described in the above comments is not protected health information. Similarly, employers are not covered entities under the rule. Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse's sick leave is not protected health information under this rule.

Comment: One commenter recommended that the privacy of health information should relate to actual medical records. The commenter expressed concern about the definition's broadness and contended that applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers.

Response: We disagree. Health information about individuals exists in many types of records, not just the formal medical record about the individual. Limiting the rule's protections to individually identifiable health information contained in medical records, rather than individually identifiable health information in any form, would omit a significant amount of individually identifiable health information, including much information in covered transactions.

Comment: One commenter voiced a need for a single standard for individually identifiable health information and disability and workers' compensation information; each category of information is located in the commenter's one electronic database, but would be subjected to a different set of use and transmission rules.

Response: We agree that a uniform, comprehensive privacy standard is desirable. However, our authority under the HIPAA is limited to individually identifiable health information as it is defined in the statute. The legislative history of HIPAA makes clear that workers' compensation and disability benefits programs were not intended to be covered by the rule. Entities are of course free to apply the protections required by this rule to all health information they hold, including the excepted benefits information, if they wish to do so (for example, in order to reduce administrative burden).

Comment: Commenters recommended that the definition of individually identifiable health information not include demographic information that does not have any additional health, treatment, or payment information with it. Another commenter recommended that protected health information should not include demographic information at all.

Response: Congress explicitly included demographic information in the statutory definition of this term, so we include such language in our regulatory definition of it.

Comment: A number of commenters expressed concern about whether references to personal information about individuals, such as "John Doe is fit to work as a pipe fitter ..." or "Jane Roe can stand no more than 2 hours ...", would be considered individually identifiable health information. They argued that such "fitness-to-work" and "fitness for duty" statements are not health care because they do not reveal the type of information (such as the diagnosis) that is detrimental to an individual's privacy interest in the work environment.

Response: References to personal information such as those suggested by the commenters could be individually identifiable health information if the references were created or received by a health care provider, health plan, employer, or health care clearinghouse and they related to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Although these fitness for duty statements may not reveal a diagnosis, they do relate to a present physical or mental condition of an individual because they describe the individual's capacity to perform the physical and mental requirements of a particular job at the time the statement is made (even though there may be other non-health-based qualifications for the job). If these statements were created or received by one or more of the entities described above, they would be individually identifiable health information.

Law enforcement official.

Comment: Some commenters, particularly those representing health care providers, expressed concern that the proposed definition of "law enforcement official" could have allowed many government officials without health care oversight duties to obtain access to protected health information without patient consent.

Response: We do not intend for the definition of "law enforcement official" to be limited to officials with responsibilities directly related to health care. Law enforcement officials may need protected health information for investigations or prosecutions unrelated to health care, such as investigations of violent crime, criminal fraud, or crimes committed on the premises of health care providers. For these reasons, we believe it is not appropriate to limit the definition of "law enforcement official" to persons with responsibility for oversight of the health care system.

Comment: A few commenters expressed concern that the proposed definition could include any county or municipal official, even those without traditional law enforcement training.

Response: We do not believe that determining training requirements for law enforcement officials is appropriately within the purview of this regulation; therefore, we do not make the changes that these commenters requested.

Comment: Some commenters, particularly those from the district attorney community, expressed general concern that the proposed definition of "law enforcement official" was too narrow to account for the variation in state interpretations of law enforcement officials' power. One group noted specifically that the proposed definition could have prevented prosecutors from gaining access to needed protected health information.

Response: We agree that protected health information may be needed by law enforcement officials for both investigations and prosecutions. We did not intend to exclude the prosecutorial function from the definition of "law enforcement official," and accordingly we modify the definition of law enforcement official to reflect their involvement in prosecuting cases. Specifically, in the final rule, we define law enforcement official as an official of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Comment: One commenter recommended making the definition of law enforcement official broad enough to encompass Medicaid program auditors, because some matters requiring civil or criminal law enforcement action are first identified through the audit process.

Response: We disagree. Program auditors may obtain protected health information necessary for their audit functions under the oversight provision of this regulation (§ 164.512(d)).

Comment: One commenter suggested that the proposed definition of "law enforcement official" could be construed as limited to circumstances in which an official "knows" that law has been violated. This commenter was concerned that, because individuals are presumed innocent and because many investigations, such as random audits, are opened without an agency knowing that there is a violation, the definition would not have allowed disclosure of protected health information for these purposes. The commenter recommended modifying the definition to include investigations into "whether" the law has been violated.

Response: We do not intend for lawful disclosures of protected health information for law enforcement purposes to be limited to those in which a law enforcement official knows that law has been violated. Accordingly, we revise the definition of "law enforcement official" to include investigations of "potential" violations of law.

Marketing.

Comments related to "marketing" are addressed in the responses to comments regarding § 164.514(e).

Payment.

Comment: One commenter urged that the Department not permit protected health information to be disclosed to a collection agency for collecting payment on a balance due on patient accounts. The commenter noted that, at best, such a disclosure would only require the patient's and/or insured's address and phone number.

Response: We disagree. A collection agency may require additional protected health information to investigate and assess payment disputes for the covered entity. For example, the collection agency may need to know what services the covered entity rendered in order to resolve disputes about amounts due. The information necessary may vary, depending on the nature of the dispute. Therefore we do not specify the information that may be used or disclosed for collection activities. The commenter's concern may be addressed by the minimum necessary requirements in § 164.514. Under those provisions, when a covered entity determines that a collection agency only requires limited information for its activities, it must make reasonable efforts to limit disclosure to that information.

Comment: A number of commenters supported retaining the expansive definition in the proposed rule so that current methods of administering the claims payment process would not be hindered by blocking access to protected health information.

Response: We agree and retain the proposed overall approach to the definition.

Comment: Some commenters argued that the definition of "payment" should be narrowly interpreted as applying only to the individual who is the subject of the information.

Response: We agree with the commenter and modify the definition to clarify that payment activities relate to the individual to whom health care is provided.

Comment: Another group of commenters asserted that the doctor-patient relationship was already being interfered with by the current practices of managed care. For example, it was argued that the definition expanded the power of government and other third party "payors," turning them into controllers along with managed care companies. Others stated that activities provided for under the definition occur primarily to fulfill the administrative function of managed health plans and that an individual's privacy is lost when his or her individually identifiable health information is shared for administrative purposes.

Response: Activities we include in the definition of payment reflect core functions through which health care and health insurance services are funded. It would not be appropriate for a rule about health information privacy to hinder mechanisms by which health care is delivered and financed. We do not through this rule require any health care provider to disclose protected health information to governmental or other third party payors for the activities listed in the payment definition. Rather, we allow these activities to occur, subject to and consistent with the requirements of this rule.

Comment: Several commenters requested that we expand the definition to include "coordination of benefits" as a permissible activity.

Response: We agree and modify the definition accordingly.

Comment: A few commenters raised concerns that the use of "medical data processing" was too restrictive. It was suggested that a broader reference such as "health related" data processing would be more appropriate.

Response: We agree and modify the definition accordingly.

Comment: Some commenters suggested that the final rule needed to clarify that drug formulary administration activities are payment related activities.

Response: While we agree that uses and disclosures of protected health information for drug formulary administration and development are common and important activities, we believe these activities are better described as health care operations and that these activities come within that definition.

Comment: Commenters asked that the definition include calculation of prescription drug costs, drug discounts, and maximum allowable costs and copayments.

Response: Calculations of drug costs, discounts, or copayments are payment activities if performed with respect to a specific individual and are health care operations if performed in the aggregate for a group of individuals.

Comment: We were urged to specifically exclude "therapeutic substitution" from the definition.

Response: We reject this suggestion. While we understand that there are policy concerns regarding therapeutic substitution, those policy concerns are not primarily about privacy and thus are not appropriately addressed in this regulation.

Comment: A few commenters asked that patient assistance programs (PAPS) be excluded from the definition of payment. Such programs are run by or on behalf of manufacturers and provide free or discounted medications to individuals who could not afford to purchase them. Commenters were concerned that including such activities in the definition of payment could harm these programs.

For example, a university school of pharmacy may operate an outreach program and serve as a clearinghouse for information on various pharmaceutical manufacturer PAPS. Under the program state residents can submit a simple application to the program (including medication regimen and financial information), which is reviewed by program pharmacists who study the eligibility criteria and/or directly call the manufacturer's program personnel to help evaluate eligibility for particular PAPS. The program provides written guidance to the prescribing physicians that includes a suggested approach for helping their indigent patients obtain the medications that they need and enrollment information for particular PAPS.

Response: We note that the concerns presented are not affected by the definition of "payment." The application of this rule to patient assistance program activities will depend on how the individual programs operate and is affected primarily by the definition of treatment. Each of these programs functions differently, so it is not possible to state a blanket rule for whether and how the rule affects such programs.

Under the example provided, the physician who contacts the program on behalf of a patient is managing the patient's care. If the provider is also a covered entity, he or she would be permitted to make such a "treatment" disclosure of protected health information if a general consent had been obtained from the patient. Depending on the particular facts, the manufacturer, by providing the prescription drugs for an individual, could also be providing health care under this rule. Even so, however, the manufacturer may or may not be a covered entity, depending on whether or not it engages in any of the standard electronic transactions (See the definition of a covered entity). It also may be an indirect treatment provider, since it may be providing the product through another provider, not directly to the patient. In this example, the relevant disclosures of protected health information by any covered health care provider with a direct treatment relationship with the patient would be permitted subject to the general consent requirements of § 164.506.

Whether and how this rule affects the school of pharmacy is equally dependent on the specific facts. For example, if the school merely provides a patient or a physician with the name of a manufacturer and a contact phone number, it would not be functioning as a health care provider and would not be subject to the rule. However, if the school is more involved in the care of the individual, its activities could come within the definition of "health care provider" under this rule.

Comment: Commenters pointed out that drugs may or may not be "covered" under a plan. Individuals, on the other hand, may or may not be "eligible" for benefits under a plan. The definition should incorporate both terms to clarify that determinations of both coverage and eligibility are payment activities.

Response: We agree and modify the rule to include "eligibility".

Comment: Several commenters urged that "concurrent and retrospective review" were significant utilization review activities and should be incorporated.

Response: We agree and modify the definition accordingly.

Comment: Commenters noted that the proposed rule was not clear as to whether protected health information could be used to resolve disputes over coverage, including appeals or complaints regarding quality of care.

Response: We modify the definition of payment to include resolution of payment and coverage disputes; the final definition of payment includes "the adjudication ... of health benefit claims." The other examples provided by commenters, such as arranging, conducting, or assistance with primary and appellate level review of enrollee coverage appeals, also fall within the scope of adjudication of health benefits claims. Uses and disclosures of protected health information to resolve disputes over quality of care may be made under the definition of "health care operations" (see above).

Comment: Some commenters suggested that if an activity falls within the scope of payment it should not be considered marketing. Commenters supported an approach that would bar such an activity from being construed as "marketing" even if performing that activity would result in financial gain to the covered entity.

Response: We agree that the proposed rule did not clearly define 'marketing,' leaving commenters to be concerned about whether payment activities that result in financial gain might be considered marketing. In the final rule we add a definition of marketing and clarify when certain activities that would otherwise fall within that definition can be accomplished without authorization. We believe that these changes will clarify the distinction between marketing and payment and address the concerns raised by commenters.

Comment: Commenters asserted that HHS should not include long-term care insurance within the definition of "health plan". If they are included, the commenters argued that the definition of payment must be modified to reflect the activities necessary to support the payment of long-term care insurance claims. As proposed, commenters argued that the definition of payment would not permit long term care insurers to use and disclose protected health information without authorization to perform functions that are "compatible with and directly relate to...payment" of claims submitted under long term care policies.

Response: Long-term care policies, except for nursing home fixed-indemnity policies, are defined as health plans by the statute (see definition of "health plan," above). We disagree with the assertion that the definition of payment does not permit long term care insurers to undertake these necessary activities. Processing of premium payments, claims administration, and other activities suggested for inclusion by the commenters are covered by the definition. The rule permits protected health information to be used or disclosed by a health plan to determine or fulfill its responsibility for provision of benefits under the health plan.

Comment: Some commenters argued that the definition needs to be expanded to include the functions of obtaining stop-loss and ceding reinsurance.

Response: We agree that use and disclosure of protected health information for these activities should be permitted without authorization, but have included them under health care operation rather than payment.

Comment: Commenters asked that the definition be modified to include collection of accounts receivable or outstanding accounts. Commenters raised concern that the proposed rule, without changes, might unintentionally prevent the flow of information between medical providers and debt collectors.

Response: We agree that the proposed definition of payment did not explicitly provide for "collection activities" and that this oversight might have impeded a covered entity's debt collection efforts. We modify the regulatory text to add "collection activities."

Comment: The preamble should clarify that self-insured group health and workers' compensation plans are not covered entities or business partners.

Response: The statutory definition of health plan does not include workers' compensation products. See the discussion of "health plan" under § 160.103 above.

Comment: Certain commenters explained that third party administrators usually communicate with employees through Explanation of Benefit (EOB) reports on behalf of their dependents (including those who might not be minor children). Thus, the employee might be apprised of the medical encounters of his or her dependents but not of medical diagnoses unless there is an overriding reason, such as a child suspected of drug abuse due to multiple prescriptions. The commenters urged that the current claim processing procedures be allowed to continue.

Response: We agree. We interpret the definition of payment and, in particular, the term "claims management," to include such disclosures of protected health information.

Comment: One private company noted that pursuant to the proposed Transactions Rule standard for payment and remittance advice, the ASC X12N 835 can be used to make a payment, send a remittance advice, or make a payment and send remittance advice by a health care payor and a health care provider, either directly or through a designated financial institution. Because a remittance advice includes diagnostic or treatment information, several private companies and a few public agencies believed that the proposed Transactions Rule conflicted with the proposed privacy rule. Two health plans requested guidance as to whether, pursuant to the ASC X12N 835 implementation guide, remittance advice information is considered "required" or "situational." They sought guidance on whether covered entities could include benefits information in payment of claims and transfer of remittance information.

One commenter asserted that if the transmission of certain protected health information were prohibited, health plans may be required to strip remittance advice information from the ASC X12N 835 when making health care payments. It recommended modifying the proposed rule to allow covered entities to provide banks or financial institutions with the data specified in any transaction set mandated under the Transactions Rule for health care claims payment.

Similarly, a private company and a state health data organization recommended broadening the scope of permissible disclosures pursuant to the banking section to include integrated claims processing information, as contained in the ASC X12N 835 and proposed for adoption in the proposed Transactions Rule; this transaction standard includes diagnostic and treatment information. The company argued that inclusion of diagnostic and treatment information in the data transmitted in claims processing was necessary for comprehensive and efficient integration in the provider's patient accounting system of data corresponding with payment that financial institutions credit to the provider's account.

A state health data organization recommended applying these rules to financial institutions that process electronic remittance advice pursuant to the Transactions Rule.

Response: The Transactions Rule was published August 17, 2000, after the issuance of the privacy proposed rule. As noted by the commenters, the ASC X12N 835 we adopted as the "Health Care Payment and Remittance Advice" standard in the Transactions Rule has two parts. They are the electronic funds transfer (EFT) and the electronic remittance advice (ERA). The EFT part is optional and is the mechanism that payors use to electronically instruct one financial institution to move money from one account to another at the same or at another financial institution. The EFT includes information about the payor, the payee, the amount, the payment method, and a reassociation trace number. Since the EFT is used to initiate the transfer of funds between the accounts of two organizations, typically a payor to a provider, it includes no individually identifiable health information, not even the names of the patients whose claims are being paid. The funds transfer information may also be transmitted manually (by check) or by a variety of other electronic means, including various formats of electronic transactions sent through a payment network, such as the Automated Clearing House (ACH) Network.

The ERA, on the other hand, contains specific information about the patients and the medical procedures for which the money is being paid and is used to update the accounts receivable system of the provider. This information is always needed to complete a standard Health Care Payment and Remittance Advice transaction, but is never needed for the funds transfer activity of the financial institution. The only information the two parts of this transaction have in common is the reassociation trace number.

Under the ASC X12N 835 standard, the ERA may be transmitted alone, directly from the health plan to the health care provider and the reassociation trace number is used by the provider to match the ERA information with a specific payment conducted in some other way (e.g., EFT or paper check). The standard also allows the EFT to be transmitted alone, directly to the financial institution that will initiate the payment. It also allows both parts to be transmitted together, even though the intended recipients of the two parts are different (the financial institution and the provider). For example, this would be done when the parties agree to use the ACH system to carry the ERA through the provider's bank to the provider when it is more efficient than sending the ERA separately through a different electronic medium.

Similarly, the ASC X12N 820 standard for premium payments has two parts, an EFT part (identical to that of the 835) and a premium data part containing identity and health information about the individuals for whom health insurance premiums are being paid.

The transmission of both parts of these standards is a payment activity under this rule, and is permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule.

We note that additional requirements may be imposed by the final Security Rule. Under the proposed Security Rule, the ACH system and similar systems would have been considered "open networks" because transmissions flow unpredictably through and become available to member institutions who are not party to any business associate agreements (in a way similar to the internet). The proposed Security Rule would require any protected health information transferred through the ACH or similar system to be encrypted.
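The following is an added illustration, not text or code from the regulation and not taken from the ASC X12N 835 or 820 specifications. It models the two-part structure described in the response above: an EFT part carrying only payor, payee, amount, payment method and reassociation trace number, and an ERA part carrying the patient-level detail that only the provider's accounts receivable system needs. The field names, the combined record and the claim lines are constructed for the example. It adds an outbound gate that refuses to release anything to a financial institution if a patient-identifying field is present (the bundled-ERA mistake the rule forbids), and shows the provider-side reassociation of an ERA to a payment by trace number, with a total-amount check.

```python
"""Minimum-necessary split of a payment into EFT and ERA parts, plus reassociation.

Added example. Field names and sample values are constructed; they are not the
real X12N 835 segment or element names.
"""
from dataclasses import dataclass

# What the preamble says the EFT carries: nothing about any patient.
EFT_FIELDS = ("payor", "payee", "amount_cents", "payment_method", "trace_number")

# Constructed names for fields that identify a patient or describe care;
# these belong only in the ERA that goes to the provider.
PHI_FIELDS = frozenset({"patient_name", "patient_id", "service_date",
                        "procedure_code", "diagnosis_code"})


@dataclass
class Remittance:
    """Combined payment-and-remittance record as produced by a health plan."""
    payor: str
    payee: str
    amount_cents: int
    payment_method: str
    trace_number: str
    claims: list          # one dict per claim line; each carries PHI


def split_for_transmission(rem):
    """Return (eft, era): the funds-transfer message for the bank and the
    remittance detail for the provider, sharing only the trace number."""
    eft = {name: getattr(rem, name) for name in EFT_FIELDS}
    era = {"trace_number": rem.trace_number, "payee": rem.payee,
           "claims": [dict(c) for c in rem.claims]}
    return eft, era


def phi_fields_in(payload):
    """Recursively collect PHI field names present anywhere in a dict/list payload."""
    found = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in PHI_FIELDS:
                found.add(key)
            found |= phi_fields_in(value)
    elif isinstance(payload, list):
        for item in payload:
            found |= phi_fields_in(item)
    return found


def release_to_financial_institution(message):
    """Gate applied before a message leaves for the bank: a funds-transfer
    message must not carry patient-level fields (e.g. a wrongly bundled ERA)."""
    leaked = phi_fields_in(message)
    if leaked:
        raise ValueError(f"refusing to send PHI to financial institution: {sorted(leaked)}")
    return message


def reassociate(eft_messages, era_messages):
    """Provider side: match each ERA to a payment by trace number and confirm
    that the posted claim total equals the amount actually transferred."""
    by_trace = {m["trace_number"]: m for m in eft_messages}
    results = {}
    for era in era_messages:
        trace = era["trace_number"]
        eft = by_trace.get(trace)
        if eft is None:
            results[trace] = "unmatched"
            continue
        posted = sum(c["paid_cents"] for c in era["claims"])
        results[trace] = "matched" if posted == eft["amount_cents"] else "amount_mismatch"
    return results


# Constructed sample record; names, codes and numbers are fictitious.
SAMPLE = Remittance(
    payor="Example Health Plan", payee="Example Clinic",
    amount_cents=31250, payment_method="ACH", trace_number="TRN-0001",
    claims=[
        {"patient_name": "Pat Doe", "patient_id": "P-1", "service_date": "2000-08-01",
         "procedure_code": "PROC-001", "diagnosis_code": "DX-001", "paid_cents": 12500},
        {"patient_name": "Sam Roe", "patient_id": "P-2", "service_date": "2000-08-02",
         "procedure_code": "PROC-002", "diagnosis_code": "DX-002", "paid_cents": 18750},
    ],
)


def demo():
    """Clean EFT passes the gate; an EFT with the ERA bundled in is blocked."""
    eft, era = split_for_transmission(SAMPLE)
    release_to_financial_institution(eft)
    bundled = dict(eft, remittance=era)
    try:
        release_to_financial_institution(bundled)
        blocked = False
    except ValueError:
        blocked = True
    return {"eft_clean": not phi_fields_in(eft), "bundle_blocked": blocked,
            "reassociation": reassociate([eft], [era])}


if __name__ == "__main__":
    print(demo())
```

The gate is a field-name check only; in a real deployment the same idea would be applied to the actual element positions of the standard transaction, and the reassociation step is where a provider would catch a payment whose trace number never arrived or whose total does not match the claim lines.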

Comment: A few commenters noted the Gramm-Leach-Bliley (GLB) Act (Pub.L. 106-102) allows financial holding companies to engage in a variety of business activities, such as insurance and securities, beyond traditional banking activities. Because the term "banking" may take on broader meaning in light of these changes, the commenter recommended modifying the proposed rule to state that disclosure of diagnostic and treatment information to banks along with payment information would constitute a violation of the rule. Specifically, the organization recommended clarifying in the final rule that the provisions included in the proposed section on banking and payment processes (proposed § 164.510(i)) govern payment processes only and that all activities of financial institutions that did not relate directly to payment processes must be conducted through business partner contracts. Furthermore, this group recommended clarifying that if financial institutions act as payors, they will be covered entities under the rule.

Response: We recognize that implementation of the GLB Act will expand significantly the scope of activities in which financial holding companies engage. However, unless a financial institution also meets the definition of a "covered entity," it cannot be a covered entity under this rule.

We agree with the commenters that disclosure of diagnostic and specific treatment information to financial institutions for many banking and funds processing purposes may not be consistent with the minimum necessary requirements of this final rule. We also agree with the commenters that financial institutions are business associates if they receive protected health information when they engage in activities other than funds processing for covered entities. For example, if a health care provider contracts with a financial institution to conduct "back office" billing and accounts receivable activities, we require the provider to enter into a business associate contract with the institution.

Comment: Two commenters expressed support for the proposed rule's approach to disclosure for banking and payment processes. On the other hand, many other commenters were opposed to disclosure of protected health information without authorization to banks. One commenter said that no financial institution should have individually identifiable health information for any reason, and it said there were technological means for separating identity from information necessary for financial transactions. Some commenters believed that implementation of the proposed rule's banking provisions could lead banks to deny loans on the basis of individuals' health information.

Response: We seek to achieve a balance between protecting patient privacy and facilitating the efficient operation of the health care system. While we agree that financial institutions should not have access to extensive information about individuals' health, we recognize that even the minimal information required for processing of payments may effectively reveal a patient's health condition; for example, the fact that a person has written a check to a provider suggests that services were rendered to the person or a family member. Requiring authorization for disclosure of protected health information to a financial institution in order to process every payment transaction in the health care system would make it difficult, if not impossible, for the health care system to operate effectively. See also discussion of section 1179 of the Act above.

Comment: Under the proposed rule, covered entities could have disclosed the following information without consent to financial institutions for the purpose of processing payments: (1) the account holder's name and address; (2) the payor or provider's name and address; (3) the amount of the charge for health services; (4) the date on which services were rendered; (5) the expiration date for the payment mechanism, if applicable (e.g., credit card expiration date); and (6) the individual's signature. The proposed rule solicited comments on whether additional data elements would be necessary to process payment transactions from patients to covered entities.

One commenter believed that it was unnecessary to include this list in the final rule, because information that could have been disclosed under the proposed minimum necessary rule would have been sufficient to process banking and payment information. Another private company said that its extensive payment systems experience indicated that we should avoid attempts to enumerate a list of information allowed to be disclosed for banking and payment processing. Furthermore, the commenter said, the proposed rule's list of information allowed to be disclosed was not sufficient to perform the range of activities necessary for the operation of modern electronic payment systems. Finally, the commenter said, inclusion of specific data elements allowed to be disclosed for banking and payment processes rule would stifle innovation in continually evolving payment systems. Thus, the commenter recommended that in the final rule, we eliminate the minimum necessary requirement for banking and payment processing and that we do not include a list of specific types of information allowed to be disclosed for banking and payment processes.

On the other hand, several other commenters supported applying the minimum necessary standard to covered entities' disclosures to financial institutions for payment processing. In addition, these groups said that because financial institutions are not covered entities under the proposed rule, they urged Congress to enact comprehensive privacy legislation to limit financial institutions' use and re-disclosure of the minimally necessary protected health information they could receive under the proposed rule. Several of these commenters said that, in light of the increased ability to manipulate data electronically, they were concerned that financial institutions could use the minimal protected health information they received for making financial decisions. For example, one of these commenters said that a financial institution could identify an individual who had paid for treatment of domestic violence injuries and subsequently could deny the individual a mortgage based on that information.

Response: We agree with the commenters who were concerned that a finite list of information could hamper systems innovation, and we eliminate the proposed list of data items.

However, we disagree with the commenters who argued that the requirement for minimum necessary disclosures should not apply to disclosures to financial institutions or for payment activities. They presented no persuasive reasons why these disclosures differ from others to which the standard applies, nor did they suggest alternative means of protecting individuals' privacy. Further, with elimination of the proposed list of items that may be disclosed, it will be necessary to rely on the minimum necessary disclosure requirement to ensure that disclosures for payment purposes do not include information unnecessary for that purpose. In practice, the following is the information that generally will be needed: the name and address of the individual; the name and address of the payor or provider; the amount of the charge for health services; the date on which health services were rendered; the expiration date for the payment mechanism, if applicable (i.e., credit card expiration date); the individual's signature; and relevant identification and account numbers.

Comment: One commenter said that the minimum necessary standard would be impossible to implement with respect to information provided on its standard payment claim, which, it said, was used by pharmacies for concurrent drug utilization review and that was expected to be adopted by HHS as the national pharmacy payment claim.

Two other commenters also recommended clarifying in the final rule that pharmacy benefit cards are not considered a type of "other payment card" pursuant to the rule's provisions governing payment processes. These commenters were concerned that if pharmacy benefit cards were covered by the rule's payment processing provisions, their payment claim, which they said was expected to be adopted by HHS as the national pharmacy payment claim, may have to be modified to comply with the minimum necessary standard that would have been required pursuant to proposed § 164.510(i) on banking and payment processes. One of these commenters noted that its payment claim facilitates concurrent drug utilization review, which was mandated by Congress pursuant to the Omnibus Budget Reconciliation Act of 1990 and which creates the real-time ability for pharmacies to gain access to information that may be necessary to meet requirements of this and similar state laws. The commenter said that information on its standard payment claim may include information that could be used to provide professional pharmacy services, such as compliance, disease management, and outcomes programs. The commenter opposed restricting such information by applying the minimum necessary standard.

Response: We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the Transactions Rule, because those elements were agreed to through the ANSI-accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transactions, because industry consensus has not resulted in precise and unambiguous situation-specific language to describe their usage. This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters, in which the current standard leaves most fields optional. For this reason, we do not accept this suggestion.

The term "payment card" was intended to apply to a debit or credit card used to initiate payment transactions with a financial institution. We clarify that pharmacy benefit cards, as well as other health benefit cards, are used for identification of the individual, plan, and benefits and do not qualify as "other payment cards."

Comment: Two commenters asked the following questions regarding the banking provisions of the proposed rule: (1) Does the proposed regulation stipulate that disclosures to banks and financial institutions can occur only once a patient has presented a check or credit card to the provider, or pursuant to a standing authorization?; and (2) Does the proposed rule ban disclosure of diagnostic or other related detailed payment information to financial institutions?

Response: We do not ban disclosure of diagnostic information to financial institutions, because some such information may be evident simply from the name of the payee (e.g., when payment is made to a substance abuse clinic). This type of disclosure, however, is permitted only when reasonably necessary for the transaction (see requirements for minimum necessary disclosure of protected health information, in § 164.502 and § 164.514).

Similarly, we do not stipulate that such disclosure may be made only once a patient has presented a check or credit card, because some covered entities hire financial institutions to perform services such as management of accounts receivables and other back office functions. In providing such services to covered entities, the financial institution will need access to protected health information. (In this situation, the disclosure will typically be made under a business associate arrangement that includes provisions for protection of the information.)

Comment: One commenter was concerned that the proposed rule's section on financial institutions, when considered in conjunction with the proposed definition of "protected health information," could have been construed as making covered entities' disclosures of consumer payment history information to consumer reporting agencies subject to the rule. It noted that covered entities' reporting of payment history information to consumer reporting agencies was not explicitly covered by the proposed rule's provisions regarding disclosure of protected health information without authorization. It was also concerned that the proposed rule's minimum necessary standard could have been interpreted to prevent covered entities and their business partners from disclosing appropriate and complete information to consumer reporting agencies. As a result, it said, consumer reporting agencies might not be able to compile complete consumer reports, thus potentially creating an inaccurate picture of a consumer's credit history that could be used to make future credit decisions about the individual.

Furthermore, this commenter said, the proposed rule could have been interpreted to apply to any information disclosed to consumer reporting agencies, thus creating the possibility for conflicts between the rule's requirements and those of the Fair Credit Reporting Act. They indicated that areas of potential overlap included: limits on subsequent disclosures; individual access rights; safeguards; and notice requirements.

Response: We have added to the definition of "payment" disclosure of certain information to consumer reporting agencies. With respect to the remaining concerns, this rule does not apply to consumer reporting agencies if they are not covered entities.

Comment: Several commenters recommended prohibiting disclosure of psychotherapy notes under this provision and under all of the sections governing disclosure without consent for national priority purposes.

Response: We agree that psychotherapy notes should not be disclosed without authorization for payment purposes, and the final rule does not allow such disclosure. See the discussion under § 164.508.

Protected health information.

Comment: An overwhelmingly large number of commenters urged the Secretary to expand privacy protection to all individually identifiable health information, regardless of form, held or transmitted by a covered entity. Commenters provided many arguments in support of their position. They asserted that expanding the scope of covered information under the rule would increase patient confidence in their health care providers and the health care system in general. Commenters stated that patients may not seek care or honestly discuss their health conditions with providers if they do not believe that all of their health information is confidential. In particular, many suggested that this fear would be particularly strong with certain classes of patients, such as persons with disabilities, who may be concerned about potential discrimination, embarrassment or stigmatization, or domestic violence victims, who may hide the real cause of their injuries.

In addition, commenters felt that a more uniform standard that covered all records would reduce the complexity, burden, cost, and enforcement problems that would result from the NPRM's proposal to treat electronic and non-electronic records differently. Specifically, they suggested that such a standard would eliminate any confusion regarding how to treat mixed records (paper records that include information that has been stored or transmitted electronically) and would eliminate the need for health care providers to keep track of which portions of a paper record have been (or will be) stored or transmitted electronically, and which are not. Many of these commenters argued that limiting the definition to information that is or has at one time been electronic would result in different protections for electronic and paper records, which they believe would be unwarranted and give consumers a false sense of security. Other comments argued that the proposed definition would cause confusion for providers and patients and would likely cause difficulties in claims processing. Many others complained about the difficulty of determining whether information has been maintained or transmitted electronically. Some asked us to explicitly list the electronic functions that are intended to be excluded, such as voice mail, fax, etc. It was also recommended that the definitions of 'electronic transmission' and 'electronic maintenance' be deleted. It was stated that the rule may apply to many medical devices that are regulated by the FDA. A commenter also asserted that the proposal's definition was technically flawed in that computers are also involved in analog electronic transmissions such as faxes, telephone, etc., which is not the intent of the language.

Many commenters argued that limiting the definition to information that has been electronic would create a significant administrative burden, because covered entities would have to figure out how to apply the rule to some but not all information.

Others argued that covering all individually identifiable health information would eliminate any disincentives for covered entities to convert from paper to computerized record systems. These commenters asserted that under the proposed limited coverage, contrary to the intent of HIPAA's administrative simplification standards, providers would avoid converting paper records into computerized systems in order to bypass the provisions of the regulation. They argued that treating all records the same is consistent with the goal of increasing the efficiency of the administration of health care services.

Lastly, in the NPRM, we explained that while we chose not to extend our regulatory coverage to all records, we did have the authority to do so. Several commenters agreed with our interpretation of the statute and our authority and reiterated such statements in arguing that we should expand the scope of the rule in this regard.

Response: We find these commenters' arguments persuasive and extend protections to individually identifiable health information transmitted or maintained by a covered entity in any form (subject to the exception for "education records" governed by FERPA and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the commenters and in our NPRM, as well as because we believe that the approach in the final rule creates a logical, consistent system of protections that recognizes the dynamic nature of health information use and disclosure in a continually shifting health care environment. Rules that are specific to certain formats or media, such as "electronic" or "paper," cannot address the privacy threats resulting from evolving forms of data capture and transmission or from the transfer of the information from one form to another. This approach avoids the somewhat artificial boundary issues that stem from defining what is and is not electronic.

In addition, we have reevaluated our reasons for not extending privacy protections to all paper records in the NPRM and after review of comments believe such justifications to be less compelling than we originally thought. For example, in the NPRM, we explained that we chose not to cover all paper records in order to focus on the public concerns about health information confidentiality in electronic communications, and out of concern that the potential additional burden of covering all records may not be justified because of the lower privacy risks presented by records that are in paper form only. As discussed above however, a great many commenters asserted that dealing with a mixture of protected and non-protected records is more burdensome, and that public concerns over health information confidentiality are not at all limited to electronic communications.

We note that medical devices in and of themselves, for example, pacemakers, are not protected health information for purposes of this regulation. However, information in or from the device may be protected health information to the extent that it otherwise meets the definition.

Comment: Numerous commenters argued that the proposed coverage of any information other than that which is transmitted electronically and/or in a HIPAA transaction exceeds the Secretary's authority under section 264(c)(1) of HIPAA. The principal argument was that the initial language in section 264(c)(1) ("If language governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act ... is not enacted by [August 21, 1999], the Secretary ... shall promulgate final regulations containing such standards...") limits the privacy standards to "information transmitted in connection with the [HIPAA] transactions." The precise argument made by some commenters was that the grant of authority is contained in the words "such standards," and that the referent of that phrase was "standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)...".

Commenters also argued that this limitation on the Secretary's authority is discernible from the statutory purpose statement at section 261 of HIPAA, from the title to section 1173(a) ("Standards to Enable Electronic Exchange"), and from various statements in the legislative history, such as the statement in the Conference Report that the "Secretary would be required to establish standards and modifications to such standards regarding the privacy of individually identifiable health information that is in the health information network." H. Rep. No. 104-736, 104th Cong., 2d Sess., at 265. It was also argued that extension of coverage beyond the HIPAA transactions would be inconsistent with the underlying statutory trade-off between facilitating accessibility of information in the electronic transactions for which standards are adopted under section 1173(a) and protecting that information through the privacy standards.

Other commenters argued more generally that the Secretary's authority was limited to information in electronic form only, not information in any other form. These comments tended to focus on the statutory concern with regulating transactions in electronic form and argued that there was no need to have the privacy standards apply to information in paper form, because there is significantly less risk of breach of privacy with respect to such information.

The primary justifications provided by commenters for restricting the scope of covered individually identifiable health information under the regulation were that such an approach would reduce the complexity, burden, cost, and enforcement problems that would result from a rule that treats electronic and non-electronic records differently; would appropriately limit the rule's focus to the security risks that are inherent in electronic transmission or maintenance of individually identifiable health information; and would conform these provisions of the rule more closely with their interpretation of the HIPAA statutory language.

Response: We disagree with these commenters. We believe that restricting the scope of covered information under the rule consistent with any of the comments described above would generate a number of policy concerns. Any restriction in the application of privacy protections based on the media used to maintain or transmit the information is by definition arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks. For example, information contained in a paper record may be scanned and transmitted worldwide almost as easily as the same information contained in an electronic claims transaction, but would potentially not be protected.

In addition, application of the rule to only the standard transactions would leave large gaps in the amount of health information covered. This limitation would be particularly harmful for information used and disclosed by health care providers, who are likely to maintain a great deal of information never contained in a transaction.

We disagree with the arguments that the Secretary lacks legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. The arguments raised by these comments have two component parts: (1) that the Secretary's authority is limited by form, to individually identifiable health information in electronic form only; and (2) that the Secretary's authority is limited by content, to individually identifiable health information that is contained in what commenters generally termed the "HIPAA transactions," i.e., information contained in a transaction for which a standard has been adopted under section 1173(a) of the Act.

With respect to the issue of form, the statutory definition of "health information" at section 1171(4) of the Act defines such information as "any information, whether oral or recorded in any form or medium" (emphasis added) which is created or received by certain entities and relates to the health condition of an individual or the provision of health care to an individual (emphasis added). "Individually identifiable health information", as defined at section 1171(6) of the Act, is information that is created or received by a subset of the entities listed in the definition of "health information", relates to the same subjects as "health information," and is, in addition, individually identifiable. Thus, "individually identifiable health information" is, as the term itself implies, a subset of "health information." As "health information," "individually identifiable health information" means, among other things, information that is "oral or recorded in any form or medium." Therefore, the statute does not limit "individually identifiable health information" to information that is in electronic form only.

With respect to the issue of content, the limitation of the Secretary's authority to information in HIPAA transactions under section 264(c)(1) is more apparent than real. While the first sentence of section 264(c)(1) may be read as limiting the regulations to standards with respect to the privacy of individually identifiable health information "transmitted in connection with the [HIPAA] transactions," what that sentence in fact states is that the privacy regulations must "contain" such standards, not be limited to such standards. The first sentence thus sets a statutory minimum, first for Congress, then for the Secretary. The second sentence of section 264(c)(1) directs that the regulations "address at least the subjects in subsection (b) [of section 264]." Section 264(b), in turn, refers only to "individually identifiable health information", with no qualifying language, and refers back to subsection (a) of section 264, which is not limited to HIPAA transactions. Thus, the first and second sentences of section 264(c)(1) can be read as consistent with each other, in which case they direct the issuance of privacy standards with respect to individually identifiable health information. Alternatively, they can be read as ambiguous, in which case one must turn to the legislative history.

The legislative history of section 264 does not reflect the content limitation of the first sentence of section 264(c)(1). Rather, the Conference Report summarizes this section as follows: "If Congress fails to enact privacy legislation, the Secretary is required to develop standards with respect to privacy of individually identifiable health information not later than 42 months from the date of enactment." Id., at 270. This language indicates that the overriding purpose of section 264(c)(1) was to postpone the Secretary's duty to issue privacy standards (which otherwise would have been controlled by the time limits at section 1174(a)), in order to give Congress more time to pass privacy legislation. A corollary inference, which is also supported by other textual evidence in section 264 and Part C of title XI, is that if Congress failed to act within the time provided, the original statutory scheme was to kick in. Under that scheme, which is set out in section 1173(e) of the House bill, the standards to be adopted were "standards with respect to the privacy of individually identifiable health information." Thus, the legislative history of section 264 supports the statutory interpretation underlying the rules below.

Comment: Many commenters were opposed to the rule covering specific forms of communication or records that could potentially be considered covered information, i.e., faxes, voice mail messages, etc. A subset of these commenters took issue particularly with the inclusion of oral communications within the scope of covered information. The commenters argued that covering information when it takes oral form (e.g., verbal discussions of a submitted claim) makes the regulation extremely costly and burdensome, and even impossible to administer. Another commenter also offered that it would make it nearly impossible to discuss health information over the phone, as the covered entity cannot verify that the person on the other end is in fact who he or she claims to be.

Response: We disagree. Covering oral communications is an important part of keeping individually identifiable health information private. If the final rule were not to cover oral communication, a conversation about a person's protected health information could be shared with anyone. Therefore, the same protections afforded to paper and electronically based information must apply to verbal communication as well. Moreover, the Congress explicitly included "oral" information in the statutory definition of health information.

Comment: A few commenters supported, without any change, the approach proposed in the NPRM to limit the scope of covered information to individually identifiable health information in any form once the information is transmitted or maintained electronically. These commenters asserted that our statutory authority limited us accordingly. Therefore, they believed we had proposed protections to the extent possible within the bounds of our statutory authority and could not expand the scope of such protections without new legislative authority.

Response: We disagree with these commenters regarding the limitations under our statutory authority. As explained above, we have the authority to extend the scope of the regulation as we have done in the final rule. We also note here that most of these commenters who supported the NPRM's proposed approach voiced strong support for extending the scope of coverage to all individually identifiable health information in any form, but concluded that we had done what we could within the authority provided.

Comment: One commenter argued that the term "transaction" is generally understood to denote a business matter, and that the NPRM applied the term too broadly by including hospital directory information, communication with a patient's family, researchers' use of data and many other non-business activities.

Response: This comment reflects a misunderstanding of our use of the term "transaction." The uses and disclosures described in the comment are not "transactions" as defined in § 160.103. The authority to regulate the types of uses and disclosures described is provided under section 264 of Pub. L. 104-191. The conduct of the activities noted by the commenter is not related to the determination of whether a health care provider is a covered entity. We explain in the preamble that a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.

Comment: A few commenters asserted that the Secretary has no authority to regulate "use" of protected health information. They stated that although section 264(b) mentions that the Secretary should address "uses and disclosures," no other section of HIPAA employs the term "use."

Response: We disagree with these commenters. As they themselves note, the authority to regulate use is given in section 264(b) and is sufficient.

Comment: Some commenters requested clarification as to how certain types of health information, such as photographs, faxes, X-Rays, CT-scans, and others would be classified as protected or not under the rule.

Response: All types of individually identifiable health information in any form, including those described, when maintained or transmitted by a covered entity are covered in the final rule.

Comment: A few commenters requested clarification with regard to the differences between the definitions of individually identifiable health information and protected health information.

Response: In expanding the scope of covered information in the final rule, we have simplified the distinction between the two definitions. In the final rule, protected health information is the subset of individually identifiable health information that is maintained or transmitted by a covered entity, and thereby protected by this rule. For additional discussion of protected health information and individually identifiable health information, see the descriptive summary of § 164.501.

Comment: A few commenters remarked that the federal government has no right to access or control any medical records and that HHS must get consent in order to store or use any individually identifiable health information.

Response: We understand the commenters' concern. It is not our intent to create, nor does this rule create, any government right of access to medical records, except as needed to investigate possible violations of the rule. Some government programs, such as Medicare, are authorized under other law to gain access to certain beneficiary records for administrative purposes. However, these programs are covered by the rule and its privacy protections apply.

Comment: Some commenters asked us to clarify how schools would be treated by the rule. Some of these commenters worried that privacy would be compromised if schools were exempted from the provisions of the final rule. Other commenters thought that school medical records were included in the provisions of the NPRM.

Response: We agree with the request for clarification and provide guidance regarding the treatment of medical records in schools in the "Relationship to Other Federal Laws" preamble discussion of FERPA, which governs the privacy of education records.

Comment: One commenter was concerned that only some information from a medical chart would be included as covered information. The commenter was especially concerned that transcribed material might not be considered covered information.

Response: As stated above, all individually identifiable health information in any form, including transcribed or oral information, maintained or transmitted by a covered entity is covered under the provisions of the final rule.

Comment: In response to our solicitation of comments on the scope of the definition of protected health information, many commenters asked us to narrow the scope of the proposed definition to include only information in electronic form. Others asked us to include only information from the HIPAA standard transactions.

Response: For the reasons stated by the commenters who asked us to expand the proposed definition, we reject these comments. We reject these approaches for additional reasons, as well. Limiting the protections to electronic information would, in essence, protect information only as long as it remained in a computer or other electronic media; the protections in the rule could be avoided simply by printing out the information. This approach would thus result in the illusion, but not the reality, of privacy protections. Limiting protection to information in HIPAA transactions has many of the problems in the proposed approach: it would fail to protect significant amounts of health information, would force covered entities to figure out which information had and had not been in such a transaction, and could cause the administrative burdens the commenters feared would result from protecting some but not all information.

Comment: A few commenters asserted that the definition of protected health information should explicitly include "genetic" information. It was argued that improper disclosure and use of such information could have a profound impact on individuals and families.

Response: We agree that the definition of protected health information includes genetic information that otherwise meets the statutory definition. But we believe that singling out specific types of protected health information for special mention in the regulation text could wrongly imply that other types are not included.

Comment: One commenter recommended that the definition of protected health information be modified to clarify that an entity does not become a 'covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information.

Response: We agree with the commenter's analysis, but believe the definition is sufficiently clear without a specific amendment to this effect.

Comment: One commenter recommended that the definition be amended to explicitly exclude individually identifiable health information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of payment history to a consumer reporting agency by a covered entity should not be considered protected health information. Another commenter recommended that health information, billing information, and a consumer's credit history be exempted from the definition because this flow of information is regulated by both the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA).

Response: We disagree. To the extent that such information meets the definition of protected health information, it is covered by this rule. These statutes are designed to protect financial, not health, information. Further, these statutes primarily regulate entities that are not covered by this rule, minimizing the potential for overlap or conflict. The protections in this rule are more appropriate for protecting health information. However, we add provisions to the definition of payment which should address these concerns. See the definition of 'payment' in § 164.501.

Comment: An insurance company recommended that the rule require that medical records containing protected health information include a notation on a cover sheet on such records.

Response: Since we have expanded the scope of protected health information, there is no need for covered entities to distinguish among their records, and such a notation is not needed. This uniform coverage eliminates the mixed record problem and resultant potential for confusion.

Comment: A government agency requested clarification of the definition to address the status of information that flows through dictation services.

Response: A covered entity may disclose protected health information for transcription of dictation under the definition of health care operations, which allows disclosure for "general administrative" functions. We view transcription and clerical services generally as part of a covered entity's general administrative functions. An entity transcribing dictation on behalf of a covered entity meets this rule's definition of business associate and may receive protected health information under a business associate contract with the covered entity and subject to the other requirements of the rule.

Comment: A commenter recommended that information transmitted for employee drug testing be exempted from the definition.

Response: We disagree that it is necessary to specifically exclude such information from the definition of protected health information. If a covered entity is involved, triggering this rule, the employer may obtain authorization from the individuals to be tested. Nothing in this rule prohibits an employer from requiring an employee to provide such an authorization as a condition of employment.

Comment: A few commenters addressed our proposal to exclude individually identifiable health information in education records covered by FERPA. Some expressed support for the exclusion. One commenter recommended adding another exclusion to the definition for the treatment records of students who attend institutions of post-secondary education or who are 18 years old or older, to avoid confusion with rules under FERPA. Another commenter suggested that the definition exclude health information of participants in "Job Corps programs" as it has for educational records and inmates of correctional facilities.

Response: We agree with the commenter on the potential for confusion regarding records of students who attend post-secondary schools or who are over 18, and therefore in the final rule we exclude records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of protected health information. For a detailed discussion of this change, refer to the "Relationship to Other Federal Laws" section of the preamble. We find no similar reason to exclude "Job Corps programs" from the requirements of this regulation.

Comment: Some commenters voiced support for the exclusion of the records of inmates from the definition of protected health information, maintaining that correctional agencies have a legitimate need to share some health information internally without authorization between health service units in various facilities and for purposes of custody and security. Other commenters suggested that the proposed exclusion be extended to individually identifiable health information: created by covered entities providing services to inmates or detainees under contract to such facilities; of "former" inmates; and of persons who are in the custody of law enforcement officials, such as the United States Marshals Service and local police agencies. They stated that corrections and detention facilities must be able to share information with law enforcement agencies such as the United States Marshals Service, the Immigration and Naturalization Services, county jails, and U.S. Probation Offices.

Another commenter said that there is a need to have access to records of individuals in community custody and explained that these individuals are still under the control of the state or local government and that immediate access to records for inspections and/or drug testing is necessary.

A number of commenters were opposed to the proposed exclusion to the definition of protected health information, arguing that the proposal was too sweeping. Commenters stated that while access without consent is acceptable for some purposes, it is not acceptable in all circumstances. Some of these commenters concurred with the sharing of health care information with other medical facilities when the inmate is transferred for treatment. These commenters recommended that we delete the exception for jails and prisons and substitute specific language about what information could be disclosed and the limited circumstances or purposes for which such disclosures could occur.

Others recommended omission of the proposed exclusion entirely, arguing that excluding this information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that inmates and detainees have a right to privacy of medical records and that individually identifiable health information obtained in these settings can be misused, e.g., when communicated indiscriminately, health information can trigger assaults on individuals with stigmatized conditions by fellow inmates or detainees. It can also lead to the denial of privileges, or inappropriately influence the deliberations of bodies such as parole boards.

A number of commenters explicitly took issue with the exclusion relative to individuals, and in particular youths, with serious mental illness, seizure disorders, and emotional or substance abuse disorders. They argued that these individuals come in contact with criminal justice authorities as a result of behaviors stemming directly from their illness and asserted that these provisions will cause serious problems. They argued that disclosing the fact that an individual was treated for mental illness while incarcerated could seriously impair the individual's reintegration into the community. Commenters stated that such disclosures could put the individual or family members at risk of discrimination by employers and in the community at large.

Some commenters asserted that the rule should be amended to prohibit jails and prisons from disclosing private medical information of individuals who have been discharged from these facilities. They argued that such disclosures may seriously impair individuals' rehabilitation into society and subject them to discrimination as they attempt to re-establish acceptance in the community.

Response: We find commenters' arguments against a blanket exemption from privacy protection for inmates persuasive. We agree that health information in these settings may be misused, which poses many risks to the inmate or detainee and, in some cases, their families, as described above by the commenters. Accordingly, we delete this exception from the definition of "protected health information" in the final rule. The final rule considers individually identifiable health information of individuals who are prisoners and detainees to be protected health information to the extent that it meets the definition and is maintained or transmitted by a covered entity.

At the same time, we agree with those commenters who explained that correctional facilities have legitimate needs for use and sharing of individually identifiable health information about inmates without authorization. Therefore, we add a new provision (§ 164.512(k)(5)) that permits a covered entity to disclose protected health information about inmates without individual consent, authorization, or agreement to correctional institutions for specified health care and other custodial purposes. For example, covered entities are permitted to disclose for the purposes of providing health care to the individual who is the inmate, or for the health and safety of other inmates or officials and employees of the facility. In addition, a covered entity may disclose protected health information as necessary for the administration and maintenance of the safety, security, and good order of the institution. See the preamble discussion of the specific requirements at § 164.512(k)(5), as well as discussion of certain limitations on the rights of individuals who are inmates with regard to their protected health information at §§ 164.506, 164.520, 164.524, and 164.528.

We also provide the following clarifications. Covered entities that provide services to inmates under contract to correctional institutions must treat protected health information about inmates in accordance with this rule and are permitted to use and disclose such information to correctional institutions as allowed under § 164.512(k)(5).

As to former inmates, the final rule considers such persons who are released on parole, probation, supervised release, or are otherwise no longer in custody, to be individuals who are not inmates. Therefore, the permissible disclosure provision at § 164.512(k)(5) does not apply in such cases. Instead, a covered entity must apply privacy protections to the protected health information about former inmates in the same manner and to the same extent that it protects the protected health information of other individuals. In addition, individuals who are former inmates hold the same rights as all other individuals under the rule.

As to individuals in community custody, the final rule considers inmates to be those individuals who are incarcerated in or otherwise confined to a correctional institution. Thus, to the extent that community custody confines an individual to a particular facility, § 164.512(k)(5) is applicable.

Psychotherapy notes.

Comment: Some commenters thought the definition of psychotherapy notes was contrary to standard practice. They claimed that reports of psychotherapy are typically part of the medical record and that psychologists are advised, for ethical reasons and liability risk management purposes, not to keep two separate sets of notes. Others acknowledged that therapists may maintain separate notations of therapy sessions for their own purpose. These commenters asked that we make clear that psychotherapy notes, at least in summary form, should be included in the medical record. Many plans and providers expressed concern that the proposed definition would encourage the creation of "shadow" records which may be dangerous to the patient and may increase liability for the health care providers. Some commenters claimed that psychotherapy notes contain information that is often essential to treatment.

Response: We conducted fact-finding with providers and other knowledgeable parties to determine the standard practice of psychotherapists and determined that only some psychotherapists keep separate files with notes pertaining to psychotherapy sessions. These notes are often referred to as "process notes," distinguishable from "progress notes," "the medical record," or "official records." These process notes capture the therapist's impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record, and are used by the provider for future sessions. We were told that process notes are often kept separate to limit access, even in an electronic record system, because they contain sensitive information relevant to no one other than the treating provider. These separate "process notes" are what we are calling "psychotherapy notes." Summary information, such as the current state of the patient, symptoms, summary of the theme of the psychotherapy session, diagnoses, medications prescribed, side effects, and any other information necessary for treatment or payment, is always placed in the patient's medical record. Information from the medical record is routinely sent to insurers for payment.

Comment: Various associations and their constituents asked that the exceptions for psychotherapy notes be extended to health care information from other health care providers. These commenters argued that psychotherapists are not the only providers or even the most likely providers to discuss sensitive and potentially embarrassing issues, as treatment and counseling for mental health conditions, drug abuse, HIV/AIDS, and sexual problems are often provided outside of the traditional psychiatric settings. One writer stated, "A prudent health care provider will always assess the past and present psychiatric medical history and symptoms of a patient."

Many commenters believed that the psychotherapy notes should include frequencies of treatment, results of clinical tests, and summary of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. They claimed that this information is highly sensitive and should not be released without the individual's written consent, except in cases of emergency. One commenter suggested listing the types of mental health information that can be requested by third party payors to make payment determinations and defining the meaning of each term.

Response: As discussed above and in the NPRM, the rationale for providing special protection for psychotherapy notes is not only that they contain particularly sensitive information, but also that they are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little or no use to others not involved in the therapy. Information in these notes is not intended to communicate to, or even be seen by, persons other than the therapist. Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations.

Comment: One commenter was particularly concerned that the use of the term "counseling" in the definition of psychotherapy notes would lead to confusion because counseling and psychotherapy are different disciplines.

Response: In the final rule, we continue to use the term "counseling" in the definition of "psychotherapy notes." During our fact-finding, we learned that "counseling" had no commonly agreed upon definition, but seemed to be widely understood in practice. We do not intend to limit the practice of psychotherapy to any specific professional disciplines.

Comment: One commenter noted that the public mental health system is increasingly being called upon to integrate and coordinate services among other providers of mental health services and they have developed an integrated electronic medical record system for state-operated hospitals, part of which includes psychotherapy notes, and which cannot be easily modified to provide different levels of confidentiality. Another commenter recommended allowing use or disclosure of psychotherapy notes by members of an integrated health care facility as well as the originator.

Response: The final rule makes it clear that any notes that are routinely shared with others, whether as part of the medical record or otherwise, are, by definition, not psychotherapy notes, as we have defined them. To qualify for the definition and the increased protection, the notes must be created and maintained for the use of the provider who created them, i.e., the originator, and must not be the only source of any information that would be critical for the treatment of the patient or for getting payment for the treatment. The types of notes described in the comment would not meet our definition for psychotherapy notes.

Comment: Many providers expressed concern that if psychotherapy notes were maintained separately from other protected health information, other health providers involved in the individual's care would be unable to treat the patient properly. Some recommended that if the patient does not consent to sharing of psychotherapy notes for treatment purposes, the treating provider should be allowed to decline to treat the patient, providing a referral to another provider.

Response: The final rule retains the policy that psychotherapy notes be separated from the remainder of the medical record in order to receive additional protection. We based this decision on conversations with mental health providers who have told us that information that is critical to the treatment of individuals is normally maintained in the medical record and that psychotherapy notes are used by the provider who created them and rarely for other purposes. A strong part of the rationale for the special treatment of psychotherapy notes is that they are the personal notes of the treating provider and are of little or no use to others who were not present at the session to which the notes refer.

Comment: Several commenters requested that we clarify that the information contained in psychotherapy notes is being protected under the rule and not the notes themselves. They were concerned that the protection for psychotherapy notes would not be meaningful if health plans could demand the same information in a different format.

Response: This rule provides special protection for the information in psychotherapy notes, but it does not extend that protection to the same information that may be found in other locations. We do not require the notes to be in a particular format, such as hand-written. They may be typed into a word processor, for example. Copying the notes into a different format, per se, would not allow the information to be accessed by a health plan. However, the requirement that psychotherapy notes be kept separate from the medical record and solely for the use of the provider who created them means that the special protection does not apply to the same information in another location.

Public health authority.

Comment: A number of the comments called for the elimination of all permissible disclosures without authorization, and some specifically cited the public health section and its liberal definition of public health authority as an inappropriately broad loophole that would allow unfettered access to private medical information by various government authorities.

Other commenters generally supported the provision allowing disclosure to public health authorities and to non-governmental entities authorized by law to carry out public health activities. They further supported the broad definition of public health authority and the reliance on broad legal or regulatory authority by public health entities although explicit authorities were preferable and better informed the public.

Response: In response to comments arguing that the provision is too broad, we note that section 1178(b) of the Act, as explained in the NPRM, explicitly carves out protection for state public health laws. This provision states that: "[N]othing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention." In light of this broad Congressional mandate not to interfere with current public health practices, we believe the broad definition of "public health authority" is appropriate to achieve that end.

Comment: Some commenters said that they performed public health activities in analyzing data and information. These comments suggested that activities conducted by provider and health plan organizations that compile and compare data for benchmarking performance, monitoring, utilization, and determining the health needs of a given market should be included as part of the public health exemption. One commenter recommended amending the regulation to permit covered entities to disclose protected health information to private organizations for public health reasons.

Response: We disagree that such a change should be made. In the absence of some nexus to a government public health authority or other underlying legal authority, covered entities would have no basis for determining which data collections are "legitimate" and how the confidentiality of the information will be protected. In addition, the public health functions carved out for special protection by Congress are explicitly limited to those established by law.

Comment: Two commenters asked for additional clarification as to whether the Occupational Safety and Health Administration (OSHA) and the Mine Safety and Health Administration (MSHA) would be considered public health authorities as indicated in the preamble. They suggested specific language for the final rule. Commenters also suggested that we specify that states operating OSHA-approved programs also are considered public health authorities. One comment applauded the Secretary's recognition of OSHA as both a health oversight agency and public health authority. It suggested adding OSHA-approved programs that operate in states to the list of entities included in these categories. In addition, the comment requested the final regulation specifically mention these entities in the text of the regulation as well.

Response: We agree that OSHA, MSHA and their state equivalents are public health authorities when carrying out their activities related to the health and safety of workers. We do not specifically reference any agencies in the regulatory definition, because the definition of public health authority and this preamble sufficiently address this issue. The definition of "public health authority" at § 164.501 in the final rule continues to include OSHA as a public health authority. State agencies or authorities responsible for public health matters as part of their official mandate, such as OSHA-approved programs, also come within this definition. See discussion of § 164.512(b) below. We have refrained, however, from listing specific agencies and have retained a general descriptive definition.

Comment: Several commenters recommended expanding the definition of public health authority to encompass other governmental entities that may collect and hold health data as part of their official duties. One recommended changing the definition of public health authority to read as follows: "public health authority means an agency or authority... that is responsible for public health matters or the collection of health data as part of its official mandate."

Response: We do not adopt this recommendation. The public health provision is not intended to cover agencies that are not responsible for public health matters but that may in the course of their responsibilities collect health-related information. Disclosures to such authorities may be permissible under other provisions of this rule.

Comment: Many commenters asked us to include a formal definition of "required by law" incorporating the material noted in this preamble and additional suggested disclosures.

Response: We agree generally and modify the definition accordingly. See discussion above.

Research.

Comment: We received many comments supporting the proposed definition of "research." These commenters agreed that the definition of "research" should be the same as the definition in the Common Rule. These commenters argued that it was important that the definition of "research" be consistent with the Common Rule's definition to ensure the coherent oversight of medical research. In addition, some of these commenters also supported this definition because they believed it was already well-understood by researchers and provided reasonably clear guidance needed to distinguish between research and health care operations.

Some commenters believed that the NPRM's definition was too narrow. Several of these commenters agreed that the Common Rule's definition should be adopted in the final rule, but argued that the proposed definition of "generalizable knowledge" within the definition of "research," which limited generalizable knowledge to knowledge that is "related to health," was too narrow. For example, one commenter stated that gunshot wound, spousal abuse, and other kinds of information from emergency room statistics are often used to conduct research with ramifications for social policy, but may not be "related to health." Several of these commenters recommended that the definition of research be revised to delete the words "related to health." Additional commenters who argued that the definition was too narrow raised the following concerns: the difference between "research" and "health care operations" is irrelevant from the patients' perspective, and therefore, the proposed rule should have required documentation of approval by an IRB or privacy board before protected health information could be used or disclosed for either of these purposes; and the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries.

Commenters who argued that the definition was too broad recommended that certain activities should be explicitly excluded from the definition. In general, these commenters were concerned that if certain activities were considered to be "research" the rule's research requirements would represent a problematic level of regulation on industry initiatives. Some activities that these commenters recommended be explicitly excluded from the definition of "research" included: marketing research, health and productivity management, quality assessment and improvement activities, and internal research conducted to improve health.

Response: We agree that the final rule's definition of "research" should be consistent with the Common Rule's definition of this term. We also agree that our proposal to limit "generalizable knowledge" to knowledge that is "related to health," and "knowledge that could be applied to populations outside of the population served by the covered entity," was too narrow. Therefore, in the final rule, we retain the Common Rule's definition of "research" and eliminate the further elaboration of "generalizable knowledge." We understand knowledge to be generalizable when it can be applied to either a population inside or outside of the population served by the covered entity. Therefore, knowledge may be "generalizable" even if a research study uses only the protected health information held within a covered entity, and the results are generalizable only to the population served by the covered entity. For example, generalizable knowledge could be generated from a study conducted by the HCFA, using only Medicare data held by HCFA, even if the knowledge gained from the research study is applicable only to Medicare beneficiaries.

We rejected the other arguments claiming that the definition of "research" was either too narrow or too broad. While we agree that it is sometimes difficult to distinguish between "research" and "health care operations," we disagree that the difference between these activities is irrelevant from the patients' perspective. We believe, based on many of the comments, that individuals expect that individually identifiable health information about themselves will be used for health care operations such as reviewing the competence or qualifications of health care professionals, evaluating provider and plan performance, and improving the quality of care. A large number of commenters, however, indicated that they did not expect that individually identifiable health information about themselves would be used for research purposes without their authorization. Therefore, we retain more stringent protections for research disclosures without patient authorization.

We also disagree with the commenters who were concerned that the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries. Such activities conducted by either non-profit or for-profit entities could meet the rule's definition of research, and therefore are not necessarily excluded from this definition.

We also disagree with many of the commenters who argued that certain activities should be explicitly excluded from the definition of research. We found no persuasive evidence that, when particular activities are also systematic investigations designed to contribute to generalizable knowledge, they should be treated any differently from other such activities.

We are aware that the National Bioethics Advisory Commission (NBAC) is currently assessing the Common Rule's definition of "research" as part of a report they are developing on the implementation and adequacy of the Common Rule. Since we agree that a consistent definition is important to the conduct and oversight of research, if the Common Rule's definition of "research" is modified in the future, the Department of Health and Human Services will consider whether the definition should also be modified for this subpart.

Comment: Some commenters urged the Department to establish precise definitions for "health care operations" and "research" to provide clear guidance to covered entities and adequate privacy protections for the individuals whose information is disclosed for these purposes. One commenter supported the definition of "research" proposed in the NPRM, but was concerned about the "crossover" from data analyses that begin as health care operations but later become "research" because the analytical results are of such importance that they should be shared through publication, thereby contributing to generalizable knowledge. To distinguish between the definitions of "health care operations" and "research," a few commenters recommended that the rule make this distinction based upon whether the activity is a "use" or a "disclosure." These commenters recommended that the "use" of protected health information for research without patient authorization should be exempt from the proposed research provisions provided that protected health information was not disclosed in the final analysis, report, or publication.

Response: We agree with commenters that at times it may be difficult to distinguish projects that are health care operations from projects that are research. We note that this ambiguity exists today, and disagree that we can address this issue with more precise definitions of research and health care operations. Today, the issue is largely one of intent. Under the Common Rule, the ethical and regulatory obligations of the researcher stem from the intent of the activity. We follow that approach here. If such a project is a systematic investigation that is designed to develop or contribute to generalizable knowledge, it is considered to be "research," not "health care operations."

In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that could be generalized. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the fact as evidence that the activity was not subject to § 164.512(i) of this rule.

We understand that for research that is subject to the Common Rule, this is not the case. The Office for Human Research Protections interprets 45 CFR 46 to require IRB review as soon as an activity meets the definition of research, regardless of whether the activity began as "health care operations" or "public health," for example. The final rule does not affect the Office for Human Research Protections' interpretation of the Common Rule.

We were not persuaded that an individual's privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. We do not agree generally that internal activities of covered entities do not potentially compromise the privacy interests of individuals. Many persons within a covered entity may have access to protected health information. When the activity is a systematic investigation, the number of persons who may be involved in the records review and analysis may be substantial. We believe that IRB or privacy board approval of the waiver of authorization will provide important privacy protections to individuals about whom protected health information is used or disclosed for research. If a covered entity wishes to use protected health information about its enrollees for research purposes, documentation of an IRB's or privacy board's assessment of the privacy impact of such a use is as important as if the same research study required the disclosure of protected health information. This conclusion is consistent with the Common Rule's requirement for IRB review of all human subjects research.

Treatment.

Comment: Some commenters advocated for a narrow interpretation of treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors.

Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advice about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual.

Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate.

We note that poison control centers are health care providers for purposes of this rule. We consider the counseling and follow-up consultations provided by poison control centers with individual providers regarding patient outcomes to be treatment. Therefore, poison control centers and other health care providers can share protected health information about the treatment of an individual without a business associate contract.

Comment: Many commenters suggested that "treatment" activities should include services provided to both a specific individual and larger patient populations and therefore urged that the definition of treatment specifically allow for such activities, sometimes referred to as "disease management" activities. Some argued that an analysis of an overall population is integral to determining which individuals would benefit from disease management services. Thus, an analysis of health care claims for enrolled populations enables proactive contact with those identified individuals to notify them of the availability of services. Certain commenters noted that "disease management" services provided to their patient populations, such as reminders about recommended tests based on nationally accepted clinical guidelines, are integral components of quality health care.

Response: We do not agree that population based services should be considered treatment activities. The definition of "treatment" is closely linked to the § 160.103 definition of "health care," which describes care, services and procedures related to the health of an individual. The activities described by "treatment," therefore, all involve health care providers supplying health care to a particular patient. While many activities beneficial to patients are offered to entire populations or involve examining health information about entire populations, treatment involves health services provided by a health care provider and tailored to the specific needs of an individual patient. Although a population-wide analysis or intervention may prompt a health care provider to offer specific treatment to an individual, we consider the population-based analyses to improve health care or reduce health care costs to be health care operations (see definition of "health care operations," above).

Comment: A number of commenters requested clarification about whether prescription drug compliance management programs would be considered "treatment." One commenter urged HHS to clarify that provision by a pharmacy to a patient of customized prescription drug information about the risks, benefits, and conditions of use of a prescription drug being dispensed is considered a treatment activity. Others asked that the final rule expressly recognize that prescription drug advice provided by a dispensing pharmacist, such as a customized pharmacy letter, is within the scope of treatment.

Response: The activities that are part of prescription drug compliance management programs were not fully described by these commenters, so we cannot state a general rule regarding whether such activities constitute treatment. We agree that pharmacists' provision of customized prescription drug information and advice about the prescription drug being dispensed is a treatment activity. Pharmacists' provision of information and counseling about pharmaceuticals to their customers constitutes treatment, and we exclude certain communications made in the treatment context from the definition of marketing. (See discussion above.)

Comment: Some commenters noted the issues and recommendations raised in the Institute of Medicine report "To Err Is Human" and the critical need to share information about adverse drug and other medical events, evaluation of the information, and its use to prevent future medical errors. They noted that privacy rules should not be so stringent as to prohibit the sharing of patient data needed to reduce errors and optimize health care outcomes. To bolster the notion that other programs associated with the practice of pharmacy must be considered as integral to the definition of health care and treatment, they referenced OBRA '90 (42 U.S.C. 1396r-8) and the minimum required activities for dispensing drugs; they also noted that virtually every state Board of Pharmacy has adopted regulations imposing OBRA '90 requirements on pharmacies for all patients and not just Medicaid recipients.

Response: We agree that reducing medical errors is critical, and do not believe that this regulation impairs efforts to reduce medical errors. We define treatment broadly and include quality assessment and improvement activities in the definition of health care operations. Covered pharmacies may conduct such activities, as well as treatment activities appropriate to improve quality and reduce errors. We believe that respect for the privacy rights of individuals and appropriate protection of the confidentiality of their health information are compatible with the goal of reducing medical errors.

Comment: Some commenters urged us to clarify that health plans do not perform "treatment" activities; some of these were concerned that a different approach in this regulation could cause conflict with state corporate practice of medicine restrictions. Some commenters believed that the proposed definition of treatment crossed into the area of cost containment, which would seem to pertain more directly to payment. They supported a narrower definition that would eliminate any references to third party payors. One commenter argued that the permissible disclosure of protected health information to carry out treatment is too broad for health plans and that health plans that have no responsibility for treatment or care coordination should have no authority to release health information without authorization for treatment purposes.

Response: We do not consider the activities of third party payors, including health plans, to be "treatment." Only health care providers, not health plans, conduct "treatment" for purposes of this rule. A health plan may, however, disclose protected health information without consent or authorization for treatment purposes if that disclosure is made to a provider. Health plans may have information the provider needs, for example information from other providers or information about the patient's treatment history, to develop an appropriate plan of care.

Comment: We received many comments relating to "disease management" programs and whether activities described as disease management should be included in the definition of treatment. One group of commenters supported the proposed definition of treatment that includes disease management. One commenter offered the position that disease management services are more closely aligned with treatment because they involve the coordination of treatment whereas health care operations are more akin to financial and ministerial functions of plans.

Some recommended that the definition of treatment be limited to direct treatment of individual patients and not allow for sharing of information for administrative or other programmatic reasons. They believed that allowing disclosures for disease management opens a loophole for certain uses and disclosures, such as marketing, that should only be permitted with authorization. Others recommended that the definition of disease management be restricted to prevent unauthorized use of individual health records to target individuals in a health plan or occupational health program. Many asked that the definition of disease management be clarified to identify those functions that, although some might consider them to be subsumed by the term, are not permitted under this regulation without authorization, such as marketing and disclosures of protected health information to employers. They suggested that disease management may describe desirable activities, but is subject to abuse and therefore should be restricted and controlled. One commenter recommended that we adopt a portion of the definition adopted by the Disease Management Association of America in October 1999.

On the other hand, many comments urged that disease management be part of the "treatment" definition or the "health care operations" definition and asked that specific activities be included in a description of the term. They viewed disease management as an important element of comprehensive health care services and cost management efforts. They recommended that the definition of disease management include services directed at an entire population and not just individual care, in order to identify individuals who would benefit from services based on accepted clinical guidelines. They recommended that disease management be included under health care operations and include population-level services. A commenter asserted that limiting disease management programs to the definition of treatment ignores that these programs extend beyond providers, especially since NCQA accreditation standards strongly encourage plans and insurers to provide these services.

Response: Disease management appeared to represent different activities to different commenters. Our review of the literature, industry materials, state and federal statutes, and discussions with physician groups, health plan groups and disease management associations confirm that a consensus definition from the field has not yet evolved, although efforts are underway. Therefore, rather than rely on this label, we delete "disease management" from the treatment definition and instead include the functions often discussed as disease management activities in the treatment definition or in the definition of health care operations, and we modify both definitions to address the commenters' concerns.

We add population-based activities to improve health care or reduce health care costs to the definition of health care operations. Outreach programs as described by the commenter may be considered either health care operations or treatment, depending on whether population-wide or patient-specific activities occur, and if patient-specific, whether the individualized communication with a patient occurs on behalf of a health care provider or a health plan. For example, a call placed by a nurse in a doctor's office to a patient to discuss follow-up care is a treatment activity. The same activity performed by a nurse working for a health plan would be a health care operation. In both cases, the database analysis that created a list of patients who would benefit from the intervention would be a health care operation. Use or disclosure of protected health information to provide education materials to patients may similarly be either treatment or operations, depending on the circumstances and on who is sending the materials. We cannot say in the abstract whether any such activities constitute marketing under this rule. See §§ 164.501 and 164.514 for details on what communications are marketing and when the authorization of the individual may be required.

Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process.

Response: Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rule's definitions of treatment and health care operations, that disclosure will not require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of §§ 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in § 164.504.

Comment: Commenters suggested that as disease management is defined only as an element of treatment, it could only be carried out by health care providers, and not health plans. They opposed this approach because health plans also conduct such programs, and are indeed required to do it by accreditation standards and HCFA Managed Care Organization standards.

Response: We agree that the placement of disease management in the proposed definition of treatment suggested that health plans could not conduct such programs. We revise the final rule to clarify that health plans may conduct population-based care management programs as a health care operations activity.

Comment: Some commenters stated that the rule should require that disease management only be done with the approval of the treating physician or at least with the knowledge of the physician.

Response: We disagree with this comment because we do not believe that this privacy rule is an appropriate venue for setting policies regarding the management of health care costs or treatment.

Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They asked for a definition that differentiates use of information for the best interests of patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.

Response: We eliminate the definition of "disease management" from the rule. Often, however, treatment decisions involve discussing the relevant advantages and disadvantages of products and services. Health plans, as part of payment and operations, sometimes communicate with individuals about particular products and services. We address these distinctions in the definitions of "marketing" and "health care operations" in § 164.501, and in the requirements for use and disclosure of protected health information for marketing in § 164.514.

Comment: Some health care providers noted that there is a danger that employers will "force" individual employees with targeted conditions into self-care or compliance programs in ways that violate both the employee's privacy interest and his or her right to control his or her own medical care.

Response: Employers are not covered entities under HIPAA, so we cannot prohibit them under this rule from undertaking these or other activities with respect to health information. In § 164.504 we limit disclosure of health information from group health plans to the employers sponsoring the plans. However, other federal and/or state laws, such as disability nondiscrimination laws, may govern the rights of employees under such circumstances.

Comment: Many commenters urged that disease management only be allowed with the written consent of the individual. Others also desired consent but suggested that an opt-out would be sufficient. Other commenters complained that the absence of a definition for disease management created uncertainty in view of the proposed rule's requirement to get authorization for marketing. They were concerned that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses.

Response: We agree with the commenters who stated that the requirement for specific authorization for certain activities considered part of disease management could impede the ability of health plans and covered providers to implement effective health care management and cost containment programs. In addition, this approach would require us to distinguish activities undertaken as part of a formal disease management program from the same activities undertaken outside the context of a disease management program. For example, we see no clear benefit to privacy in requiring written authorization in all cases before a physician may call a patient to discuss treatment options, nor do we see a sound basis for requiring it only when the physician is following a formal protocol as part of a population-based intervention. We also are not persuaded that the risk to privacy from these activities warrants a higher degree of protection than other payment, health care operations or treatment activities for which specific authorization was not suggested by commenters.

Comment: A few commenters asked that we clarify that disclosure of protected health information about a prospective patient to a health care provider (e.g., a possible admission to an assisted living facility from a nursing facility) is a treatment activity that does not require authorization.

Response: We agree that the described activity is "treatment," because it constitutes referral and coordination of health care.

Comment: Comments called for the removal of "other services" from the definition.

Response: We disagree with the concept that only health care services are appropriately included in the treatment definition. We have modified this definition to instead include "the provision, coordination, or management of health care and related services." This definition allows health care providers to offer or coordinate social, rehabilitative, or other services that are associated with the provision of health care. Our use of the term "related" prevents "treatment" from applying to the provision of services unrelated to health care.

Comment: Several commenters stated that the definition of treatment should include organ and tissue recovery activities. They asserted that the information exchanged and collected to request consent, evaluate medical information about a potential donor and perform organ recoveries relates to treatment and is not an administrative activity. When a hospital places a patient on the UNOS list, it is transferring individually identifiable health information. Also, when an organ procurement organization registers a donor with UNOS, it could be disclosing protected health information. Commenters questioned whether these activities would be administrative or constitute treatment.

Response: In the proposed rule we included in the definition of "health care" activities related to the procurement of organs, blood, eyes and other tissues. This final rule deletes those activities from the definition of "health care." We do so because, while organ and tissue procurement organizations are integral components of the health care system, we do not believe that the testing, procurement, and other procedures they undertake describe "health care" offered to the donors of the tissues or organs themselves. See the discussion under the definition of "health care" in § 160.103.

Comment: Some commenters recommended including health promotion activities in the definition of health care.

Response: We consider health promotion activities to be preventive care, and thus within the definition of health care. In addition, such activities that are population based are included in the definition of health care operations.

Comment: We received a range of comments regarding the proper placement of case and disease management in the definitions and the perceived overlap between health care operations and treatment. Some consider that these activities are a function of improving quality and controlling costs. Thus, they recommend that the Secretary move risk assessment, case and disease management to the definition of health care operations.

Response: In response to these comments, we remove these terms from the definition of treatment and add case management to the definition of health care operations. We explain our treatment of disease management in responses to comments above. Whether an activity described as disease or case management falls under treatment or health care operations would depend in part on whether the activity is focused on a particular individual or a population. A single program described as a "case management" effort may include both health care operations activities (e.g., records analysis, protocol development, general risk assessment) and treatment activities (e.g., particular services provided to or coordinated for an individual, even if applying a standardized treatment protocol).

Comment: We received comments that argued for the inclusion of "disability management" in the treatment definition. They explained that through disability management, health care providers refer and coordinate medical management, and that this requires contemporaneous exchange of an employee's specific medical data for the provider to manage the case properly.

Response: To the extent that a covered provider is coordinating health care services, the provider is providing treatment. We do not include the term "disability management" because the scope of the activities covered by that term is not clear. In addition, the commenters did not provide enough information for us to make a fact-based determination of how this rule applies to the uses and disclosures of protected health information that are made in a particular "disability management" program.

Use.

Comment: One commenter asserted that the scope of the proposal had gone beyond the intent of Congress in addressing uses of information within the covered entity, as opposed to transactions and disclosures outside the covered entity. This commenter argued that, although HIPAA mentions use, it is unclear that the word "use" in the proposed rule is what Congress intended. The commenter pointed to the legislative history to argue that "use" is related to an information exchange outside of the entity.

Response: We disagree with the commenter regarding the Congress' intent. Section 264 of HIPAA requires that the Secretary develop and send to Congress recommendations on standards with respect to the privacy of individually identifiable health information (which she did on September 11, 1997) and prescribes that the recommendations address among other items "the uses and disclosures of such information that should be authorized or required." Section 264 explicitly requires the Secretary to promulgate standards that address at least the subjects described in these recommendations. It is therefore our interpretation that Congress intended to cover "uses" as well as disclosures of individually identifiable health information. We find nothing in the legislative history to indicate that Congress intended to deviate from the common meaning of the term "use."

Comment: One commenter observed that the definition could encompass the processing of data by computers to execute queries. It was argued that this would be highly problematic because computers are routinely used to identify subsets of data sets. It was explained that in performing this function, computers examine each record in the data set and return only those records in the data set that meet specific criteria. Consequently, a human being will see only the subset of data that the computer returns. Thus, the commenter stated that it is only this subset that could be used or disclosed.

Response: We interpret "use" to mean only the uses of the product of the computer processing, not the internal computer processing that generates the product.

Comment: Some commenters asked that the Department clarify that individualized medical information obtained through a fitness for duty examination is not subject to the privacy protections under the regulation.

Response: As discussed above, we have clarified the definition of "treatment" to include assessments of an individual. If the assessment is performed by a covered health care provider, the health information resulting from the assessment is protected health information. We note that a covered entity is permitted to condition the provision of health care on obtaining an authorization when the sole purpose of that care is to create protected health information for disclosure to a third person. See § 164.508(b). For example, a covered health care provider may condition the provision of a fitness for duty examination to an individual on obtaining an authorization from the individual for disclosure to the employer who has requested the examination.

SECTION 164.502 - USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: GENERAL RULES

Section 164.502(a) - General Standard

Comment: A few commenters requested an exemption from the rule for the Social Security and Supplemental Security Income Disability Programs so that disability claimants can be served in a fair and timely manner. The commenters were concerned that the proposal would be narrowly interpreted, thereby impeding the release of medical records for the purposes of Social Security disability programs.

Another commenter similarly asked that a special provision be added to the proposal's general rule for uses and disclosures without authorization for treatment, payment, and health care operations purposes to authorize disclosure of all medical information from all sources to the Social Security Administration, including their contracted state agencies handling disability determinations.

Response: A complete exemption for disclosures for these programs is not necessary. Under current practice, the Social Security Administration obtains authorization from applicants for providers to release an individual's records to SSA for disability and other determinations. Thus, there is no reason to believe that an exemption from the authorization required by this rule is needed to allow these programs to function effectively. Further, such an exemption would reduce privacy protections from current levels. When this rule goes into effect, those authorizations will need to meet the requirements for authorization under § 164.508 of this rule.

We do, however, modify other provisions of the proposed rule to accommodate the special requirements of these programs. In particular, Social Security Disability and other federal programs, and public benefits programs run by the states, are authorized by law to share information for eligibility purposes. Where another public body has determined that the appropriate balance between need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. Where the sharing of enrollment and eligibility information is required or expressly authorized by law, this rule permits such sharing of information for eligibility and enrollment purposes (see § 164.512(k)(6)(i)), and also excepts these arrangements from the requirements for business associate agreements (see § 164.502(e)(1)).

Comment: A few commenters asked that the rule be revised to authorize disclosures to clergy, for directory purposes, to organ and tissue procurement organizations, and to the American Red Cross without patient authorization.

Response: We agree and revise the final rule accordingly. The new policies and the rationale for these policies are found in §§ 164.510 and 164.512, and the corresponding preamble.

Comment: One commenter recommended that the rule apply only to the "disclosure" of protected health information by covered entities, rather than to both "use" and "disclosure." The commenter stated that the application of the regulation to a covered entity's use of individually identifiable health information offers little benefit in terms of protecting protected health information, yet imposes costs and may hamper many legitimate activities that fall outside the definition of treatment, payment or health care operations.

Another commenter similarly urged that the final regulation draw substantive distinctions between restrictions on the "use" of individually identifiable health information and on the "disclosure" of such information, with broader latitude for "uses" of such information. The commenter believed that internal "uses" of such information generally do not raise the same issues and concerns that a disclosure of that information might raise. It was argued that any concerns about the potential breadth of use of this information could be addressed through application of the "minimum necessary" standard. The commenter also argued that Congressional intent was that a "disclosure" of individually identifiable health information is potentially much more significant than a "use" of that information.

Response: We do not accept the commenter's broad recommendation to apply the regulation only to the "disclosure" of protected health information and not to "use" of such information. Section 264 charges the Secretary with promulgating standards that address, among other things, "the uses and disclosures" of individually identifiable health information. We also do not agree that applying the regulation to "use" offers little benefit to protecting protected health information. The potential exists for misuse of protected health information within entities. This potential is even greater when the covered entity also provides services or products outside its role as a health care provider, health plan, or health care clearinghouse, for which "use" of protected health information offers economic benefit to the entity. For example, if this rule did not limit "uses" generally to treatment, payment and health care operations, a covered entity that also offered financial services could use protected health information without authorization to market or make coverage or rate decisions for its financial services products. Without the minimum necessary standard for uses, a hospital would not be constrained from allowing its appointment scheduling clerks free access to medical records.

We agree, however, that it is appropriate to apply somewhat different requirements to uses and disclosures of protected health information permitted by this rule. We therefore modify the application of the minimum necessary standard to accomplish this. See the preamble to § 164.514 for a discussion of these changes.

Comment: A commenter argued that the development, implementation, and use of integrated computer-based patient medical record systems, which requires efficient information sharing, will likely be impeded by regulatory restrictions on the "use" of protected health information and by the minimum necessary standard.

Response: We have modified the proposed approach to regulating "uses" of protected health information within an entity, and believe our policy is compatible with the development and implementation of computer-based medical record systems. In fact, we drew part of the revised policy on "minimum necessary" use of protected health information from the role-based access approach used in several computer-based records systems today. These policies are described further in § 164.514.

Comment: One commenter asked that the general rules for uses and disclosures be amended to permit covered entities to disclose protected health information for purposes relating to property and casualty benefits. The commenter argued that the proposal could affect its ability to obtain protected health information from covered entities, thereby constricting the flow of medical information needed to administer property and casualty benefits, particularly in the workers' compensation context. It was stated that this could seriously impede property and casualty benefit providers' ability to conduct business in accordance with state law.

Response: We disagree that the rule should be expanded to permit all uses and disclosures that relate to property and casualty benefits. Such a broad provision is not in keeping with protecting the privacy of individuals. Although we generally lack the authority under HIPAA to regulate the practices of this industry, the final rule addresses when covered entities may disclose protected health information to property and casualty insurers. We believe that the final rule permits property and casualty insurers to obtain the protected health information that they need to keep their promises to their policyholders. For example, the rule permits a covered entity to use or disclose protected health information relating to an individual when authorized by the individual. Property and casualty insurers are free to obtain authorizations from individuals for release by covered entities of the health information that the insurers need to administer claims, and this rule does not affect their ability to condition payment on obtaining such an authorization from insured individuals. Property and casualty insurers providing payment on a third-party basis likewise have an opportunity to obtain authorization from the individual and to condition payment on obtaining such authorization. The final rule also permits covered entities to make disclosures to obtain payment, whether from a health plan or from another person such as a property and casualty insurer. For example, where an automobile insurer is paying for medical benefits on a first-party basis, a health care provider may disclose protected health information to the insurer as part of a request for payment. We also include in the final rule a new provision that permits covered entities to use or disclose protected health information as authorized by workers' compensation or similar programs established by law addressing work-related injuries or illness. See § 164.512(l). These statutory programs establish channels of information sharing that are necessary to permit compensation of injured workers.

Comment: A few commenters suggested that the Department specify "prohibited" uses and disclosures rather than "permitted" uses and disclosures.

Response: We reject these commenters' suggestion because we believe that the best privacy protection in most instances is to require the individual's authorization for use or disclosure of information, and that the role of this rule is to specify those uses and disclosures for which the balance between the individual's privacy interest and the public's interests dictates a different approach. The opposite approach would require us to anticipate the much larger set of all possible uses of information that do not implicate the public's interest, rather than to specify the public interests that merit regulatory protection.

Comment: A commenter recommended that the rule be revised to more strongly discourage the use of individually identifiable health information where de-identified information could be used.

Response: We agree that the use of de-identified information wherever possible is good privacy practice. We believe that by requiring covered entities to implement these privacy restrictions only with respect to individually identifiable health information, the final rule strongly encourages covered entities to use de-identified information as much as practicable.

Comment: One commenter recommended that when information from health records is provided to authorized external users, this information should be accompanied by a statement prohibiting use of the information for other than the stated purpose; prohibiting disclosure by the recipient to any other party without written authorization from the patient, or the patient's legal representative, unless such information is urgently needed for the patient's continuing care or otherwise required by law; and requiring destruction of the information after the stated need has been fulfilled.

Response: We agree that restricting other uses or re-disclosure of protected health information by a third party that may receive the information for treatment, payment, and health care operations purposes or other purposes permitted by this rule would be ideal with regard to privacy protection. However, as described elsewhere in this preamble, once protected health information leaves a covered entity the Department no longer has jurisdiction under the statute to apply protections to the information. Since we would have no enforcement authority, the costs and burdens of requiring covered entities to produce and distribute such a statement to all recipients of protected health information, including those with whom the covered entity has no on-going relationship, would outweigh any benefits to be gained from such a policy. Similarly, where protected health information is disclosed for routine treatment, payment and operations purposes, the sheer volume of these disclosures makes the burden of providing such a statement unacceptable. Appropriate protection for these disclosures requires law or regulation directly applicable to the recipient of the information, not further burden on the disclosing entity. Where, however, the recipient of protected health information is providing a service to or on behalf of the covered entity, this balance changes. It is consistent with long-standing legal principles to hold the covered entity to a higher degree of responsibility for the actions of its agents and contractors. See § 164.504 for a discussion of the responsibilities of covered entities for the actions of their business associates with respect to protected health information.

Section 164.502(b) - Minimum Necessary

Comments on the minimum necessary standard are addressed in the preamble to § 164.514(d).

Section 164.502(c) - Uses or Disclosures of Protected Health Information Subject to an Agreed Upon Restriction

Comments on the agreed upon restriction standard are addressed in the preamble to § 164.522(a).

Section 164.502(d) - Uses and Disclosures of De-Identified Protected Health Information

Comments on the requirements for de-identifying information are addressed in the preamble to § 164.514(a)-(c).

Section 164.502(e) - Business Associates

Comments on business associates are addressed in the preamble to § 164.504(e).

Section 164.502(f) - Deceased Individuals

Comment: Most commenters on this topic generally did not approve of the Secretary's proposal with regard to protected health information about deceased individuals. The majority of these commenters argued that our proposal was not sufficiently protective of such information. Commenters agreed with the statements made in the preamble to the proposed rule that the privacy concerns addressed by this policy are not limited to the confidential protection of the deceased individual but instead also affect the decedent's family, as genetic information and information pertinent to hereditary diseases and risk factors for surviving relatives and direct family members may be disclosed through the disclosure of the deceased individual's confidential data. It was argued that the proposal would be inadequate to protect the survivors who could be negatively affected and in most cases will outlive the two-year period of protection. A number of medical associations asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death. One commenter pointed out that ethically little distinction can be made between protecting an individual's health information during life and protecting it post-mortem. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. A few commenters asked that we provide indefinite protection on the protected health information about a deceased person contained in psychotherapy notes. One commenter asked that we extend protections on records of children who have died of cancer for the lifetime of a deceased child's siblings and parents.

The majority of commenters who supported increased protections on the protected health information about the deceased asked that we extend protections on such information indefinitely or for as long as the covered entity maintains the information. It was also argued that the administrative burden of perpetual protection would be no more burdensome than it is now as current practice is that the confidentiality of identifiable patient information continues after death. A number of others pointed out that there was no reason to set a different privacy standard for deceased individuals than we had for living individuals and that it has been standard practice to release the information of deceased individuals with a valid consent of the executor, next of kin, or specific court order. In addition, commenters referenced Hawaii's health care information privacy law (see Haw. Rev. Stat. section 323C-43) as at least one example of a state law where the privacy and access provisions of the law continue to apply to the protected health information of a deceased individual following the death of that individual.

Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

For purposes of this regulation, this means that, except for uses and disclosures for research purposes (see § 164.512(i)), covered entities must under this rule protect the protected health information about a deceased individual in the same manner and to the same extent as required for the protected health information of living individuals. This policy alleviates the burden on the covered entity from having to determine whether or not the person has died and if so, how long ago, when determining whether or not the information can be released.

Comment: One commenter asked us to delete our standard for deceased individuals, asserting that the deceased have no constitutional right to privacy and state laws are sufficient to maintain protections for protected health information about deceased individuals.

Response: We understand that traditional privacy law has historically stripped privacy protection on information at the time the subject of the information dies. However, as we pointed out in the preamble to the proposed rule, the dramatic proliferation of electronic-based interchanges and maintenance of information has enabled easier and more ready access to information that once may have been de facto protected for most people because of the difficulty of its collection and aggregation. It is also our understanding that current state laws vary widely with regard to the privacy protection of a deceased individual's individually identifiable health information. Some are less protective than others and may not take into account the implications of disclosure of genetic and hereditary information on living individuals. For these reasons, a regulatory standard is needed here in order to adequately protect the privacy interests of those who are living.

Comment: Another commenter expressed concern over the administrative problems that the proposed standard would impose, particularly in the field of retrospective health research.

Response: For certain research purposes, we permit a covered entity to use and disclose the protected health information of a deceased individual without authorization by a personal representative and absent review by an IRB or privacy board. The verification standard (§ 164.514(h)) requires that covered entities obtain an oral or written representation that the protected health information sought will be used or disclosed solely for research, and § 164.512(i)(1)(iii) requires the covered entity to obtain from the researcher documentation of the death of the individual. We believe the burden on the covered entity will be small, because it can reasonably rely on the representation of purpose and documentation of death presented by the researcher.

Comment: A few commenters argued that the standard in the proposed rule would cause significant administrative burdens on their record retention and storage policies. Commenters explained that they have internal policy record-retention guidelines which do not envision the retention of records beyond a few years. Some commenters complained about the burden of having to track dates of death, as the commenters are not routinely notified when an individual has died.

Response: The final rule does not dictate any record retention requirements for the records of deceased individuals. Since we have modified the NPRM to cover protected health information about deceased individuals for as long as the covered entity maintains the information, there will be no need for the covered entity to track dates of death.

Comment: A few commenters voiced support for the approach proposed in the proposal to maintain protections for a period of two years.

Response: After consideration of public comments, we chose not to retain this approach because the two-year period would be both inadequate and arbitrary. As discussed above, we agree with commenter arguments in support of providing indefinite protection.

Comment: A few commenters expressed concern that the regulations may be interpreted as providing a right of access to a deceased's records only for a two-year period after death. They asked the Department to clarify that the right of access of an individual, including the representatives of a deceased individual, exists for the entire period the information is held by a covered entity.

Response: We agree with these comments, given the change in policy discussed above.

Comment: A few commenters suggested that privacy protections on protected health information about deceased individuals remain in effect for a specified time period longer than 2 years, arguing that two years was not long enough to protect the privacy rights of living individuals. These commenters, however, were not in agreement as to what other period of protection should be imposed, suggesting various durations from 5 to 20 years.

Response: We chose not to extend protections in this way because specifying another time period would raise many of the same concerns voiced by the commenters regarding our proposed two-year period and would not reduce the administrative burden of having to track or learn dates of death. We believe that the policy in this final rule extending protections for as long as the covered entity maintains the information addresses commenter concerns regarding the need for increased protections on the protected health information about the deceased.

Comment: Some commenters asserted that information on the decedent from the death certificate is important for assessment and research purposes and requested that the Department clarify accordingly that death certificate data be allowed for use in traditional public health assessment activities.

Response: Nothing in the final rule impedes reporting of death by covered entities as required or authorized by other laws, or access to death certificate data to the extent that such data is available publicly from non-covered entities. Death certificate data maintained by a covered entity is protected health information and must only be used or disclosed by a covered entity in accordance with the requirements of this regulation. However, the final rule permits a covered entity to disclose protected health information about a deceased individual for research purposes without authorization and absent IRB or privacy board approval.

Comment: A few commenters asked that we include in the regulation a mechanism to provide for notification of date of death. These commenters questioned how a covered entity or business partner would be notified of a death and subsequently be able to determine whether the two-year period of protection had expired and if they were permitted to use or disclose the protected health information about the deceased. One commenter further stated that absent such a mechanism, a covered entity would continue to protect the information as if the individual were still living. This commenter recommended that the burden for providing notification and confirmation of death be placed on any authorized entity requesting information from the covered entity beyond the two-year period.

Response: In general, such notification is no longer necessary as, except for uses and disclosures for research purposes, the final rule protects the protected health information about a deceased individual for as long as the covered entity holds the record. With regard to uses and disclosures for research, the researcher must provide covered entities with appropriate documentation of proof of death; the burden is not on the covered entity.

Comment: A few commenters pointed to the sensitivity of genetic and hereditary information and its potential impact on the privacy of living relatives as a reason for extending protections on the information about deceased individuals for as long as the covered entity maintains the information. However, a few commenters recommended additional protections for genetic and hereditary information. For example, one commenter suggested that researchers should be able to use sensitive information of the deceased but then be required to publish findings in de-identified form. Another commenter recommended that protected health information about a deceased individual be protected as long as it implicates health problems that could be developed by living relatives.

Response: We agree with many of the commenters regarding the sensitivity of genetic or hereditary information and, in part for this reason, extended protections on the protected health information of deceased individuals. Our reasons for retaining the exception for research are explained above.

We agree with and support the practice of publishing research findings in de-identified form. However, we cannot regulate researchers who are not otherwise covered entities in this regulation.

Comment: One commenter asked that the final rule allow for disclosure of protected health information to funeral directors as necessary for facilitating funeral and disposition arrangements. The commenter believed that our proposal could seriously disrupt a family's ability to make funeral arrangements as hospitals, hospices, and other health care providers would not be allowed to disclose the time of death and other similar information critical to funeral directors for funeral preparation. The commenter also noted that funeral directors are already precluded by state licensing regulations and ethical standards from inappropriately disclosing confidential information about the deceased.

Further, the commenter stated that funeral directors have legitimate needs for protected health information of the deceased or of an individual when death is anticipated. For example, often funeral directors are contacted when death is foreseen in order to begin the process of planning funeral arrangements and prevent unnecessary delays. In addition, the embalming of the body is affected by the medical condition of the body.

In addition, it was noted that funeral directors need to be aware of the presence of a contagious or infectious disease in order to properly advise family members of funeral and disposition options and how they may be affected by state law. For example, certain states may prohibit cremation of remains for a certain period unless the death was caused by a contagious or infectious disease, or prohibit family members from assisting in preparing the body for disposition if there is a risk of transmitting a communicable disease from the corpse.

Response: We agree that disclosures to funeral directors for the above purposes should be allowed. Accordingly, the final rule at § 164.512(g)(2) permits covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are also permitted prior to, and in reasonable anticipation of, the individual's death.

Comment: Several commenters urged that the proposed standard for deceased individuals be clarified to allow access by a family member who has demonstrated a legitimate health-related reason for seeking the information when there is no executor, administrator, or other person authorized under applicable law to exercise the right of access of the individual.

Another commenter asked that the rule differentiate between blood relatives and family members and address their different access concerns, such as with genetic information versus information about transmittable diseases. They also recommended that the regulation allow access to protected health information by blood-related relatives prior to the end of the two-year period and provide them with the authority to extend the proposed two-year period of protection if they see fit. Lastly, the commenter suggested that the regulation address the concept of when the next-of-kin may not be appropriate to control a deceased person's health information.

Response: We agree that family members may need access to the protected health information of a deceased individual, and this regulation permits such disclosure in two ways. First, a family member may qualify as a "personal representative" of the individual (see § 164.502(g)). Personal representatives include anyone who has authority to act on behalf of a deceased individual or such individual's estate, not just legally-appointed executors. We also allow disclosure of protected health information to health care providers for purposes of treatment, including treatment of persons other than the individual. Thus, where protected health information about a deceased person is relevant to the treatment of a family member, the family member's physician may obtain that information. Because we limit these disclosures to disclosures for treatment purposes, there is no need to distinguish between disclosure of information about communicable diseases and disclosure of genetic information.

With regard to fitness to control information, we defer to existing state and other laws that address this matter.

Section 164.502(g) - Personal Representative

Comment: It was observed that under the proposed regulation, legal representatives with "power of attorney" for matters unrelated to health care would have unauthorized access to confidential medical records. Commenters recommended that access to a person's protected health information be limited to those representatives with a "power of attorney" for health care matters only. Related comments asked that the rule limit the definition of "power of attorney" to include only those instruments granting specific power to deal with health care functions and health care records.

Response: We have deleted the reference to "power of attorney." Under the final rule, a person is a personal representative of a living individual if, under applicable law, such person has authority to act on behalf of an individual in making decisions related to health care. "Decisions relating to health care" is broader than consenting to treatment on behalf of an individual; for example, it would include decisions relating to payment for health care. We clarify that the rights and authorities of a personal representative under this rule are limited to protected health information relevant to the rights of the person to make decisions about an individual under other law. For example, if a husband has the authority only to make health care decisions about his wife in an emergency, he would have the right to access protected health information related to that emergency, but he may not have the right to access information about treatment that she had received ten years ago.

We note that the rule for deceased individuals differs from that of living individuals. A person may be a personal representative of a deceased individual if they have the authority to act on behalf of such individual or such individual's estate for any decision, not only decisions related to health care. We create a broader scope for a person who is a personal representative of a deceased individual because the deceased individual cannot request that information be disclosed pursuant to an authorization, whereas a living individual can do so.

Comment: Some commenters asked that the NPRM provision allowing informal decision-makers access to the protected health information of an incapacitated individual should be maintained in the final rule.

Response: We agree with the commenters, and retain permission for covered entities to share protected health information with informal decision makers, under conditions specified in § 164.510(b). A person need not be a personal representative for such disclosure of protected health information to be made to an informal decision-maker.

Comment: Commenters urged that individuals with mental retardation, who can provide verbal agreement or authorization, should have control over dissemination of their protected health information, in order to increase the privacy rights of such individuals.

Response: Individuals with mental retardation have control over dissemination of their protected health information under this rule to the extent that state law provides such individuals with the capacity to act on their own behalf. We note that a covered entity need not disclose information pursuant to a consent or authorization. Therefore, even if state law determines that an individual with mental retardation is not competent to act and a personal representative provides authorization for a disclosure, a covered entity may choose not to disclose such information if the individual who lacks capacity to act expresses his or her desire that such information not be disclosed.

Comment: A commenter suggested that the final rule should provide health plans with a set of criteria for formally identifying an incapacitated individual's decision-maker. Such criteria would give guidance to health plans that would help in not releasing information to the wrong person.

Response: The determination about who is a personal representative under this rule is based on state or other applicable law. We require that a covered entity verify the authority of a personal representative, in accordance with § 164.514(h) in order to disclose information to such person.

Comment: Commenters were troubled by the inclusion of minors in the definition of "individual" and believed that the presumption should be that parents have the right to care for their children.

Response: We agree that a parent should have access to the protected health information about their unemancipated minor children, except in limited circumstances based on state law. The approach in the final rule helps clarify this policy. The definition of "individual" is simplified in the final rule to "the person who is the subject of protected health information." (§ 164.501). We created a new section (§ 164.502(g)) to address "personal representatives," which includes parents and guardians of unemancipated minors. Generally, we provide that if under applicable law a parent has authority to act on behalf of an unemancipated minor in making decisions relating to health care about the minor, a covered entity must treat the parent as the personal representative with respect to protected health information relevant to such personal representation. The regulation provides only three limited exceptions to this rule based upon current state law and physician practice.

Comment: Many commenters agreed with our approach in the NPRM to give minors who may lawfully access health care the rights to control the protected health information related to such health care.

Several commenters disagreed with this approach and recommended that where states allow minors too much independence from parents, the rule should not defer to state law. One commenter suggested that we give an individual the right to control protected health information only when the individual reaches the age of majority.

Response: In the final rule, the parent, as the personal representative of a minor child, controls the protected health information about the minor, except that the parent does not act as a personal representative of the minor under the rule in three limited circumstances based on state consent law and physician practice. The final rule defers to consent laws of each state and does not attempt to evaluate the amount of control a state gives to a parent or minor. If a state provides an alternative means for a minor to obtain health care, other than with the consent of a parent, this rule preserves the system put in place by the state.

The first two exceptions, whereby a parent is not the personal representative for the minor and the minor can act for himself or herself under the rule, occur if the minor consents to a health care service, and no other consent to such health care service is required by law, or when the minor may lawfully obtain a health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such service. The third exception is based on guidelines of the American Pediatric Association, current practice, and agreement by parents. If a parent assents to an agreement of confidentiality between a covered provider and a minor with respect to a health care service, the parent is not the personal representative of the minor with respect to the protected health information created or received subject to that confidentiality agreement. In such circumstances, the minor would have the authority to act as an individual, with respect to such protected health information.

Comment: Some commenters requested that we permit minors to exercise the rights of an individual when applicable law requires parental notification as opposed to parental consent.

Response: We adopt this policy in the final rule. If the minor consents to a health care service, and no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained or notification to another person has been given, only the minor may be treated as the individual with respect to the protected health information relating to such health care service. The rule does not affect state law that authorizes or requires notification to a parent of a minor's decision to obtain a health care service to the extent authorized or required by such law. In addition, state parental notification laws do not affect the rights of minors under this regulation.

Comment: Some commenters requested clarification that when a minor may obtain a health care service without parental consent and voluntarily chooses to involve a parent, the minor retains the rights, authorities and confidentiality protections established in this rule.

Response: We agree that minors should be encouraged to voluntarily involve a parent or other responsible adult in their health care decisions. The rule is not intended to require that minors choose between involving a parent and maintaining confidentiality protections. We have added language in § 164.502(g)(3)(i) to clarify that when a minor consents to a health care service and no other consent is required by law, if the minor voluntarily chooses to involve a parent or other adult, the minor nonetheless maintains the exclusive ability to exercise their rights under the rule. This is true even if a parent or other person also has consented to the health care service for which the minor lawfully consented. Under the rule, a minor may involve a parent and still preserve the confidentiality of their protected health information. In addition, a minor may choose to have a parent act as his or her personal representative even if the minor could act on his or her own behalf under the rule. If the minor requests that a covered entity treat a parent as his or her personal representative, the covered entity must treat such person as the minor's personal representative even if the minor consents to a health care service and no other consent to such health care service is required by law.

Comment: Some commenters requested that the rule provide for the preservation of patient confidences if a health care provider and a minor patient enter into an agreement of confidentiality and a parent assents to this arrangement.

Response: We have addressed this concern in the final rule by adding a provision that ensures that a minor maintains the confidentiality protections provided by the rule for information that is created or received pursuant to a confidential communication between a provider and a minor when the minor's parent assents to an agreement of confidentiality between the provider and the minor. (§ 164.502(g)(3)(ii)). The American Academy of Pediatrics Guidelines for Health Supervision III, which are meant to serve as "a framework to help clinicians focus on important issues at developmentally appropriate time intervals," recommend that physicians interview children alone beginning at the age of twelve (or as early as the age of ten if it is comfortable for the child). This recommendation is based on the fact that adolescents tend to underutilize existing health care resources, in part, because of a concern for confidentiality. (7) The recommended interview technique in the Guidelines states that the provider discuss the rules of confidentiality with the adolescent and the parent and that the adolescent's confidentiality should be respected. We do not intend to interfere with these established protocols or current practices. Covered entities will need to establish procedures to separate protected health information over which the minor maintains control from protected health information with respect to which the minor's parent has rights as a personal representative of the minor.

A covered provider may disclose protected health information to a parent, regardless of a confidentiality agreement, if there is an imminent threat to the minor or another person, in accordance with § 164.512(j)(1)(i).

Comment: Several commenters suggested that we add a provision in the final rule to provide minors and parents with concurrent rights under certain circumstances, particularly when the minor reaches 16 years of age or when a parent authorizes his or her minor child to exercise these rights concurrently.

Response: We do not add such a provision in the final rule. We believe that establishing concurrent rights through this rule could result in problems that affect the quality of health care if the minor and the parent were to disagree on the exercise of their rights. The rule would not prevent a parent from allowing a minor child to make decisions about his or her protected health information and acting consistently with the minor's decision. In all cases, either the parent has the right to act for the individual with respect to protected health information, or the minor has the right to act for himself or herself. The rule does not establish concurrent rights for parents and minors.

Comment: Commenters requested clarification about the rights of an adult or emancipated minor with respect to protected health information concerning health care services rendered while the person was an unemancipated minor.

Response: Once a minor becomes emancipated or attains the age of majority, as determined by applicable state law, the parent is no longer the personal representative under § 164.502(g)(3) of such individual, unless the parent has the authority to act on behalf of the individual for some reason other than their authority as a parent. An adult or emancipated minor has rights under the rule with respect to all protected health information about them, including information obtained while the individual was an unemancipated minor.

Comment: One commenter pointed out that language in the definition of individual in the NPRM that grants a minor the rights of an individual when he or she "lawfully receives care without the consent of, or notification to, a parent . . ." would have the effect of granting rights to an infant minor who receives emergency care when the parent is not available.

Response: This result was not our intent. We have changed the language in § 164.502(g)(3)(i) of the final rule to provide a minor the right to act as an individual when the minor can obtain care without the consent of a parent and the minor consents to such care. Because an infant treated in an emergency situation would not be able to consent to care, the infant's parent would be treated as the personal representative of the infant. Section 164.502(g)(3)(ii) provides that the parent is not the personal representative of the minor under the rule if the minor may obtain health care without the consent of a parent and the minor, a court, or another person authorized by law consents to such service. If an infant obtains emergency care without the consent of a parent, a health care provider may provide such care without consent to treatment. This situation would fall outside the second exception, and the parent would remain the personal representative of the minor.

Comment: Commenters were concerned about the interaction of this rule with FERPA with respect to parents' right to access the medical records of their children.

Response: We direct the commenters to a discussion of the interaction between our rule and FERPA in the "Relationship to Other Federal Laws" section of the preamble.

Section 164.502(h) - Confidential Communications

Comments on confidential communications are addressed in the preamble to § 164.522(b).

Section 164.502(i) - Uses and Disclosures Consistent with Notice

Comments on the notice requirements are addressed in the preamble to § 164.520.

Section 164.502(j) - Uses and Disclosures by Whistleblowers and Workforce Crime Victims

Comments: Some commenters wanted to see more limitations put on the ability to whistleblow in the final rule. These commenters were concerned about how disclosed protected health information would be used during and subsequent to the whistleblowing event and felt that adding additional limitations to the ability to whistleblow would help to alleviate these concerns. Some of these commenters were concerned that there was no protection against information later being leaked to the public or re-released after the initial whistleblowing event, and that this could put covered entities in violation of the law. Many commenters wanted to see the whistleblower provision deleted entirely. According to a number of health care associations who commented on this topic, current practices already include adequate mechanisms for informing law enforcement, oversight and legal counsel of possible violations without the need for patient identifiable information; thus, the provision allowing whistleblowers to share protected health information is unnecessary. Additionally, some commenters felt that the covered entity needs to be allowed to prohibit disclosures outside of legitimate processes. Some commenters were concerned about not having any recourse if the whistleblower's suspicions were unfounded.

Response: In this rule, we do not regulate the activities of whistleblowers. Rather, we regulate the activities of covered entities, and determine when they may be held responsible under this rule for whistleblowing activities of their workforce or business associates when that whistleblowing involves the disclosure of protected health information. Similarly, we regulate when covered entities must and need not sanction their workforce who disclose protected health information in violation of the covered entity's policies and procedures, when that disclosure is for whistleblowing purposes. See § 164.530(e). This rule does not address a covered entity's recourse against a whistleblower under other applicable law.

We do not hold covered entities responsible under this rule for whistleblowing disclosures of protected health information under the circumstances described in § 164.502(j). Our purpose in including this provision is to make clear that we are not erecting a new barrier to whistleblowing, and that covered entities may not use this rule as a mechanism for sanctioning workforce members or business associates for whistleblowing activity. We do not find convincing commenters' arguments for narrowing or eliminating the scope of the whistleblowing which triggers this protection.

Congress, as well as several states, have recognized the importance of whistleblower activity to help identify fraud and mismanagement and protect the public's health and safety. Whistleblowers, by their unique insider position, have access to critical information not otherwise easily attainable by oversight and enforcement organizations.

While we recognize that in many instances, de-identified or anonymous information can be used to accomplish whistleblower objectives, there are instances, especially involving patient care and billing, where this may not be feasible. Oversight investigative agencies such as the Department of Justice rely on identifiable information in order to issue subpoenas that are enforceable. Relevant court standards require the government agency issuing the subpoena to explain why the specific records requested are relevant to the subject of the investigation, and without such an explanation the subpoena will be quashed. Issuing a subpoena for large quantities of individual records to find a few records involving fraud is cost prohibitive as well as likely being unenforceable.

We note that any subsequent inappropriate disclosure by a recipient of whistleblower information would not put the covered entity in violation of this rule, since the subsequent disclosure is not covered by this regulation.

Comments: A few commenters felt that the whistleblower should be held to a "reasonableness standard" rather than a "belief" that a violation has taken place before engaging in whistleblower activities. The commenters felt that a belief standard is too subjective. Holding the whistleblower to this higher standard would serve to protect protected health information from being arbitrarily released. Some commenters saw the whistleblower provision as a loophole that gives too much power to disgruntled employees to inappropriately release information in order to cause problems for the employer.

On the other hand, some commenters felt that all suspicious activities should be reported. This would ease potential whistleblowers' concerns over whether or not they had a legitimate concern by leaving this decision up to someone else. A number of commenters felt that employees should be encouraged to report violations of professional or clinical standards, or situations in which a patient, employee, or the public would be put at risk. A small number of commenters felt that the whistleblower should raise the issue within the covered entity before going to an attorney, oversight agency, or law enforcement entity.

Response: We do not attempt to regulate the conduct of whistleblowers in this rule. We address uses and disclosures of protected health information by covered entities, and when a covered entity will violate this rule due to the actions of a workforce member or business associate. In the final rule, we provide that a covered entity is not in violation of the rule when a workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or potentially endangers patients, employees or the public. We concur that the NPRM language requiring only a "belief" was insufficient. Consequently, we have strengthened the standard to require a good faith belief that an inappropriate behavior has occurred.

Comment: A number of commenters believe that employees should be encouraged to report violations of professional or clinical standards, or report situations where patients, employees, or the public would be put at risk. Their contention is that employees, especially health care employees, may not know whether the problem they have encountered meets a legal threshold of wrongdoing, putting them at jeopardy of sanction if they are incorrect, even if the behavior did reflect violation of professional and clinical standards or put patients, employees, or the public at risk.

Response: We agree that covered entities should be protected when their employees and others engage in the conduct described by these commenters. We therefore modify the proposal to protect covered entities when the whistleblowing relates to violations of professional or clinical standards, or situations where the public may be at risk, and eliminate the reference to "evidence."

Comments: A significant number of those commenting on the whistleblower provision felt that this provision was contrary to the rest of the rule. Whistleblowers could very easily release protected health information under this provision despite the fact that the rest of this rule works very hard to ensure privacy of protected health information in all other contexts. To this end, some commenters felt that whistleblowers should not be exempt from the minimum necessary requirement.

Response: As stated above, we do not regulate the conduct of whistleblowers. We discuss above the importance of whistleblowing, and our intention not to erect a new barrier to such activity. The minimum necessary standard applies to covered entities, not to whistleblowers.

Comments: Some commenters felt that disclosures of suspected violations should only be made to a law enforcement official or oversight agency. Other commenters said that whistleblowers should be able to disclose their concerns to long-term care ombudsmen or health care accreditation organizations, particularly because certain protected health information may contain evidence of abuse. Some commenters felt that whistleblowers should not be allowed to freely disclose information to attorneys. They felt that this may cause more lawsuits within the health care industry and be costly to providers. Furthermore, allowing whistleblowers to go to attorneys increases the number of people who have protected health information without any jurisdiction for the Secretary to do anything to protect this information.

Response: We agree with the commenters who suggested that we recognize other appropriate entities to which workforce members and business associates might reasonably make a whistleblowing disclosure. In the final rule we expand the provision to protect covered entities for disclosures of protected health information made to accreditation organizations by whistleblowers. We agree with the commenters that whistleblowers may see these organizations as appropriate recipients of health information, and do not believe that covered entities should be penalized for such conduct.

We also agree that covered entities should be protected when whistleblowers disclose protected health information to any health oversight agency authorized by law to investigate or oversee the conditions of the covered entity, including state Long-Term Care Ombudsmen appointed in accordance with the Older Americans Act. Among their mandated responsibilities is their duty to identify, investigate and resolve complaints that are made by, or on behalf of, residents related to their health, safety, welfare, or rights. Nursing home staff often bring complaints regarding substandard care or abuse to ombudsmen. Ombudsmen provide a potentially more attractive outlet for whistleblowers since resolution of problems may be handled short of legal action or formal investigation by an oversight agency.

We disagree with commenters that the provision permitting disclosures to attorneys is too broad. Workforce members or business associates may not understand their legal options or their legal exposure when they come into possession of information about unlawful or other inappropriate or dangerous conduct. Permitting potential whistleblowers to consult an attorney provides them with a better understanding of their legal options. We rephrase the provision to improve its clarity.

Comment: One commenter suggested that a notice of information practices that omits disclosure for voluntary reporting of fraud will chill internal whistleblowers who will be led to believe - falsely - that they would violate federal privacy law, and be lawfully subject to sanction by their employer, if they reported fraud to health oversight agencies.

Response: The notice of information practices describes a covered entity's information practices. A covered entity does not make whistleblower disclosures of protected health information, nor can it be expected to anticipate any such disclosures by its workforce.

Comment: One commenter suggested that the whistleblower provisions could allow covered entities to make illegal disclosures to police through the back door by having an employee who believes there is a violation of law do the disclosing. Any law could have been violated and the violator could be anyone (a patient, a member of the patient's family, etc.)

Response: We have eliminated whistleblower disclosures for law enforcement purposes from the list of circumstances in which the covered entity will be protected under this rule. This provision is intended to protect the covered entity when a member of its workforce or a business associate discloses protected health information to whistleblow on the covered entity (or its business associates); it is not intended for disclosures of conduct by the individual who is the subject of the information or by third parties.

SECTION 164.504 - USES AND DISCLOSURES - ORGANIZATIONAL REQUIREMENTS - COMPONENT ENTITIES, AFFILIATED ENTITIES, BUSINESS ASSOCIATES AND GROUP HEALTH PLANS

Section 164.504(a)-(c)--Health Care Component (Component Entities) and Section 164.504(d)--Affiliated Entities

Comment: A few commenters asked that the concept of "use" be modified to allow uses within an integrated healthcare delivery system. Commenters argued that the rule needs to ensure that the full spectrum of treatment is protected from the need for authorizations at the points where treatment overlaps entities. It was explained that, for example, treatment for a patient often includes services provided by various entities, such as by a clinic and hospital, or that treatment may also necessitate referrals from one provider entity to another unrelated entity. Further, the commenter argued that the rule needs to ensure that the necessary payment and health care operations can be carried out across entities without authorizations.

Response: The Department understands that in today's health care industry, the organization of and relationships among health care entities are highly complex and varied. We modify the proposed rule significantly to allow affiliated entities to designate themselves as a single covered entity. A complex organization, depending on how it self-designates, may have one or several "health care component(s)" that are each a covered entity. Aggregation into a single covered entity will allow the entities to use a single notice of information practices and will allow providers that must obtain consent for uses and disclosures for treatment, payment, and operations to obtain a single consent.

We do not allow this type of aggregation for unrelated entities, as suggested by some commenters, because unrelated entities' information practices will be too disparate to be accurately reflected on a single consent or notice form. Our policies on when consent and authorization are required for sharing information among unrelated entities, and the rationale for these policies, are described in §§ 164.506 and 164.508 and the corresponding preamble.

As discussed above, in the final rule we have added a definition of organized health care arrangement and permit covered entities participating in such arrangements to disclose protected health information to support the health care operations of the arrangement. See the preamble discussion of the definitions of organized health care arrangement and health care operations, § 164.501.

Comment: Some commenters expressed concern that the requirement to obtain authorization for the disclosure of information to a non-health related division of the covered entity would impede covered entities' ability to engage in otherwise-permissible activities such as health care operations. Some of these commenters requested clarification that covered entities are only required to obtain authorization for disclosures to non-health related divisions if the disclosure is for marketing purposes.

Response: In the final rule, we remove the example of use and disclosure to non-health related divisions of the covered entity from the list of examples of uses and disclosures requiring authorization in § 164.508. We determined that the example could lead covered entities to the mistaken conclusion that some uses or disclosures that would otherwise be permitted under the rule without authorization would require authorization when made to a non-health related division of the covered entity. In the final rule, we clarify that disclosure to a non-health related division does not require authorization if the use or disclosure is otherwise permitted or required under the rule. For example, in § 164.501 we define health care operations to include conducting or arranging for legal and auditing services. A covered entity that is the health care component of a larger entity is permitted under the final rule to include the legal department of the larger entity as part of the health care component. The covered entity may not, however, generally permit the disclosure of protected health information from the health care component to non-health related divisions unless they support the functions of the health care component and there are policies and procedures in place to restrict the further use to the support of the health related functions.

Comment: Many commenters, especially those who employed providers, supported our position in the proposed rule to consider only the health care component of an entity to be the covered entity. They stated that this was a balanced approach that would allow them to continue conducting business. Some commenters felt that there was ambiguity in the regulation text of the proposed rule and requested that the final rule explicitly clarify that only the health care component is considered the covered entity, not the entity itself. Similarly, another commenter requested that we clarify that having a health care component alone did not make the larger entity a covered entity under the rule.

Response: We appreciate the support of the commenters on the health care component approach and we agree that there was some ambiguity in the proposed rule. The final rule creates a new § 164.504(b) for health care components. Under § 164.504(b), for a covered entity that is a single legal entity which predominantly performs functions other than the functions performed by a health plan, provider, or clearinghouse, the privacy rules apply only to the entity's health care component. A policy, plan, or program that is an "excepted benefit" under section 2791(c)(1) of HIPAA cannot be part of a health care component because it is expressly excluded from the definition of "health plan" for the reasons discussed above. The health care component is prohibited from sharing protected health information outside of the component, except as otherwise permitted or required by the regulation.

At a minimum, the health care component includes the organizational units of the covered entity that operate as or perform the functions of the health plan, health care provider, or clearinghouse and does not include any unit or function of the excepted benefits plan, policy, or program. While the covered entity remains responsible for compliance with this rule because it is responsible for the actions of its workforce, we otherwise limit the responsibility to comply to the health care component of the covered entity. The requirements of this rule apply only to the uses and disclosures of the protected health information by the component entity. See § 164.504(b).

Comment: Some commenters stated that the requirement to erect firewalls between different components would unnecessarily delay treatment, payment, and health care operations and thereby increase costs. Other commenters stressed that it is necessary to create firewalls between the health care component and the larger entity to prevent unauthorized disclosures of protected health information.

Response: We believe that the requirement to implement firewalls or safeguards is necessary to provide meaningful privacy protections, particularly because the health care component is part of a larger legal organization that performs functions other than those covered under this rule. Without the safeguard requirement we cannot ensure that the component will not share protected health information with the larger entity. While we do not specifically identify the safeguards that are required, the covered entity must implement policies and procedures to ensure that: the health care component's use and disclosure of protected health information complies with the regulation; members of the health care component who perform duties for the larger entity do not use or disclose protected health information obtained through the health care component while performing non-component functions unless otherwise permitted or required by the regulation; and when a covered entity conducts multiple functions regulated under this rule, the health care component adheres to the appropriate requirements (e.g., when acting as a health plan, adheres to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. See §§ 164.504(c)(2) and 164.504(g). For example, a covered entity that includes both a hospital and a health plan may not use protected health information obtained from an individual's hospitalization for the health plan, unless the individual is also enrolled in the health plan. We note that covered entities are permitted to make a disclosure to a health care provider for treatment of an individual without restrictions.

Comment: One commenter stated that multiple health care components of a single organization should be able to be treated as a single component entity for the purposes of this rule. Under this approach, they argued, one set of policies and procedures would govern the entire component and protected health information could be shared among components without authorization. Similarly, other commenters stated that corporate subsidiaries and affiliated entities should not be treated as separate covered entities.

Response: We agree that some efficiencies may result from designating multiple component entities as a single covered entity. In the final rule we allow legally distinct covered entities that share common ownership or control to designate themselves or their health care components as a single covered entity. See § 164.504(d). Common ownership is defined as an ownership or equity interest of five percent or more. Common control exists if an entity has the power, directly or indirectly, to significantly influence or direct the actions or policies of another entity. If the affiliated entity contains health care components, it must implement safeguards to prevent the larger entity from using protected health information maintained by the component entity. As stated above, organizations that perform multiple functions may designate a single component entity as long as it does not include the functions of an excepted benefit plan that is not covered under the rule. In addition, it must adhere to the appropriate requirements when performing its functions (e.g., when acting as a health plan, adhere to the health plan requirements) and use or disclose protected health information of individuals who receive limited functions from the component only for the appropriate functions. At the same time, a component that is outside of the health care component may perform activities that otherwise are not permitted by a covered entity, as long as it does not use or disclose protected health information created or received by or on behalf of the health care component in ways that violate this rule.

Comment: Some commenters asked whether or not workers' compensation carriers could be a part of the health care component as described in the proposed rule. They argued that this would allow for sharing of information between the group health plan and workers' compensation insurers.

Response: Under HIPAA, workers' compensation is an excepted benefit program and is excluded from the definition of "health plan." As such, a component of a covered entity that provides such excepted benefits may not be part of a health care component that performs the functions of a health plan. If workforce members of the larger entity perform functions for both the health care component and the non-covered component, they may not use protected health information created or received by or on behalf of the health care component for the purposes of the non-covered component, unless otherwise permitted by the rule. For example, information may be shared between the components for coordination of benefits purposes.

Comment: Several commenters requested specific guidance on identifying the health care component entity. They argued that we underestimated the difficulty in determining the component and that many organizations have multiple functions with the same people performing duties for both the component and the larger entity.

Response: With the diversity of organizational structures, it is impossible to provide a single set of specific guidelines for identifying health care components that will meet the needs of all organizations. Covered entities must designate their health care components consistent with the definition at § 164.504(a). We have tried to frame this definition to delineate what comes within a health care component and what falls outside the component.

Comment: A commenter representing a government agency recommended that only the component of the agency that runs the program be considered a covered entity, not the agency itself. In addition, this commenter stated that often subsets of other government agencies work in partnership with the agency that runs the program to provide certain services. For example, one state agency may provide maternity support services to the Medicaid program which is run by a separate agency. The commenter read the rule to mean that the agency providing the maternity support services would be a business associate of the Medicaid agency, but was unclear as to whether it would also constitute a health care component within its own agency.

Response: We generally agree. We expect that in most cases, government agencies that run health plans or provide health care services would meet the definition of a "hybrid entity" under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency's operations, under § 164.504(b). In addition, we have created an exception to the business associate contract requirement for government agencies that perform functions on behalf of other government agencies. Government agencies can enter into a memorandum of understanding with another government entity or adopt a regulation that applies to the other government entity in lieu of a business associate contract, as long as the memorandum or regulation contains certain terms. See § 164.504(e).

Comment: One commenter representing an insurance company stated that different product lines should be treated separately under the rule. For example, the commenter argued, because an insurance company offers both life insurance and health insurance, it does not mean that the insurance company itself is a covered entity, rather only the health insurance component is a covered entity. Another commenter requested clarification of the use of the term "product line" in the proposed rule. This commenter stated that product line should differentiate between different lines of coverage such as life vs. health insurance, not different variations of the same coverage, such as HMO vs. PPO. Finally, one commenter stated that any distinction among product lines is unworkable because insurance companies need to share information across product lines for coordinating benefits. This sharing of information, the commenter urged, should be able to take place whether or not all product lines are covered under the rule.

Response: We agree that many forms of insurance do not and should not come within the definition of "health plan," and we have excepted them from the definition of this term in § 160.103. This point is more fully discussed in connection with that definition. Although we do not agree that the covered entity is only the specific product line, as this comment suggests, the hybrid entity rules in § 164.504 address the substance of this concern. Under § 164.504(c)(3), an entity may create a health plan component which would include all its health insurance lines of business, or separate health care components for each health plan product line. Finally, the sharing of protected health information across lines of business is allowed if it meets the permissive or required disclosures under the rule. The commenter's example of coordination of benefits would be allowed under the rule as payment.

Comment: Several commenters representing occupational health care providers supported our use of the component approach to prohibit unauthorized disclosures of protected health information. They requested that the regulation specifically authorize them to deny requests for disclosures outside of the component entity when the disclosure was not otherwise permitted or required by the regulation.

Response: We appreciate the commenters' support of the health care component approach. As members of a health care component, occupational health providers are prohibited from sharing protected health information with the larger entity (i.e., the employer), unless otherwise permitted or required by the regulation.

Comment: One commenter asked how the regulation affects employers who carry out research. The commenter questioned whether the employees carrying out the research would be component entities under the rule.

Response: If the employer is gathering its own information rather than obtaining it from an entity regulated by this rule, the information does not constitute protected health information since the employer is not a covered entity. If the employer is obtaining protected health information from a covered entity, the disclosure by the covered entity must meet the requirements of § 164.512(i) regarding disclosures for research.

Comment: One commenter stated that the proposed rule did not clearly articulate whether employees who are health care providers are considered covered entities when they collect and use individually identifiable health information acting on behalf of an employer. Examples provided include, administering mandatory drug testing, making fitness-for-duty and return-to-work determinations, testing for exposure to environmental hazards, and making short and long term disability determinations. This commenter argued that if disclosing information gained through these activities requires authorization, many of the activities are meaningless. For example, an employee who fails a drug test is unlikely to give authorization to the provider to share the information with the employer.

Response: Health care providers are covered entities under this rule if they conduct standard transactions. A health care provider who is an employee and is administering drug testing on behalf of the employer, but does not conduct standard transactions, is not a covered entity. If the health care provider is a covered entity, then we require authorization for the provider to disclose protected health information to an employer. Nothing in this rule, however, prohibits the employer from conditioning an individual's employment on agreeing to the drug testing and requiring the individual to sign an authorization allowing his or her drug test results to be disclosed to the employer.

Comment: One commenter stated its belief that only a health center at an academic institution would be a covered entity under the component approach. This commenter believed it was less clear whether or not other components that may create protected health information "incidentally" through conducting research would also become covered entities.

Response: While a covered entity must designate as a health care component the functions that make it a health care provider, the covered entity remains responsible for the actions of its workforce. Components that create protected health information through research would be covered entities to the extent they performed one of the required transactions described in § 164.500; however, it is possible that the research program would not be part of the health care component, depending on whether the research program performed or supported covered functions.

Comment: Several commenters stated that employers need access to protected health information in order to provide employee assistance programs, wellness programs, and on-site medical testing to their employees.

Response: This rule does not affect disclosure of health information by employees to the employer if the information is not obtained from a covered entity. The employer's access to information from an EAP, wellness program, or on-site medical clinic will depend on whether the program or clinic is a covered entity.

Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.

Response: Health information collected by the employer directly from providers who are not covered entities is outside the scope of this regulation. We note that the disclosures which this comment concerns should be covered by § 164.512(b).

Section 164.504(e) - Business Associates

Comment: Many commenters generally opposed the business partner standard and questioned the Secretary's legal authority under section 1172(a) of HIPAA to require business partner contracts. Others stated that the proposed rule imposed too great a burden on covered entities with regard to monitoring their business partners' actions. Commenters stated that they did not have the expertise to adequately supervise their business partners' activities - including billing, accounting, and legal activities - to ensure that protected health information is not inappropriately disclosed. Commenters argued that business partners are not "under the control" of health care providers, and that the rule would significantly increase the cost of medical care. Many commenters stated that the business partner provisions would be very time consuming and expensive to implement, noting that it is not unusual for a health plan or hospital to have hundreds of business partners, especially if independent physicians and local pharmacies are considered business partners. Many physician groups pointed out that their business partners are large providers, hospitals, national drug supplier and medical equipment companies, and asserted that it would be impossible, or very expensive, for a small physician group to attempt to monitor the activity of large national companies. Commenters stated that complex contract terms and new obligations would necessitate the investment of significant time and resources by medical and legal personnel, resulting in substantial expenses. Many commenters proposed that the duty to monitor be reduced to a duty to terminate the contractual arrangement upon discovery of a failure to comply with the privacy requirements.

In addition, many commenters argued that covered entities should have less responsibility for business partners' actions regarding the use and disclosure of protected health information. The proposed rule would have held covered entities responsible for the actions of their business partners when they "knew or reasonably should have known" of improper use of protected health information and failed to take reasonable steps to cure a breach of the business partner contract or terminate the contract. Many commenters urged that the term "knew or should have known" be clearly defined, with examples. Some commenters stated that covered entities should be liable only when they have actual knowledge of the material breach of the privacy rules by the business partner. Others recommended creation of a process by which a business partner could seek advice to determine if a particular disclosure would be appropriate. Some commenters stated that, in order to create an environment that would encourage covered entities to report misuses of protected health information, a covered entity should not be punished if it discovered an inappropriate disclosure.

Response: With regard to our authority to require business associate contracts, we clarify that Congress gave the Department explicit authority to regulate what uses and disclosures of protected health information by covered entities are "authorized." If covered entities were able to circumvent the requirements of these rules by the simple expedient of contracting out the performance of various functions, these rules would afford no protection to individually identifiable health information and be rendered meaningless. It is thus reasonable to place restrictions on disclosures to business associates that are designed to ensure that the personal medical information disclosed to them continues to be protected and used and further disclosed only for appropriate (i.e., permitted or required) purposes.

We do not agree that business associate contracts would necessarily have complex terms or result in significant time and resource burdens. The implementation specifications for business associate contracts set forth in § 164.504 are straightforward and clear. Nothing prohibits covered entities from having standard contract forms which could require little or no modification for many business associates.

In response to comments that the "knew or should have known" standard in the proposed rule was too vague or difficult to apply, and concerns that we were asking too much of small entities in monitoring the activities of much larger business associates, we have changed the rule. Under the final rule, we put responsibility on the covered entity to take action when it "knew of a pattern of activity or practice of the business associate that constituted, respectively, a material breach or violation of the business associate's obligation under the contract..." This will preclude confusion about what a covered entity 'should have known.' We interpret the term "knew" to include the situation where the covered entity has credible evidence of a violation. Covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors. In addition, we have eliminated the requirement that a covered entity actively monitor and ensure protection by its business associates. However, a covered entity must investigate credible evidence of a violation by a business associate and act upon any such knowledge.

In response to the concern that the covered entity should not be punished if it discovers an inappropriate disclosure by its business associate, § 164.504(e) provides that the covered entity is not in compliance with the rule if it fails to take reasonable steps to cure the breach or end the violation, while § 164.530(f) requires the covered entity to mitigate, to the extent practicable, any resultant harm. The breach itself does not cause a violation of this rule.

Comment: Some commenters voiced support for the concept of business partners. Moreover, some commenters urged that the rule apply directly to those entities that act as business partners, by restricting disclosures of protected health information after a covered entity has disclosed it to a business partner.

Response: We are pleased that commenters supported the business associate standard and we agree that there are advantages to legislation that directly regulates most entities that use or disclose protected health information. However, we reiterate that our jurisdiction under the statute limits us to regulate only those covered entities listed in § 160.102.

Comment: Many commenters strongly opposed the provision in the proposed rule requiring business partner contracts to state that individuals whose protected health information is disclosed under the contract are intended third party beneficiaries of the contract. Many noted that HIPAA did not create a private right of action for individuals to enforce a right to privacy of medical information, and questioned the Secretary's authority to create such a right through regulation. Others questioned whether the creation of such a right was appropriate in light of the inability of Congress to reach consensus on the question, and perceived the provision as a "back door" attempt to create a right that Congress did not provide. Some commenters noted that third party beneficiary law varies from state to state, and that a third party beneficiary provision may be unenforceable in some states. These commenters suggested that the complexity and variation of state third party beneficiary law would increase cost and confusion with limited privacy benefits.

Commenters predicted that the provision would result in a dramatic increase in frivolous litigation, increased costs throughout the health care system, and a chilling effect on the willingness of entities to make authorized disclosures of protected information. Many commenters predicted that fear of lawsuits by individuals would impede the flow of communications necessary for the smooth operation of the health care system, ultimately affecting quality of care. For example, some predicted that the provision would inhibit providers from making authorized disclosures that would improve care and reduce medical errors. Others predicted that it would limit vendors' willingness to support information systems requirements. One large employer stated that the provision would create a substantial disincentive for employers to sponsor group health plans. Another commenter noted that the provision creates an anomaly in that individuals may have greater recourse against business partners and covered entities that contract with them than against covered entities acting alone.

However, some commenters strongly supported the concept of providing individuals with a mechanism to enforce the provisions of the rule, and considered the provision among the most important privacy protections in the proposed rule.

Response: We eliminate the requirement that business associate contracts contain a provision stating that individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract.

We do not intend this change to affect existing laws regarding when individuals may be third party beneficiaries of contracts. If existing law allows individuals to claim third party beneficiary rights, or prohibits them from doing so, we do not intend to affect those rules. Rather, we intend to leave this matter to such other law.

Comment: Some commenters objected to the proposed rule's requirement that the business partner must return or destroy all protected health information received from the covered entity at the termination of the business partner contract. Commenters argued that business partners will need to maintain business records for legal and/or financial auditing purposes, which would preclude the return or destruction of the information. Moreover, they argued that computer back-up files may contain protected health information, but business partners cannot be expected to destroy entire electronic back-up files just because part of the information that they contain is from a client for whom they have completed work.

Response: We modify the proposed requirement that the business associate must return or destroy all protected health information received from the covered entity when the business associate contract is terminated. Under the final rule, a business associate must return or destroy all protected health information when the contract is terminated if feasible and lawful. The business associate contract must state that privacy protections continue after the contract ends, if there is a need for the business associate to retain any of the protected health information and for as long as the information is retained. In addition, the permissible uses of information after termination of the contract must be limited to those activities that make return or destruction of the information not feasible.

Comment: Many commenters recommended that providers and plans be excluded from the definition of "business partner" if they are already governed by the rule as covered entities. Providers expressed particular concern about the inclusion of physicians with hospital privileges as business partners of the hospital, as each hospital would be required to have written contracts with and monitor the privacy practices of each physician with privileges, and each physician would be required to do the same for the hospital. Another commenter argued that consultations between covered entities for treatment or referral purposes should not be subject to the business partner contracting requirement.

Response: The final rule retains the general requirement that, subject to the exceptions below, a covered entity must enter into a business associate contract with another covered entity when one is providing services to or acting on behalf of the other. We retain this requirement because we believe that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives through its business associate function for any purposes other than those that are explicitly detailed in its contract.

However, the final rule expands the proposed exception for disclosures of protected health information by a covered health care provider to another health care provider. The final rule allows such disclosures without a business associate contract for any activities that fall under the definition of "treatment." We agree with the commenter that the administrative burdens of requiring contracts in staff privileges arrangements would not be outweighed by any potential privacy enhancements from such a requirement. Although the exception for disclosure of protected health information for treatment could be sufficient to relieve physicians and hospitals of the contract requirement, we also believe that this arrangement does not meet the true meaning of "business associate," because both the hospital and physician are providing services to the patient, not to each other. We therefore also add an exception to § 164.502(e)(1) that explicitly states that a contract is not required when the association involves a health care facility and another health care provider with privileges at that facility, if the purpose is providing health care to the individual. We have also added other exceptions in § 164.502(e)(1)(ii) to the requirement to obtain "satisfactory assurances" under § 164.502(e)(1)(i). We do not require a business associate arrangement between group health plans and their plan sponsors because other, albeit analogous, requirements apply under § 164.504(f) that are more tailored to the specifics of that legal relationship. We do not require business associate arrangements between government health plans providing public benefits and other agencies conducting certain functions for the health plan, because these arrangements are typically very constrained by other law.

Comment: Many commenters expressed concern that required contracts for federal agencies would adversely affect oversight activities, including investigations and audits. Some health plan commenters were concerned that if HMOs are business partners of an employer then the employer would have a right to all personal health information collected by the HMO. A commenter wanted to be sure that authorization would not be required for accreditation agencies to access information. A large manufacturing company wanted to make sure that business associate contracts were not required between affiliates and a parent corporation that provides administrative services for a sponsored health plan. Attorney commenters asserted that a business partner contract would undermine the attorney/client relationship, interfere with attorney/client privilege, and was not necessary to protect client confidences. A software vendor wanted to be excluded because the requirements for contracts were burdensome and government oversight intrusive. Some argued that because the primary purpose of medical device manufacturers is supplying devices, not patient care, they should be excluded.

Response: We clarify in the above discussion of the definition of "business associate" that a health insurance issuer or an HMO providing health insurance or health coverage to a group health plan does not become a business associate simply by providing health insurance or health coverage. The health insurance issuer or HMO may perform additional functions or activities or provide additional services, however, that would give rise to a business associate relationship. However, even when a health insurance issuer or HMO acts as a business associate of a group health plan, the group health plan has no right of access to the other protected health information maintained by the health insurance issuer or HMO. The business associate contract must constrain the uses and disclosures of protected health information obtained by the business associate through the relationship, but does not give the covered entity any right to request the business associate to disclose protected health information that it maintains outside of the business associate relationship to the group health plan. Under HIPAA, employers are not covered entities, so a health insurance issuer or HMO cannot act as a business associate of an employer. See § 164.504(f) with respect to disclosures to plan sponsors from a group health plan or health insurance issuer or HMO with respect to a group health plan.

With respect to attorneys generally, the reasons the commenters put forward to exempt attorneys from this requirement were not persuasive. The business associate requirements will not prevent attorneys from disclosing protected health information as necessary to find and prepare witnesses, nor from doing their work generally, because the business associate contract can allow disclosures for these purposes. We do not require business associate contracts to identify each disclosure to be made by the business associate; these disclosures can be identified by type or purpose. We believe covered entities and their attorneys can craft agreements that will allow for uses and disclosures of protected health information as necessary for these activities. The requirement for a business associate contract does not interfere with the attorney-client relationship, nor does it override the professional judgment of business associates regarding the protected health information they need to discharge their responsibilities. We do not require covered entities to second-guess their professional business associates' reasonable requests to use or disclose protected health information in the course of the relationship.

The attorney-client privilege covers only a small portion of information provided to attorneys and so is not a substitute for this requirement. More important, attorney-client privilege belongs to the client, in this case the covered entity, and not to the individual who is the subject of the information. The business associate requirements are intended to protect the subject of the information.

With regard to government attorneys and other government agencies, we recognize that federal and other law often does not allow standard legal contracts among governmental entities, but instead requires agreements to be made through the Economy Act or other mechanisms; these are generally reflected in a memorandum of understanding (MOU). We therefore modify the proposed requirements to allow government agencies to meet the required "satisfactory assurance" through such MOUs that contain the same provisions required of business associate contracts. As discussed elsewhere, we believe that direct regulation of entities receiving protected health information can be as or more effective in protecting health information as contracts. We therefore also allow government agencies to meet the required "satisfactory assurances" if law or regulations impose requirements on business associates consistent with the requirements specified for business associate contracts.

We do not believe that the requirement to have a business associate contract with agencies that are performing the specified services for the covered entity or undertaking functions or activities on its behalf undermines the government functions being performed. A business associate arrangement requires the business associate to maintain the confidentiality of the protected health information and generally to use and disclose the information only for the purposes for which it was provided. This does not undermine government functions. We have exempted from the business associate requirement certain situations in which the law has created joint uses or custody over health information, such as when law requires another government agency to determine the eligibility for enrollment in a covered health plan. In such cases, information is generally shared across a number of government programs to determine eligibility, and often is jointly maintained. We also clarify that health oversight activities do not give rise to a business associate relationship, and that protected health information may be disclosed by a covered entity to a health oversight agency pursuant to § 164.512(d).

We clarify for purposes of the final rule that accreditation agencies are business associates of a covered entity and are explicitly included within the definition. During accreditation, covered entities disclose substantial amounts of protected health information to other private persons. A business associate contract basically requires the business associate to maintain the confidentiality of the protected health information that it receives and generally to use and disclose such information for the purposes for which it was provided. As with attorneys, we believe that requiring a business associate contract in this instance provides substantial additional privacy protection without interfering with the functions that are being provided by the business associate.

With regard to affiliates, § 164.504(d) permits affiliates to designate themselves as a single covered entity for purposes of this rule. (See § 164.504(d) for specific organizational requirements.) Affiliates that choose to designate themselves as a single covered entity for purposes of this rule will not need business associate contracts to share protected health information. Absent such designation, affiliates are business associates of the covered entity if they perform a function or service for the covered entity that necessitates the use or disclosure of protected health information.

Software vendors are business associates if they perform functions or activities on behalf of, or provide specified services to, a covered entity. The mere provision of software to a covered entity would not appear to give rise to a business associate relationship, although if the vendor needs access to the protected health information of the covered entity to assist with data management or to perform functions or activities on the covered entity's behalf, the vendor would be a business associate. We note that when an employee of a contractor, like a software or IT vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity's workforce, rather than as a business associate. See the preamble discussion to the definition of workforce, § 160.103.

With regard to medical device manufacturers, we clarify that a device manufacturer that provides "health care" consistent with the rule's definition, including being a "supplier" under the Medicare program, is a health care provider under the final rule. We do not require a business associate contract when protected health information is shared among health care providers for treatment purposes. However, a device manufacturer that does not provide "health care" must be a business associate of a covered entity if that manufacturer receives or creates protected health information in the performance of functions or activities on behalf of, or the provision of specified services to, a covered entity.

As to financial institutions, they are business associates under this rule when they conduct activities that cause them to meet the definition of business associate. See the preamble discussion of the definition of "payment" in § 164.501 for an explanation of activities of a financial institution that do not require it to have a business associate contract.

Disease managers may be health care providers or health plans, if they otherwise meet the respective definitions and perform disease management activities on their own behalf. However, such persons may also be business associates if they perform disease management functions or services for a covered entity.

Comment: Other commenters recommended that certain entities be included within the definition of "business partner," such as transcription services; employee representatives; in vitro diagnostic manufacturers; private state and comparative health data organizations; state hospital associations; warehouses; "whistleblowers"; credit card companies that deal with health billing; and patients.

Response: We do not list all the types of entities that are business associates, because whether an entity is a business associate depends on what the entity does, not what the entity is. That is, this is a definition based on function; any entity performing the function described in the definition is a business associate. Using one of the commenters' examples, a state hospital association may be a business associate if it performs a service for a covered entity for which protected health information is required. It is not a business associate by virtue of the fact that it is a hospital association, but by virtue of the service it is performing.

Comment: A few commenters urged that certain entities, i.e., collection agencies and case managers, be business partners rather than covered entities for purposes of this rule.

Response: Collection agencies and case managers are business associates to the extent that they provide specified services to or perform functions or activities on behalf of a covered entity. A collection agency is not a covered entity for purposes of this rule. However, a case manager may be a covered entity because, depending on the case manager's activities, the person may meet the definition of either a health care provider or a health plan. See definitions of "health care provider" and "health plan" in § 164.501.

Comment: Several commenters complained that the proposed HIPAA security regulation and privacy regulation were inconsistent with regard to business partners.

Response: We will conform these policies in the final Security Rule.

Comment: One commenter expressed concern that the proposal appeared to give covered entities the power to limit by contract the ability of their business partners to disclose protected health information obtained from the covered entity regardless of whether the disclosure was permitted under proposed § 164.510, "Uses and disclosures for which individual authorization is not required" (§ 164.512 in the final rule). Therefore, the commenter argued that the covered entity could prevent the business partner from disclosing protected health information to oversight agencies or law enforcement by omitting them from the authorized disclosures in the contract.

In addition, the commenter expressed concern that the proposal did not authorize business partners and their employees to engage in whistleblowing. The commenter concluded that this omission was unintended since the proposal's provision at proposed § 164.518(c)(4) relieved the covered entity, covered entity's employees, business partner, and the business partner's employees from liability for disclosing protected health information to law enforcement and to health oversight agencies when reporting improper activities, but failed to specifically authorize business partners and their employees to engage in whistleblowing in proposed § 164.510(f), "Disclosures for law enforcement."

Response: Under our statutory authority, we cannot directly regulate entities that are not covered entities; thus, we cannot regulate most business associates, or "authorize" them to use or disclose protected health information. We agree with the result sought by the commenter, and accomplish it by ensuring that such whistleblowing disclosures by business associates and others do not constitute a violation of this rule on the part of the covered entity.

Comment: Some commenters suggested that the need to terminate contracts that had been breached would be particularly problematic when the contracts were with single-source business partners used by health care providers. For example, one commenter explained that when the Department awards single-source contracts, such as to a Medicare carrier acting as a fiscal intermediary that then becomes a business partner of a health care provider, the physician is left with no viable alternative if required to terminate the contract.

Response: In most cases, we expect that there will be other entities that could be retained by the covered entity as a business associate to carry out those functions on its behalf or provide the necessary services. We agree that under certain circumstances, however, it may not be possible for a covered entity to terminate a contract with a business associate. Accordingly, although the rule still generally requires a covered entity to terminate a contract if steps to cure such a material breach fail, it also allows an exception to this to accommodate those infrequent circumstances where there simply are no viable alternatives to continuing a contract with that particular business associate. It does not mean, however, that the covered entity can choose to continue the contract with a non-compliant business associate merely because it is more convenient or less costly than doing business with other potential business associates. We also require that if a covered entity determines that it is not feasible to terminate a non-compliant business associate, the covered entity must notify the Secretary.

Comment: Another commenter argued that having to renegotiate every existing contract within the 2-year implementation window so a covered entity can attest to "satisfactory assurance" that its business partner will appropriately safeguard protected health information is not practical.

Response: The 2-year implementation period is statutorily required under section 1175(b) of the Act. Further, we believe that two years provides adequate time to come into compliance with the regulation.

Comment: A commenter recommended that the business partner contract specifically address the issue of data mining because of its increasing prevalence within and outside the health care industry.

Response: We agree that protected health information should only be used by business associates for the purposes identified in the business associate contract. We address the issue of data mining by requiring that the business associate contract explicitly identify the uses or disclosures that the business associate is permitted to make with the protected health information. Aside from disclosures for data aggregation and business associate management, the business associate contract cannot authorize any uses or disclosures that the covered entity itself cannot make. Therefore, data mining by the business associate for any purpose not specified in the contract is a violation of the contract and grounds for termination of the contract by the covered entity.

Comment: One commenter stated that the rule needs to provide the ability to contract with persons and organizations to complete clinical studies, provide clinical expertise, and increase access to experts and quality of care.

Response: We agree, and do not prohibit covered entities from sharing protected health information under a business associate contract for these purposes.

Comment: A commenter requested clarification as to whether sister agencies are considered business partners when working together.

Response: It is unclear from the comment whether the "sister agencies" are components of a larger entity, are affiliated entities, or are otherwise linked. Requirements regarding sharing protected health information among affiliates and components are found in § 164.504.

Comment: One commenter stated that some union contracts specify that the employer and employees jointly conduct patient quality of care reviews. The commenter requested clarification as to whether this arrangement made the employee a business partner.

Response: An employee organization that agrees to perform quality assurance for a group health plan meets the definition of a business associate. We note that the employee representatives acting on behalf of the employee organization would be performing the functions of the organization, and the employee organization would be responsible under the business associate contract to ensure that the representatives abided by the restrictions and conditions of the contract. If the employee organization is a plan sponsor of the group health plan, the similar provisions of § 164.504(f) would apply instead of the business associate requirements. See § 164.502(e)(1).

Comment: Some commenters supported regulating employers as business partners of the health plan. These commenters believed that this approach provided flexibility by giving employers access to information when necessary while still holding employers accountable for improper use of the information. Many commenters, however, stressed that this approach would turn the relationship between employers, employees and other agents "on its head" by making the employer subordinate to its agents. In addition, several commenters objected to the business partner approach because they alleged it would place employers at risk for greater liability.

Response: We do not require a business associate contract for disclosure of protected health information from group health plans to employers. We do, however, put other conditions on the disclosure of protected health information from group health plans to employers who sponsor the plan. See further discussion in § 164.504 on disclosure of protected health information to employers.

Comment: One commenter expressed concern that the regulation would discourage organizations from participating with Planned Parenthood since pro bono and volunteer services may have no contract signed.

Response: We design the rule's requirements with respect to volunteers and pro bono services to allow flexibility to the covered entity so as not to disturb these arrangements. Specifically, when such volunteers work on the premises of the covered entity, the covered entity may choose to treat them as members of the covered entity's workforce or as business associates. See the definitions of business associate and workforce in § 160.103. If the volunteer performs its work off-site and needs protected health information, a business associate arrangement will be required. In this instance, where protected health information leaves the premises of the covered entity, privacy concerns are heightened and it is reasonable to require an agreement to protect the information. We believe that pro bono contractors will easily develop standard contracts to allow those activities to continue smoothly while protecting the health information that is shared.

Section 164.504(f) - Group Health Plans

Comment: Several commenters interpreted the preamble in the proposed rule to mean that only self-insured group health plans were covered entities. Another commenter suggested there was an error in the definition of group health plans because it only included plans with more than 50 participants or plans administered by an entity other than the employer (emphasis added by commenter). This commenter believed the "or" should be an "and" because almost all plans under 50 are administered by another entity and therefore this definition does not exclude most small plans.

Response: We did not intend to imply that only self-insured group health plans are covered health plans. We clarify that all group health plans, both self-insured and fully-funded, with 50 or more participants are covered entities, and that group health plans with fewer than 50 participants are covered health plans if they are administered by another entity. While we agree with the commenter that few group health plans with fewer than 50 participants are self-administered, the "or" is dictated by the statute. Therefore, the statute only exempts group health plans with fewer than 50 participants that are not administered by an entity other than the employer.

Comment: Several commenters stated that the proposed rule mis-characterized the relationship between the employer and the group health plan. The commenters stated that under ERISA and the Internal Revenue Code group health plans are separate legal entities from their employer sponsors. The group health plan itself, however, generally does not have any employees. Most operations of the group health plan are contracted out to other entities or are carried out by employees of the employer who sponsors the plan. The commenters stressed that while group health plans are clearly covered entities, the Department does not have the statutory authority to cover employers or other entities that sponsor group health plans. In contrast, many commenters stated that without covering employers, meaningful privacy protection is unattainable.

Response: We agree that group health plans are separate legal entities from their plan sponsors and that the group health plan itself may be operated by employees of the plan sponsor. We make significant modifications to the proposed rule to better reflect this reality. We design the requirements in the final regulation to use the existing regulatory tools provided by ERISA, such as the plan documents required by that law and the constellation of plan administration functions defined by that law that establish and maintain the group health plan.

We recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities. The final rule permits group health plans to disclose protected health information to plan sponsors, and allows them to authorize health insurance issuers or HMOs to disclose protected health information to plan sponsors, if the plan sponsors agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan and specified in the plan documents. Hereafter, any reference to employer in a response to a comment uses the term "plan sponsor," since employers can only receive protected health information in their role as plan sponsors, except as otherwise permitted under this rule, such as with an authorization.

Specifically, in order for a plan sponsor to obtain without authorization protected health information from a group health plan, health insurance issuer, or HMO, the documents under which the group health plan was established and is maintained must be amended to: (1) describe the permitted uses and disclosures of protected health information by the plan sponsor (see above for further explanation); (2) specify that disclosure is permitted only upon receipt of a written certification that the plan documents have been amended; and (3) provide adequate firewalls. The firewalls must identify the employees or classes of employees or other persons under the plan sponsor's control who will have access to protected health information; restrict access to only the employees identified and only for the administrative functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance by the employees identified. Any employee of the plan sponsor who receives protected health information in connection with the group health plan must be included in the amendment to the plan documents. As required by ERISA, the named fiduciary is responsible for ensuring the accuracy of amendments to the plan documents.

Group health plans, and health insurance issuers or HMOs with respect to the group health plan, that disclose protected health information to plan sponsors are bound by the minimum necessary standard as described in § 164.514.

Group health plans, to the extent they provide health benefits only through an insurance contract with a health insurance issuer or HMO and do not create, receive, or maintain protected health information (except for summary information or enrollment and disenrollment information), are not required to comply with the requirements of §§ 164.520 or 164.530, except for the documentation requirements of § 164.530(j). In addition, because the group health plan does not have access to protected health information, the requirements of §§ 164.524, 164.526, and 164.528 are not applicable. Individuals enrolled in a group health plan that provides benefits only through an insurance contract with a health insurance issuer or HMO would have access to all rights provided by this regulation through the health insurance issuer or HMO, because they are covered entities in their own right.

Comment: We received several comments from self-insured plans that stated that the proposed rule did not fully appreciate the dual nature of an employer as a plan sponsor and as an insurer. These commenters stated that the regulation should have an exception for employers who are also insurers.

Response: We believe the approach we have taken in the final rule recognizes the special relationship between plan sponsors and group health plans, including group health plans that provide benefits through a self-insured arrangement. The final rule allows plan sponsors and employees of plan sponsors access to protected health information for purposes of plan administration. The group health plan is bound by the permitted uses and disclosures of the regulation, but may disclose protected health information to plan sponsors under certain circumstances. To the extent that group health plans do not provide health benefits through an insurance contract, they are required to establish a privacy officer and provide training to employees who have access to protected health information, as well as meet the other applicable requirements of the regulation.

Comment: Some commenters supported our position not to require individual consent for employers to have access to protected health information for purposes of treatment, payment, and health care operations. For employer sponsored insurance to continue to exist as it does today, the commenters stressed, this policy is essential. Other commenters encouraged the Department to amend the regulation to require authorization for disclosure of information to employers. These commenters stressed that because the employer was not a covered entity, individual consent is the only way to prohibit potential abuses of information.

Response: In the final regulation, we maintain the position in the proposed rule that a health plan, including a group health plan, need not obtain individual consent for use and disclosure of protected health information for treatment, payment, or health care operations purposes. However, we impose conditions (described above) for making such disclosures to the plan sponsor. Because employees of the plan sponsor often perform health care operations and payment (e.g., plan administration) functions, such as claims payment, quality review, and auditing, they may have a legitimate need for such information. Requiring authorization from every participant in the plan could make such fundamental plan administration activities impossible. We therefore impose regulatory restrictions, rather than a consent requirement, to prevent abuses. For example, the plan sponsor must certify that any protected health information obtained by its employees through such plan administration activities will not be used for employment-related decisions.

Comment: Several commenters stressed that the regulation must require the establishment of firewalls between group health plans and employers. These commenters stated that firewalls were necessary to prevent the employer from accessing information improperly and using it in making job placements, promotions, and firing decisions. In addition, one commenter stated that employees with access to protected health information must be empowered through this regulation to deny unauthorized access to protected health information to corporate managers and executives.

Response: We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

Comment: Several commenters supported our proposal to cover the health care component of an employer in its capacity as an administrator of the group health plan. These commenters felt the component approach was necessary to prevent the disclosure of protected health information to other parts of the employer where it might be used or disclosed improperly. Other commenters believed the component approach was unworkable and that distinguishing who was in the covered entity would not be as easy as assumed in the proposed rule. One commenter stated it was unreasonable for an employer to go through its workforce division by division and employee by employee designating who is included in the component and who is not. In addition, some commenters argued that we did not have the statutory authority to regulate employers at all, including their health care components.

One commenter requested more guidance with respect to identifying the health care component as proposed under the proposed rule. In particular, the commenter requested that the regulation clearly define how to identify such persons and what activities and functional areas may be included. The commenter alleged that identification of persons needing access to protected health information will be administratively burdensome. Another commenter requested clarification on distinguishing the component entity from non-component entities within an organization and how to administer such relationships. The commenter stated that individuals included in the covered entity could change on a daily basis and advocated for a simpler set of rules governing intra-organizational relationships as opposed to inter-organizational relationships.

Response: While we have not adopted the component approach for plan sponsors in the final rule, plan sponsors who want protected health information must still identify who in the organization will have access to the information. Several of the changes we make to the NPRM will make this designation easier. First, we move from "component" to a more familiar functional approach. We limit the employees of the plan sponsor who may receive protected health information to those employees performing plan administration functions, as that term is understood with respect to ERISA compliance, and as limited by this rule's definitions of payment and health care operations. We also allow designation of a class of employees (e.g., all employees assigned to a particular department) or individual employees.

Although some commenters have asked for guidance, we have intentionally left the process flexible to accommodate different organizational structures. Plan sponsors may identify who will have access to protected health information in whatever way best reflects their business needs as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals, job titles (e.g. Director of Human Resources), functions (e.g. employees with oversight responsibility for the outside third party claims administrator), divisions of the company (e.g. Employee Benefits) or other entities related to the plan sponsor. We believe this flexibility will also ease any administrative burden that may result from the identification process. Identification in terms such as "individuals who from time to time may need access to protected health information" or in other broad or generic ways, however, would not be sufficient.

Comment: In addition to the comments on the component approach itself, several commenters pointed out that many employees wear two hats in the organization, one for the group health plan and one for the employer. The commenters stressed that these employees should not be regulated when they are performing group health plan functions. This arrangement is necessary, particularly in small employers where the plan fiduciary may also be in charge of other human resources functions. The commenter recommended that employees be allowed access to information when necessary to perform health plan functions while prohibiting them from using the information for non-health plan functions.

Response: We agree with the commenters that many employees perform multiple functions in an organization and we design these provisions specifically to accommodate this way of conducting business. Under the approach taken in the final regulation, employees who perform multiple functions (i.e. group health plan and employment-related functions) may receive protected health information from group health plans, but among other things, the plan documents must certify that these employees will not use the information for activities not otherwise permitted by this rule including for employment-related activities.

Comment: Several commenters pointed out that the amount of access needed to protected health information varies greatly from employer to employer. Some employers may perform many plan administration functions themselves which are not possible without access to protected health information. Other employers may simply offer health insurance by paying a premium to a health insurance issuer rather than provide or administer health benefits themselves. Some commenters argued that fully insured plans should not be covered under the rule. Similarly, some commenters argued that the regulation was overly burdensome on small employers, most of whom fully insure their group health plans. Other commenters pointed out that health insurance issuers - even in fully insured arrangements - are often asked for identifiable health information, sometimes for legitimate purposes such as auditing or quality assurance, but sometimes not. One commenter, representing an insurer, gave several examples of employer requests, including claims reports for employees, individual and aggregate amounts paid for employees, identity of employees using certain drugs, and the identity, diagnosis and anticipated future costs for "high cost" employees. This same commenter requested guidance in what types of information can be released to employers to help them determine the organization's responsibilities and liabilities.

Response: In the final regulation we recognize the diversity in plan sponsors' need for protected health information. Many plan sponsors need access to protected health information to perform plan administration functions, including eligibility and enrollment functions, quality assurance, claims processing, auditing, monitoring, trend analysis, and management of carve-out plans (such as vision and dental plans). In the final regulation we allow group health plans to disclose protected health information to plan sponsors if the plan sponsor voluntarily agrees to use the information only in accordance with the purposes stated in the plan documents and as permitted by the regulation. We clarify, however, that plan administration does not include any employment-related decisions, including fitness for duty determinations, or duties related to other employee benefits or plans. Plan documents may only permit health insurance issuers to disclose protected health information to a plan sponsor as is otherwise permitted under this rule and consistent with the minimum necessary standard.

Some plan sponsors, including those with a fully insured group health plan, do not perform plan administration functions on behalf of group health plans, but still may require health information for other purposes, such as modifying, amending or terminating the plan or soliciting bids from prospective issuers or HMOs. In the ERISA context actions undertaken to modify, amend or terminate a group health plan may be known as "settlor" functions (see Lockheed Corp. v. Spink, 517 U.S. 882 (1996)). For example, a plan sponsor may require access to information to evaluate whether to adopt a three-tiered drug formulary. Additionally, a prospective health insurance issuer may need claims information from a plan sponsor in order to provide rating information. The final rule permits plan sponsors to receive summary health information with identifiers removed in order to carry out such functions. Summary health information is information that summarizes the claims history, expenses, or types of claims by individuals enrolled in the group health plan. In addition, the identifiers listed in § 164.514(b)(2)(i) must be removed prior to disclosing the information to a plan sponsor for purposes of modifying, amending, or terminating the plan. See § 164.504(a). This information does not constitute de-identified information because there may be a reasonable basis to believe the information is identifiable to the plan sponsor, especially if the number of participants in the group health plan is small. A group health plan, however, may not permit an issuer or HMO to disclose protected health information to a plan sponsor unless the requirement in § 164.520 states that this disclosure may occur.

Comment: Several commenters stated that health insurance issuers cannot be held responsible for employers' use of protected health information. They stated that the issuer is the agent of the employer and it should not be required to monitor the employer's use and disclosure of information.

Response: Under this regulation, health insurance issuers are covered entities and responsible for their own uses and disclosures of protected health information. A group health plan must require a health insurance issuer or HMO providing coverage to the group health plan to disclose information to the plan sponsor only as provided in the plan documents.

Comment: Several commenters urged us to require de-identified information to be used to the greatest extent possible when information is being shared with employers.

Response: De-identified information is not sufficient for many functions plan sponsors perform on behalf of their group health plans. We have created a process to allow plan sponsors and their employees access to protected health information when necessary to administer the plan. We note that all uses and disclosures of protected health information by the group health plan are bound by the minimum necessary standard.

Comment: One commenter representing church plans argued that the regulation should treat such plans differently from other group health plans. The commenter was concerned about the level of access to information the Secretary would have in performing compliance reviews and suggested that a higher degree of sensitivity is needed for information related to church plans than for information related to other group health plans. This sensitivity is needed, the commenter alleged, to reduce unnecessary intrusion into church operations. The commenter also advocated that church plans found to be out of compliance should be able to self-correct within a stated time frame (270 days) and avoid paying penalty taxes as allowed in the Internal Revenue Code.

Response: We do not believe there is sufficient reason to treat church plans differently than other covered entities. The intent of the compliance reviews is to determine whether or not the plan is abiding by the regulation, not to gather information on the general operations of the church. As required by § 160.310(c), the covered entity must provide access only to information that is pertinent to ascertaining compliance with part 160 or subpart E of part 164.

Comment: Several commenters stated that employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. These commenters questioned whether this type of assistance would be allowed under the regulation, whether individual consent was required, and whether this intervention would make them a covered entity.

Response: The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan. Under the privacy rule, however, the plan sponsor could not obtain any information from the group health plan or a covered provider unless authorization was given. We do not believe obtaining authorization when advocating or providing assistance will be impractical or burdensome since the individual is requesting assistance and therefore should be willing to provide authorization. Advocating on behalf of participants or providing other assistance does not make the plan sponsor a covered entity.

SECTION 164.506 - CONSENT FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

Comment: Many commenters supported regulatory authorization for treatment, payment, and health care operations. In particular, health plans, employers, and institutional providers supported the use of regulatory authorization for treatment, payment, and health care operations.

In contrast, a large number of commenters, particularly health care professionals, patients, and patient advocates, suggested that consent for treatment, payment, and health care operations should be required. Many commenters supported the use of consent for treatment, payment, and health care operations, considering this a requirement for maintaining the integrity of the health care system. Some commenters made a distinction between requiring and permitting providers to obtain consent.

Commenters nearly uniformly agreed that covered health care providers, health plans, and clearinghouses should not be prohibited from seeking authorization for treatment, payment, and health care operations. Some commenters stated that the prohibition against obtaining an authorization goes against professional ethics, undermines the patient-provider relationship, and is contrary to current industry practice.

Some commenters specifically noted the primacy of the doctor-patient relationship regarding consent. In general, commenters recommended that individually identifiable health information not be released by doctors without patient consent. A few commenters stated that prohibiting health care providers from obtaining consent could cause the patient to become suspicious and distrustful of the health care provider. Other commenters believed that clinicians have the responsibility for making sure that patients are fully informed about the consequences of releasing information. A few commented that the process of obtaining consent provided an opportunity for the patient and provider to negotiate the use and disclosure of patient information.

Commenters discussed how, when, and by whom consent should be sought. For example, some commenters viewed a visit between a health care provider and patient as the appropriate place for consent to be discussed and obtained. Others, while not necessarily disputing the appropriateness of health care providers obtaining consent for uses and disclosures of protected health information from individuals, said that it would also be appropriate to permit health plans to obtain consent.

Response: In the NPRM we stated our concern that the blanket consents that individuals sign today provide these individuals with neither notice nor control over how their information is to be used. While we retain those concerns, we also understand that for many who participate in the health care system, the acts of providing and obtaining consent represent important values that these parties wish to retain. Many individuals argued that providing consent enhances their control; many advocates argued that the act of consent focuses patient attention on the transaction; and many health care providers argued that obtaining consent is part of ethical behavior.

The final rule amends our proposed approach and requires most covered health care providers to obtain a consent from their patients to use or disclose protected health information for treatment, payment, and health care operations. Providers who have an indirect treatment relationship with the patient, as defined in § 164.501, cannot be expected to have an opportunity to obtain consent and may continue to rely on regulatory authorization for their uses and disclosures for these purposes.

As described in the comments, it is the relationship between the health care provider and the patient that is the basis for many decisions about uses and disclosures of protected health information. Much of the individually identifiable health information that is the subject of this rule is created when a patient interacts with a health care provider. By requiring covered providers to obtain consent for treatment, payment, and health care operations, the individual will have appropriate opportunity to consider the appropriate uses and disclosures of his or her protected health information. We also require that the consent contain a reference to the provider's notice, which contains a more detailed description of the provider's practices relating to uses and disclosures of protected health information. This combination provides the basis for an individual to have an informed conversation with his or her provider and to request restrictions.

It is our understanding that it is common practice for providers to obtain consent for this type of information-sharing today. Many providers and provider organizations stated that they are ethically obligated to obtain the patient's consent and that it is their practice to do so. A 1998 study by Merz et al., published in the Journal of Law, Medicine and Ethics, examined hospital consent forms regarding disclosure of medical information. (8) They found that 97% of all hospitals seek consent for the release of information for payment purposes; 45% seek consent for disclosure for utilization review, peer review, quality assurance, and/or prospective review; and 50% seek consent for disclosure to providers, other health care facilities, or others for continuity of care purposes. All of these activities fall within our definitions of treatment, payment, or health care operations.

In the final rule we have not required that health plans or health care clearinghouses obtain consent for their uses and disclosures of protected health information for treatment, payment, or health care operations. The rationale underlying the consent requirements for uses and disclosures by health care providers does not pertain to health plans and health care clearinghouses. First, current practice is varied, and there is little history of health plans obtaining consent relating to their own information practices unless required to do so by some other law. This is reflected in the public comments, in which most health plans supported the regulatory authorization approach proposed in the NPRM. Further, unlike many health care providers, health plans did not maintain that they were ethically obligated to seek the consent of their patients for their use and disclosure activities. Finally, it is the unique relationship between an individual and his or her health care provider that provides the foundation for a meaningful consent process. We believe that requiring such a consent process between an individual and a health plan or clearinghouse, where no such unique relationship exists, is not necessary.

Unlike their relationship with health care providers, individuals in most instances do not have a direct opportunity to engage in a discussion with a health plan or clearinghouse at the time that they enter into a relationship with those entities. Most individuals choose a health plan through their employer and often sign up through their employer without any direct contact with the health plan. We concluded that providing for a signed consent in such a circumstance would add little to the proposed approach, which would have required health plans to provide a detailed notice to their enrollees. In the final rule, we also clarify that an individual can request a restriction from a health plan or health care clearinghouse. Since individuals rarely if ever have any direct contact with clearinghouses, we concluded that requiring a signed consent would have virtually no effect beyond the provision of the notice and the opportunity to request restrictions.

We agree with the comments we received objecting to the provision prohibiting covered entities from obtaining consent from individuals. As discussed above, in the final rule we require covered health care providers with direct treatment relationships to obtain consent to use or disclose protected health information for treatment, payment, and health care operations. In addition, we have eliminated the provision prohibiting other covered entities from obtaining such consents. We note that the consents that covered entities are permitted to obtain relate to their own uses and disclosures of protected health information for treatment, payment, and health care operations and not to the practices of others. If a covered entity wants to obtain the individual's permission to receive protected health information from another covered entity, it must do so using an authorization under § 164.508.

"Consent" versus "Authorization"

Comment: In general, commenters did not distinguish between "consent" and "authorization". Commenters used both terms to refer to the individual's giving permission for the use and disclosure of protected health information by any entity.

Response: In the final rule we have made an important distinction between consent and authorization. Under the final rule, we refer to the process by which a covered entity seeks agreement from an individual regarding how it will use and disclose the individual's protected health information for treatment, payment, and health care operations as "consent." The provisions in the final rule relating to consent are largely contained in § 164.506. The process by which a covered entity seeks agreement from an individual to use or disclose protected health information for other purposes, or to authorize another covered entity to disclose protected health information to the requesting covered entity, are termed "authorizations" and the provisions relating to them are found in § 164.508.

Consent Requirements

Comment: Many commenters believed that consent might be problematic in that it could allow covered entities to refuse enrollment or services if the individual does not grant the consent. Some commenters proposed that covered entities be allowed to condition treatment, payment, or health care operations on whether or not an individual granted consent. Other commenters said that consent should be voluntary and not coerced.

Response: In the final rule (§ 164.506(b)(1)), we permit covered health care providers to condition treatment on the individual's consent to the covered provider's use or disclosure of protected health information to carry out treatment, payment, and health care operations. We recognize that it would be difficult, if not impossible, for health care providers to treat their patients and run their businesses without being able to use or disclose protected health information for these purposes. For example, a health care provider could not be reimbursed by a health plan unless the provider could share protected health information about the individual with the health plan. Under the final rule, if the individual refuses to grant consent for this disclosure, the health care provider may refuse to treat the individual. We encourage health care providers to exhaust other options, such as making alternative payment arrangements with the individual, before refusing to treat the individual on these grounds.

We also permit health plans to condition enrollment in the health plan on the individual's consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations (see § 164.506(b)(2)). The health plan must seek the consent in conjunction with the individual's enrollment in the plan for this provision to apply. For example, a health plan's application for enrollment may include a consent for the health plan to use or disclose protected health information to carry out treatment, payment, and/or health care operations. If the individual does not sign this consent, the health plan, under § 164.502(a)(1)(iii), is prohibited from using or disclosing protected health information about the individual for the purposes stated in the consent form. Because the health plan may not be able to provide services to the individual adequately without these uses and disclosures, we permit the health plan to refuse to enroll the individual if the consent is not signed.

Comment: Some commenters were concerned that the NPRM conflicted with state law regarding when covered entities would be required to obtain consent for uses and disclosures of protected health information.

Response: We have modified the provisions in the final rule to require certain health care providers to obtain consent for uses and disclosures for treatment, payment, and health care operations and to permit other covered entities to do so. A consent under this rule may be combined with other types of written legal permission from the individual, such as state-required consents for uses and disclosures of certain types of health information (e.g., information relating to HIV/AIDS or mental health). We also permit covered entities to seek authorization from the individual for another covered entity's use or disclosure of protected health information for these purposes, including if the covered entity is required to do so by other law. Though we do not believe any states currently require such authorizations, we wanted to avoid future conflicts. These changes should resolve the concerns raised by commenters regarding conflicts with state laws that require consent, authorization, or other types of written legal permission for uses and disclosures of protected health information.

Comment: Some commenters noted that there would be circumstances when consent is impossible or impractical. A few commenters suggested that in such situations patient information be de-identified or reviewed by an objective third party to determine if consent is necessary.

Response: Covered health care providers with direct treatment relationships are required to obtain consent to use or disclose protected health information to carry out treatment, payment, and health care operations. In certain treatment situations where the provider is permitted or required to treat an individual without the individual's written consent to receive health care, the provider may use and disclose protected health information created or obtained in the course of that treatment without the individual's consent under this rule (see § 164.506(a)(3)). In these situations, the provider must attempt to obtain the individual's consent and, if the provider is unable to obtain consent, the provider must document the attempt and the reason consent could not be obtained. Together with the uses and disclosures permitted under §§ 164.510 and 164.512, these provisions address the concerns raised regarding situations in which it is impossible or impractical for covered entities to obtain the individual's permission to use or disclose protected health information about the individual.

Comment: An agency that provides care to individuals with mental retardation and developmental disabilities expressed concern that many of their consumers lack capacity to consent to the release of their records and may not have a surrogate readily available to provide consent on their behalf.

Response: Under § 164.506(a)(3), we provide exceptions to the consent requirement for certain treatment situations in which consent is difficult to obtain. In these situations, the covered provider must attempt to obtain consent and must document the reason why consent was not obtained. If these conditions are met, the provider may use and disclose the protected health information created or obtained during the treatment for treatment, payment, or health care operations purposes, without consent.

Comment: Many commenters were concerned that covered entities working together in an integrated health care system would each separately be required to obtain consent for use and disclosure of protected health information for treatment, payment, and health care operations. These commenters recommended that the rule permit covered entities that are part of the same integrated health care system to obtain a single consent allowing each of the covered entities to use and disclose protected health information in accordance with that consent form. Some commenters said that it would be confusing to patients and administratively burdensome to require separate consents for health care systems that include multiple covered entities.

Response: We agree with commenters' concerns. In § 164.506(f) of the final rule we permit covered entities that participate in an organized health care arrangement to obtain a single consent on behalf of the arrangement. See § 164.501 and the corresponding preamble discussion regarding organized health care arrangements. To obtain a joint consent, the covered entities must have a joint notice and must refer to the joint notice in the joint consent. See § 164.520(d) and the corresponding preamble discussion regarding joint notice. The joint consent must also identify the covered entities to which it applies so that individuals will know who is permitted to use and disclose information about them.

Comment: Many commenters stated that individuals own their medical records and, therefore, should have absolute control over them, including knowing by whom and for what purpose protected health information is used, disclosed, and maintained. Some commenters asserted that, according to existing law, a patient owns the medical records of which he is the subject.

Response: We disagree. In order to assert an ownership interest in a medical record, a patient must demonstrate some legitimate claim of entitlement to it under a state law that establishes property rights or under state contract law. Historically, medical records have been the property of the health care provider or medical facility that created them, and some state statutes directly provide that medical records are the property of a health care provider or a health care facility. The final rule is consistent with current state law that provides patients access to protected health information but not ownership of medical records. Furthermore, state laws that are more stringent than the rule, that is, state laws that provide a patient with greater access to protected health information, remain in effect. See discussion of "Preemption" above.

Electronically Stored Data

Comment: Some commenters stated that privacy concerns would be significantly reduced if patient information is not stored electronically. One commenter suggested that consent should be given for patient information to be stored electronically. One commenter believed that information stored in data systems should not be individually identifiable.

Response: We agree that storing and transmitting health information electronically creates concerns about the privacy of health information. We do not agree, however, that covered entities should be expected to maintain health information outside of an electronic system, particularly as health care providers and health plans extend their reliance on electronic transactions. We do not believe that it would be feasible to permit individuals to opt out of electronic transactions by withholding their consent. We note that individuals can ask providers and health plans whether or not they store information electronically, and can choose only providers who do not do so or who agree not to do so. We also do not believe that it is practical or efficient to require that electronic databases contain only de-identified information. Electronic transactions have achieved tremendous savings in the health care system and electronic records have enabled significant improvements in the quality and coordination of health care. These improvements would not be possible with de-identified information.

SECTION 164.508 - USES AND DISCLOSURES FOR WHICH AUTHORIZATION IS REQUIRED

Uses and Disclosures Requiring Authorization

Comment: We received many comments in general support of requiring authorization for the use or disclosure of protected health information. Some comments suggested, however, that we should define those uses and disclosures for which authorization is required and permit covered entities to make all other uses and disclosures without authorization.

Response: We retain the requirement for covered entities to obtain authorization for all uses and disclosures of protected health information that are not otherwise permitted or required under the rule without authorization. We define exceptions to the general rule requiring authorization for the use or disclosure of protected health information, rather than defining narrow circumstances in which authorization is required.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that "each medical-care provider be considered to owe a duty of confidentiality to any individual who is the subject of a medical record it maintains, and that, therefore, no medical care provider should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosures would be" for specifically enumerated purposes such as treatment, audit or evaluation, research, public health, and law enforcement. (9) The Commission made similar recommendations with respect to insurance institutions. (10) The Privacy Act (5 U.S.C. 552a) prohibits government agencies from disclosing records except pursuant to the written request of or pursuant to a written consent of the individual to whom the record pertains, unless the disclosure is for certain specified purposes. The National Association of Insurance Commissioners' Health Information Privacy Model Act states, "A carrier shall not collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by... this Act or as permitted or required by law or court order. Authorization for the disclosure of protected health information may be obtained for any purpose, provided that the authorization meets the requirements of this section." In its report "Best Principles for Health Privacy," the Health Privacy Working Group stated, "Personally identifiable health information should not be disclosed without patient authorization, except in limited circumstances" such as when required by law, for oversight, and for research. (11) The American Medical Association's Council on Ethical and Judicial Affairs has issued an opinion stating, "The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law [and] subject to certain exceptions which are ethically and legally justified because of overriding social considerations." (12) We build on these standards in this final rule.

Comment: Some comments suggested that, under the proposed rule, a covered entity could not use protected health information to solicit authorizations from individuals. For example, a covered entity could not use protected health information to generate a mailing list for sending an authorization for marketing purposes.

Response: We agree with this concern and clarify that covered entities are permitted to use protected health information in this manner without authorization as part of the management activities relating to implementation of and compliance with the requirements of this rule. See § 164.501 and the corresponding preamble regarding the definition of health care operations.

Comment: We received several comments suggesting that we not require written authorizations for disclosures to the individual or for disclosures initiated by the individual or the individual's legal representative.

Response: We agree with this concern and in the final rule we clarify that disclosures of protected health information to the individual who is the subject of the information do not require the individual's authorization. See § 164.502(a)(1). We do not intend to impose barriers between individuals and disclosures of protected health information to them.

When an individual requests that the covered entity disclose protected health information to a third party, however, the covered entity must obtain the individual's authorization, unless the third party is a personal representative of the individual with respect to such protected health information. See § 164.502(g). If under applicable law a person has authority to act on behalf of an individual in making decisions related to health care, except under limited circumstances, that person must be treated as the personal representative under this rule with respect to protected health information related to such representation. A legal representative is a personal representative under this rule if, under applicable law, such person is able to act on behalf of an individual in making decisions related to health care, with respect to the protected health information related to such decisions. For example, an attorney of an individual may or may not be a personal representative under the rule depending on the attorney's authority to act on behalf of the individual in decisions related to health care. If the attorney is the personal representative under the rule, he may obtain a copy of the protected health information relevant to such personal representation under the individual's right to access. If the attorney is not the personal representative under the rule, or if the attorney wants a copy of more protected health information than that which is relevant to his personal representation, the individual would have to authorize such disclosure.

Comment: Commenters expressed concern about whether a covered entity can rely on authorizations made by parents on behalf of their minor children once the child has reached the age of majority and recommended that covered entities be able to rely on the most recent, valid authorization, whether it was authorized by the parent or the minor.

Response: We agree. If an authorization is signed by a parent, who is the personal representative of the minor child at the time the authorization is signed, the covered entity may rely on the authorization for as long as it is a valid authorization, in accordance with § 164.508(b). A valid authorization remains valid until it expires or is revoked. This protects a covered entity's reasonable reliance on such authorization. The expiration date of the authorization may be the date the minor will reach the age of majority. In that case, the covered entity would be required to have the individual sign a new authorization form in order to use or disclose information covered in the expired authorization form.

Comment: Some commenters were concerned that covered entities working together in an integrated system would each be required to obtain authorization separately. These commenters suggested the rule should allow covered entities that are part of the same system to obtain a single authorization allowing each of the covered entities to use and disclose protected health information in accordance with that authorization.

Response: If the rule does not permit or require a covered entity to use or disclose protected health information without the individual's authorization, the covered entity must obtain the individual's authorization to make the use or disclosure. Multiple covered entities working together as an integrated delivery system or otherwise may satisfy this requirement in at least three ways. First, each covered entity may separately obtain an authorization directly from the individual who is the subject of the protected health information to be used or disclosed. Second, one covered entity may obtain a compound authorization in accordance with § 164.508(b)(3) that authorizes multiple covered entities to use and disclose protected health information. In accordance with § 164.508(c)(1)(ii), each covered entity, or class of covered entities, that is authorized to make the use or disclosure must be clearly identified. Third, if the requirements in § 164.504(d) are met, the integrated delivery system may elect to designate itself as a single affiliated covered entity. A valid authorization obtained by that single affiliated covered entity would satisfy the authorization requirements for each covered entity within the affiliated covered entity. Whichever option is used, because these authorizations are being requested by a covered entity for its own use or disclosure, the authorization must contain both the core elements in § 164.508(c) and the additional elements in § 164.508(d).

Sale, Rental, or Barter

Comment: Proposed § 164.508 listed examples of activities that would have required authorization, which included disclosure by sale, rental, or barter. Some commenters requested clarification that this provision is not intended to affect mergers, sale, or similar transactions dealing with entire companies or their individual divisions. A few commenters stated that covered entities should be allowed to sell protected health information, including claims data, as an asset of the covered entity.

Response: We clarify in the definition of health care operations that a covered entity may sell or transfer its assets, including protected health information, to a successor in interest that is or will become a covered entity. See § 164.501 and the corresponding preamble discussion regarding this change. We believe this change meets commenters' business needs without compromising individuals' privacy interests.

Comment: Some commenters supported the requirement for covered entities to obtain authorization for the sale, rental, or barter of protected health information. Some commenters argued that protected health information should never be bought or sold by anyone, even with the individual's authorization.

Response: We removed the reference to sale, rental, or barter in the final rule because we determined that the term was overly broad. For example, if a researcher reimbursed a provider for the cost of configuring health data to be disclosed under the research provisions at § 164.512(i), it may have been ambiguous whether this was a sale and, therefore, required authorizations from the individuals who were the subjects of the information. We clarify in the final rule that if the use or disclosure is otherwise permitted or required under the rule without authorization, such authorization is not required simply because the disclosure is made by sale, rental, or barter.

Comment: Many commenters expressed concerns that their health information will be sold to pharmaceutical companies.

Response: Although we have removed the reference to sale, rental, or barter, the final rule generally would not permit the sale of protected health information to a pharmaceutical company without the authorization of individuals who are the subjects of the information. In some cases, a covered entity could disclose protected health information to a pharmaceutical company for research purposes if the disclosure met the requirements of § 164.512(i).

Psychotherapy Notes

Comment: Public response to the concept of providing additional protections for psychotherapy notes was divided. Many individuals and most providers, particularly mental health practitioners, advocated requiring consent for use or disclosure of all or most protected health information, but particularly sensitive information such as mental health information, not necessarily limited to psychotherapy notes. Others thought there should be special protections for psychotherapy information based on the federal psychotherapist-patient privilege created by the U.S. Supreme Court in Jaffee v. Redmond and the need for an atmosphere of trust between therapist and patient that is required for effective psychotherapy. Several consumer groups recommended prohibiting disclosure of psychotherapy notes for payment purposes.

Some commenters, however, saw no need for special protections for psychotherapy communications and thought that the rules should apply the same protections for all individually identifiable information. Other commenters who advocated for no special protections based their opposition on the difficulty of drawing a distinction between physical and mental health and on the view that special protections should be left to the states. Many health plans and employers did not support additional protections for psychotherapy notes because they stated they need access to this information to assess the adequacy of treatment, the severity of a patient's condition, the extent of a disability, or the ability to monitor the effectiveness of an individual's mental health care and eligibility for benefits. Other commenters, many from insurance companies, cited the need to have psychotherapy notes to detect fraud.

A few commenters said that it was not necessary to provide additional protections to psychotherapy notes because the "minimum necessary" provisions of the NPRM provide sufficient protections.

Response: In the final rule, a covered entity generally must obtain an authorization for disclosure of psychotherapy notes, or for use by a person other than the person who created the psychotherapy notes. This authorization is specific to psychotherapy notes and is in addition to the consent an individual may have given for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations. This additional level of individual control provides greater protection than a general application of the "minimum necessary" rule. Nothing in this regulation weakens existing rules applicable to mental health information that provide more stringent protections. We do not intend to alter the holding in Jaffee v. Redmond.

Generally, we have not treated sensitive information differently from other protected health information; however, we have provided additional protections for psychotherapy notes because of Jaffee v. Redmond and the unique role of this type of information. There are few reasons why other health care entities should need access to psychotherapy notes, and in those cases, the individual is in the best position to determine if the notes should be disclosed. As we have defined them, psychotherapy notes are primarily of use to the mental health professional who wrote them, maintained separately from the medical record, and not involved in the documentation necessary to carry out treatment, payment, or health care operations. Since psychotherapy notes have been defined to exclude information that health plans would typically need to process a claim for benefits, special authorization for payment purposes should be rare. Unlike information shared with other health care providers for the purposes of treatment, psychotherapy notes are more detailed and subjective and are today subject to unique privacy and record retention practices. In fact, it is this separate existence and isolated use that allows us to grant the extra protection without causing an undue burden on the health care system.

Comment: Many commenters suggested we prohibit disclosure of psychotherapy notes without authorization for uses and disclosures under proposed § 164.510 of the NPRM, or that protections should be extended to particular uses and disclosures, such as disclosures for public health, law enforcement, health oversight, and judicial and administrative proceedings. One of these commenters stated that the only purpose for which psychotherapy notes should be disclosed without authorization is for preventing or lessening a serious or imminent threat to health or safety (proposed § 154.510(k)). Another commenter stated that the rule should allow disclosure of psychotherapy notes without authorization for this purpose, or as required by law in cases of abuse or neglect.

Other commenters did not want these protections to be extended to certain national priority activities. They claimed that information relating to psychotherapy is essential to states' activities to protect the public from dangerous mentally ill offenders and abusers, to deliver services to individuals who are unable to authorize release of health care information, and for public health assessments. One commenter requested clarification of when psychotherapy notes could be released in emergency circumstances. Several commenters stated that psychotherapy notes should not be disclosed for public health purposes.

Response: We agree with the commenters who suggested extending protections of psychotherapy notes and have limited the purposes for which psychotherapy notes may be disclosed without authorization for purposes other than treatment, payment, or health care operations. The final rule requires covered entities to obtain authorization to use or disclose psychotherapy notes for purposes listed in § 164.512, with the following exceptions: An authorization is not required for use or disclosure of psychotherapy notes when the use or disclosure is required for enforcement of this rule, in accordance with § 164.502(a)(2)(ii); when required by law, in accordance with § 164.512(a); when needed for oversight of the covered health care provider who created the psychotherapy notes, in accordance with § 164.512(d); when needed by a coroner or medical examiner, in accordance with § 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with § 164.512(j)(1)(i).

Comment: A commenter suggested that we follow the federal regulations governing confidentiality of alcohol and substance abuse records as a model for limited disclosure of psychotherapy notes for audits or evaluations. Under these regulations, a third party payor or a party providing financial assistance may access confidential records for auditing purposes if the party agrees in writing to keep the records secure and destroy any identifying information upon completion of the audit. (42 CFR Part 2)

Response: We agree that the federal regulations concerning alcohol and drug abuse provide a good model for protection of information. However, according to our fact-finding discussions, audit or evaluation should not require access to psychotherapy notes. Protected health information kept in the medical record about an individual should be sufficient for these purposes. The final rule does not require authorization for use or disclosure of psychotherapy notes when needed for oversight of the covered health care provider who created the psychotherapy notes.

Comment: A provider organization urged that the disclosure of psychotherapy notes be strictly prohibited except to the extent needed in litigation brought by the client against the mental health professional on the grounds of professional malpractice or disclosure in violation of this section.

Response: We agree that psychotherapy notes should be available for the defense of the provider who created the notes when the individual who is the subject of the notes puts the contents of the notes at issue in a legal case. In the final rule, we allow the provider to disclose the notes to his or her lawyer for the purpose of preparing a defense. Any other disclosure related to judicial and administrative proceedings is governed by § 164.512(e).

Comment: One commenter requested that we prohibit mental health information that has been disclosed from being re-disclosed without patient authorization.

Response: Psychotherapy notes may only be disclosed pursuant to an authorization, except under limited circumstances. Covered entities must adhere to the terms of the authorization and not disclose psychotherapy notes to persons other than those identified as intended recipients or for other purposes. A covered entity that receives psychotherapy notes must adhere to the terms of this rule, including obtaining an authorization for any further use or disclosure. We do not have the authority, however, to prohibit non-covered entities from re-disclosing psychotherapy notes or any other protected health information.

Comment: A provider organization argued for inclusion of language in the final rule that specifies that real or perceived "ownership" of the mental health record does not negate the requirement that patients must specifically authorize the disclosure of their psychotherapy notes. They cited a July 1999 National Mental Health Association survey, which found that for purposes of utilization review, every managed care plan policy reviewed "maintains the right to access the full medical record (including detailed psychotherapy notes) of any consumer covered under its benefit plan at its whim." At least one of the major managed health plans surveyed considered the patient record to be the property of the health plan and governed by the health plan's policies.

Response: Although a covered entity may own a mental health record, the ability to use or disclose an individual's information is limited by state law and this rule. Under this rule, a mental health plan would not have access to psychotherapy notes created by a covered provider unless the individual who is the subject of the notes authorized disclosure to the health plan.

Comment: Some commenters expressed concern regarding the burden created by having to obtain multiple authorizations and requested clarification as to whether separate authorization for use and disclosure of psychotherapy notes is required.

Response: For the reasons explained above, we retain in the final rule a requirement that a separate authorization must be obtained for most uses or disclosures of psychotherapy notes, including those for treatment, payment, and health care operations. The burden of such a requirement is extremely low, however, because under our definition of psychotherapy notes, the need for such authorization will be very rare.

Comment: One commenter stated that Medicare should not be able to require the disclosure of psychotherapy notes because it would destroy a practitioner's ability to treat patients effectively.

Response: We agree. As in the proposed rule, covered entities may not disclose psychotherapy notes for payment purposes without an authorization. If a specific provision of law requires the disclosure of these notes, a covered entity may make the disclosure under § 164.512(a). The final rule, however, does not require the disclosure of these notes to Medicare.

Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information would be maintained as privileged, would not be revealed to the public, and would be kept under seal after the case is reviewed and closed.

Response: We appreciate this concern and the Secretary will ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. This Department seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, protect records about individuals if the disclosure would constitute an unwarranted invasion of their personal privacy, as does the Privacy Act, 5 U.S.C. 552a. See the discussion of FOIA and the Privacy Act in the "Relationship to Other Federal Laws" section of the preamble. Information that the Secretary routinely withholds from the public in current enforcement activities includes individual names, addresses, and medical information. Additionally, the Secretary attempts to guard against the release of information that might involve a violation of personal privacy by someone being able to "read between the lines" and piece together items that would constitute information that normally would be protected from release to the public. In implementing the privacy rule, the Secretary will continue this practice of protecting personal information.

It is not clear whether the commenter who recommended a panel of mental health professionals believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. We anticipate that we would not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases in which a quick review of the notes may be needed, such as when we need to confirm that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. Investigative staff will be trained in privacy to ensure that they fully respect the confidentiality of personal information. In addition, while the content of these notes is generally not relevant to violations under this rule, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.

Comment: A mental health organization recommended prohibiting health plans and covered health care providers from disclosing psychotherapy notes to coroners or medical examiners.

Response: In general, we have severely limited disclosures of psychotherapy notes without the individual's authorization. One case where the information may prove invaluable, but authorization by the individual is impossible and authorization by a surrogate is potentially contraindicated, is in the investigation of the death of the individual. The final rule allows for disclosures to coroners or medical examiners in this limited case.

Comment: One commenter recommended prohibiting disclosure without authorization of psychotherapy notes to government health data systems.

Response: The decision to eliminate the general provision permitting disclosures to government health data systems addresses this comment.

Comment: Several commenters were concerned that in practice, a treatment team in a mental health facility shares information about a patient in order to care for the patient and that the provision requiring authorization for use and disclosure of psychotherapy notes would expose almost all privileged information to disclosure. They requested that we add a provision that any authorization or disclosure under that statute shall not constitute a waiver of the psychotherapist-patient privilege.

Response: Because of the restricted definition we have adopted for psychotherapy notes, we do not expect that members of a team will share such information. Information shared in order to care for the patient is, by definition, not protected as psychotherapy notes. With respect to waiving privilege, however, we believe that the consents and authorizations described in §§ 164.506 and 164.508 should not be construed as waivers of a patient's evidentiary privilege. See the discussions under § 164.506 and "Relationship to Other Laws," above.

Research Information Unrelated to Treatment

Definition of Research Information Unrelated to Treatment

Comment: The majority of commenters, including many researchers and health care providers, objected to the proposed definition of research information unrelated to treatment, asserting that the privacy rule should not distinguish research information unrelated to treatment from other forms of protected health information. Even those who supported the proposed distinction between research information related and unrelated to treatment suggested alternative definitions for research information unrelated to treatment.

A large number of commenters were concerned that the definition of research information unrelated to treatment was vague and unclear and, therefore, would be difficult or impossible to apply. These commenters asserted that in many instances it would not be feasible to ascertain whether research information bore some relation to treatment. In addition, several commenters asserted that the need for distinguishing research information unrelated to treatment from other forms of protected health information was not necessary because the proposed rule's general restrictions for the use and disclosure of protected health information and the existing protections for research information were sufficiently strong.

Of the commenters who supported the proposed distinction between research information related and unrelated to treatment, very few supported the proposed definition of research unrelated to treatment. A few commenters recommended that the definition incorporate a good faith provision and apply only to health care providers, because they thought it was unlikely that a health plan or health care clearinghouse would be conducting research. One commenter recommended defining research information unrelated to treatment as information which does not directly affect the treatment of the individual patient. As a means of clarifying and standardizing the application of this definition, one commenter also asserted that the definition should be based on whether the research information was for publication. In addition, one commenter specifically objected to the provision of the proposed definition that would have required that research information unrelated to treatment be information "with respect to which the covered entity has not requested payment from a third party payor." This commenter asserted that patient protection should not be dependent on whether a health plan will pay for certain care.

Response: We agree with the commenters who found the proposed definition of research information unrelated to treatment to be impractical and infeasible to apply and have eliminated this definition and its related provisions in the final rule. Although we share concerns raised by some commenters that research information generated from research studies that involve the delivery of treatment to individual subjects may need additional privacy protection, we agree with the commenters who asserted that there is not always a clear distinction between research information that is related to treatment and research information that is not. We found that the alternative definitions proposed by commenters did not alleviate the serious concerns raised by the majority of comments received on this definition.

Instead, in the final rule, we require covered entities that create protected health information for the purpose, in whole or in part, of research that includes treatment of individuals to include additional elements in authorizations they request for the use or disclosure of that protected health information. As discussed in § 164.508(f), these research-related authorizations must include a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual's health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity's general notice of information practices and are binding on the covered entity.

Under this approach, the covered entity that creates protected health information for research has discretion to determine whether there is a subset of research information that will have fewer allowable disclosures without authorization, and prospective research subjects will be informed about how research information about them would be used and disclosed should they agree to participate in the research study. We believe this provision in the final rule provides covered entities that participate in research necessary flexibility to enhance privacy protections for research information and provides prospective research subjects with needed information to determine whether their privacy interests would be adequately protected before agreeing to participate in a research study that involves the delivery of health care.

The intent of this provision is to permit covered entities that participate in research to bind themselves to a more limited scope of uses and disclosures for all or identified subsets of research information generated from research that involves the delivery of treatment than they apply to other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals' privacy concerns on their willingness to participate in research. For example, a covered entity conducting a study which involves the evaluation of a new drug, as well as an assessment of a new un-validated genetic marker of a particular disease, could choose to stipulate in the research authorization that the genetic information generated from this study will not be disclosed without authorization for some of the public policy purposes that would otherwise be permitted by the rule under §§ 164.510 and 164.512 and by the covered entity's notice. A covered entity may not, however, include a limitation affecting its right to make a use or disclosure that is either required by law or is necessary to avert a serious and imminent threat to health or safety.

The final rule also permits the covered entity to combine the research authorization under § 164.508(f) with the consent to participate in research, such as the informed consent document as stipulated under the Common Rule or the Food and Drug Administration's human subjects regulations.

Enhance privacy protections for research information

Comment: A number of commenters argued that research information unrelated to treatment should have fewer allowable disclosures without authorization than those that would have been permitted by the proposed rule. The commenters who made this argument included those commenters who recommended that the privacy rule not cover the information we proposed to constitute research information unrelated to treatment, as well as those who asserted that the rule should cover such information. These commenters agreed with the concern expressed in the proposed rule that patients would be reluctant to participate in research if they feared that research information could be disclosed without their permission or used against them. They argued that fewer allowable disclosures should be permitted for research information because the clinical utility of the research information is most often unknown, and thus, it is unsuitable for use in clinical decision making. Others also argued that it is critical to the conduct of clinical research that researchers be able to provide individual research subjects, and the public at large, the greatest possible assurance that their privacy and the confidentiality of any individually identifiable research information will be protected from disclosure.

Several commenters further recommended that only the following uses and disclosures be permitted for research information unrelated to treatment without authorization: (1) for the oversight of the researcher or the research study; (2) for safety and efficacy reporting required by FDA; (3) for public health; (4) for emergency circumstances; or (5) for another research study. Other commenters recommended that the final rule explicitly prohibit law enforcement officials from gaining access to research records.

In addition, several commenters asserted that the rule should be revised to ensure that once protected health information was classified as research information unrelated to treatment, it could not be re-classified as something else at a later date. These commenters believed that if this additional protection were not added, this information would be vulnerable to disclosure in the future, if the information were later to gain scientific validity. They argued that individuals may rely on this higher degree of confidentiality when consenting to the collection of the information in the first instance, and that confidentiality should not be betrayed in the future just because the utility of the information has changed.

Response: We agree with commenters who argued that special protections may be appropriate for research information in order to provide research subjects with assurances that their decision to participate in research will not result in harm stemming from the misuse of the research information. We are aware that some researchers currently retain separate research records and medical records as a means of providing more stringent privacy protections for the research record. The final rule permits covered entities that participate in research to continue to provide more stringent privacy protections for the research record, and the Secretary strongly encourages this practice to protect research participants from being harmed by the misuse of their research information.

As discussed above, in the final rule, we eliminate the special rules for this proposed definition of research information unrelated to treatment and its related provisions, so the comments regarding its application are moot.

Comment: Some commenters recommended that the final rule prohibit a covered entity from conditioning treatment, enrollment in a health plan, or payment on a requirement that the individual authorize the use or disclosure of information we proposed to constitute research information unrelated to treatment.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders this comment moot.

Comment: A few commenters opposed distinguishing between research information related to treatment and research information unrelated to treatment, arguing that such a distinction could actually weaken the protection afforded to clinically-related health information that is collected in clinical trials. These commenters asserted that Certificates of Confidentiality shield researchers from being compelled to disclose individually identifiable health information relating to biomedical or behavioral research information that an investigator considers sensitive.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders this comment moot. We would note that nothing in the final rule overrides Certificates of Confidentiality, which protect against the compelled disclosure of identifying information about subjects of biomedical, behavioral, clinical, and other research as provided by the Public Health Service Act section 301(d), 42 U.S.C. 241(d).

Privacy protections for research information too stringent

Comment: Many of the commenters who opposed the proposed definition of research information unrelated to treatment and its related provisions believed that the proposed rule would have required authorization before research information unrelated to treatment could have been used or disclosed for any of the public policy purposes outlined in proposed § 164.510, and that this restriction would have significantly hindered many important activities. Many of these commenters specifically opposed this provision, arguing that the distinction would undermine and impede research by requiring patient authorization before research information unrelated to treatment could be used or disclosed for research.

Furthermore, some commenters recommended that the disclosure of research information should be governed by an informed consent agreement already in place as part of a clinical protocol, or its disclosure should be considered by an institutional review board or privacy board.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders the first two comments moot.

We disagree with the comment that suggests that existing provisions under the Common Rule are sufficient to protect the privacy interests of individuals who are subjects in research that involves the delivery of treatment. As discussed in the NPRM, not all research is subject to the Common Rule. In addition, we are not convinced that existing procedures adequately inform individuals about how their information will be used as part of the informed consent process. In the final rule, we provide for additional disclosure to subjects of research that involves the delivery of treatment as part of the research authorization under § 164.508(f). We also clarify that the research authorization could be combined with the consent to participate in research, such as the informed consent document as stipulated under the Common Rule or the Food and Drug Administration's human subjects regulations. The Common Rule (§__.116(a)(5)) requires that "informed consent" include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained." We believe that the research authorization requirements of § 164.508(f) complement the Common Rule's requirement for informed consent.

The Secretary's Authority

Comment: Several commenters, many from the research community, asserted that the coverage of "research information unrelated to treatment" was beyond the Department's legal authority since HIPAA did not give the Secretary authority to regulate researchers. These commenters argued that the research records held by researchers who are performing clinical trials and who keep separate research records should not be subject to the final rule. These commenters strongly disagreed that a health provider-researcher cannot carry out two distinct functions while performing research and providing clinical care to research subjects and, thus, asserted that research information unrelated to treatment that is kept separate from the medical record, would not be covered by the privacy rule.

Response: We do not agree that the Secretary lacks the authority to adopt standards relating to research information, including research information unrelated to treatment. HIPAA provides authority for the Secretary to set standards for the use and disclosure of individually identifiable health information created or received by covered entities. For the reasons commenters identified for why it was not practical or feasible to divide research information into two categories (research information related to treatment and research information unrelated to treatment), we also determined that for a single research study that includes the treatment of research subjects, it is not practical or feasible to divide a researcher into two categories (a researcher who provides treatment and a researcher who does not provide treatment to research subjects). When a researcher is interacting with research subjects for a research study that involves the delivery of health care to subjects, it is not always clear to either the researcher or the research subject whether a particular research activity will generate research information that will be pertinent to the health care of the research subject. Therefore, we clarify that a researcher may also be a health care provider if that researcher provides health care, e.g., provides treatment to subjects in a research study, and otherwise meets the definition of a health care provider, regardless of whether there is a component of the research study that is unrelated to the health care of the research subjects. This researcher/health care provider is then a covered entity with regard to her provider activities if she conducts standard transactions.

Valid Authorizations

Comment: In proposed § 164.508(b)(1), we specified that an authorization containing the applicable required elements "must be accepted by the covered entity." A few comments requested clarification of this requirement.

Response: We agree with the commenters that the proposed provision was ambiguous and we remove it from the final rule. We note that nothing in the rule requires covered entities to act on authorizations that they receive, even if those authorizations are valid. A covered entity presented with an authorization is permitted to make the disclosure authorized, but is not required to do so.

We want to be clear, however, that covered entities will be in compliance with this rule if they use or disclose protected health information pursuant to an authorization that meets the requirements of § 164.508. We have made changes in § 164.508(b)(1) to clarify this point. First, we specify that an authorization containing the applicable required elements is a valid authorization. A covered entity may not reject as invalid an authorization containing such elements. Second, we clarify that a valid authorization may contain elements or information in addition to the required elements, as long as the additional elements are not inconsistent with the required elements.

Comment: A few comments requested that we provide a model authorization or examples of wording meeting the "plain language" requirement. One commenter requested changes to the language in the model authorization to avoid confusion when used in conjunction with an insurer's authorization form for application for life or disability income insurance. Many other comments, however, found fault with the proposed model authorization form.

Response: Because of the myriad types of forms that could meet these requirements and the desire to encourage covered entities to develop forms that meet their specific needs, we do not include a model authorization form in the final rule. We intend to issue additional guidance about authorization forms prior to the compliance date. We also encourage standard-setting organizations to develop model forms meeting the requirements of this rule.

Defective Authorizations

Comment: Some commenters suggested we insert a "good-faith reliance" or "substantial compliance" standard into the authorization requirements. Commenters suggested that covered entities should be permitted to rely on an authorization as long as the individual has signed and dated the document. They stated that individuals may not fill out portions of a form that they feel are irrelevant or for which they do not have an answer. They argued that requiring covered entities to follow up with each individual to complete the form will cause unwarranted delays. In addition, commenters were concerned that large covered entities might act in good faith on a completed authorization, only to find out that a component of the entity "knew" some of the information on the form to be false or that the authorization had been revoked. These commenters did not feel that covered entities should be held in violation of the rule in such situations.

Response: We retain the provision as proposed and include one additional element: the authorization is invalid if it is combined with other documents in violation of the standards for compound authorizations. We also clarify that an authorization is invalid if material information on the form is known to be false. The elements we require to be included in the authorization are intended to ensure that individuals knowingly and willingly authorize the use or disclosure of protected health information about them. If these elements are missing or incomplete, the covered entity cannot know which protected health information to use or disclose to whom and cannot be confident that the individual intends for the use or disclosure to occur.

We have attempted to make the standards for defective authorizations as unambiguous as possible. In most cases, the covered entity will know whether the authorization is defective by looking at the form itself. Otherwise, the covered entity must know that the authorization has been revoked, that material information on the form is false, or that the expiration date or event has occurred. If the covered entity does not know these things and the authorization is otherwise satisfactory on its face, the covered entity is permitted to make the use or disclosure in compliance with this rule.

We have added two provisions to make it easier for covered entities to "know" when an authorization has been revoked. First, under § 164.508(b)(5), the revocation must be made in writing. Second, under § 164.508(c)(1)(v), authorizations must include instructions for how the individual may revoke the authorization. Written revocations submitted in the manner appropriate for the covered entity should ease covered entities' compliance burden.

Compound Authorizations

Comment: Many commenters raised concerns about the specificity of the authorization requirement. Some comments recommended that we permit covered entities to include multiple uses and disclosures in a single authorization and allow individuals to authorize or not authorize specific uses and disclosures in the authorization. Other commenters asked whether a single authorization is sufficient for multiple uses or disclosures for the same purpose, for multiple uses and disclosures for related purposes, and for uses and disclosures of different types of information for the same purpose. Some comments from health care providers noted that specific authorizations would aid their compliance with requests.

Response: As a general rule, we prohibit covered entities from combining an authorization for the use or disclosure of protected health information with any other document. For example, an authorization may not be combined with a consent to receive treatment or a consent to assign payment of benefits to a provider. We intend the authorizations required under this rule to be voluntary for individuals, and, therefore, they need to be separate from other forms of consent that may be a condition of treatment or payment or that may otherwise be coerced.

We do, however, permit covered entities to combine authorizations for uses and disclosures for multiple purposes into a single authorization. The only limitations are that an authorization for the use or disclosure of psychotherapy notes may not be combined with an authorization for the use or disclosure of other types of protected health information and that an authorization that is a condition of treatment, payment, enrollment, or eligibility may not be combined with any other authorization.

In § 164.508(b)(3), we also permit covered entities to combine an authorization for the use or disclosure of protected health information created for purposes of research including treatment of individuals with certain other documents.

We note that covered entities may only make uses or disclosures pursuant to an authorization that are consistent with the terms of the authorization. Therefore, if an individual agrees to one of the disclosures described in the compound authorization but not another, the covered entity must comply with the individual's decision. For example, if a covered entity asks an individual to sign an authorization to disclose protected health information for both marketing and fundraising purposes, but the individual only agrees to the fundraising disclosure, the covered entity is not permitted to make the marketing disclosure.

Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

Comment: Many commenters supported the NPRM's prohibition of covered entities from conditioning treatment or payment on the individual's authorization of uses and disclosures. Some commenters requested clarification that employment can be conditioned on an authorization. Some commenters recommended that we eliminate the requirement for covered entities to state on the authorization form that the authorization is not a condition of treatment or payment. Some commenters suggested that we prohibit the provision of anything of value, including employment, from being conditioned on receipt of an authorization.

In addition, many commenters argued that patients should not be coerced into signing authorizations for a wide variety of purposes as a condition of obtaining insurance coverage. Some health plans, however, requested clarification that health plan enrollment and eligibility can be conditioned on an authorization.

Response: We proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on an authorization for the use or disclosure of psychotherapy notes (see proposed § 164.508(a)(3)(iii)). We proposed to prohibit covered entities from conditioning treatment or payment on authorization for the use or disclosure of any other protected health information (see proposed § 164.508(a)(2)(iii)).

We resolve this inconsistency by clarifying in § 164.508(b)(4) that, with certain exceptions, a covered entity may not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on an authorization for the use or disclosure of any protected health information, including psychotherapy notes. We intend to minimize the potential for covered entities to coerce individuals into signing authorizations for the use or disclosure of protected health information when such information is not essential to carrying out the relationship between the individual and the covered entity.

Pursuant to that goal, we have created limited exceptions to the prohibition. First, a covered health care provider may condition research-related treatment of an individual on obtaining the individual's authorization to use or disclose protected health information created for the research. Second, except with respect to psychotherapy notes, a health plan may condition the individual's enrollment or eligibility in the health plan on obtaining an authorization for the use or disclosure of protected health information for making enrollment or eligibility determinations relating to the individual or for its underwriting or risk rating determinations. Third, a health plan may condition payment of a claim for specified benefits on obtaining an authorization under § 164.508(e) for disclosure to the plan of protected health information necessary to determine payment of the claim. Fourth, a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party (such as fitness-for-duty exams and physicals necessary to obtain life insurance coverage) on obtaining an authorization for the disclosure of the protected health information. We recognize that covered entities need protected health information in order to carry out these functions and provide services to the individual; therefore, we allow authorization for the disclosure of the protected health information to be a condition of obtaining the services.

We believe that we have prohibited covered entities from conditioning the services they provide to individuals on obtaining an authorization for uses and disclosures that are not essential to those services. Due to our limited authority, however, we cannot entirely prevent individuals from being coerced into signing these forms. We do not, for example, have the authority to prohibit an employer from requiring its employees to sign an authorization as a condition of employment. Similarly, a program such as the Job Corps may make such an authorization a condition of enrollment in the Job Corps program. While the Job Corps may include a health care component, the non-covered component of the Job Corps may require as a condition of enrollment that the individual authorize the health care component to disclose protected health information to the non-covered component. See § 164.504(b). However, we note that other nondiscrimination laws may limit the ability to condition these authorizations as well.

Comment: A Medicaid fraud control association stated that many states require or permit state Medicaid agencies to obtain an authorization for the use and disclosure of protected health information for payment purposes as a condition of enrolling an individual as a Medicaid recipient. The commenter, therefore, urged an exception to the prohibition on conditioning enrollment on obtaining an authorization.

Response: As explained above, under § 164.506(a)(4), health plans and other covered entities may seek the individual's consent for the covered entity's use and disclosure of protected health information to carry out treatment, payment, or health care operations. If the consent is sought in conjunction with enrollment, the health plan may condition enrollment in the plan on obtaining the individual's consent.

Under § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information for payment purposes. If state law requires a Medicaid agency to obtain the individual's authorization for providers to disclose protected health information to the Medicaid agency for payment purposes, the agency may do so under § 164.508(e). This authorization must not be a condition of enrollment or eligibility, but may be a condition of payment of a claim for specified benefits if the disclosure is necessary to determine payment of the claim.

Revocation of Authorizations

Comment: Many commenters supported the right to revoke an authorization. Some comments, however, suggested that we require authorizations to remain valid for a minimum period of time, such as one year or the duration of the individual's enrollment in a health plan.

Response: We retain the right for individuals to revoke an authorization at any time, with certain exceptions. We believe this right is essential to ensuring that the authorization is voluntary. If an individual determines that an authorized use or disclosure is no longer in her best interest, she should be able to withdraw the authorization and prevent any further uses or disclosures.

Comment: Several commenters suggested that we not permit individuals to revoke an authorization if the revocation would prevent an investigation of material misrepresentation or fraud. Other commenters similarly suggested that we not permit individuals to revoke an authorization prior to a claim for benefits if the insurance was issued in reliance on the authorization.

Response: To address this concern, we include an additional exception to the right to revoke an authorization. Individuals do not have the right to revoke an authorization that was obtained as a condition of insurance coverage during any contestability period under other law. For example, if a life insurer obtains the individual's authorization for the use or disclosure of protected health information to determine eligibility or premiums under the policy, the individual does not have the right to revoke the authorization during any period of time in which the life insurer can contest a claim for benefits under the policy in accordance with state law. If an individual were able to revoke the authorization after enrollment but prior to making a claim, the insurer would be forced to pay claims without having the necessary information to determine whether the benefit is due. We believe the existing exception for covered entities that have acted in reliance on the authorization is insufficient to address this concern because it is another person, not the covered entity, that has acted in reliance on the authorization. In the life insurance example, it is the life insurer that has taken action (i.e., issued the policy) in reliance on the authorization. The life insurer is not a covered entity; therefore, the covered entity exception is inapplicable.

Comment: Some comments suggested that a covered entity that had compiled, but not yet disclosed, protected health information would have already taken action in reliance on the authorization and could therefore disclose the information even if the individual revoked the authorization.

Response: We intend for covered entities to refrain from further using or disclosing protected health information to the maximum extent possible once an authorization is revoked. The exception exists only to the extent the covered entity has taken action in reliance on the authorization. If the covered entity has not yet used or disclosed the protected health information, it must refrain from doing so, pursuant to the revocation. If, however, the covered entity has already disclosed the information, it is not required to retrieve the information.

Comment: One comment suggested that the rule allow protected health information to be only rented, not sold, because there can be no right to revoke authorization for disclosure of protected health information that has been sold.

Response: We believe this limitation would be an unwarranted abrogation of covered entities' business practices and outside the scope of our authority. We believe individuals should have the right to authorize any uses or disclosures they feel are appropriate. We have attempted to create authorization requirements that make the individual's decisions as clear and voluntary as possible.

Comment: One commenter expressed concern as to whether the proposed rule's standard to protect the protected health information about a deceased individual for two years would interfere with the payment of death benefit claims. The commenter asked that the regulation permit the beneficiary or payee under a life insurance policy to authorize disclosure of protected health information pertaining to the cause of death of a decedent or policyholder. Specifically, the commenter explained that when substantiating a claim a beneficiary, such as a fiancee or friend, may be unable to obtain the authorization required to release information to the insurer, particularly if, for example, the decedent's estate does not require probate or if the beneficiary is not on good terms with the decedent's next of kin. Further, the commenter stated that particularly in cases where the policyholder dies within two years of the policy's issuance (within the policy's contestable period) and the cause of death is uncertain, the insurer's inability to access relevant protected health information would significantly interfere with claim payments and increase administrative costs.

Response: We do not believe this will be a problem under the final regulation, because we create an exception to the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. Thus, if a policyholder dies within the two year contestability period, the authorization the insurer obtained from the policyholder prior to death could not be revoked during the contestability period.

Core Elements and Requirements

Comment: Many commenters raised concerns about the required elements for a valid authorization. They argued that the requirements were overly burdensome and that covered entities should have greater flexibility to craft authorizations that meet their business needs. Other commenters supported the required elements as proposed because the elements help to ensure that individuals make meaningful, informed choices about the use and disclosure of protected health information about them.

Response: As in the proposed rule, we define specific elements that must be included in any authorization. We draw on established laws and guidelines for these requirements. For example, the July 1977 Report of the Privacy Protection Study Commission recommended that authorizations obtained by insurance institutions include plain language, the date of authorization, and identification of the entities authorized to disclose information, the nature of the information to be disclosed, the entities authorized to receive information, the purpose(s) for which the information may be used by the recipients, and an expiration date. (13) The Commission made similar recommendations concerning the content of authorizations obtained by health care providers. (14) The National Association of Insurance Commissioners' Health Information Privacy Model Act requires authorizations to be in writing and include a description of the types of protected health information to be used or disclosed, the name and address of the person to whom the information is to be disclosed, the purpose of the authorization, the signature of the individual or the individual's representative, and a statement that the individual may revoke the authorization at any time, subject to the rights of any person that acted in reliance on the authorization prior to revocation and provided the revocation is in writing, dated, and signed. Standards of the American Society for Testing and Materials recommend that authorizations identify the subject of the protected health information to be disclosed; the name of the person or institution that is to release the information; the name of each individual or institution that is to receive the information; the purpose or need for the information; the information to be disclosed; the specific date, event, or condition upon which the authorization will expire, unless revoked earlier; and the signature and date signed. They also recommend the authorization include a statement that the authorization can be revoked or amended, but not retroactive to a release made in reliance on the authorization. (15)

Comment: Some commenters requested clarification that authorizations "initiated by the individual" include authorizations initiated by the individual's representative.

Response: In the final rule, we do not classify authorizations as those initiated by the individual versus those initiated by a covered entity. Instead, we establish a core set of elements and requirements that apply to all authorizations and require certain additional elements for particular types of authorizations initiated by covered entities.

Comment: Some commenters urged us to permit authorizations that designate a class of entities, rather than specifically named entities, that are authorized to use or disclose protected health information. Commenters made similar recommendations with respect to the authorized recipients. Commenters suggested these changes to prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the same purpose.

Response: We agree. Under § 164.508(c)(1), we require authorizations to identify both the person(s) authorized to use or disclose the protected health information and the person(s) authorized to receive protected health information. In both cases, we permit the authorization to identify either a specific person or a class of persons.

Comment: Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.

Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.

Comment: Some commenters requested that we permit covered entities to use and disclose protected health information pursuant to verbal authorizations.

Response: To ensure compliance and mutual understanding between covered entities and individuals, we require all authorizations to be in writing.

Comment: Some commenters asked whether covered entities can rely on copies of authorizations rather than the original. Other comments asked whether covered entities can rely on the assurances of a third party, such as a government entity, that a valid authorization has been obtained to use or disclose protected health information. These commenters suggested that such procedures would promote the timely provision of benefits for programs that require the collection of protected health information from multiple sources, such as determinations of eligibility for disability benefits.

Response: Covered entities must obtain the individual's authorization to use or disclose protected health information for any purpose not otherwise permitted or required under this rule. They may obtain this authorization directly from the individual or from a third party, such as a government agency, on the individual's behalf. In accordance with the requirements of § 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities must, therefore, obtain the authorization in writing. They may not rely on assurances from others that a proper authorization exists. They may, however, rely on copies of authorizations if doing so is consistent with other law.

Comment: We requested comments on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is who she or he purports to be. Some commenters stated that it would be extremely difficult to verify the identity of the person signing the authorization, particularly when the authorization is not obtained in person. Other comments recommended requiring authorizations to be notarized.

Response: To reduce burden on covered entities, we are not requiring verification of the identities of individuals signing authorization forms or notarization of the forms.

Comment: A few commenters asked for clarification regarding the circumstances in which a covered entity may consider a non-response as an authorization.

Response: Non-responses to requests for authorizations cannot be considered authorizations. Authorizations must be signed and have the other elements of a valid authorization described above.

Comment: Most commenters generally supported the requirement for an expiration date on the authorization. Commenters recommended expiration dates from 6 months to 3 years and/or proposed that the expiration be tied to an event such as duration of enrollment or when an individual changes health plans. Others requested no expiration requirement for some or all authorizations.

Response: We have clarified that an authorization may include an expiration date in the form of a specific date, a specific time period, or an event directly related to the individual or the purpose of the authorization. For example, a valid authorization could expire upon the individual's disenrollment from a health plan or upon termination of a research project. We prohibit an authorization from having an indeterminate expiration date.

These changes were intended to address situations in which a specific date for the termination of the purpose for the authorization is difficult to determine. An example may be a research study where it may be difficult to predetermine the length of the project.

Comment: A few commenters requested that the named insured be permitted to sign an authorization on behalf of dependents.

Response: We disagree with the commenter that a named insured should always be able to authorize uses and disclosures for other individuals in the family. Many dependents under group health plans have their own rights under this rule, and we do not assume that one member of a family has the authority to authorize uses or disclosures of the protected health information of other family members.

A named insured may sign a valid authorization for an individual if the named insured is a personal representative for the individual in accordance with § 164.502(g). The determination of whether an individual is a personal representative under this rule is based on other applicable law that determines when a person can act on behalf of an individual in making decisions related to health care. This rule limits a person's rights and authorities as a personal representative to only the protected health information relevant to the matter for which he or she is a personal representative under other law. For example, a parent may be a personal representative of a child for most health care treatment and payment decisions under state law. In that case, a parent, who is a named insured for her minor child, would be able to provide authorization with respect to most protected health information about her dependent child. However, a wife who is the named insured for her husband who is a dependent under a health insurance policy may not be a personal representative for her husband under other law or may be a personal representative only for limited purposes, such as for making decisions regarding payment of disputed claims. In this case, she may have limited authority to access protected health information related to the payment of disputed claims, but would not have the authority to authorize that her husband's information be used for marketing purposes, absent any other authority to act for her husband. See § 164.502(g) for more information regarding personal representatives.

Comment: One commenter suggested that authorizations should be dated on the day they are signed.

Response: We agree and have retained this requirement in the final rule.

Additional Elements and Requirements for Authorizations Requested by the Covered Entity for Its Own Uses and Disclosures

Comment: Some commenters suggested that we should not require different elements in authorizations initiated by the covered entity versus authorizations initiated by the individual. The commenters argued the standards were unnecessary, confusing, and burdensome.

Response: The proposed authorization requirements are intended to ensure that an individual's authorization is truly voluntary. The additional elements required for authorizations initiated by the covered entity for its own uses and disclosures or for receipt of protected health information from other covered entities to carry out treatment, payment, or health care operations address concerns that are unique to these forms of authorization. (See above regarding requirements for research authorizations under § 164.508(f).)

First, when applicable, these authorizations must state that the covered entity will not condition treatment, payment, eligibility, or enrollment on the individual's providing authorization for the requested use or disclosure. This statement is not appropriate for authorizations initiated by the individual or another person who does not have the ability to withhold services if the individual does not authorize the use or disclosure.

Second, the authorization must state that the individual may refuse to sign the authorization. This statement is intended to signal to the individual that the authorization is voluntary and may not be accurate if the authorization is obtained by a person other than a covered entity.

Third, these authorizations must describe the purpose of the use or disclosure. We do not include this element in the core requirements because we understand there may be times when the individual does not want the covered entity maintaining the protected health information to know the purpose for the use or disclosure. For example, an individual contemplating litigation may not want the covered entity to know that litigation is the purpose of the disclosure. If the covered entity is initiating the authorization for its own use or disclosure, however, the individual and the covered entity maintaining the protected health information should have a mutual understanding of the purpose of the use or disclosure. Similarly, when a covered entity is requesting authorization for a disclosure by another covered entity that may have already obtained the individual's consent for the disclosure, the individual and covered entity that maintains the protected health information should be aware of this potential conflict.

There are two additional requirements for authorizations requested by a covered entity for its own use or disclosure of protected health information it maintains. First, we require the covered entity to describe the individual's right to inspect or copy the protected health information to be used or disclosed. Individuals may want to review the information to be used or disclosed before signing the authorization and should be reminded of their ability to do so. This requirement is not appropriate for authorizations for a covered entity to receive protected health information from another covered entity, however, because the covered entity requesting the authorization is not the covered entity that maintains the protected health information and cannot, therefore, grant or describe the individual's right to access the information.

If applicable, we also require a covered entity that requests an authorization for its own use or disclosure to state that the use or disclosure of the protected health information will result in direct or indirect remuneration to the entity. Individuals should be aware of any conflicts of interest or financial incentives on the part of the covered entity requesting the use or disclosure. These statements are not appropriate, however, in relation to uses and disclosures to carry out treatment, payment, and health care operations. Uses and disclosures for these purposes will often involve remuneration by the nature of the use or disclosure, not due to any conflict of interest on the part of either covered entity.

We note that authorizations requested by a covered entity include authorizations requested by the covered entity's business associate on the covered entity's behalf. Authorizations requested by a business associate on the covered entity's behalf and that authorize the use or disclosure of protected health information by the covered entity or the business associate must meet the requirements in § 164.508(d). Similarly, authorizations requested by a business associate on behalf of a covered entity to accomplish the disclosure of protected health information to that business associate or covered entity as described in § 164.508(e) must meet the requirements of that provision.

We disagree that these elements are unnecessary, confusing, or burdensome. We require them to ensure that the individual has a complete understanding of what he or she is agreeing to permit.

Comment: Many commenters suggested we include in the regulation text a provision stated in the preamble that entities and their business partners must limit their uses and disclosures to the purpose(s) specified by the individual in the authorization.

Response: We agree. In accordance with § 164.508(a)(1), covered entities may only use or disclose protected health information consistent with the authorization. In accordance with § 164.504(e)(2), a business associate may not make any uses or disclosures that the covered entity could not make.

Comment: Some comments suggested that authorizations should identify the source and amount of financial gain, if any, resulting from the proposed disclosure. Others suggested that the proposed financial gain requirements were too burdensome and would decrease trust between patients and providers. Commenters recommended that the requirement either should be eliminated or should only require covered entities, when applicable, to state that direct and foreseeable financial gain to the covered entity will result. Others requested clarification of how the requirement for covered entities to disclose financial gain relates to the criminal penalties that accrue for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Some commenters advocated use of the term "financial compensation" rather than "financial gain" to avoid confusion with in-kind compensation rules. Some comments additionally suggested excluding marketing uses and disclosures from the requirements regarding financial gain.

Response: We agree that clarification is warranted. In § 164.508(d)(1)(iv) of the final rule, we require a covered entity that asks an individual to sign an authorization for the covered entity's use or disclosure of protected health information and that will receive direct or indirect remuneration from a third party for the use or disclosure, to state that fact in the authorization. Remuneration from a third party includes payments such as a fixed price per disclosure, compensation for the costs of compiling and sending the information to be disclosed, and, with respect to marketing communications, a percentage of any sales generated by the marketing communication. For example, a device manufacturer may offer to pay a fixed price per name and address of individuals with a particular diagnosis, so that the device manufacturer can market its new device to people with the diagnosis. The device manufacturer may also offer the covered entity a percentage of the profits from any sales generated by the marketing materials sent. If a covered entity seeks an authorization to make such a disclosure, the authorization must state that the remuneration will occur. We believe individuals should have the opportunity to weigh the covered entity's potential conflict of interest when deciding to authorize the covered entity's use or disclosure of protected health information. We believe that the term "remuneration from a third party" clarifies our intent to describe a direct, tangible exchange, rather than the mere fact that parties intend to profit from their enterprises.

Comment: One commenter suggested we require covered entities to request authorizations in a manner that does not in itself disclose sensitive information.

Response: We agree that covered entities should make reasonable efforts to avoid unintentional disclosures. In § 164.530(c)(2), we require covered entities to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations.

Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization.

Comment: Some commenters suggested that the final rule prohibit financial incentives, such as premium discounts, designed to encourage individuals to sign authorizations.

Response: We do not prohibit or require financial incentives for authorizations. We have attempted to ensure that authorizations are entered into voluntarily. If a covered entity chooses to offer a financial incentive for the individual to sign the authorization, and the individual chooses to accept it, they are free to do so.

SECTION 164.510--USES AND DISCLOSURES REQUIRING AN OPPORTUNITY FOR THE INDIVIDUAL TO AGREE OR TO OBJECT

Section 164.510(a)--Use and Disclosure for Facility Directories

Comment: Many hospital organizations opposed the NPRM's proposed opt-in approach to disclosure of directory information. These groups noted the preamble's statement that most patients welcomed the convenience of having their name, location, and general condition included in the patient directory. They said that requiring hospitals to obtain authorization before including patient information in the directory would cause harm to many patients' needs in an effort to serve the needs of the small number of patients who may not want their information to be included. Specifically, they argued that the proposed approach ultimately could have the effect of making it difficult or impossible for clergy, family members, and florists to locate patients for legitimate purposes. In making this argument, commenters pointed to problems that occurred after enactment of privacy legislation in the State of Maine in 1999. The legislation, which never was officially implemented, was interpreted by hospitals to prohibit disclosure of patient information to directories without written consent. As a result, when hospitals began complying with the law based on their interpretation, family members and clergy had difficulty locating patients in the hospital.

Response: We share commenters' concern about the need to ensure that family members and clergy who have a legitimate need to locate patients are not prevented from doing so by excessively stringent restrictions on disclosure of protected health information to health care facilities' directories. Accordingly, the final rule takes an opt-out approach, stating that health care institutions may include the name, general condition, religious affiliation, and location of a patient within the facility in the facility's directory unless the patient explicitly objects to the use or disclosure of protected health information for directory purposes. To ensure that this opt-out can be exercised, the final rule requires facilities to notify individuals of their right not to be included in the directory and to give them the opportunity to opt out. The final rule indicates that the notice and opt-out may be oral. The final rule allows health care facilities to disclose to clergy the four types of protected health information specified above without requiring the clergy to ask for the individual by name; this will allow clergy to identify the members of their faith who are in the facility, thus ensuring that this rule will not significantly interfere with the exercise of religion, including the clergy's traditional religious mission to provide services to individuals.

Comment: A small number of commenters recommended requiring written authorization for all disclosures of protected health information for directory purposes. These commenters believed that the NPRM's proposed provision allowing oral agreement would not provide sufficient privacy protection; that it did not sufficiently hold providers accountable for complying with patient wishes; and that it could create liability issues for providers.

Response: The final rule does not require written authorization for disclosure of protected health information for directory purposes. We believe that requiring written authorization in these cases would increase substantially the administrative burdens and costs for covered health care providers and could lead to significant inconvenience for families and others attempting to locate individuals in health care institutions. Experience from the State of Maine suggests that requiring written authorization before patient information may be included in facility directories can be disruptive for providers, families, clergy, and others.

Comment: Domestic violence organizations raised concerns that including information about domestic violence victims in health care facilities' directories could result in further harm to victims. The NPRM addressed the issue of potential danger to patients by stating that when patients were incapacitated, covered health care providers could exercise discretion - consistent with good medical practice and prior expression of patient preference - regarding whether to disclose protected health information for directory purposes. Several commenters recommended prohibiting providers from including information in a health care facility's directory about incapacitated individuals when the provider reasonably believed that the injuries to the individual could have been caused by domestic violence. These groups believed that such a prohibition was necessary to prevent abusers from locating and causing further harm to domestic violence patients.

Response: We share commenters' concerns about protecting victims of domestic violence from further abuse. We are also concerned, however, that imposing an affirmative duty on institutions not to disclose information any time injuries to the individual could have been the result of domestic violence would place too high a burden on health care facilities, essentially requiring them to rule out domestic violence as a potential cause of the injuries before disclosing to family members that an incapacitated person is in the institution.

We do believe, however, that it is appropriate to require covered health care providers to consider whether including the individual's name and location in the directory could lead to serious harm. As in the preamble to the NPRM, in the preamble to the final rule, we encourage covered health care providers to consider several factors when deciding whether to include an incapacitated patient's information in a health care facility's directory. One of these factors is whether disclosing an individual's presence in the facility could reasonably cause harm or danger to the individual (for example, if it appeared that an unconscious patient had been abused and disclosing that the individual is in the facility could give the attacker sufficient information to seek out the person and repeat the abuse). Under the final rule, when the opportunity to object to uses and disclosures for a facility's directory cannot practicably be provided due to an individual's incapacity or an emergency treatment circumstance, covered health care providers may use or disclose some or all of the protected health information that the rule allows to be included in the directory, if the disclosure is: (1) consistent with the individual's prior expressed preference, if known to the covered health care provider; and (2) in the individual's best interest, as determined by the covered health care provider in the exercise of professional judgement. The rule allows covered health care providers making decisions about incapacitated patients to include some portions of the patient's information (such as name) but not other information (such as location in the facility) to protect patient interests.

Section 164.510(b)--Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes

Comment: A number of comments supported the NPRM's proposed approach, which would have allowed covered entities to disclose protected health information to the individual's next of kin, family members, or other close personal friends when the individual verbally agreed to the disclosure. These commenters agreed that the presumption should favor disclosures to the next of kin, and they believed that health care providers should encourage individuals to share genetic information and information about transmittable diseases with family members at risk. Others agreed with the general approach but suggested the individual's agreement be noted in the medical record. These commenters also supported the NPRM's proposed reliance on good professional practices and ethics to determine when disclosures should be made to the next of kin when the individual's agreement could not practicably be obtained.

A few commenters recommended that the individual's agreement be in writing for the protection of the covered entity and to facilitate the monitoring of compliance with the individual's wishes. These commenters were concerned that, absent the individual's written agreement, the covered entity would become embroiled in intra-family disputes concerning the disclosures. Others argued that the individual's authorization should be obtained for all disclosures, even to the next of kin.

One commenter favored disclosures to family members and others unless the individual actively objected, as long as the disclosure was consistent with sound professional practice. Others believed that no agreement by the individual was necessary unless sensitive medical information would be disclosed or unless the health care provider was aware of the individual's prior objection. These commenters recommended that good professional practice and ethics determine when disclosures were appropriate and that disclosure should relate only to the individual's current treatment. A health care provider organization said that the ethical and legal obligations of the medical professional alone should control in this area, although it believed the proposed rule was generally consistent with these obligations.

Response: The diversity of comments regarding the proposal on disclosures to family members, next of kin, and other persons, reflects a wide range of current practice and individual expectations. We believe that the NPRM struck the proper balance between the competing interests of individual privacy and the need that covered health care providers may have, in some cases, to have routine, informal conversations with an individual's family and friends regarding the individual's treatment.

We do not agree with the comments stating that all such disclosures should be made only with consent or with the individual's written authorization. The rule does not prohibit obtaining the agreement of the individual in writing; however, we believe that imposing a requirement for consent or written authorization in all cases for disclosures to individuals involved in a person's care would be unduly burdensome for all parties. In the final rule, we clarify the circumstances in which such disclosures are permissible. The rule allows covered entities to disclose to family members, other relatives, close personal friends of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's care or payment related to the individual's health care. In addition, the final rule allows covered entities to use or disclose protected health information to notify, or assist in the notification of (including identifying or locating) a family member, a personal representative of the individual, or another person responsible for the care of the individual, of the individual's location, general condition, or death. The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and can make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) obtains the individual's agreement to disclose to the third parties involved in the individual's care; (2) provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgement, that the individual does not object to the disclosure. 

The final rule continues to permit disclosures in circumstances when the individual is not present or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual's incapacity or an emergency circumstance. In such instances, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care.

As discussed in the preamble for this section, we do not intend to disrupt most covered entities' current practices with respect to informing family members and others with whom a patient has a close personal relationship about a patient's specific health condition when a patient is incapacitated due to a medical emergency and the family member or close personal friend comes to the covered entity to ask about the patient's condition. To the extent that disclosures to family members and others in these situations currently are allowed under state law and covered entities' own rules, § 164.510(b) allows covered entities to continue making them in these situations, consistent with the exercise of professional judgement as to the patient's best interest. As indicated in the preamble above, this section is not intended to provide a loophole for avoiding the rule's other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity's health status.

Comments: A few comments supported the NPRM approach because it permitted the current practice of allowing someone other than the patient to pick up prescriptions at pharmacies. One commenter noted that this practice occurs with respect to 25-40% of the prescriptions dispensed by community retail pharmacies. These commenters strongly supported the proposal's reliance on the professional judgement of pharmacists in allowing others to pick up prescriptions for bedridden or otherwise incapacitated patients, noting that in most cases it would be impracticable to verify that the person was acting with the individual's permission. Two commenters requested that the rule specifically allow this practice. One comment opposed the practice of giving prescriptions to another person without the individual's authorization, because a prescription implicitly could disclose medical information about the individual.

Response: As stated in the NPRM, we intended for this provision to authorize pharmacies to dispense prescriptions to family or friends who are sent by the individual to the pharmacy to pick up the prescription. We believe that stringent consent or verification requirements would place an unreasonable burden on numerous transactions. In addition, such requirements would be contrary to the expectations and preferences of all parties to these transactions. Although prescriptions are protected health information under the rule, we believe that the risk to individual privacy in allowing this practice to continue is minimal. We agree with the suggestion that the final rule should state explicitly that pharmacies have the authority to operate in this manner. Therefore, we have added a sentence to § 164.510(b)(3) allowing covered entities to use professional judgement and experience with common practice to make reasonable inferences of an individual's best interest in allowing a person to act on the individual's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. In such situations, as when making disclosures of protected health information about an individual who is not present or is unable to agree to such disclosures, covered entities should disclose only information which directly relates to the person's involvement in the individual's current health care. Thus, when dispensing a prescription to a friend who is picking it up on the patient's behalf, the pharmacist should not disclose unrelated health information about medications that the patient has taken in the past which could prove embarrassing to the patient.

Comment: We received a few comments that misunderstood the provision as addressing disclosures related to deceased individuals.

Response: We understand that use of the term next of kin in this section may cause confusion. To promote clarity in the final rule, we eliminate the term "next of kin," as well as the term's proposed definition. In the final rule, we address comments on next of kin and the deceased in the section on disclosure of protected health information about deceased individuals in § 164.512(g).

Comments: A number of commenters expressed concern for the interaction of the proposed section with state laws. Some of these comments interpreted the NPRM's use of the term next of kin as referring to individuals with health care power of attorney and thus they believed that the proposed rule's approach to next of kin was inappropriately informal and in conflict with state law. Others noted that some state laws did not allow health care information to be disclosed to family or friends without consent or other authorization. One commenter said that case law may be evolving toward imposing a more affirmative duty on health care practitioners to inform next of kin in a variety of circumstances. One commenter noted that state laws may not define clearly who is considered to be the next of kin.

Response: The intent of this provision was not to interfere with or change current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of or make treatment decisions related to individuals. While persons with health care powers of attorney could have access to protected health information under the personal representatives provision (§ 164.502(g)), and covered entities may disclose to such persons under this provision, such disclosures do not give these individuals substantive authority to act for or on behalf of the individual with respect to health care decisions. State law requirements regarding health care powers of attorney continue to apply.

The comments suggesting that state laws may not allow the disclosures otherwise permitted by this provision or, conversely, that they may impose a more affirmative duty, did not provide any specifics with which to judge the effect of such laws. In general, however, state laws that are more protective of an individual's privacy interests than the rule by prohibiting a disclosure of protected health information continue to apply. The rule's provisions regarding disclosure of protected health information to family or friends of the individual are permissive only, enabling covered entities to abide by more stringent state laws without violating our rules. Furthermore, if the state law creates an affirmative and binding legal obligation on the covered entity to make disclosures to family or other persons under specific circumstances, the final rule allows covered entities to comply with these legal obligations. See § 164.512(a).

Comments: A number of commenters supported the proposal to limit disclosures to family or friends to the protected health information that is directly relevant to that person's involvement in the individual's health care. Some comments suggested that this standard apply to all disclosures to family or friends, even when the individual has agreed to or not objected to the disclosure. One commenter objected to the proposal, stating that it would be too difficult to administer. According to this comment, it is accepted practice for health care providers to communicate with family and friends about an individual's condition, regardless of whether the person is responsible for or otherwise involved in the individual's care.

Other comments expressed concern for disclosures related to particular types of information. For example, two commenters recommended that psychotherapy notes not be disclosed without patient authorization. One commenter suggested that certain sensitive medical information associated with social stigma not be disclosed to family members or others without patient consent.

Response: We agree with commenters who advocated limiting permissible disclosures to relatives and close personal friends to information consistent with a person's involvement in the individual's care. Under the final rule, we clarify the NPRM provision to state that covered entities may disclose protected health information to family members, relatives, or close personal friends of an individual or any other person identified by the individual, to the extent that the information directly relates to the person's involvement in the individual's current health care. It is not intended to allow disclosure of past medical history that is not relevant to the individual's current condition. In addition, as discussed above, we do not intend to disrupt covered entities' current practices with respect to disclosing specific information about a patient's condition to family members or others when the individual is incapacitated due to a medical emergency and the family member or other individual comes to the covered entity seeking specific information about the patient's condition. For example, this section allows a hospital to disclose to a family member the fact that a patient had a heart attack, and to provide updated information to the family member about the patient's progress and prognosis during his or her period of incapacity.

We agree with the recommendation to require written authorization for a disclosure of psychotherapy notes to family, close personal friends, or others involved in the individual's care. As discussed below, the final rule allows disclosure of psychotherapy notes without authorization in a few limited circumstances; disclosure to individuals involved in a person's care is not among those circumstances. See § 164.508 for a further discussion of the final rule's provisions regarding disclosure of psychotherapy notes.

We do not agree, however, with the suggestion to treat some medical information as more sensitive than others. In most cases, individuals will have the opportunity to prohibit or limit such disclosures. For situations in which an individual is unable to do so, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care.

Comment: One commenter suggested that this provision should allow disclosure of protected health information to the clergy and to the Red Cross. The commenter noted that clergy have ethical obligations to ensure confidentiality and that the Red Cross often notifies the next of kin regarding an individual's condition in certain circumstances. Another commenter recommended allowing disclosures to law enforcement for the purpose of contacting the next of kin of individuals who have been injured or killed. One commenter sought clarification that "close personal friend" was intended to include domestic partners and same-sex couples in committed relationships.

Response: As discussed above, § 164.510(a) allows covered health care providers to disclose to clergy protected health information from a health care facility's directory. Under § 164.510(b), an individual may identify any person, including clergy, as involved in his or her care. This approach provides more flexibility than the proposed rule would have provided.

As discussed in the preamble of the final rule, this provision allows disclosures to domestic partners and others in same-sex relationships when such individuals are involved in an individual's care or are the point of contact for notification in a disaster. We do not intend to change current practices with respect to involvement of others in an individual's treatment decisions; informal information-sharing among persons involved; or the sharing of protected health information during a disaster. As noted above, a power of attorney or other legal relationship to an individual is not necessary for these informal discussions about the individual for the purpose of assisting in or providing a service related to the individual's care.

We agree with the comments noting that the Red Cross and other organizations may play an important role in locating and communicating with the family about individuals injured or killed in an accident or disaster situation. Therefore, the final rule includes new language, in § 164.510(b)(4), which allows covered entities to use or disclose protected health information to a public or private entity authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities to notify, or assist in the notification of (including identifying or locating) a family member, an individual's personal representative, or another person responsible for the individual's care regarding the individual's location, general condition, or death. The Red Cross is an example of a private entity that may obtain protected health information pursuant to these provisions. We recognize the role of the Red Cross and similar organizations in disaster relief efforts, and we encourage cooperation with these entities in notification efforts and other means of assistance.

Comment: One commenter recommended stating that individuals who are mentally retarded and unable to agree to disclosures under this provision do not, thereby, lose their access to further medical treatment. This commenter also proposed stating that mentally retarded individuals who are able to provide agreement have the right to control the disclosure of their protected health information. The commenter expressed concern that the parent, relative, or other person acting in loco parentis may not have the individual's best interest in mind in seeking or authorizing for the individual the disclosure of protected health information.

Response: The final rule regulates only uses and disclosures of protected health information, not the delivery of health care. Under the final rule's section on personal representatives (§ 164.502(g)), a person with authority to make decisions about the health care of an individual, under applicable law, may make decisions about the protected health information of that individual, to the extent that the protected health information is relevant to such person's representation.

In the final rule, § 164.510(b) may apply to permit disclosures to a person other than a personal representative. Under § 164.510(b), when an individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) obtains the individual's agreement to disclose protected health information to the third parties involved in the individual's care; (2) provides the individual with an opportunity to object to such disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. These conditions apply to disclosure of protected health information about individuals with mental retardation as well as to disclosures about all other individuals. Thus we do not believe it is necessary to include in this section of the final rule any language specifically on persons with mental retardation.

Comments: A few commenters recommended that disclosures made in good faith to the family or friends of the individual not be subject to sanctions by the Secretary, even if the covered entity had not fully complied with the requirements of this provision. One commenter believed that a fear of sanction would make covered entities overly cautious, such that they would not disclose protected health information to domestic partners or others not recognized by law as next of kin. Another commenter recommended that sanctions not be imposed if the covered entity has proper policies in place and has trained its staff appropriately. According to this commenter, the lack of documentation of disclosures in a particular case or medical record should not subject the entity to sanctions if the information was disclosed in good faith.

Response: We generally agree with commenters regarding disclosure in good faith pursuant to this provision. As discussed above, the final rule expands the scope of individuals to whom covered entities may disclose protected health information pursuant to this section. In addition, we delete the term next of kin, to avoid the appearance of requiring any legal determination of a person's relationship in situations involving informal disclosures. Similarly, consistent with the informal nature of disclosures pursuant to this section, we do not require covered entities to document such disclosures. If a covered entity imposes its own documentation requirements and a particular covered health care provider does not follow the entity's documentation requirements, the disclosure is not a violation of this rule.

Comments: The majority of comments on this provision were from individuals and organizations concerned about domestic violence. Most of these commenters wanted assurance that domestic violence would be a consideration in any disclosure to the spouse or relatives of an individual whom the covered entity suspected to be a victim of domestic violence or abuse. In particular, these commenters recommended that disclosures not be made to family members suspected of being the abuser if to do so would further endanger the individual. Commenters believed that this limitation was particularly important when the individual was unconscious or otherwise unable to object to the disclosures.

Response: We agree with the comments that victims of domestic violence and other forms of abuse need special consideration in order to avoid further harm, and we provide for discretion of a covered entity to determine that protected health information not be disclosed pursuant to § 164.510(b). Section 164.510(b) of the final rule, disclosures to family or friends involved in the individual's care, states that when an individual is unable to agree or object to the disclosure due to incapacity or another emergency situation, a covered entity must determine based on the exercise of professional judgment whether it is in the individual's best interest to disclose the information. As stated in the preamble, we intend for this exercise of professional judgment in the individual's best interest to account for the potential for harm to the individual in cases involving domestic violence. These circumstances are unique and are best decided by a covered entity, in the exercise of professional judgment, in each situation rather than by a blanket rule.

SECTION 164.512--USES AND DISCLOSURES FOR WHICH CONSENT, AUTHORIZATION, OR OPPORTUNITY TO AGREE OR OBJECT IS NOT REQUIRED

Section 164.512(a)--Uses and Disclosures Required by Law

Comment: Numerous commenters addressed directly or by implication the question of whether the provision permitting uses and disclosures of protected health information if required by other law was necessary. Other commenters generally endorsed the need for such a provision. One such commenter approved of the provision as a needed fail-safe mechanism should the enumeration of permissible uses and disclosures of protected health information in the NPRM prove to be incomplete. Other commenters cited specific statutes which required access to protected health information, arguing that such a provision was necessary to ensure that these legally mandated disclosures would continue to be permitted. For example, some commenters argued for continued access to protected health information to investigate and remedy abuse and neglect as currently required by the Developmental Disabilities Assistance and Bill of Rights, 42 U.S.C. 6042, and the Protection and Advocacy for Mentally Ill Individuals Act, 42 U.S.C. 10801.

Some comments urged deletion of the provision for uses and disclosures required by other law. This concern appeared to be based on a generalized concern that the provision fostered government intrusion into individual medical information.

Finally, a number of commenters also urged that the required by law provision be deleted. These commenters argued that the proposed provision would have undermined the intent of the statute to preempt state laws which were less protective of individual privacy. As stated in these comments, the provision for uses and disclosures required by other law was "broadly written and could apply to a variety of state laws that are contrary to the proposed rule and less protective of privacy. (Indeed, a law requiring disclosure is the least protective of privacy since it allows for no discretion.) The breadth of this provision greatly exceeds the exceptions to preemption contained in HIPAA."

Response: We agree with the comments that proposed § 164.510(n) was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information. Therefore, in the final rule, the provision permitting uses and disclosures as required by other law is retained. To accommodate other reorganization of the final rule, this provision has been designated as § 164.512(a).

We do not agree with the comments expressing concern for increased governmental intrusion into individual privacy under this provision. The final rule does not create any new duty or obligation to disclose protected health information. Rather, it permits covered entities to use or disclose protected health information when they are required by law to do so.

We likewise disagree with the characterization of the proposed provision as inconsistent with or contrary to the preemption standards in the statute or Part 160 of the rule. As described in the NPRM, we intend this provision to preserve access to information considered important enough by state or federal authorities to require its disclosure by law.

The importance of these required uses or disclosures is evidenced by the legislative or other public process necessary for the government to create a legally binding obligation on a covered entity. Furthermore, such required uses and disclosures arise in a myriad of other areas of law, ranging from topics addressing national security (uses and disclosures to obtain security clearances), to public health (reporting of communicable diseases), to law enforcement (disclosures of gun shot wounds). Required uses and disclosures also may address broad national concerns or particular regional or state concerns. It is not possible, or appropriate, for HHS to reassess the legitimacy of or the need for each of these mandates in each of their specialized contexts. In some cases where particular concerns have been raised by legal mandates in other laws, we allow disclosure as required by law, and we establish additional requirements to protect privacy (for example, informing the individual as required in § 164.512(c)) when covered entities make a legally mandated disclosure.

We also disagree with commenters who suggest that the approach in the final rule is contrary to the preemption provisions in HIPAA. HIPAA provides HHS with broad discretion in fashioning privacy protections. Recognizing the legitimacy of existing legal requirements is certainly within the Secretary's discretion. Additionally, given the variety of these laws, the varied contexts in which they arise, and their significance in ensuring that important public policies are achieved, we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation.

Comment: A number of commenters urged that the provision permitting uses and disclosures required by other law be amended by deleting the last sentence which stated: "This paragraph does not apply to uses or disclosures that are covered by paragraphs (b) through (m) of this section." Some commenters sought deletion of this sentence to avoid any inadvertent preemption of mandatory reporting laws, and requested clarification of the effect on specific statutes.

The majority of the commenters focused their concerns on the potential conflict between mandatory reporting laws to law enforcement and the limitations imposed by proposed § 164.510(f), on uses and disclosures to law enforcement. For example, the comments raised concerns that mandatory reporting to law enforcement of injuries resulting from violent acts and abuse require the health care provider to initiate such reports to local law enforcement or other state agencies, while the NPRM would have allowed such reporting on victims of crimes only in response to specific law enforcement requests for information. Similarly, mandatory reports of violence-related injuries may implicate suspected perpetrators, as well as victims, and compliance with such laws could be blocked by the proposed requirement that disclosures about suspects were similarly limited to a response to law enforcement inquiries for the specific purpose of identifying the suspect. The NPRM also would have limited the type of protected health information that could have been disclosed about a suspect or fugitive.

In general, commenters sought to resolve this overlap by removing the condition that the required-by-other-law provision applied only when no other national priority purpose addressed the particular use or disclosure. The suggested change would permit the covered entity to comply with legally mandated uses and disclosures as long as the relevant requirements of that law were met. Alternatively, other commenters suggested that the restrictions on disclosures to law enforcement be lifted to permit full compliance with laws requiring reporting for these purposes.

Finally, some comments sought clarification of when a use or disclosure was "covered by paragraphs (b) through (m)." These commenters were confused as to whether a particular use or disclosure had to be specifically addressed by another provision of the rule or simply within the scope of one of the national priority purposes specified by proposed paragraphs (b) through (m).

Response: We agree with the commenters that the provision as proposed would have inadvertently interfered with many state and federal laws mandating the reporting to law enforcement or others of protected health information.

In response to these comments, we have modified the final rule to clarify how this section interacts with the other provisions in the rule.

Comment: A number of commenters sought expanded authority to use and disclose protected health information when permitted by other law, not just when required by law. These comments specified a number of significant duties or potential societal benefits from disclosures currently permitted or authorized by law, and they expressed concern should these beneficial uses and disclosures no longer be allowed if not specifically recognized by the rule. For example, one commenter listed 25 disclosures of health records that are currently permitted, but not required, by state law. This commenter was concerned that many of these authorized uses and disclosures would not be covered by any of the national priority purposes specified in the NPRM, and, therefore, would not be a permissible use or disclosure under the rule. To preserve these important uses and disclosures, the comments recommended that provision be made for any use or disclosure which is authorized or permitted by other law.

Response: We do not agree with the comments that seek general authority to use and disclose protected health information as permitted, but not required, by other law. The uses and disclosures permitted in the final rule reflect those purposes and circumstances which we believe are of sufficient national importance or relevance to the needs of the health care system to warrant the use or disclosure of protected health information in the absence of either the individual's express authorization or a legal duty to make such use or disclosure. In permitting specific uses and disclosures that are not required by law, we have considered the individual privacy interests at stake in each area and crafted conditions or limitations in each identified area as appropriate to balance the competing public purposes and individual privacy needs. A general rule authorizing any use or disclosure that is permitted, but not required, by other law would undermine the careful balancing in the final rule.

In making this judgment, we have distinguished between laws that mandate uses or disclosures and laws that merely permit them. In the former case, jurisdictions have determined that public policy purposes cannot be achieved absent the use of certain protected health information, and we have chosen in general not to disturb their judgments. On the other hand, where jurisdictions have determined that certain protected health information is not necessary to achieve a public policy purpose, and only have permitted its use or disclosure, we do not believe that those judgments reflect an interest in use or disclosure strong enough to override the Congressional goal of protecting privacy rights.

Moreover, the comments failed to present any compelling circumstance to warrant such a general provision. Despite commenters' concerns to the contrary, most of the beneficial uses and disclosures that the commenters referenced to support a general provision were, in fact, uses or disclosures already permissible under the rule. For example, the general statutory authorities relied on by one state health agency to investigate disease outbreaks or to comply with health data-gathering guidelines for reporting to certain federal agencies are permissible disclosures to public health agencies.

Finally, in the final rule, we add new provisions to § 164.512 to address three examples raised by commenters of uses and disclosures that are authorized or permitted by law, but may not be required by law. First, commenters expressed concern for the states that provide for voluntary reporting to law enforcement or state protective services of domestic violence or of abuse, neglect or exploitation of the elderly or other vulnerable adults. As discussed below, a new section, § 164.512(c), has been added to the final rule to specifically address uses and disclosures of protected health information in cases of abuse, neglect, or domestic violence. Second, commenters were concerned about state or federal laws that permitted coordination and cooperation with organizations or entities involved in cadaveric organ, eye, or tissue donation and transplantation. In the final rule, we add a new section, § 164.512(h), to permit disclosures to facilitate such donation and transplantation functions. Third, a number of commenters expressed concern for uses and disclosure permitted by law in certain custodial settings, such as those involving correctional or detention facilities. In the final rule, we add a new subsection to the section on uses and disclosures for specialized government functions (§ 164.512(k)), to identify custodial settings in which special rules are necessary and to specify the additional uses and disclosures of the protected health information of inmates or detainees which are necessary in such facilities.

Comment: A number of commenters asked for clarification of the term "law" and the phrase "required by law" for purposes of the provision permitting uses or disclosures that are required by law. Some of the commenters noted that "state law" was a defined term in Part 160 of the NPRM and that the terms should be used consistently. Other commenters were concerned about differentiating between laws that required a use or disclosure and those that merely authorize or permit a use or disclosure. A number of commenters recommended that the final rule include a definitive list of the laws that mandate a use or disclosure of protected health information.

Response: In the final rule, we clarify that, consistent with the "state law" definition in § 160.202, "law" is intended to be read broadly to include the full array of binding legal authority, such as constitutions, statutes, rules, regulations, common law, or other governmental actions having the effect of law. However, for the purposes of § 164.512(a), law is not limited to state action; rather, it encompasses federal, state or local actions with legally binding effect, as well as those by territorial and tribal governments.

For more detail on the meaning of "required by law," see § 164.501. Only where the law imposes a duty on the health care professional to report would the disclosure be considered to be required by law.

The final rule does not include a definitive list of the laws that contain legal mandates for disclosures of protected health information. In light of the breadth of the term "law" and number of federal, state, local, and territorial or tribal authorities that may engage in the promulgation of binding legal authority, it would be impossible to compile and maintain such a list. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. The rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations.

Comment: A number of commenters recommended that the rule compel covered entities to use or disclose protected health information as required by law. They expressed concern that covered entities could refuse or delay compliance with legally mandated disclosures by misplaced reliance on a rule that permits, but does not require, a use or disclosure required by other law.

Response: We do not agree that the final rule should require covered entities to comply with uses or disclosures of protected health information mandated by law. The purpose of this rule is to protect privacy, and to allow those disclosures consistent with sound public policy. Consistent with this purpose, we mandate disclosure only to the individual who is the subject of the information, and for purposes of enforcing the rule. Where a law imposes a legal duty on the covered entity to use or disclose protected health information, it is sufficient that the privacy rule permit the covered entity to comply with such law. The enforcement of that legal duty, however, is a matter for that other law.

Section 164.512(b)--Uses and Disclosures for Public Health Activities

Comment: Several non-profit entities commented that medical records research by nonprofit entities to ensure public health goals, such as disease-specific registries, would not have been covered by this provision. These organizations collect information without relying on a government agency or law. Commenters asserted that such activities are essential and must continue. They generally supported the provisions allowing the collection of individually identifiable health information without authorization for registries. One stated that both governmental and non-governmental cancer registries should be exempt from the regulation. They stated that "such entities, by their very nature, collect health information for legitimate public health and research purposes." Another, however, addressed its comments only to "disclosure to non-government entities operating such system as required or authorized by law."

Response: We acknowledge that such entities may be engaged in disease-specific or other data collection activities that provide a benefit to their members and others affected by a particular malady and that they contribute to the public health and scientific database on low incidence or little known conditions. However, in the absence of some nexus to a government public health authority or other underlying legal authority, it is unclear upon what basis covered entities can determine which registries or collections are "legitimate" and how the confidentiality of the registry information will be protected. Commenters did not suggest methods for "validating" these private registry programs, and no such methods currently exist at the federal level. It is unknown whether any states have such a program. Broadening the exemption could provide a loophole for private data collections for inappropriate purposes or uses under a "public health" mask.

In this rule, we do not seek to make judgments as to the legitimacy of private entities' disease-specific registries or of private data collection endeavors. Rather, we establish the general terms and conditions for disclosure and use of protected health information. Under the final rule, covered entities may obtain authorization to disclose protected health information to private entities seeking to establish registries or other databases; they may disclose protected health information as required by law; or they may disclose protected health information to such entities if they meet the conditions of one of the provisions of §§ 164.510 or 164.512. We believe that the circumstances under which covered entities may disclose protected health information to private entities should be limited to specified national priority purposes, as reflected through the FDA requirements or directives listed in § 164.512(b)(iii), and to enable recalls, repairs, or replacements of products regulated by the FDA. Covered health care providers who are workforce members of an employer, or who are conducting evaluations relating to work-related injuries or illnesses or workplace surveillance, also may disclose to employers those findings of such evaluations that are necessary for the employer to comply with requirements under OSHA and related laws.

Comment: Several commenters said that the NPRM did not indicate how to distinguish between public health data collections and government health data systems. They suggested eliminating proposed § 164.510(g) on disclosures and uses for government health data systems, because they believed that such disclosures and uses were adequately covered by proposed § 164.510(b) on public health.

Response: As discussed below, we agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes for which some commenters said government agencies needed protected health information, and we believe that most of those needs can be met through the other categories of permitted uses and disclosures without authorization allowed under the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow collection of protected health information without authorization to monitor trends in the spread of infectious disease, morbidity and mortality.

Comment: Several commenters recommended expanding the scope of disclosures permissible under proposed § 164.510(b)(1)(iii), which would have allowed covered entities to disclose protected health information to private entities that could demonstrate that they were acting to comply with requirements, or at the direction, of a public health authority. These commenters said that they needed to collect individually identifiable health information in the process of drug and device development, approval, and post-market surveillance - activities that are related to, and necessary for, the FDA regulatory process. However, they noted that the specific data collections involved were not required by FDA regulations. Some commenters said that they often devised their own data collection methods, and that health care providers disclosed information to companies voluntarily for activities such as post-marketing surveillance and efficacy surveys. Commenters said they used this information to comply with FDA requirements such as reporting adverse events, filing other reports, or recordkeeping. Commenters indicated that the FDA encouraged but did not require them to establish other data collection mechanisms, such as pregnancy registries that track maternal exposure to drugs and the outcomes.

Accordingly, several commenters recommended modifying proposed § 164.510(b) to allow covered entities to disclose protected health information without authorization to manufacturers registered with the FDA to manufacture, distribute, or sell a prescription drug, device, or biological product, in connection with post-marketing safety and efficacy surveillance or for the entity to obtain information about the drug, device, or product or its use. One commenter suggested including in the regulation an illustrative list of examples of FDA-related requirements, and stating in the preamble that all activities taken in furtherance of compliance with FDA regulations are "public health activities."

Response: We recognize that the FDA conducts or oversees many activities that are critical to help ensure the safety or effectiveness of the many products it regulates. These activities include, for example, reporting of adverse events, product defects and problems; product tracking; and post-marketing surveillance. In addition, we believe that removing defective or harmful products from the market is a critical national priority and is an important tool in FDA efforts to promote the safety and efficacy of the products it regulates. We understand that in most cases, the FDA lacks statutory authority to require product recalls. We also recognize that the FDA typically does not conduct recalls, repairs, or product replacement surveillance directly, but rather, that it relies on the private entities it regulates to collect data, notify patients when applicable, repair and replace products, and undertake other activities to promote the safety and effectiveness of FDA-regulated products.

We believe, however, that modifying the NPRM to allow disclosure of protected health information to private entities as part of any data-gathering activity related to a drug, device, or biological product or its use, or for any activity that is consistent with, or that appears to promote objectives specified, in FDA regulation would represent an inappropriately broad exception to the general requirement to obtain authorization prior to disclosure. Such a change could allow, for example, drug companies to collect protected health information without authorization to use for the purpose of marketing pharmaceuticals. We do not agree that all activities taken to promote compliance with FDA regulations represent public health activities as that term is defined in this rule. In addition, we believe it would not be appropriate to include in the regulation text an "illustrative list" of requirements "related to" the FDA. The regulation text and preamble list the FDA-related activities for which we believe disclosure of protected health information to private entities without authorization is warranted.

We believe it is appropriate to allow disclosure of protected health information without authorization to private entities only: for purposes that the FDA has, in effect, identified as national priorities by issuing regulations or express directions requiring such disclosure; or if such disclosure is necessary for a product recall. For example, we believe it is appropriate to allow covered health care providers to disclose to a medical device manufacturer recalling defective heart valves the names and last known addresses of patients in whom the provider implanted the valves. Thus, in the final rule, we allow covered entities to disclose protected health information to entities subject to FDA jurisdiction for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The preamble above provides further detail on the meaning of some of the terms in this list. Covered entities may disclose protected health information to entities for activities other than those described above only as required by law; with authorization; or if permissible under another section of this rule.

We understand that many private registries, such as pregnancy registries, currently obtain patient authorization for data collection. We believe the approach of § 164.512(b) strikes an appropriate balance between the objective of promoting patient privacy and control over their health information and the objective of allowing private entities to collect data that ultimately may have important public health benefits.

Comment: One commenter remarked that our proposal may impede fetal/infant mortality and child fatality reviews.

Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with § 164.512(b). Such activities may also meet the definition of "health care operations." We therefore do not believe this rule impedes these activities.

Comment: Several comments requested that the final regulation clarify that employers be permitted to use and/or disclose protected health information pursuant to the requirements of the Occupational Safety and Health Act and its accompanying regulations ("OSHA"). A few comments asserted that the regulation should not only permit employers to use and disclose protected health information without first obtaining an authorization consistent with OSHA requirements, but also permit them to use and disclose protected health information if the use or disclosure is consistent with the spirit of OSHA. One commenter supported the permissibility of these types of uses and disclosures, but warned that the regulation should not grant employers unfettered access to the entire medical record of employees for the purpose of meeting OSHA requirements. Other commenters noted that OSHA not only requires disclosures to the Occupational Safety and Health Administration, but also to third parties, such as employers and employee representatives. Thus, this comment asked HHS to clarify that disclosures to third parties required by OSHA are also permissible under the regulation.

Response: Employers as such are not covered entities under HIPAA and we generally do not have authority over their actions. When an employer has a health care component, such as an on-site medical clinic, and the component meets the requirements of a covered health care provider, health plan or health care clearinghouse, the uses and disclosures of protected health information by the health care component, including disclosures to the larger employer entity, are covered by this rule and must comply with its provisions.

A covered entity, including a covered health care provider, may disclose protected health information to OSHA under § 164.512(a), if the disclosure is required by law, or if the disclosure is a discretionary one for public health activities, under § 164.512(b). Employers may also request employees to provide authorization for the employer to obtain protected health information from covered entities to conduct analyses of work-related health issues. See § 164.508.

We also permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under the OSHA or similar laws. We added this provision to ensure that employers are able to obtain the information that they need to meet federal and state laws designed to promote safer and healthier workplaces. These laws are vital to protecting the health and safety of workers and we permit specified covered health care providers to disclose protected health information as necessary to carry out these purposes.

Comment: A few comments suggested that the final regulation clarify how it would interact with existing and pending OSHA requirements. One of these comments requested that the Secretary delay the effective date of the regulation until reviews of existing requirements are complete.

Response: As noted in the "Relationship to Other Federal Laws" section of the preamble, we are not undertaking a complete review of all existing laws with which covered entities might have to comply. Instead we have described a general framework under which such laws may be evaluated. We believe that adopting national standards to protect the privacy of individually identifiable health information is an urgent national priority. We do not believe that it is appropriate to delay the effective date of this regulation.

Comment: One commenter asserted that the proposed regulation conflicted with the OSHA regulation requirement that when a designated representative (to whom the employee has already provided a written authorization to obtain access) requests a release form for access to employee medical records, the form must include the purpose for which the disclosure is sought, which the proposed privacy regulation does not require.

Response: We do not agree that this difference creates a conflict for covered entities. If an employer seeks to obtain a valid authorization under § 164.508, it may add a purpose statement to the authorization so that it complies with OSHA's requirements and is a valid authorization under § 164.508 upon which a covered entity may rely to make a disclosure of protected health information to the employer.

Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.

Response: We permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance, as described in this paragraph. Information obtained by an employer under this paragraph would be available for it to use, consistent with other laws and regulations, as it chooses and throughout the national company. We do not regulate uses or disclosures of individually identifiable health information by employers acting as employers.

Section 164.512(c)--Disclosures about Victims of Abuse, Neglect, or Domestic Violence

The NPRM did not include a paragraph specifically addressing covered entities' disclosures of protected health information regarding victims of abuse, neglect, or domestic violence. Rather, the NPRM addressed disclosures about child abuse pursuant to proposed § 164.510(b), which would have allowed covered entities to report child abuse to a public health authority or to another appropriate authority authorized by law to receive reports of child abuse or neglect. We respond to comments regarding victims of domestic violence or abuse throughout the final rule where relevant. (See responses to comments on §§ 164.502(g), 164.510(b), 164.512(f)(3), 164.522, and 164.524.)

Comment: Several commenters urged us to require that victims of domestic violence be notified about requests for or disclosures of protected health information about them, so that victims could take safety precautions.

Response: We agree that, in balancing the burdens on covered entities from such a notification requirement against the benefits to be gained, victims of domestic abuse merit heightened concern. For this reason, we generally require covered entities to inform the individual when they disclose protected health information to authorized government authorities. As the Family Violence Prevention Fund has noted in its Health Privacy Principles for Protecting Victims of Domestic Violence (October 2000), victims of domestic violence and abuse sometimes are subject to retaliatory violence. By informing a victim of abuse or domestic violence of a disclosure to law enforcement or other authorities, covered entities give victims the opportunity to take appropriate safety precautions. See the above preamble discussion of § 164.512(c) for more detail about the requirements for disclosing protected health information about victims of domestic violence.

Comment: Some commenters argued that a consent requirement should apply at a minimum to disclosures involving victims of crime or victims of domestic violence.

Response: We agree, and we modify the proposed rule to require covered entities to obtain an individual's agreement prior to disclosing protected health information in most instances involving victims of a crime or of abuse, neglect, or domestic violence. See the above preamble discussions of § 164.512(c), on disclosures about victims of abuse, neglect, or domestic violence, and § 164.512(f)(3), on disclosures to law enforcement about crime victims.

Section 164.512(d)--Uses and Disclosures for Health Oversight Activities

Comment: A couple of commenters supported the NPRM's approach to health oversight. Several other commenters generally supported the NPRM's approach to disclosure of protected health information for national priority purposes, and they recommended some clarification regarding disclosure for health oversight. Two commenters recommended clarifying in the final rule that disclosure is allowed to all federal, state, and local agencies that use protected health information to carry out legally mandated responsibilities.

Response: The final rule permits disclosures to public agencies that meet the definition of a health oversight agency and for oversight of the particular areas described in the statute. Section 164.512(a) of the final rule permits disclosures that are required by law. As discussed in the responses to comments of § 164.512(a), we do not in the final rule permit disclosures merely authorized by other laws that do not fit within the other public policy purposes recognized by the rule.

Comment: One commenter recommended clarifying in the final rule that covered entities are not required to establish business partner contracts with health oversight agencies or public health authorities to release individually identifiable information to them for purposes exempt from HIPAA and sanctioned by state law.

Response: The final rule does not require covered entities to establish business associate contracts with health oversight agencies when they disclose protected health information to these agencies for oversight purposes.

Comment: Two commenters recommended clarifying in the regulation text that the health oversight section does not create a new right of access to protected health information.

Response: We agree and include such a statement in the preamble of § 164.512(d) of the final rule.

Comment: Several commenters were concerned that the proposed oversight section allowed but did not require disclosure of protected health information to health oversight agencies for oversight activities.

Response: This rule's purpose is to protect the privacy of individually identifiable health information. Except to enforce the rule and to establish individuals' right to access their own protected health information (see § 164.502(a)(2)), we do not require disclosure of protected health information to any person or entity. We allow such disclosure for situations in which other laws require disclosure.

Comment: Some commenters were concerned that the NPRM would have allowed health oversight agencies to re-use and redisclose protected health information to other entities, and they were particularly concerned about re-disclosure to and re-use by law enforcement agencies. One commenter believed that government agencies would use the label of health oversight to gain access to protected health information from covered entities, thereby avoiding the procedural requirements of the law enforcement section (proposed § 164.510(f)), and subsequently would turn over information to law enforcement officials. Thus, these groups were concerned about the potential for oversight access to protected health information under the rule to become the "back door" to law enforcement access to such information.

Based on their concerns, these commenters recommended establishing a general prohibition on the re-use and re-disclosure of protected health information obtained by health oversight agencies in actions against individuals. One health plan expressed general concern about re-disclosure among all of the public agencies covered in the proposed § 164.510. It recommended building safeguards into the rule to prevent information gathered for one purpose (for example, public health) from being used for another purpose (such as health oversight).

Many of the commenters concerned about re-disclosure of protected health information obtained for oversight purposes said that if the Secretary lacked statutory authority to regulate oversight agencies' re-disclosure of protected health information and the re-use of this information by other agencies covered in proposed § 164.510, the President should issue an Executive Order barring such re-disclosure and re-use. One of these groups specified that the Executive Order should bar re-use and re-disclosure of protected health information in actions against individuals.

In contrast, some commenters advocated information-sharing between law enforcement and oversight agencies. Most of these commenters recognized that the NPRM would have allowed re-use and re-disclosure of protected health information from oversight to law enforcement agencies, and they supported this approach.

Response: We believe that the language we have added to the rule, at § 164.512(d)(2) and the corresponding explanation in the preamble, to clarify the boundary between disclosures for health oversight and for law enforcement purposes should partially address the concern expressed by some that oversight agencies will be the back door for access by law enforcement. In situations when the individual is the subject of an investigation or activity and the investigation or activity is not related to health care fraud, the requirements for disclosure to law enforcement must be met, and an oversight agency cannot request the information under its more general oversight authority.

We acknowledge, however, that there will be instances under the rule when a health oversight agency (or a law enforcement agency in its oversight capacity) that has obtained protected health information appropriately will be able to redisclose the information to a law enforcement agency for law enforcement purposes. Under HIPAA, we have the authority to restrict re-disclosure of protected health information only by covered entities. Re-disclosures by public agencies such as oversight agencies are not within the purview of this rule. We support the enactment of comprehensive privacy legislation that would govern such public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities. For example, such use will be subject to review by the Deputy Attorney General.

Comment: Several commenters recommended modifying the proposed oversight section to require health oversight officials to justify and document their need for identifiable information.

Response: We encourage covered entities to work with health oversight agencies to determine the scope of information needed for health oversight inquiries. However, we believe that requiring covered entities to obtain extensive documentation of health oversight information needs could compromise health oversight agencies' ability to complete investigations, particularly when an oversight agency is investigating the covered entity from which it is seeking information.

Comment: Several commenters believed that health oversight activities could be conducted without access to individually identifiable health information. Some of these groups recommended requiring information provided to health oversight agencies to be de-identified to the extent possible.

Response: We encourage health oversight agencies to use de-identified information whenever possible to complete their investigations. We recognize, however, that in some cases, health oversight agencies need identifiable information to complete their investigations. For example, as noted in the preamble to the NPRM, to determine whether a hospital has engaged in fraudulent billing practices, it may be necessary to examine billing records for a set of individual cases. Similarly, to determine whether a health plan is complying with federal or state health care quality standards, it may be necessary to examine individually identifiable health information in comparison with such standards. Thus, to allow health oversight agencies to conduct the activities that are central to their mission, the final rule does not require covered entities to de-identify protected health information before disclosing it to health oversight organizations.

Comment: One commenter recommended requiring whistleblowers, pursuant to proposed § 164.518(a)(4) of the NPRM, to raise the issue of a possible violation of law with the affected covered entity before disclosing such information to an oversight agency, attorney, or law enforcement official.

Response: We believe that such a requirement would be inappropriate, because it would create the potential for covered entities that are the subject of whistleblowing to take action to evade law enforcement and oversight action.

Comment: One commenter recommended providing an exemption from the proposed rule's requirements for accounting for disclosures when such disclosures were for health oversight purposes.

Response: We recognize that in some cases, informing individuals that their protected health information has been disclosed to a law enforcement official or to a health oversight agency could compromise the ability of law enforcement and oversight officials to perform their duties appropriately. Therefore, in the final rule, we retain the approach of proposed § 164.515 of the NPRM. Section 164.528(a)(2) of the final rule states that an individual's right to receive an accounting of disclosures to a health oversight agency, law enforcement official, or for national security or intelligence purposes may be temporarily suspended for the time specified by the agency or official. As described in § 164.528(a)(2), for such a suspension to occur, the agency or official must provide the affected covered entity with a written request stating that an accounting to the individual would be reasonably likely to impede the agency's activity. The request must specify the time for which the suspension is required. We believe that providing a permanent exemption to the right to accounting for disclosures for health oversight purposes would fail to ensure that individuals are sufficiently informed about the extent of disclosures of their protected health information.

Comment: One commenter recommended making disclosures to health oversight agencies subject to a modified version of the NPRM's proposed three-part test governing disclosure of protected health information to law enforcement pursuant to an administrative request (as described in proposed § 164.510(f)(1)).

Response: We disagree that it would be appropriate to apply the procedural requirements for law enforcement to health oversight. We apply more extensive procedural requirements to law enforcement disclosures than to disclosures for health oversight because we believe that law enforcement investigations more often involve situations in which the individual is the subject of the investigation (and thus could suffer adverse consequences), and we believe that it is appropriate to provide greater protection to individuals in such cases. Health oversight involves investigations of institutions that use health information as part of business functions, or of individuals whose health information has been used to obtain a public benefit. These circumstances justify broader access to information.

Overlap Between Law Enforcement and Oversight

Comment: Some commenters expressed concern that the NPRM's provisions permitting disclosures for health oversight and disclosures for law enforcement overlapped, and that the overlap could create confusion among covered entities, members of the public, and government agencies. The commenters identified particular factors that could lead to confusion, including that (1) the phrase "criminal, civil, or administrative proceeding" appeared in the definitions of both law enforcement and oversight; (2) the examples of oversight agencies listed in the preamble included a number of organizations that also conduct law enforcement activities; (3) the NPRM addressed the issue of disclosures to investigate health care fraud in the law enforcement section (§ 164.510(f)(5)), yet health care fraud investigations are central to the mission of some health care oversight agencies; (4) the NPRM established more stringent rules for disclosure of protected health information pursuant to an administrative subpoena issued for law enforcement than for disclosure pursuant to an oversight agency's administrative subpoena; and (5) the preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities.

Some commenters said that covered entities would be confused by the overlap between law enforcement and oversight and that this concern would lead to litigation over which rules should apply when an entity engaged in more than one of the activities listed under the exceptions in proposed § 164.510. Other commenters believed that covered entities could manipulate the NPRM's ambiguities in their favor, claim that the more stringent law enforcement disclosure rules always should apply, and thereby delay investigations. A few comments suggested that the confusion could be clarified by making the regulation text consistent with the preamble, by stating that when agencies conducting both law enforcement and oversight seek protected health information as part of their oversight activities, the oversight rules would apply.

Response: We agree that the boundary between disclosures for health oversight and disclosures for law enforcement proposed in the NPRM could have been more clear. Because many investigations, particularly investigations involving public benefit programs, have both health oversight and law enforcement aspects to them, and because the same agencies often perform both functions, drawing any distinction between the two functions is necessarily difficult. For example, traditional law enforcement agencies, such as the Federal Bureau of Investigation, have a significant role in health oversight. At the same time, traditional health oversight agencies, such as federal Offices of Inspectors General, often participate in criminal investigations.

To clarify the boundary between law enforcement and oversight for purposes of complying with this rule, we add new language in the final rule, at § 164.512(d)(2). This section indicates that health oversight activities do not include an investigation or activity in which the individual is the subject of the investigation or activity and the investigation or activity does not arise out of and is not directly related to health care fraud. In this rule, we describe investigations involving suspected health care fraud as investigations related to: (1) the receipt of health care; (2) a claim for public benefits related to health; or (3) qualification for, or receipt of, public benefits or services where a patient's health is integral to the claim for public benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to health care fraud, identified as investigations regarding issues (1) through (3), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply.

Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to health care fraud, a covered entity may make a disclosure pursuant to § 164.512(d)(1), allowing uses and disclosures for health oversight activities. For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the health plan, the health plan may disclose protected health information to the PWBA under the health oversight rules.

To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).

We also recognize that sections 201 and 202 of HIPAA, which established a federal Fraud and Abuse Control Program and the Medicare Integrity Program, identified health care fraud-fighting as a critical national priority. Accordingly, under the final rule, in joint law enforcement/oversight investigations involving suspected health care fraud, the health oversight disclosures apply, even if the individual also is the subject of the investigation.

We also recognize that in some cases, health oversight agencies may conduct joint investigations with other oversight agencies involved in investigating claims for benefits unrelated to health. For example, in some cases, a state Medicaid agency may be working with officials of the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps. While this issue was not raised specifically in the comments, we add new language (§ 164.512(d)(3)) to provide guidance to covered entities in such situations. Specifically, we clarify that if a health oversight investigation is conducted in conjunction with an oversight activity related to a claim for benefits unrelated to health, the joint activity or investigation is considered health oversight for purposes of the rule, and the covered entities may disclose protected health information pursuant to the health oversight provisions.

Comment: An individual commenter recommended requiring authorization for disclosure of patient records in fraud investigations, unless the individual was the subject or target of the investigation. This commenter recommended requiring a search warrant for cases in which the individual was the subject and stating that fraud investigators should have access to the minimum necessary patient information.

Response: As described above, we recognize that in some cases, activities include elements of both law enforcement and health oversight. Because we consider both of these activities to be critical national priorities, we do not require covered entities to obtain authorization for disclosure of protected health information to law enforcement or health oversight agencies, including those oversight activities related to health care fraud. We believe that investigations involving health care fraud represent health oversight rather than law enforcement. Accordingly, as indicated above, we remove proposed § 164.510(f)(5)(i) from the law enforcement section of the proposed rule and clarify that all disclosures of protected health information for health oversight are permissible without authorization. As discussed in greater detail in § 164.514, the final rule's minimum necessary standard applies to disclosures under § 164.512 unless the disclosure is required by law under § 164.512(a).

Comment: A large number of commenters expressed concern about the potential for health oversight agencies to become, in effect, the "back door" for law enforcement access to such information. The commenters suggested that health oversight agencies could use their relatively unencumbered access to protected health information to circumvent the more stringent process requirements that otherwise would apply to disclosures for law enforcement purposes. These commenters urged us to prohibit health oversight agencies from re-disclosing protected health information to law enforcement.

Response: As indicated above, we do not intend for the rule's permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in the rule, and we do not intend for these oversight provisions to serve as a "back door" for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies' re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities.

Comment: One commenter asked us to allow the requesting agency to decide whether a particular request for protected health information was for law enforcement or oversight purposes.

Response: As described above, we clarify the overlap between law enforcement disclosures and health oversight disclosures based on the privacy and liberty interests of the individual (whether the individual also is the subject of the official inquiry) and the nature of the public interest (whether the inquiry relates to health care fraud or to another potential violation of law). We believe it is more appropriate to establish these criteria than to leave the decision to the discretion of an agency that has a stake in the outcome of the investigation.

Section 164.512(e)--Disclosures for Judicial and Administrative Proceedings

Comment: A few commenters suggested that the final rule not permit disclosures without an authorization for judicial and administrative proceedings.

Response: We disagree. Protected health information is necessary for a variety of reasons in judicial and administrative proceedings. Often it may be critical evidence that may or may not be about a party. Requiring an authorization for all such disclosures would severely impede the review of legal and administrative claims. Thus, we have tried to balance the need for the information with the individual's privacy. We believe the approach described above provides individuals with the opportunity to object to disclosures and provides a mechanism through which their privacy interests are taken into account.

Comment: A few commenters sought clarification about the interaction between permissible disclosures for judicial and administrative proceedings, law enforcement, and health oversight.

Response: In the final rule, we state that the provision permitting disclosures without an authorization for judicial and administrative proceedings does not supersede other provisions in § 164.512 that would otherwise permit or restrict the use or disclosure of protected health information. Additionally, in the descriptive preamble of § 164.512, we provide further explanation of how these provisions relate to one another.

Comment: Many commenters urged the Secretary to revise the rule to state that it does not preempt or supersede existing rules and statutes governing judicial proceedings, including rules of evidence, procedure, and discovery. One commenter asserted that dishonest health care providers and others should not be able to withhold their records by arguing that state subpoena and criminal discovery statutes compelling disclosure are preempted by the privacy regulation. Other commenters maintained that there is no need to replace providers' current practice, which typically requires either a signed authorization from the patient or a subpoena to release medical information.

Response: These comments are similar to many of the more general preemption comments we received. For a full discussion of the Secretary's response on preemption issues, see Part 160 - Subpart B.

Comment: One commenter stated that the proposed rule creates a conflict with existing rules and statutes governing judicial proceedings, including rules of evidence and discovery. This commenter stated that the rule runs afoul of state judicial procedures for enforcement of subpoenas that require judicial involvement only when a party seeks to enforce a subpoena.

Response: We disagree with this comment. The final rule permits covered entities to disclose protected health information for any judicial or administrative proceeding in response to a subpoena, discovery request, or other lawful process if the covered entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individual has been given notice of the request or has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal. A covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it has itself made reasonable efforts to provide the individual with such notice or to seek a qualified protective order. These rules do not require covered entities or parties seeking the disclosure of protected health information to involve the judiciary; they may choose the notification option rather than seeking a qualified protective order.

Many states have already enacted laws that incorporate these concepts. In California, for instance, an individual must be given ten days' notice that his or her medical records are being subpoenaed from a health care provider, and state law requires that the party seeking the records furnish the health care provider with proof that the notice was given to the individual. In Montana, a party seeking discovery or compulsory process of medical records must give notice to the individual at least ten days in advance of serving the request on a health care provider. Service of the request must be accompanied by written certification that the procedure has been followed. In Rhode Island, an individual must be given notice that his or her medical records are being subpoenaed and notice of his or her right to object. The party serving the subpoena on the health care provider must provide written certification to the provider that: (1) this procedure has been followed, (2) twenty days have passed from the date of service, and (3) no challenge has been made to the disclosure or the court has ordered disclosure after resolution of a legal court challenge. In Washington, an individual must be given at least fourteen days from the date of service of notice that his or her health information is the subject of a discovery request or compulsory process to obtain a protective order. The notice must identify the health care provider from whom the information is sought, specify the health care information that is sought, and state the date by which a protective order must be obtained in order to prevent the provider from disclosing the information.

Comment: A few commenters expressed concern that the rule would place unnecessary additional burdens on health care providers because when they receive a request for disclosure in connection with an administrative or judicial procedure, they would have to determine whether the litigant's health was at issue before they made the disclosure. A number of commenters complained that this requirement would make it too easy for litigants to obtain protected health information. One commenter argued that litigants should not be able to circumvent state evidentiary rules that would otherwise govern disclosure of protected health information simply upon counsel's statement that the other party's medical condition or history is at issue.

Other commenters, however, urged that disclosure without authorization should be permitted whenever a patient places his or her medical condition or history at issue and recommended requiring the request for information to include a certification to this effect. Only if another party to litigation has raised a medical question, do these commenters believe a court order should be required. Similarly, one commenter supported a general requirement that disclosure without authorization be permitted only with a court order unless the patient has placed his or her physical or mental condition at issue.

Response: We agree with the concerns expressed by several commenters about this provision and have eliminated this requirement from the final rule.

Comment: A number of commenters stated that the proposed rule should be modified to permit disclosure without authorization pursuant to a lawful subpoena. One commenter argued that the provision would limit the scope of the Inspector General's subpoena power for judicial and administrative proceedings to information concerning a litigant whose health condition or history is at issue, and would impose a requirement that the Inspector General provide a written certification to that effect. Other commenters stated that the proposed rule would seriously impair the ability of state agencies to conduct administrative hearings on physician licensing and disciplinary matters. These commenters stated that current practice is to obtain information using subpoenas.

Other commenters argued that disclosure of protected health information for judicial and administrative proceedings should require a court order and/or judicial review unless the subject of the information consents to disclosure. These commenters believed that an attorney's certification should not be considered sufficient authority to override an individual's privacy, and that the proposed rule made it too easy for a party to litigation to obtain information about the other party.

Response: As a general matter, we agree with these comments. As noted, the final rule deletes the provision that would permit a covered entity to disclose protected health information pursuant to an attorney's certification that the individual is a party to the litigation and has put his or her medical condition at issue. Under the final rule, covered entities may disclose protected health information in response to a court or administrative order, provided that only the protected health information expressly authorized by the order is disclosed. Covered entities may also disclose protected health information in response to a subpoena, discovery request, or other lawful process without a court order, but only if the covered entity receives satisfactory assurances that the party seeking disclosure has made reasonable efforts to ensure that the individual has been notified of the request or that reasonable efforts have been made by the party seeking the information to secure a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protective order itself.

We also note that the final rule specifically provides that nothing in Subchapter C should be construed to diminish the authority of any Inspector General, including authority provided in the Inspector General Act of 1978.

Comment: A number of commenters expressed concern that the proposed rule would not permit covered entities to introduce material evidence in proceedings in which, for example, the provisions of an insurance contract are at issue, or when a billing or payment issue is presented. They noted that although the litigant may be the owner of an insurance policy, he or she may not be the insured individual to whom the health information pertains. In addition, they stated that the medical condition or history of a deceased person may be at issue when the deceased person is not a party.

Response: We disagree. Under the final rule, a covered entity may disclose protected health information without an authorization pursuant to a court or administrative order. It may also disclose protected health information with an authorization for judicial or administrative proceedings in response to a subpoena, discovery request, or other lawful process without a court order, if the party seeking the disclosure provides the covered entity with satisfactory assurances that it has made reasonable efforts to ensure that the individual has been notified of the request or to seek a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protective order itself. Therefore, a party may obtain the information even if the subject of the information is not a party to the litigation or is deceased.

Comment: A few commenters argued that disclosure of protected health information should be limited only to those cases in which the individual has consented or a court order has been issued compelling disclosure.

Response: The Secretary believes that such an approach would impose an unreasonable burden on covered entities and the judicial system and that greater flexibility is necessary to assure that the judicial and administrative systems function smoothly. We understand that even those states that have enacted specific statutes to protect the privacy of health information have not imposed requirements as strict as these commenters would suggest.

Comment: Many commenters asked that the final rule require that notification of the disclosure be provided to the individual whose health information is subject to disclosure, prior to the disclosure, as part of a judicial or administrative proceeding. Most of these commenters also asked that the rule require that the individual who is the subject of a disclosure be given an opportunity to object to the disclosure. A few commenters suggested that patients be given ten days to object before requested information may be disclosed and recommended that the rule require the requester to provide a certification that notice has been provided and that ten days have passed with no objection from the subject of the information. Some commenters suggested that if a subpoena for disclosure is not accompanied by a court order, covered entities be prohibited from disclosing protected health information unless the individual has been given notice and an opportunity to object. Another commenter recommended requiring, in most circumstances, notice and an opportunity to object before a court order is issued, requiring the requestor of information to provide a signed document attesting to the date of notification, and forbidding disclosure until ten days after notice is given.

Response: We agree that in some cases the provision of notice with an opportunity to object to the disclosure is appropriate. Thus, in the final rule we provide that a covered entity may disclose protected health information in response to a subpoena, discovery request or other lawful process that is not accompanied by a court order if it receives satisfactory assurance from the party seeking the request that the requesting party has made a good faith attempt to provide written notice to the individual that includes sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal and that the time for the individual to raise objections has elapsed (and that none were filed or all have been resolved). Covered entities may make reasonable efforts to provide such notice as well.

In certain instances, however, the final rule permits covered entities to disclose protected health information for judicial and administrative proceedings without notice to the individual if the party seeking the request has made reasonable efforts to seek a qualified protective order, as described in the rule. A covered entity may also make reasonable efforts to seek a qualified protective order in order to make the disclosure. Additionally, a covered entity may disclose protected health information for judicial and administrative proceedings in response to an order of a court or administrative tribunal provided that the disclosure is limited to only that information that is expressly authorized by the order. The Secretary believes notice is not necessary in these instances because a court or administrative tribunal is in the best position to evaluate the merits of the arguments of the party seeking disclosure and the party who seeks to block it before it issues the order and that imposing further procedural obstacles before a covered entity may honor that disclosure request is unnecessary.

Comment: Many commenters urged the Secretary to require specific criteria for court and administrative orders. Many of these commenters proposed that a provision be added to the rule that would require court and administrative orders to safeguard the disclosure and use of protected health information. These commenters urged that the information sought must be relevant and material, as specific and narrowly drawn as reasonably practicable, and only disclosed if de-identified information could not reasonably be used.

Response: The Secretary's authority is limited to covered entities. Therefore, we do not impose requirements on courts and administrative tribunals. However, we note that the final rule's limitation of the permitted disclosures by covered entities in court or administrative proceedings to only that information which is specified in the order from a court or an administrative body should provide a degree of protection for individuals from unnecessary disclosure.

Comment: Several commenters asked that the "minimum necessary" standard not apply to disclosures made pursuant to a court order because individuals could then use the rule to contest the scope of discovery requests. However, many other commenters recommended that the rule permit disclosure only of information "reasonably necessary" to respond to a subpoena. These commenters raised concerns with applying the "minimum necessary" standard in judicial and administrative proceedings, but did not believe the holder of protected health information should have blanket authority to disclose all protected health information. Some of the commenters urged that disclosure of any information about third parties that may be included in the medical records of another person - for example, the HIV status of a partner - be prohibited. Finally, some commenters disagreed with the proposed rule because it did not require covered entities to evaluate the validity of subpoenas and discovery requests to determine whether these requests ask for the "minimum necessary" or "reasonably necessary" amount of information.

Response: Under the final rule, if the disclosure is pursuant to an order of a court or administrative tribunal, covered entities may disclose only the protected health information expressly authorized by the order. In these instances, a covered entity is not required to make a determination whether or not the order might otherwise meet the minimum necessary requirement.

If the disclosure is pursuant to a satisfactory assurance from the party seeking the disclosure, at least a good faith attempt has been made to notify the individual in writing of the disclosure before it is made, or the parties have sought a qualified protective order that prohibits them from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the information was requested and that requires the information to be returned to the covered entity or destroyed at the end of the litigation or the proceeding. Alternatively, the covered entity may seek such notice or qualified protective order itself. This approach provides the individual with protections and places the burden on the parties to resolve their differences about the appropriateness and scope of disclosure as part of the judicial or administrative procedure itself before the order is issued, rather than requiring the covered entity to get involved in evaluating the merits of the dispute in order to determine whether or not the particular request is appropriate or too broad. In these cases, the covered entity must disclose only the protected health information that is the minimum amount necessary to achieve the purpose for which the information is sought.

We share the concern of the commenters that covered entities should redact any information about third parties before disclosing an individual's protected health information. During the fact-finding stage of our consideration of revisions to the proposed rule, we discussed this issue with representatives of covered entities. Currently, information about third parties is sometimes redacted by medical records personnel responding to requests for information. In particular, information regarding HIV status is treated with special sensitivity by these professionals. Although we considered including a special provision in the final rule prohibiting such disclosure, we decided that the revisions made to the proposed rule would provide sufficient protection. By restricting disclosure of protected health information to only that information specified in a court or administrative order or released pursuant to other types of lawful process only if the individual had notice and an opportunity to object or if the information was subject to a protective order, individuals who are concerned about disclosure of information concerning third parties will have the opportunity to raise that issue prior to the request for disclosure being presented to the covered entity. We are reluctant to put the covered entity in the position of having to resolve disputes concerning the type of information that may be disclosed when that dispute should more appropriately be settled through the judicial or administrative procedure itself.

Comment: One commenter asked that the final regulation clarify that a court order is not required when disclosure would otherwise be permitted under the rule. This commenter noted that the preamble states that the requirement for a court order would not apply if the disclosure would otherwise be permitted under the rule. For example, disclosures of protected health information pursuant to administrative, civil, and criminal proceedings relating to "health oversight" are permitted, even if no court or administrative orders have been issued. However, the commenter was concerned that this principle only appeared in the preamble and not in the rule itself.

Response: Section 164.512(e)(4) of the final regulation contains this clarification.

Comment: One commenter was concerned that the rule is unclear as to whether governmental entities are given a special right to "use" protected health information that private parties do not have under the proposed regulation or whether governmental entities that seek or use protected health information are treated the same as private parties in their use of such information. This commenter urged that we clarify our intent regarding the use of protected health information by governmental entities.

Response: Generally governmental entities are treated the same as private entities under the rule. In a few clearly defined cases, a special rule applies. For instance, under § 164.504(e)(3), when a covered entity and its business associate are both governmental entities, they may enter into a memorandum of understanding or adopt a regulation with the force and effect of law that incorporates the requirements of a business associate contract, rather than having to negotiate a business associate contract itself.

Comment: One commenter recommended that final rule state that information developed as part of a quality improvement or medical error reduction program may not be disclosed under this provision. The commenter explained that peer review information developed to identify and correct systemic problems in delivery of care must be protected from disclosure to allow a full discussion of the root causes of such events so they may be identified and addressed. According to the commenter, this is consistent with peer review protections afforded this information by the states.

Response: The question of whether or not such information should be protected is currently the subject of debate in Congress and in the states. It would be premature for us to adopt a position on this issue until a clear consensus emerges. Under the final rule, no special protection against disclosure is provided for peer review information of the type the commenter describes. However, unless the request for disclosure fits within one of the categories of permitted or required disclosures under the regulation, it may not be disclosed. For instance, if disclosure of peer review information is required by another law (such as Medicare or a state law), covered entities subject to that law may disclose protected health information consistent with the law.

Comment: One commenter stated that the requirements of this section are in conflict with Medicare contractor current practices, as defined by the HCFA Office of General Counsel and suggested that the final rule include more specific guidelines.

Response: Because the commenter failed to indicate the nature of these conflicts, we are unable to respond.

Comment: One commenter stated that the rule should require rather than permit disclosure pursuant to court orders.

Response: Under the statutory framework adopted by Congress in HIPAA, a presumption is established that the data contained in an individual's medical record belongs to the individual and must be protected from disclosure to third parties. The only instance in which covered entities holding that information must disclose it is if the individual requests access to the information himself or herself. In the final rule (as in the proposed rule), covered entities may use or disclose protected health information under certain enumerated circumstances, but are not required to do so. We do not believe that this basic principle should be compromised merely because a court order has been issued. Consistent with this principle, we provide covered entities with the flexibility to deal with circumstances in which the covered entity may have valid reasons for declining to release the protected health information without violating this regulation.

Comment: One commenter noted that in some states, public health records are not subject to discovery, and that the proposed rule would not permit disclosure of protected health information pursuant to court order or subpoena if the disclosure is not allowed by state law. The commenter requested clarification as to whether a subpoena in a federal civil action would require disclosure if a state law prohibiting the release of public health records existed.

Response: As explained above, the final rule permits, but does not require, disclosure of protected health information pursuant to a court order. Under the applicable preemption provisions of HIPAA, state laws relating to the privacy of medical information that are more stringent than the federal rules are not preempted. To the extent that an applicable state law precludes disclosure of protected health information that would otherwise be permitted under the final rule, state law governs.

Comment: A number of commenters expressed concern that the proposed rule would negatively impact state and federal benefits programs, particularly social security and workers' compensation. One commenter requested that the final rule remove any possible ambiguity about application of the rule to the Social Security Administration's (SSA) evidence requests by permitting disclosure to all administrative levels of benefit programs. In addition, several commenters stated that requiring SSA or states to provide the covered entity holding the protected health information with an individual's consent before it could disclose the information would create a huge administrative and paperwork burden with no added value to the individual. In addition, several other commenters indicated that states that make disability determinations for SSA also support special accommodation for SSA's determination process. They expressed concern that providers will narrowly interpret the HIPAA requirements, resulting in significant increases in processing time and program costs for obtaining medical evidence (especially purchased consultative examinations when evidence of record cannot be obtained). A few commenters were especially concerned about the impact on states and SSA if the final rule were to eliminate the NPRM's provision for a broad consent for "all evidence from all sources."

Some commenters also noted that it would be inappropriate for a provider to make a minimum necessary determination in response to a request from SSA because the provider usually will not know the legal parameters of SSA's programs, or have access to the individual's other sources of evidence. In addition, one commenter urged the Secretary to be sensitive to these concerns about delay and other negative impacts on the timely determination of disability by SSA for mentally impaired individuals.

Response: Under the final rule, covered entities may disclose protected health information pursuant to an administrative order, so the flow of protected health information from covered entities to SSA and the states should not be disrupted.

Although some commenters urged that special rules should be included for state and federal agencies that need protected health information, the Secretary rejects that suggestion because, wherever possible, the public and the private sectors should operate under the same rules regarding the disclosure of health information. To the extent the activities of SSA constitute an actual administrative tribunal, covered entities must follow the requirements of § 164.512(e) if they wish to disclose protected health information to SSA in those circumstances. Not all administrative inquiries are administrative tribunals, however. If SSA's request for protected health information comes within another category of permissible exemptions, a covered entity, following the requirements of the applicable section, may disclose the information to SSA. For example, if SSA seeks information for purposes of health oversight, a covered entity that wishes to disclose the information to SSA may do so under § 164.512(d) and not § 164.512(e). Only if the disclosure does not come within one of the other permissible disclosures would a covered entity need to meet the requirements of § 164.512(e). If the SSA request does not come within another permissible disclosure, the agency will be treated like anyone else under the rules.

The Secretary recognizes that even under current circumstances, professional medical records personnel do not always respond unquestioningly to an agency's request for health information. During the fact-finding process, professionals charged with managing provider response to requests for protected health information indicated to us that when an agency's request for protected health information is overbroad, the medical records professional will contact the agency and negotiate a more limited request. In balancing the interests of individuals against the need of governmental entities to receive protected health information, we think that applying the minimum necessary standard is appropriate and that covered entities should be responsible for ensuring that they disclose only that protected health information that is necessary to achieve the purpose for which the information is sought.

Comment: In a similar vein, one commenter expressed concern that the proposed rule would adversely affect the informal administrative process usually followed in processing workers' compensation claims. Using formal discovery is not always possible, because some programs do not permit it. The commenter urged that the final rule must permit administrative agencies, employers, and workers' compensation carriers to use less formal means to obtain relevant medical evidence while the matter is pending before the agency. This commenter asked that the rule be revised to permit covered entities to disclose protected health information without authorization for purposes of federal or state benefits determinations at all levels of processing, from the initial application through continuing disability reviews.

Response: If the disclosure is required by a law relating to workers' compensation, a covered entity may disclose protected health information as authorized by and to the extent necessary to comply with that law under § 164.512(l). If the request for protected health information in connection with a workers' compensation claim is part of an administrative proceeding, a covered entity must meet the requirements set forth in § 164.512(e), and discussed above, before disclosing the information. As noted, one permissible manner by which a covered entity may disclose protected health information under § 164.512(e) is if the party seeking the disclosure makes reasonable efforts to provide notice to the individual as required by this provision. Under this method, the less formal process noted by the commenter would not be disturbed. Covered entities may disclose protected health information in response to other types of requests only as permitted by this regulation.

Section 164.512(f)--Disclosures for Law Enforcement Purposes

General Comments on Proposed § 164.510(f)

Comment: Some commenters argued that current law enforcement use of protected health information was legitimate and important. These commenters cited examples of investigations and prosecutions for which protected health information is needed, from white collar insurance fraud to violent assault, to provide incriminating evidence or to exonerate a suspect, to determine what charges are warranted, and for bail decisions. For example, one commenter argued that disclosure of protected health information for law enforcement purposes should be exempt from the rule, because the proposed regulation would hamper Drug Enforcement Administration investigations. A few commenters argued that effective law enforcement requires early access to as much information as possible, to rule out suspects, assess severity of criminal acts, and for other purposes. A few commenters noted the difficulties criminal investigators and prosecutors face when fighting complex criminal schemes. In general, these commenters argued that all disclosures of protected health information to law enforcement should be allowed, or that the process requirements proposed in § 164.510(f)(1) should be eliminated.

Response: The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety. At the same time, individuals' privacy interests also are important and legitimate. As with all the other disclosures of protected health information permitted under this regulation, the rules we impose attempt to balance competing and legitimate interests.

Comment: Law enforcement representatives stated that law enforcement agencies had a good track record of protecting patient privacy and that additional restrictions on their access and use of information were not warranted. Some commenters argued that no new limitations on law enforcement access to protected health information were necessary, because sufficient safeguards exist in state and federal laws to prevent inappropriate disclosure of protected health information by law enforcement.

Response: Disclosure of protected health information by law enforcement is not at issue in this regulation. Law enforcement access to protected health information in the first instance, absent any re-disclosure by law enforcement, impinges on individuals' privacy interests and must therefore be justified by a public purpose that outweighs individuals' privacy interests.

We do not agree that sufficient safeguards already exist in this area. We are not aware of, and the comments did not provide, evidence of a minimum set of protections for individuals relating to access by law enforcement to their protected health information. Federal and state laws in this area vary considerably, as they do for other areas addressed in this final rule. The need for standards in this area is no less critical than in the other areas addressed by this rule.

Comment: Many commenters argued that no disclosures of protected health information should be made to law enforcement (absent authorization) without a warrant issued by a judicial officer after a finding of probable cause. Others argued that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, as described in proposed § 164.510(f)(2). Some commenters argued that judicial review prior to release of protected health information to law enforcement should be required absent the exigent and urgent circumstances identified in the NPRM in § 164.510(f)(3) and (5), or absent "a compelling need" or similar circumstances.

Response: In the final rule, we attempt to match the level of procedural protection for privacy required by this rule with the nature of the law enforcement need for access, the existence of other procedural protections, and individuals' privacy interests. Where other rules already impose procedural protections, this rule generally relies on those protections rather than imposing new ones. Thus, where access to protected health information is granted after review by an independent judicial officer (such as a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer), no further requirements are necessary. Similarly, because information disclosed to a grand jury is vital to law enforcement purposes and is covered by secrecy protection, this rule allows disclosure with no further process.

We set somewhat stricter standards for disclosure of protected health information pursuant to administrative process, such as administrative subpoenas, summonses, and civil or authorized investigative demands. In these cases, the level of existing procedural protections is lower than for judicially-approved or grand jury disclosures. We therefore require a greater showing, specifically, the three-part test described in § 164.512(f)(1)(ii), before the covered entity is permitted to release protected health information. Where the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances.

In the limited circumstances where law enforcement interests are heightened, we allow disclosure of protected health information without prior legal process or agreement, but we impose procedural protections such as limits on the information that may lawfully be disclosed, limits on the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures. For example, in some cases law enforcement officials may seek limited but focused information needed to obtain a warrant. A witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of privacy would be outweighed by the public interest. For such circumstances, we allow disclosure of protected health information in response to a law enforcement inquiry where law enforcement is seeking to identify a suspect, fugitive, material witness, or missing person, but allow only disclosure of a limited list of information.

Similarly, it is in the public interest to allow covered entities to take appropriate steps to protect the integrity and safety of their operations. Therefore, we permit covered entities on their own initiative to disclose to law enforcement officials protected health information for this purpose. However, we limit such disclosures to protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

We shape the rule's provisions with respect to law enforcement according to the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the course of health oversight activities. The limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation.

Comment: A few commenters cited existing sanctions for law enforcement officials who violate the rights of individuals in obtaining evidence, ranging from suppression of that evidence to monetary penalties, and argued that such sanctions are sufficient to protect patients' privacy interests.

Response: After-the-fact sanctions are important, but they are effective only when coupled with laws that establish the ground rules for appropriate behavior. That is, a sanction applies only where some other rule has been violated. This regulation sets such basic ground rules. Further, under the HIPAA statutory authority, we cannot impose sanctions on law enforcement officials or require suppression of evidence. We must therefore rely on rules that regulate disclosure of protected health information by covered entities in the first instance.

Comment: Several commenters argued that disclosure of protected health information under § 164.510(f) should be mandatory, not just permitted. Others argued that we should mandate disclosure of protected health information in response to Inspector General subpoenas. A few commenters argued that we should require all covered entities to include disclosure of protected health information to law enforcement in their required notice of privacy practices.

Response: The purpose of this regulation is to protect individuals' privacy interests, consistent with other important public activities. Other laws set the rules governing those public activities, including when health information is necessary for their effective operation. See discussion of § 164.512(a).

Comment: Some commenters questioned whether the Secretary had statutory authority to directly or indirectly impose new procedural or substantive requirements on otherwise lawful legal process issued under existing federal and state rules. They argued that, while the provisions are imposed on "covered entities," the rule would result in law enforcement officials being compelled to modify current practices to harmonize them with the requirements this rule imposes on covered entities. A number of state law enforcement agencies argued that the rule would place new burdens on state administrative subpoenas and requests that are intrusive in state functions. At least one commenter argued that the requirement for prior process places unreasonable restrictions on the right of the states to regulate law enforcement activities.

Response: This rule regulates the ability of health care clearinghouses, health plans, and covered health care providers to use and disclose health information. It does not regulate the behavior of law enforcement officials or the courts, nor does it prevent states from regulating law enforcement officials. All regulations have some effects on entities that are not directly regulated. We have considered those effects in this instance and have determined that the provisions of the rule are necessary to protect the privacy of individuals.

Comment: One commenter argued that state licensing boards should be exempt from restrictions placed on law enforcement officials, because state licensing and law enforcement are different activities.

Response: Each state's law determines what authorities are granted to state licensing boards. Because state laws differ in this regard, we cannot make a blanket determination that state licensing officials are or are not law enforcement officials under this regulation. We note, however, that the oversight of licensed providers generally is included as a health oversight activity at § 164.512(d).

Relationship to Existing Rules and Practices

Comment: Many commenters expressed concern that the proposed rule would have expanded current law enforcement access to protected health information. Many commenters said that the NPRM would have weakened their current privacy practices with respect to law enforcement access to health records. For example, some of the commenters arguing that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, did so because they believed that such a rule would be consistent with current state law practices.

Response: This regulation does not expand current law enforcement access to protected health information. We do not mandate any disclosures of protected health information to law enforcement officials, nor do we make lawful any disclosures of protected health information which are unlawful under other rules and regulations. Similarly, this regulation does not describe a set of "best practices." Nothing in this regulation should cause a covered entity to change practices that are more protective of privacy than the floor of protections provided in this regulation.

This regulation sets forth the minimum practices which a covered entity must undertake in order to avoid sanctions under the HIPAA. We expect and encourage covered entities to exercise their judgment and professional ethics in using and disclosing health information, and to continue any current practices that provide privacy protections greater than those mandated in this regulation.

Comment: Many commenters asserted that, today, consent or judicial review always is required prior to release of protected health information to law enforcement; therefore, they said that the proposed rule would have lessened existing privacy protections.

Response: In many situations today, law enforcement officials lawfully obtain health information absent any prior legal process and absent exigent circumstances. The comments we received on the NPRM, both from law enforcement and consumer advocacy groups, describe many such situations. Moreover, this rule sets forth minimum privacy protections and does not preempt more stringent, pre-existing standards.

Comment: Some commenters argued that health records should be entitled to at least as much protection as cable subscription records and video rental records.

Response: We agree. The Secretary, in presenting her initial recommendations on the protection of health information to the Congress in 1997, stated that, "When Congress looked at the privacy threats to our credit records, our video records, and our motor vehicle records, it acted quickly to protect them. It is time to do the same with our health care records" (Testimony of Donna E. Shalala, Secretary, U. S. Department of Health and Human Services, before the Senate Committee on Labor & Human Resources, September 11, 1997). However, the limited jurisdiction conferred on us by the HIPAA does not allow us to impose such restrictions on law enforcement officials or the courts.

Comment: At least one commenter argued that the regulation should allow current routine uses for law enforcement under the Privacy Act.

Response: This issue is discussed in the "Relationship to Other Federal Laws" preamble discussion of the Privacy Act.

Comment: A few commenters expressed concern that people will be less likely to provide protected health information for public health purposes if they fear the information could be used for law enforcement purposes.

Response: This regulation does not affect law enforcement access to records held by public health authorities, which for the most part are not covered entities under HIPAA, nor does it expand current law enforcement access to records held by covered entities. Therefore, this regulation should not reduce current cooperation with public health efforts.

Relationship to Other Provisions of This Regulation

Comment: Several commenters pointed out an unintended interaction between proposed §§ 164.510(f) and 164.510(n). Because proposed § 164.510(n), allowing disclosures mandated by other laws, applied only if the disclosure would not fall into one of the categories of disclosures provided for in § 164.510 (b) - (m), disclosures of protected health information mandated for law enforcement purposes by other law would have been preempted.

Response: We agree, and in the final rule we address this unintended interaction. It is not our intent to preempt these laws. To clarify the interaction between these provisions, in the final rule we have specifically added language to the paragraph addressing disclosures for law enforcement that permits covered entities to comply with legal mandates, and have included a specific cross reference in the provision of the final rule that permits covered entities to make other disclosures required by law. See § 164.512(a).

Comment: Several commenters argued that, when a victim of abuse or of a crime has requested restrictions on disclosure, the restrictions should be communicated to any law enforcement officials who receive that protected health information.

Response: We do not have the authority to regulate law enforcement use and disclosure of protected health information, and therefore we could not enforce any such restrictions communicated to law enforcement officials. For this reason, we determined that the benefits to be gained from requiring communication of restrictions would not outweigh the burdens such a requirement would place on covered entities. We expect that professional ethics will guide health care providers' communications to law enforcement officials about the welfare of victims of abuse or other crime.

Comment: Some commenters argued against imposing the "minimum necessary" requirement on disclosure of protected health information to law enforcement officials. Some law enforcement commenters expressed concern that the "minimum necessary" test could be "manipulated" by a covered entity that wished to withhold relevant evidence. A number of covered entities complained that they were ill-equipped to substitute their judgment for that of law enforcement as to what was the minimum amount necessary, and they also argued that the burden of determining the "minimum necessary" information should be transferred to law enforcement agencies. Some commenters argued that imposing such "uninformed" discretion on covered entities would delay or thwart legitimate investigations, and would result in withholding information that might exculpate an individual or might be necessary to present a defendant's case. One comment suggested that covered entities have "immunity" for providing too much information to law enforcement.

Response: The "minimum necessary" standard is discussed at § 164.514.

Comment: A few commenters asked us to clarify when a disclosure is for a "Judicial or Administrative Proceeding" and when it is for "Law Enforcement" purposes.

Response: In the final rule we have clarified that § 164.512(e) relating to disclosures for judicial or administrative proceedings does not supersede the authority of a covered entity to make disclosures under other provisions of the rule.

Use of Protected Health Information after Disclosure to Law Enforcement

Comment: Many commenters recommended that we restrict law enforcement officials' re-use and re-disclosure of protected health information. Some commenters asked us to impose such restrictions, while other commenters noted that the need for such restrictions underscores the need for legislation. Another argued for judicial review prior to release of protected health information to law enforcement because this regulation cannot limit further uses or disclosures of protected health information once it is in the hands of law enforcement agencies.

Response: We agree that there are advantages to legislation that imposes appropriate restrictions directly on the re-use and re-disclosure of protected health information by many persons who may lawfully receive protected health information under this regulation, but whom we cannot regulate under the HIPAA legislative authority, including law enforcement agencies.

Comment: A few commenters expressed concern that protected health information about persons who are not suspects may be used in court and thereby become public knowledge. These commenters urged us to take steps to minimize or prevent such protected health information from becoming part of the public record.

Response: We agree that individuals should be protected from unnecessary public disclosure of health information about them. However, we do not have the statutory authority in this regulation to require courts to impose protective orders. To the extent possible within the HIPAA statutory authority, we address this problem in § 164.512(e), Judicial and Administrative Proceedings.

Comment: Some commenters argued that evidence obtained in violation of the regulation should be inadmissible at trial.

Response: In this regulation, we do not have the authority to regulate the courts. We can neither require nor prohibit courts from excluding evidence obtained in violation of this regulation.

Comments Regarding Proposed § 164.510(f)(1), Disclosures to Law Enforcement Pursuant to Process

Comments Supporting or Opposing a Requirement of Consent or Court Order

Comment: Some commenters argued that a rule that required a court order for every instance that law enforcement sought protected health information would impose substantial financial and administrative burdens on federal and state law enforcement and courts. Other commenters argued that imposing a new requirement of prior judicial process would compromise the time-sensitive nature of many investigations.

Response: We do not impose such a requirement in this regulation.

Comment: Many commenters argued that proposed § 164.510(f)(1) would have given law enforcement officials the choice of obtaining records with or without a court order, and that law enforcement "will choose the least restrictive means of obtaining records, those that do not require review by a judge or a prosecutor." Several commenters argued that this provision would have provided the illusion of barriers -- but no real barriers -- to law enforcement access to protected health information. A few argued that this provision would have allowed law enforcement to regulate itself.

Response: We agree with commenters that, in some cases, a law enforcement official may have discretion to seek health information under more than one legal avenue. Allowing a choice in these circumstances does not mean an absence of real limits. Where law enforcement officials choose to obtain protected health information through administrative process, they must meet the three-part test required by this regulation.

Comment: At least one commenter argued for judicial review prior to disclosure of health information because the rule will become the "de facto" standard for release of protected health information.

Response: We do not intend for this regulation to become the "de facto" standard for release of protected health information. Nothing in this regulation limits the ability of states and other governmental authorities to impose stricter requirements on law enforcement access to protected health information. Similarly, we do not limit the ability of covered entities to adopt stricter policies for disclosure of protected health information not mandated by other laws.

Comment: A few commenters expressed concern that proposed § 164.510(f)(1) would have overburdened the judicial system.

Response: The comments did not provide any factual basis for evaluating this concern.

Comment: Some commenters argued that, while a court order should be required, the standard of proof should be something other than "probable cause." For example, one commenter argued that the court should apply the three-part test proposed in § 164.510(f)(1)(C). Another commenter suggested a three-part test: the information is necessary, the need cannot be met with non-identifiable information, and the need of law enforcement outweighs the privacy interest of the patient. Some commenters suggested that we impose a "clear and convincing" standard. Another suggested that we require clear and convincing evidence that: (1) the information sought is relevant and material to a legitimate criminal investigation; (2) the request is as specific and narrow as is reasonably practicable; (3) de-identified information, for example coded records, could not reasonably be used; (4) on balance, the need for the information outweighs the potential harm to the individuals and to patient care generally; and (5) safeguards appropriate to the situation have been considered and imposed. This comment also suggested the following as such appropriate safeguards: granting only the right to inspect and take notes; allowing copying of only certain portions of records; prohibiting removing records from the premises; placing limits on subsequent use and disclosure; and requiring return or destruction of the information at the earliest possible time. Others said the court order should impose a "minimum necessary" standard.

Response: We have not revised the regulation in response to comments suggesting that we impose additional standards relating to disclosures to comply with court orders. Unlike administrative subpoenas, where there is no independent review of the order, court orders are issued by an independent judicial officer, and we believe that covered entities should be permitted under this rule to comply with them. Court orders are issued in a wide variety of cases, and we do not know what hardships might arise by imposing standards that would require judicial officers to make specific findings related to privacy.

Comment: At least one commenter argued that the proposed rule would have placed too much burden on covered entities to evaluate whether to release information in response to a court order. This comment suggested that the regulation allow disclosure to attorneys for assessment of what the covered entity should release in response to a court order.

Response: This regulation does not change current requirements on or rights of covered entities with respect to court orders for the release of health information. Where such disclosures are required today, they continue to be required under this rule. Where other law allows a covered entity to challenge a court order today, this rule will not reduce the ability of a covered entity to mount such a challenge. Under § 164.514, a covered entity will be permitted to rely on the face of a court order to meet this rule's requirements for verification of the legal authority of the request for information. A covered entity may disclose protected health information to its attorneys as needed, to perform health care operations, including to assess the covered entity's appropriate response to court orders. See definition of "health care operations" under § 164.501.

Comment: Many commenters argued that the regulation should prohibit disclosures of protected health information to law enforcement absent patient consent.

Response: We disagree with the comment. Requiring consent prior to any release of protected health information to a law enforcement official would unduly jeopardize public safety. Law enforcement officials need protected health information for their investigations in a variety of circumstances. The medical condition of a defendant could be relevant to whether a crime was committed, or to the seriousness of a crime. The medical condition of a witness could be relevant to the reliability of that witness. Health information may be needed from emergency rooms to locate a fleeing prison escapee or criminal suspect who was injured and is believed to have stopped to seek medical care.

These and other uses of medical information are in the public interest. Requiring the authorization of the subject prior to disclosure could make apprehension or conviction of some criminals difficult or impossible. In many instances, it would not be possible to obtain such consent, for example because the subject of the information could not be located in time (or at all). In other instances, the covered entity may not wish to undertake the burden of obtaining the consent. Rather than an across-the-board consent requirement, to protect individuals' privacy interests while also promoting public safety, we impose a set of procedural safeguards (described in more detail elsewhere in this regulation) that covered entities must ensure are met before disclosing protected health information to law enforcement officials.

In most instances, such procedural safeguards consist of some prior legal process, such as a warrant, grand jury subpoena, or an administrative subpoena that meets a three-part test for protecting privacy interests. When the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances. In the limited circumstances where law enforcement interests are heightened and we allow disclosure of protected health information without prior legal process or agreement, the procedural protections include limits on the information that may lawfully be disclosed, the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures.

We also allow disclosure of protected health information to law enforcement officials without consent when other law mandates the disclosures. When such other law exists, another public entity has made the determination that law enforcement interests outweigh the individual's privacy interests in the situations described in that other law, and we do not upset that determination in this regulation.

Comment: Several commenters recommended requiring that individuals receive notice and opportunity to contest the validity of legal process under which their protected health information will be disclosed, prior to disclosure of their records to law enforcement. Some of these commenters recommended adding this requirement to provisions proposed in the NPRM, while others recommended establishing this requirement as part of a new requirement for a judicial warrant prior to all disclosures of protected health information to law enforcement. At least one of these commenters proposed an exception to such a notice requirement where notice might lead to destruction of the records.

Response: Above we discuss the reasons why we believe it is inappropriate to require consent or a judicial order prior to any release of protected health information to law enforcement. Many of those reasons apply here, and they lead us not to impose such a notice requirement.

Comment: A few commenters believed that the proposed requirements in § 164.510(f)(1) would hinder investigations under the Civil Rights for Institutionalized Persons Act (CRIPA).

Response: We did not intend that provision to apply to investigations under CRIPA, and we clarify in the final rule that covered entities may disclose protected health information for such investigations under the health oversight provisions of this regulation (see § 164.512(d) for further detail).

Comments Suggesting Changes to the Proposed Three-Part Test

Comment: Many commenters argued for changes to the proposed three-part test that would make the test more difficult to meet. Many of these urged greater, but unspecified, restrictions. Others argued that the proposed test was too stringent, and that it would have hampered criminal investigations and prosecutions. Some argued that it was too difficult for law enforcement to be specific at the beginning of an investigation. Some argued that there was no need to change current practices, and they asked for elimination of the three-part test because it was "more stringent" than current practices and would make protected health information more difficult to obtain for law enforcement purposes. These commenters urged elimination of the three-part test so that administrative bodies could continue current practices without additional restrictions. Some of these argued for elimination of the three-part test for all administrative subpoenas; others argued for elimination of the three-part test for administrative subpoenas from various Inspectors General offices. A few commenters argued that the provisions in proposed § 164.510(f)(1) should be eliminated because they would have burdened criminal investigations and prosecutions but would have served "no useful public purpose."

Response: We designed the proposed three-part test to require proof that the government's interest in the health information was sufficiently important and sufficiently focused to overcome the individual's privacy interest. If the test were weakened or eliminated, the individual's privacy interest would be insufficiently protected. At the same time, if the test were significantly more difficult to meet, law enforcement's ability to protect the public interest could be unduly compromised.

Comment: At least one comment argued that, in the absence of a judicial order, protected health information should be released only pursuant to specific statutory authority.

Response: It is impossible to predict all the facts and circumstances, for today and into the future, in which law enforcement's interest in health information outweighs individuals' privacy interests. Recognizing this, states and other governments have not acted to list all the instances in which health information should be available to law enforcement officials. Rather, they specify some such instances, and rely on statutory, constitutional, and other limitations to place boundaries on the activities of law enforcement officials. Since the statutory authority to which the commenter refers does not often exist, many uses of protected health information that are in the public interest (described above in more detail) would not be possible under such an approach.

Comment: At least one commenter, an administrative agency, expressed concern that the proposed rule would have required its subpoenas to be approved by a judicial officer.

Response: This rule does not require judicial approval of administrative subpoenas. Administrative agencies can avoid the need for judicial review under this regulation by issuing subpoenas for protected health information only where the three-part test has been met.

Comment: Some commenters suggested alternative requirements for law enforcement access to protected health information. A few suggested replacing the three-part test with a requirement that the request for protected health information from law enforcement be in writing and signed by a supervisory official, and/or that the request "provide enough information about their needs to allow application of the minimum purpose rule."

Response: A rule requiring only that the request for information be in writing and signed fails to impose appropriate substantive standards for release of health information. A rule requiring only sufficient information for the covered entity to make a "minimum necessary" determination would leave these decisions entirely to covered entities' discretion. We believe that protection of individuals' privacy interests must start with a minimum floor of protections applicable to all. We believe that while covered entities may be free to provide additional protections (within the limits of the law), they should not have the ability to allow unjustified access to health information.

Comment: Some commenters argued that the requirement for an unspecified "finding" for a court order should be removed from the proposed rule, because it would have been confusing and would have provided no guidance to a court as to what finding would be sufficient.

Response: We agree that the requirement would have been confusing, and we delete this language from the final regulation.

Comment: A few commenters argued that the proposed three-part test should not be applied where existing federal or state law established a standard for issuing administrative process.

Response: It is the content of such a standard, not its mere existence, that determines whether the standard strikes an appropriate balance between individuals' privacy interests and the public interest in effective law enforcement activities. We assume that current authorities to issue administrative subpoenas are all subject to some standards. When an existing standard provides at least as much protection as the three-part test imposed by this regulation, the existing standard is not disturbed by this rule. When, however, an existing standard for issuing administrative process provides less protection, this rule imposes new requirements.

Comment: Some covered entities said that they should not have been asked to determine whether the proposed three-part test has been met. Some argued that they were ill-equipped to make a judgment on whether an administrative subpoena actually met the three-part test, or that it was unfair to place the burden of making such determinations on covered entities. Some argued that the burden should have been on law enforcement, and that it was inappropriate to shift the burden to covered entities. Other commenters argued that the proposal would have given too much discretion to the record holders to withhold evidence without having sufficient expertise or information on which to make such judgments. At least one comment said that this aspect of the proposal would have caused delay and expense in the detection and prevention of health care fraud. The commenter believed that this delay and expense could be prevented by shifting to law enforcement and health care oversight the responsibility to determine whether standards have been met.

At least one commenter recommended eliminating the three-part test for disclosures of protected health information by small providers.

Some commenters argued that allowing covered entities to rely on law enforcement representation that the three-part test has been met would render the test meaningless.

Response: Because the statute does not bring law enforcement officials within the scope of this regulation, the rule must rely on covered entities to implement standards that protect individuals' privacy interests, including the three-part test for disclosure pursuant to administrative subpoenas. To reduce the burden on covered entities, we do not require a covered entity to second-guess representations by law enforcement officials that the three-part test has been met. Rather, we allow covered entities to disclose protected health information to law enforcement when the subpoena or other administrative request indicates on its face that the three-part test has been met, or where a separate document so indicates. Because we allow such reliance, we do not believe that it is necessary or appropriate to reduce privacy protections for individuals who obtain care from small health care providers.

Comment: Some commenters ask for modification of the three-part test to include a balancing of the interests of law enforcement and the privacy of the individual, pointing to such provisions in the Leahy-Kennedy bill.

Response: We agree with the comment that the balancing of these interests is important in this circumstance. We designed the regulation's three-part test to accomplish that result.

Comment: At least one commenter recommended that "relevant and material" be changed to "relevant," because "relevant" is a term at the core of civil discovery rules and is thus well understood, and because it would be difficult to determine whether information is "material" prior to seeing the documents. As an alternative, this commenter suggested explaining what we meant by "material."

Response: Like the term "relevant," the term "material" is commonly used in legal standards and well understood.

Comment: At least one commenter suggested deleting the phrase "reasonably practical" from the second prong of the test, because, the commenter believed, it was not clear who would decide what is "reasonably practical" if the law enforcement agency and covered entity disagreed.

Response: We allow covered entities to rely on a representation on the face of the subpoena that the three-part test, including the "reasonably practical" criterion, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge any subpoena that today it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and is not a function of the "reasonably practical" criterion.

Comment: Some commenters requested elimination of the third prong of the test. One of these commenters suggested that the regulation should specify when de-identified information could not be used. Another recommended deleting the phrase "could not reasonably be used" from the third prong of the test, because the commenter believed it was not clear who would determine whether de-identified information "could reasonably be used" if the law enforcement agency and covered entity disagreed.

Response: We cannot anticipate in regulation all the facts and circumstances surrounding every law enforcement activity today, or in the future as technologies change. Such a rigid approach could not account for the variety of situations faced by covered entities and law enforcement officials, and would become obsolete over time. Thus, we believe it would not be appropriate to specify when de-identified information can or cannot be used to meet legitimate law enforcement needs.

In the final rule, we allow the covered entity to rely on a representation on the face of the subpoena (or similar document) that the three-part test, including the "could not reasonably be used" criterion, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge today any subpoena that it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and it is not a function of the "could not reasonably be used" criterion.

Comments Regarding Proposed § 164.510(f)(2), Limited Information for Identifying Purposes

Comment: A number of commenters recommended deletion of this provision. These commenters argued that the legal process requirements in proposed § 164.510(f)(1) should apply when protected health information is disclosed for identification purposes. At least one privacy group recommended that if the provision were not eliminated in its entirety, "suspects" should be removed from the list of individuals whose protected health information may be disclosed for identifying purposes. Many commenters expressed concern that this provision would allow compilation of large data bases of health information that could be used for purposes beyond those specified in this provision.

Response: We retain this provision in the final rule. We continue to believe that identifying fugitives, material witnesses, missing persons, and suspects is an important national priority and that allowing disclosure of limited identifying information for this purpose is in the public interest. Eliminating this provision - or eliminating suspects from the list of types of individuals about whom disclosure of protected health information to law enforcement is allowed - would impede law enforcement agencies' ability to apprehend fugitives and suspects and to identify material witnesses and missing persons. As a result, criminals could remain at large for longer periods of time, thereby posing a threat to public safety, and missing persons could be more difficult to locate and thus endangered.

However, as described above and in the following paragraphs, we make significant changes to this provision, to narrow the information that may be disclosed and make clear the limited purpose of the provision. For example, the proposed rule did not state explicitly whether covered entities would have been allowed to initiate - in the absence of a request from law enforcement - disclosure of protected health information to law enforcement officials for the purpose of identifying a suspect, fugitive, material witness or missing person. In the final rule, we clarify that covered entities may disclose protected health information for identifying purposes only in response to a request by a law enforcement official or agency. A "request by a law enforcement official or agency" is not limited to direct requests, but also includes oral or written requests by individuals acting on behalf of a law enforcement agency, such as a media organization broadcasting a request for the public's assistance in identifying a suspect on the evening news. It includes "Wanted" posters, public announcements, and similar requests to the general public for assistance in locating suspects or fugitives.

Comment: A few commenters recommended additional restrictions on disclosure of protected health information for identification purposes. For example, one commenter recommended that the provision should either (1) require that the information to be disclosed for identifying purposes be relevant and material to a legitimate law enforcement inquiry and that the request be as specific and narrowly drawn as possible; or (2) limit disclosures to circumstances in which (a) a crime of violence has occurred and the perpetrator is at large, (b) the perpetrator received an injury during the commission of the crime, (c) the inquiry states with specificity the type of injury received and the time period during which treatment would have been provided, and (d) "probable cause" exists to believe the perpetrator received treatment from the provider.

Response: We do not agree that these additional restrictions are appropriate for disclosures of limited identifying information for purposes of locating or identifying suspects, fugitives, material witnesses or missing persons. The purpose of this provision is to permit law enforcement to obtain limited time-sensitive information without the process requirements applicable to disclosures for other purposes. Only limited information may be disclosed under this provision, and disclosure is permitted only in limited circumstances. We believe that these safeguards are sufficient, and that creating additional restrictions would undermine the purpose of the provision and that it would hinder law enforcement's ability to obtain essential, time-sensitive information.

Comment: A number of law enforcement agencies recommended that the provision in the proposed rule be broadened to permit disclosure to law enforcement officials for the purpose of "locating" as well as "identifying" a suspect, fugitive, material witness or missing person.

Response: We agree with the comment and have changed the provision in the final rule. We believe that locating suspects, fugitives, material witnesses and missing persons is an important public policy priority, and that it can be critical to identifying these individuals. Further, efforts to locate suspects, fugitives, material witnesses, and missing persons can be at least as time-sensitive as identifying such individuals.

Comment: Several law enforcement agencies requested that the provision be broadened to permit disclosure of additional pieces of identifying information, such as ABO blood type and Rh factor, DNA information, dental records, fingerprints, and/or body fluid and tissue typing, samples and analysis. These commenters stated that additional identifying information may be necessary to permit identification of suspects, fugitives, material witnesses or missing persons. On the other hand, privacy and consumer advocates, as well as many individuals, were concerned that this section would allow all computerized medical records to be stored in a large law enforcement data base that could be scanned for matches of blood, DNA, or other individually identifiable information.

Response: The final rule seeks to strike a balance in protecting privacy and facilitating legitimate law enforcement inquiries. Specifically, we have broadened the NPRM's list of data elements that may be disclosed pursuant to this section, to include disclosure of ABO blood type and Rh factor for the purpose of identifying or locating suspects, fugitives, material witnesses or missing persons. We agree with the commenters that these pieces of information are important to law enforcement investigations and are no more invasive of privacy than the other pieces of protected health information that may be disclosed under this provision.

However, as explained below, protected health information associated with DNA and DNA analysis; dental records; or typing, samples or analyses of tissues and bodily fluids other than blood (e.g., saliva) cannot be disclosed for the location and identification purposes described in this section. Allowing disclosure of this information is not necessary to accomplish the purpose of this provision, and would be substantially more intrusive into individuals' privacy. In addition, we understand commenters' concern about the potential for such information to be compiled in law enforcement data bases. Allowing disclosure of such information could make individuals reluctant to seek care out of fear that health information about them could be compiled in such a data base.

Comment: Many commenters argued that proposed § 164.510(f)(2) should be deleted because it would permit law enforcement to engage in "fishing expeditions" or to create large data bases that could be searched for suspects and others.

Response: Some of this fear may have stemmed from the inclusion of the phrase "other distinguishing characteristic" - which could be construed broadly - in the list of items that could have been disclosed pursuant to this section. In the final rule, we delete the phrase "other distinguishing characteristic" from the list of items that can be disclosed pursuant to § 164.512(f)(2). In its place, we allow disclosure of a description of distinguishing physical characteristics, such as scars, tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. We believe that such a change, in addition to the changes described in the paragraph above, responds to commenters' concern that the NPRM would have allowed creation of a government data base of personal identifying information. Further, this modification provides additional guidance to covered entities regarding the type of information that may be disclosed under this provision.

Comment: At least one commenter recommended removing social security numbers (SSNs) from the list of items that may be disclosed pursuant to proposed § 164.510(f)(2). The commenter was concerned that including SSNs in the (f)(2) list would cause law enforcement agencies to demand that providers collect SSNs. In addition, the commenter was concerned that allowing disclosure of SSNs could lead to theft of identity by unscrupulous persons in police departments and health care organizations.

Response: We disagree. We believe that on balance, the potential benefits from use of SSNs for this purpose outweigh the potential privacy intrusion from such use of SSNs. For example, SSNs can help law enforcement officials identify suspects who are using aliases.

Comments Regarding Proposed § 164.510(f)(3), Information About a Victim of Crime or Abuse

Comment: Some law enforcement organizations expressed concern that proposed § 164.510(f)(3) could inhibit compliance with state mandatory reporting laws.

Response: We recognize that the NPRM could have preempted such state mandatory reporting laws, due to the combined impact of proposed §§ 164.510(m) and 164.510(f). As explained in detail in § 164.512(a) above, we did not intend that result, and we modify the final rule to make clear that this rule does not preempt state mandatory reporting laws.

Comment: Many commenters, including consumer and provider groups, expressed concern that allowing covered entities to disclose protected health information without authorization to law enforcement regarding victims of crime, abuse, and other harm could endanger victims, particularly victims of domestic violence, who could suffer further abuse if their abuser learned that the information had been reported. Provider groups also expressed concern about undermining provider-patient relationships. Some law enforcement representatives noted that in many cases, health care providers' voluntary reports of abuse or harm can be critical for the successful prosecution of violent crime. They argued that, by precluding providers from voluntarily reporting to law enforcement evidence of potential abuse, the proposed rule could make it more difficult to apprehend and prosecute criminals.

Response: We recognize the need for heightened sensitivity to the danger facing victims of crime in general, and victims of domestic abuse or neglect in particular. As discussed above, the final rule includes a new section (§ 164.512(c)) establishing strict conditions for disclosure of protected health information about victims of abuse, neglect, and domestic violence.

Victims of crime other than abuse, neglect, or domestic violence can also be placed in further danger by disclosure of protected health information relating to the crime. In § 164.512(f)(3) of the final rule, we establish conditions for disclosure of protected health information in these circumstances, and we make significant modifications to the proposed rule's provision for such disclosures. Under the final rule, unless a state or other government authority has enacted a law requiring disclosure of protected health information about a victim to law enforcement officials, in most instances, covered entities must obtain the victim's agreement before disclosing such information to law enforcement officials. This requirement gives victims control over decision making about their health information where their safety could be at issue, helps promote trust between patients and providers, and is consistent with health care providers' ethical obligation to seek patient authorization whenever possible before disclosing protected health information.

At the same time, the rule strikes a balance between protecting victims and providing law enforcement access to information about potential crimes that cause harm to individuals, by waiving the requirement for agreement in two situations. In allowing covered entities to disclose protected health information about a crime victim pursuant to a state or other mandatory reporting law, we defer to other governmental bodies' judgments on when certain public policy objectives are important enough to warrant mandatory disclosure of protected health information to law enforcement. While some mandatory reporting laws are written more broadly than others, we believe that it is neither appropriate nor practicable to distinguish in federal regulations between what we consider overly broad and sufficiently focused mandatory reporting laws.

The final rule waives the requirement for agreement if the covered entity is unable to obtain the individual's agreement due to incapacity or other emergency circumstance, and (1) the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity determines, in the exercise of professional judgment, that the disclosure is in the individual's best interests. By allowing covered entities, in the exercise of professional judgment, to determine whether such disclosures are in the individual's best interests, the final rule recognizes the importance of the provider-patient relationship.

In addition, the final rule allows covered entities to initiate disclosures of protected health information about victims without the victim's permission to law enforcement officials only if such disclosure is required under a state mandatory reporting law. In other circumstances, plans and providers may disclose protected health information only in response to a request from a law enforcement official. We believe that such an approach recognizes the importance of promoting trust between victims and their health care providers. If providers could initiate reports of victim information to law enforcement officials absent a legal reporting mandate, victims may avoid giving their providers health information that could facilitate their treatment, or they may avoid seeking treatment completely.

Comment: Many commenters believed that access to medical records pursuant to this provision should occur only after judicial review. Others believed that it should occur only with patient consent or after notifying the patient of the disclosure to law enforcement. Similarly, some commenters said that the minimum necessary standard should apply to this provision, and they recommended restrictions on law enforcement agencies' re-use of the information.

Response: As discussed above, the final rule generally requires individual agreement as a condition for disclosure of a victim's health information; this requirement provides greater privacy protection and individual control than would a requirement for judicial review. We also discuss above the situations in which this requirement for agreement may be waived, and why that is appropriate. The requirement that covered entities disclose the minimum necessary protected health information consistent with the purpose of the disclosure applies to disclosures of protected health information about victims to law enforcement, unless the disclosure is required by law. (See § 164.514 for more detail on the requirements for minimum necessary use and disclosure of protected health information.) As described above, HIPAA does not provide statutory authority for HHS to regulate law enforcement agencies' re-use of protected health information that they obtain pursuant to this rule.

Comment: A few commenters expressed concern that the NPRM would not have required law enforcement agencies' requests for protected health information about victims to be in writing. They believed that written requests could promote clarity in law enforcement requests, as well as greater accountability among law enforcement officials seeking information.

Response: We do not impose this requirement in the final rule. We believe that such a requirement would not provide significant new protection for victims and would unduly impede the completion of legitimate law enforcement investigations.

Comment: A provider group was concerned that it would be difficult for covered entities to evaluate law enforcement officials' claims that information is needed and that law enforcement activity may be necessary. Some comments from providers and individuals expressed concern that the proposed rule would have provided open-ended access by law enforcement to victims' medical records because of this difficulty in evaluating law enforcement claims of their need for the information.

Response: We modify the NPRM in several ways that reduce covered entities' decisionmaking burdens. The final rule clarifies that covered entities may disclose protected health information about a victim of crime where a report is required by state or other law, and it requires the victim's agreement for disclosure in most other instances. The covered entity must make the decision whether to disclose only in limited circumstances: when there is no mandatory reporting law; or when the victim is unable to provide agreement and the law enforcement official represents that: the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred, that the information will not be used against the victim, and that immediate law enforcement activity that depends on such information would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. In these circumstances, we believe it is appropriate to rely on the covered entity, in the exercise of professional judgment, to determine whether the disclosure is in the individual's best interests. Other sections of this rule allow covered entities to reasonably rely on certain representations by law enforcement officials (see § 164.514, regarding verification), and require disclosure of the minimum necessary protected health information for this purpose. Together, these provisions do not allow open-ended access or place undue responsibility on providers.

Comments Regarding Proposed § 164.510(f)(4), Intelligence and National Security Activities

In the final rule, we recognize that disclosures for intelligence and national security activities do not always involve law enforcement. Therefore, we delete the provisions of proposed § 164.510(f)(4), and we address disclosures for intelligence and national security activities in § 164.512(k), on uses and disclosures for specialized government functions. Comments and responses on these issues are included below, in the comments for that section.

Comments Regarding Proposed § 164.510(f)(5), Health Care Fraud, Crimes on the Premises, and Crimes Witnessed by the Covered Entity's Workforce

Comment: Many commenters noted that proposed § 164.510(f)(5)(i), which covered disclosures for investigations and prosecutions of health care fraud, overlapped with proposed § 164.510(c) which covered disclosures for health oversight activities.

Response: As discussed more fully in § 164.512(d) of this preamble, above, we agree that proposed § 164.510(f)(5)(i) created confusion because all disclosures covered by that provision were already permitted under proposed § 164.510(c) without prior process. In the final rule, therefore, we delete proposed § 164.510(f)(5)(i).

Comment: One commenter was concerned the proposed provision would not have allowed an emergency room physician to report evidence of abuse when the suspected abuse had not been committed on the covered entity's premises.

Response: Crimes on the premises are only one type of crime that providers may report to law enforcement officials. The rules for reporting evidence of abuse to law enforcement officials are described in § 164.512(c) of the rule, and described in detail in § 164.512(c) of the preamble. An emergency room physician may report evidence of abuse if the conditions in § 164.512(c) are met, regardless of where the abuse occurred.

Comment: One commenter argued that covered entities should be permitted to disclose information that "indicates the potential existence" of evidence, not just information that "constitutes evidence" of crimes on the premises or crimes witnessed by a member of the covered entity's workforce.

Response: We agree that covered entities should not be required to guess correctly whether information will be admitted to court as evidence. For this reason, we include a good-faith standard in this provision. Covered entities may disclose information that they believe in good faith constitutes evidence of a crime on the premises. If the covered entity discloses protected health information in good faith but is wrong in its belief that the information is evidence of a violation of law, the covered entity will not be subject to sanction under this regulation.

Section 164.512(g)--Uses and Disclosures about Decedents

Coroners and Medical Examiners

Comment: We received several comments, for example, from state and county health departments, a private foundation, and a provider organization, in support of the NPRM provision allowing disclosure without authorization to coroners and medical examiners.

Response: The final rule retains the NPRM's basic approach to disclosure to coroners and medical examiners. It allows covered entities to disclose protected health information without authorization to coroners and medical examiners, for identification of a deceased person, determining cause of death, or other duties authorized by law.

Comment: In the preamble to the NPRM, we said we had considered but rejected the option of requiring covered entities to redact from individuals' medical records any information identifying other persons before disclosing the record to a coroner or medical examiner. We solicited comment on whether health care providers routinely identify other persons specifically in an individual's medical record and if so, whether in the final rule we should require health care providers to redact information about the other person before providing it to a coroner or medical examiner.

A few commenters said that medical records typically do not include information about persons other than the patient. One commenter said that patient medical records occasionally reference others such as relatives or employers. These commenters recommended requiring redaction of such information in any report sent to a coroner or medical examiner. On the other hand, other commenters said that redaction should not be required. These commenters generally based their recommendation on the burden and delay associated with redaction. In addition to citing the complexity and time involved in redaction of medical records provided to coroners, one commenter said that health plans and covered health care providers were not trained to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Another commenter said that redaction should not be required because coroners and medical examiners needed some additional family information to determine what would be done with the deceased after their post-mortem investigation is completed.

Response: We recognize the burden associated with redacting medical records to remove the names of persons other than the patient. In addition, as stated in the preamble to the NPRM, we recognize that there is a limited time period after death within which an autopsy must be conducted. We believe that the delay associated with this burden could make it impossible to conduct a post-mortem investigation within the required time frame. In addition, we agree that health plans and covered health care providers may lack the training necessary to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Thus, in the final rule, we do not require health plans or covered providers to redact information about persons other than the patient who may be identified in a patient's medical record before disclosing the record to a coroner or medical examiner.

Comment: One commenter said that medical records sent to coroners and medical examiners were considered their work product and thus were not released from their offices to anyone else. The commenter recommended that HHS establish regulations on how to dispose of medical records and that we create a "no re-release" statement to ensure that individual privacy is maintained without compromising coroners' or medical examiners' access to protected health information. The organization said that such a policy should apply regardless of whether the investigation was civil or criminal.

Response: HIPAA does not provide HHS with statutory authority to regulate coroners' or medical examiners' re-use or re-disclosure of protected health information unless the coroner or medical examiner is also a covered entity. However, we consistently have supported comprehensive privacy legislation to regulate disclosure and use of individually identifiable health information by all entities that have access to it.

Funeral Directors

Comment: One commenter recommended modifying the proposed rule to allow disclosure without authorization to funeral directors. To accomplish this change, the commenter suggested either: (1) adding another subsection to proposed § 164.510 of the NPRM, to allow disclosure without authorization to funeral directors as needed to make arrangements for funeral services and for disposition of a deceased person's remains; or (2) revising proposed § 164.510(e) to allow disclosure of protected health information to both coroners and funeral directors. According to this commenter, funeral directors often need certain protected health information for the embalming process, because a person's medical condition may affect the way in which embalming is performed. For example, the commenter noted, funeral directors increasingly receive bodies after organ and tissue donation, which has implications for funeral home staff duties associated with embalming.

Response: We agree with the commenter. In the final rule, we permit covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. When necessary for funeral directors to carry out their duties, covered entities may disclose protected health information prior to and in reasonable anticipation of the individual's death.

Comment: One commenter recommended clarifying in the final rule that it does not restrict law enforcement agencies' release of medical information that many state records laws require to be reported, for example, as part of autopsy reports. The commenter recommended stating that law enforcement officials may independently gather medical information, that such information would not be covered by these rules, and that it would continue to be covered under applicable state and federal access laws.

Response: HIPAA does not give HHS statutory authority to regulate law enforcement officials' use or disclosure of protected health information. As stated elsewhere, we continue to support enactment of comprehensive privacy legislation to cover disclosure and use of all individually identifiable health information.

Comment: One commenter recommended prohibiting health plans and covered health care providers from disclosing psychotherapy notes to coroners or medical examiners.

Response: We disagree with the commenter who asserted that psychotherapy notes should only be used by or disclosed to coroners and medical examiners with authorization. Psychotherapy notes are sometimes needed by coroners and medical examiners to determine cause of death, such as in cases where suicide is suspected as the cause of death. We understand that several states require the disclosure of protected health information, including psychotherapy notes, to medical examiners and coroners. However, in the absence of a state law requiring such disclosure, we do not intend to prohibit coroners or medical examiners from obtaining the protected health information necessary to determine an individual's cause of death.

Section 164.512(h)--Uses and Disclosures for Organ Donation and Transplantation Purposes

Comment: Commenters noted that under the organ donation system, information about a patient is disclosed before seeking consent for donation from families. These commenters offered suggestions for ensuring that the system could continue to operate without consent for information sharing with organ procurement organizations and tissue banks. Commenters suggested that organ and tissue procurement organizations should be "covered entities" or that the procurement of organs and tissues be included in the definition of health care operations or treatment, or in the definition of emergency circumstances.

Response: We agree that organ and tissue donation is a special situation due to the need to protect potential donors' families from the stress of considering whether their loved one should be a donor before a determination has been made that donation would be medically suitable. Rather than list the entities that are "covered entities" or modify the definitions of health care operations and treatment or emergency circumstances to explicitly include organ procurement organizations and tissue banks, we have modified § 164.512 to permit covered entities to use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissues.

Comment: Commenters asked that the rule clarify that organ procurement organizations are health care providers but not business partners of the hospitals.

Response: We agree that organ procurement organizations and tissue banks are generally not business associates of hospitals.

Disclosures and Uses for Government Health Data Systems

Comment: We received a number of comments supporting the exception for disclosure of protected health information to government health data systems. Some supporters stated a general belief that the uses of such information were important to improve and protect the health of the public. Commenters said that state agencies used the information from government health data systems to contribute to the improvement of the health care system by helping prevent fraud and abuse and helping improve health care quality, efficiency, and cost-effectiveness. Commenters asserted that state agencies take action to ensure that data they release based on these data systems do not identify individuals.

We also received a large volume of comments opposed to the exception for use and disclosure of protected health information for government health data systems. Many commenters expressed general concern that the provision threatened their privacy, and many believed that their health information would be subject to abuse by government employees. Commenters expressed concern that the provision would facilitate collection of protected health information in one large, centralized government health database that could threaten privacy. Others argued that the proposed rule would facilitate law enforcement access to protected health information and could, in fact, become a database for law enforcement use.

Many commenters asserted that this provision would make individuals concerned about confiding in their health care providers. Some commenters argued that the government should not be allowed to collect individually identifiable health information without patient consent, and that the government could use de-identified data to perform the public policy analyses. Many individual commenters said that HHS lacked statutory and Constitutional authority to give the government access and control of their medical records without consent.

Many commenters believed that the NPRM language on government health data systems was too broad and would allow virtually any government collection of data to be covered. They argued that the government health data system exception was unnecessary because there were other provisions in the proposed rules providing sufficient authority for government agencies to obtain the information they need.

Some commenters were concerned that the NPRM's government health data system provisions would allow disclosure of protected health information for purposes unrelated to health care. These commenters recommended narrowing the provision to allow disclosure of protected health information without consent to government health data systems in support of health care-related policy, planning, regulatory, or management functions. Others recommended narrowing the exception to allow use and disclosure of protected health information for government health databases only when a specific statute or regulation has authorized collection of protected health information for a specific purpose.

Response: We agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule.

We reviewed the important purposes identified in the comments for government access to protected health information, and believe that the disclosures of protected health information that should appropriately be made without individuals' authorization can be achieved through the other disclosures provided for in the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, research, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow a covered entity to disclose protected health information without authorization to a public health authority to monitor trends in the spread of infectious disease, morbidity, and mortality. Under the rule's health oversight provision, covered entities can continue to disclose protected health information to public agencies for purposes such as analyzing the cost and quality of services provided by covered entities; evaluating the effectiveness of federal, state, and local public programs; examining trends in health insurance coverage of the population; and analyzing variations in access to health coverage among various segments of the population. We believe that it is better to remove the proposed provision for government health data systems generally and to rely on other, more narrowly tailored provisions in the rule to authorize appropriate disclosures to government agencies.

Comment: Some provider groups, private companies, and industry organizations recommended expanding the exception for government health data systems to include data collected by private entities. These commenters said that such an expansion would be justified, because private entities often perform the same functions as public agencies collecting health data.

Response: We eliminate the exception for government health data systems because it was overbroad and the uses and disclosures we were trying to permit are permitted by other provisions. We note that private organizations may use or disclose protected health information pursuant to multiple provisions of the rule.

Comment: One commenter recommended clarifying in the final rule that the government health data system provisions apply to: (1) manufacturers providing data to HCFA and its contractors to help the agency make reimbursement and related decisions; and to (2) third-party payors that must provide data collected by device manufacturers to HCFA to help the agency make reimbursement and related decisions.

Response: The decision to eliminate the general provision permitting disclosures to government health data systems makes this issue moot with respect to such disclosures. We note that the information used by manufacturers to support coverage determinations often is gathered pursuant to patient authorization (as part of informed consent for research) or as an approved research project. There also are many cases in which information can be de-identified before it is disclosed. Where HCFA hires a contractor to collect such protected health information, the contractor may do so under HCFA's authority, subject to the business associate provisions of this rule.

Comment: One commenter recommended stating in the final rule that de-identified information from government health data systems can be disclosed to other entities.

Response: HHS does not have the authority to regulate re-use or re-disclosure of information by agencies or institutions that are not covered entities under the rule. However, we support the policies and procedures that public agencies already have implemented to de-identify any information that they redisclose, and we encourage the continuation of these activities.

Disclosures for Payment Processes

Proposed § 164.510(j) of the NPRM would have allowed disclosure of protected health information without authorization for banking and payment processes. In the final rule, we eliminate this provision. Disclosures that would have been allowed under it, as well as comments received on proposed § 164.510(j), are addressed under § 164.501 of the final rule, under the definition of "payment."

Section 164.512(i)--Uses and Disclosures for Research Purposes

Documentation Requirements of IRB or Privacy Board Approval of Waiver

Comment: A number of commenters argued that the proposed research requirements of § 164.510(j) exceeded the Secretary's authority under section 246(c) of HIPAA. In particular, several commenters argued that the Department was proposing to extend the Common Rule and the use of the IRB or privacy boards beyond federally-funded research projects, without the necessary authority under HIPAA to do so. One commenter stated that, "Section 246(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information transmitted in connection with the transactions described in section 1173(a)," and thus concluded that the disclosure of health information to researchers is not covered. Some of these commenters also argued that the documentation requirements of proposed § 164.510(j) did not shield the NPRM from having the effect of regulating research by placing the onus on covered health care providers to seek documentation that certain standards had been satisfied before providing protected health information to researchers. These commenters argued that the proposed rule had the clear and intended effect of directly regulating researchers who wish to obtain protected health information from a covered entity.

Response: As discussed above, we do not agree with commenters that the Secretary's authority is limited to individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of HIPAA. We also disagree that the proposed research documentation requirements would have constituted the unauthorized regulation of researchers. The proposed requirements established conditions for the use of protected health information by covered entities for research and the disclosure of protected health information by covered entities to researchers. HIPAA authorizes the Secretary to regulate such uses and disclosures, and the final rule retains documentation requirements similar to those proposed.

Comment: Several commenters believed that the NPRM was proposing either directly or indirectly to modify the Common Rule and, therefore, stated that such modification was beyond the Secretary's authority under HIPAA. Many of these commenters arrived at this conclusion because the waiver of authorization criteria proposed in § 164.510(j) differed from the Common Rule's criteria for the waiver of informed consent (Common Rule, § ___.116(d)).

Response: We do not agree that the proposed provision relating to research would have modified the Common Rule. The provisions that we proposed and provisions that we include in the final rule place conditions that must be met before a covered entity may use or disclose protected health information. Those conditions are in addition to any conditions required of research entities under the Common Rule. Covered entities will certainly be subject to laws and regulations in addition to the rule, but the rule does not require compliance with these other laws or regulations. For covered health care providers and health plans that are subject to both the final rule and the Common Rule, both sets of regulations will need to be followed.

Comment: A few commenters suggested that the Common Rule should be extended to all research, regardless of funding source.

Response: We generally agree with the commenters on the need to provide protections to all human subjects research, regardless of funding source. HIPAA, however, did not provide the Department with authority to extend the Common Rule beyond its current purview. For research that relies on the use or disclosure of protected health information by covered entities without authorization, the final rule applies the Common Rule's principles for protecting research subjects by, in most instances, requiring documentation of independent board review, and a finding that specified criteria designed to protect the privacy of prospective research subjects have been met.

Comment: A large number of commenters agreed that the research use and disclosure of protected health information should not require authorization. Of these commenters, many supported the proposed rule's approach to research uses and disclosures without authorization, including many from health care provider organizations, the mental health community, and members of Congress. Others, while they agreed that the research use and disclosure should not require authorization, disagreed with the NPRM's approach and proposed alternative models.

The commenters who supported the NPRM's approach to permitting researchers access to protected health information without authorization argued that it was appropriate to apply "Common Rule-like" provisions to privately funded research. In addition, several commenters explicitly argued that the option to use a privacy board, in lieu of an IRB, must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB's ability to execute its primary patient protection role. Furthermore, several commenters believed that privacy board review should be permitted, but wanted equal oversight and accountability for privacy boards and IRBs.

Many other commenters agreed that the research use and disclosure should not require authorization, but disagreed with the proposed rule's approach and proposed alternative models. Several of these commenters argued that the final rule should eliminate the option for privacy board review and that all research be subject to IRB review. These commenters stated that having separate and unequal systems to approve research based on its funding source would complicate compliance and go against the spirit of the regulations. Several of these commenters, many from patient and provider organizations, opposed the permitted use of privacy boards to review research studies and instead argued that IRB review should be required for all studies involving the use or disclosure of protected health information. These commenters argued that although privacy board requirements would be similar, they are not equitable; for example, only three of the Common Rule's six requirements for the membership of IRBs were proposed to be required for the membership on privacy boards, and there was no proposed requirement for annual review of ongoing research studies that used protected health information. Several commenters were concerned that the proposed option to obtain documentation of privacy board review, in lieu of IRB review, would perpetuate the divide in the oversight of federally-funded versus publicly-funded research, rather than eliminate the differential oversight of publicly- and privately-funded research, with the former still being held to a stricter standard. Some of these commenters argued that these unequal protections would be especially apparent for the disclosure of research with authorization, since under the Common Rule, IRB review of human subjects studies is required, regardless of the subject's consent, before the study may be conducted.

Response: Although we share the concern raised by commenters that the option for the documentation of privacy board approval for an alteration or waiver of authorization may perpetuate the unequal mechanisms of protecting the privacy of human research subjects for federally-funded versus publicly-funded research, the final rule is limited by HIPAA to addressing only the use and disclosure of protected health information by covered entities, not the protection of human research subjects more generally. Therefore, the rule cannot standardize human subjects protections throughout the country. Given the limited scope of the final rule with regard to research, the Department believes that the option to obtain documentation of privacy board approval for an alteration or waiver of authorization in lieu of IRB approval provides covered entities with needed flexibility. Therefore, in the final rule we have retained the option for covered entities to rely on documentation of privacy board approval that specified criteria have been met.

We disagree with the rationale suggested by commenters who argued that the option for privacy board review must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB's ability to execute its primary patient protection role. For research that involves the use of individually identifiable health information, assessing the risk to the privacy of research subjects is currently one of the key risks that must be assessed and addressed by IRBs. In fact, we expect that it will be appropriate for many research organizations that have existing IRBs to rely on these IRBs to meet the documentation requirements of § 164.512(i).

Comment: One health care provider organization recommended that the IRB or privacy board mechanism of review should be applied to non-research uses and disclosures.

Response: We disagree. Imposing documentation of privacy board approval for other public policy uses and disclosures permitted by § 164.512 would result in undue delays in the use or disclosure of protected health information that could harm individuals and the public. For example, requiring that covered health care providers obtain third-party review before permitting them to alert a public health authority that an individual was infected with a serious communicable disease could delay appropriate intervention by a public health authority and could present a serious threat to the health of many individuals.

Comment: A number of commenters, including several members of Congress, argued that since the research provisions in proposed § 164.510(j) were modeled on the existing system of human subjects protections, they were inadequate and would shatter public trust if implemented. Similarly, some commenters asserted that IRBs are not accustomed to reviewing and approving utilization reviews, outcomes research, or disease management programs and, therefore, IRB review may not be an effective tool for protecting patient privacy in connection with these activities. Some of these commenters noted that proposed § 164.510(j) would exacerbate the problems inherent in the current federal human subjects protection system, especially in light of the recent GAO reports that indicate the IRB system is already over-extended. Furthermore, a few commenters argued that the Common Rule's requirements may be suited for interventional research involving human subjects, but are ill suited to the archival and health services research typically performed using medical records without authorization. Therefore, these commenters concluded that extending "Common Rule-like" provisions to the private sector would be inadequate to protect human subjects and would result in significant and unnecessary cost increases.

Response: While the vast majority of government-supported and regulated research adheres to strict protocols and the highest ethical standards, we agree that the federal system of human subjects protections can and must be strengthened. To work toward this goal, on May 23, the Secretary announced several additional initiatives to enhance the safety of subjects in clinical trials, strengthen government oversight of medical research, and reinforce clinical researchers' responsibility to follow federal guidelines. As part of this initiative, the National Institutes of Health have undertaken an aggressive effort to ensure IRB members and IRB staff receive appropriate training in bioethics and other issues related to research involving human subjects, including research that involves the use of individually identifiable health information. With these added improvements, we believe that the federal system of human subjects protections continues to be a good model to protect the privacy of individually identifiable health information that is used for research purposes. This model of privacy protection is also consistent with the recent recommendations of both the Institute of Medicine in their report entitled, "Protecting Data Privacy in Health Services Research," and the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance in their report entitled, "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment." Both of these reports similarly concluded that health services research that involves the use of individually identifiable health information should undergo IRB review or review by another board with sufficient expertise in privacy and confidentiality protection.

Furthermore, it is important to recognize that the Common Rule applies not only to interventional research, but also to research that uses individually identifiable health information, including archival research and health services research. The National Bioethics Advisory Commission (NBAC) is currently developing a report on the federal oversight of human subjects research, which is expected to address the unique issues raised by non-interventional human subjects research. The Department looks forward to receiving NBAC's report, and carefully considering the Commission's recommendations. This final rule is the first step in enhancing patients' privacy and we will propose modifications to the rule if changes are warranted by the Commission's findings and recommendations.

Comment: Many commenters argued that the proposed research provision would have a chilling effect on the willingness of health plans and covered providers to participate in research because of the criminal and civil penalties that could be imposed for failing to meet the requirements that would have been required by proposed § 164.510(j). Some of these commenters cautioned that, over time, research could be severely hindered if covered entities choose not to disclose protected health information to researchers. In addition, one commenter recommended that a more reasonable approach would be to require IRB or privacy board approval only if the results of the research were to be broadly published. Another commenter expressed concern that the privacy rule could influence IRBs or privacy boards to refuse to recognize the validity of decisions by other IRBs or privacy boards and specifically recommended that the privacy rule include a preamble statement that: (1) the "risk" balancing consider only the risk to the patient, not the risk to the institution, and (2) add a phrase that the decision by the initial IRB or privacy board to approve the research shall be given deference by other IRBs or privacy boards. This commenter also recommended that to determine whether IRBs or privacy boards were giving such deference to prior IRB or privacy board review, HHS should monitor the disapproval rate by IRB or privacy boards conducting secondary reviews.

Response: As the largest federal sponsor of medical research, we understand the important role of research in improving our Nation's health. However, the benefits of research must be balanced against the risks, including the privacy risks, for those who participate in research. An individual's rights and welfare must never be sacrificed for scientific or medical progress. We believe that the requirements for the use and disclosure of protected health information for research without authorization provide an appropriate balance. We understand that some covered health care providers and health plans may conclude that the rule's documentation requirements for research uses and disclosures are too burdensome.

We rejected the recommendation that documentation of IRB or privacy board approval of the waiver of authorization should only be required if the research were to be "broadly published." Research findings that are published in de-identified form have little influence on the privacy interests of individuals. We believe that it is the use or disclosure of individually identifiable health information to a researcher that poses the greater risk to individuals' privacy, not publication of de-identified information.

We agree with the commenters that IRB or privacy board review should address the privacy interests of individuals and not institutions. This provision is intended to protect individuals from unnecessary uses and disclosures of their health information and does not address institutional privacy.

We disagree with the comment that documentation of IRB or privacy board approval of the waiver of authorization should be given deference by other IRBs or privacy boards conducting secondary reviews. We do not believe that it is appropriate to restrict the deliberations or judgments of privacy boards, nor do we have the authority under this rule to instruct IRBs on this issue. Instead, we reiterate that all disclosures for research purposes under § 164.512(i) are voluntary, and that institutions may choose to impose more stringent requirements for any use and disclosure permitted under § 164.512.

Comment: Some commenters were concerned about the implications of proposed § 164.510(j) on multi-center research. These commenters argued that for multi-center research, researchers may require protected health information from multiple covered entities, each of whom may have different requirements for the documentation of IRB or privacy board review. Therefore, there was concern that documentation that suffices for one covered entity may not suffice for another, thereby hindering multi-center research.

Response: Since § 164.512(i) establishes minimum documentation standards for covered health care providers and health plans using or disclosing protected health information for research purposes, we understand that some covered providers and health plans may choose to impose additional documentation requirements on researchers. We note, however, that nothing in the final rule would preclude a covered health care provider or health plan from developing consistent documentation requirements, provided they meet the requirements of § 164.512(i).

Comment: One commenter was also concerned that the minimum necessary requirements of proposed § 164.506(b) would negatively affect multi-center research because covered entities participating in multi-site research studies would no longer be permitted to rely upon the consent form approved by a central IRB, nor would participating entities be permitted to report data to the researcher using the case report form approved by the central IRB to guide what data points to include. This commenter noted that the requirement that each site would need to undertake a separate minimum necessary review for each disclosure would erect significant barriers to the conduct of research and may compromise the integrity and validity of data combined from multiple sites. This commenter recommended that the Secretary absolve a covered entity of the responsibility to make its own individual minimum necessary determinations if the entity is disclosing information pursuant to an IRB or privacy board-approved protocol.

Response: The minimum necessary requirements in the final rule have been revised to permit covered entities to rely on the documentation of IRB or privacy board approval as meeting the minimum necessary requirements of § 164.514. However, we anticipate that much multi-site research, such as multi-site clinical trials, will be conducted with patients' informed consent as required by the Common Rule and FDA's protection of human subjects regulations, and that patients' authorization will also be sought for the use or disclosure of protected health information for such studies. Therefore, it should be noted that the minimum necessary requirements do not apply for uses or disclosures made with an authorization. In addition, the final rule allows a covered health care provider or health plan to use or disclose protected health information pursuant to an authorization that was approved by a single IRB or privacy board, provided the authorization met the requirements of § 164.508. The final rule does not, however, require IRB or privacy board review for the use or disclosure of protected health information for research conducted with individuals' authorization.

Comment: Some commenters believed that proposed § 164.510(j) would have required documentation of both IRB and privacy board review before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization.

Response: This is incorrect. Section 164.512(i)(1)(i) of the final rule requires documentation of alteration or waiver approval by either an IRB or a privacy board.

Comment: Some commenters believed that the proposed rule would have required that patients be notified whenever protected health information about themselves was disclosed for research purposes.

Response: This is incorrect. Covered entities are not required to inform individuals that protected health information about themselves has been disclosed for research purposes. However, as required in § 164.520 of the final rule, the covered entity must include research disclosures in its notice of information practices. In addition, as required by § 164.528 of the rule, covered health care providers and health plans must provide individuals, upon request, with an accounting of disclosures made of protected health information about the individual.

Comment: One commenter recommended that IRB and privacy boards also be required to be accredited.

Response: While we agree that the issue of accrediting IRBs and privacy boards deserves further consideration, we believe it is premature to require covered entities to ensure that the IRB or privacy board that approves an alteration or waiver of authorization is accredited. Currently, there are no accepted accreditation standards for IRBs or privacy boards, nor a designated accreditation body. Recognizing the need for and value of greater uniformity and public accountability in the review and approval process, HHS, with support from the Office of Human Research Protection, National Institutes of Health, Food and Drug Administration, Centers for Disease Control and Prevention, and Agency for Health Care Research and Quality, has engaged the Institute of Medicine to recommend uniform performance resource-based standards for private, voluntary accreditation of IRBs. This effort will draw upon work already undertaken by major national organizations to develop and test these standards by the spring of 2001, followed by initiation of a formal accreditation process before the end of next year. Once the Department has received the Institute of Medicine's recommended accreditation standards and process for IRBs, we plan to consider whether this accreditation model would also be applicable to privacy boards.

Comment: A few commenters also noted that if both an IRB and a privacy board reviewed a research study and came to conflicting decisions, proposed § 164.510(j) was unclear about which board's decision would prevail.

Response: The final rule does not stipulate which board's decision would prevail if an IRB and a privacy board came to conflicting decisions. The final rule requires covered entities to obtain documentation that one IRB or privacy board has approved of the alteration or waiver of authorization. The covered entity, however, has discretion to request information about the findings of all IRBs and/or privacy boards that have reviewed a research proposal. We strongly encourage researchers to notify IRBs and privacy boards of any prior IRB or privacy board review of a research protocol.

Comment: Many commenters noted that the NPRM included no guidance on how the privacy board should approve or deny researchers' requests. Some of these commenters recommended that the regulation stipulate that privacy boards be required to follow the same voting rules as required under the Common Rule.

Response: We agree that the Common Rule (§ ___.108(b)) provides a good model of voting procedures for privacy boards and incorporate such procedures to the extent they are relevant. In the final rule, we require that the documentation of alteration or waiver of authorization state that the alteration or waiver has been reviewed and approved by either (1) an IRB that has followed the voting requirements of the Common Rule (§ ___.108(b)), or the expedited review procedures of the Common Rule (§ ___.110); or (2) unless an expedited review procedure is used, a privacy board that has reviewed the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting.

Comment: A few commenters were concerned that the research provisions would be especially onerous for small non-governmental entities, furthering the federal monopoly on research.

Response: We understand that the documentation requirements of § 164.512(i), as well as other provisions in the final rule, may be more onerous for small entities than for larger entities. We believe, however, that when protected health information is to be used or disclosed for research without an individual's authorization, the additional privacy protections in § 164.512(i) are essential to reduce the risk of harm to the individual.

Comment: One commenter believed that it was paradoxical that, under the proposed rule, the disclosure of protected health information for research conducted with an authorization would have been more heavily burdened than research that was conducted without authorization, which they reasoned was far less likely to bring personal benefit to the research subjects.

Response: It was not our intent to impose more requirements on covered entities using or disclosing protected health information for research conducted with authorization than for research conducted without authorization. In fact, the proposed rule would have required only authorization as stipulated in proposed § 164.508 for research disclosures made with authorization, and would have been exempt from the documentation requirements in proposed § 164.510(j). We retain this treatment in the final rule. We disagree with the commenter who asserted that the requirements for research conducted with authorization are more burdensome for covered health care providers and plans than the documentation provisions of this paragraph.

Comment: A number of comments, mostly from the pharmaceutical industry, recommended that the final rule state that privacy boards be permitted to waive authorization only with respect to research uses of medical information collected in the course of treatment or health care operations, and not with respect to clinical research. Similarly, one commenter recommended that IRBs and privacy boards be authorized to review privacy issues only, not the entire research project. These commenters were concerned that by granting waiver authority to privacy boards and IRBs, and by incorporating the Common Rule waiver criteria into the waiver criteria included in the proposed rule, the Secretary has set the stage for privacy boards to review and approve waivers in circumstances that involve interventional research that is not subject to the Common Rule.

Response: We agree with the commenters who recommended that the final rule clarify that the documentation of IRB or privacy board approval of the waiver of authorization would be based only on an assessment of the privacy risks associated with a research study, not an assessment of all relevant risks to participants. In the final rule, we have amended the language in the waiver criteria to make clear that these criteria relate only to the privacy interests of the individual. We anticipate, however, that the vast majority of uses and disclosures of protected health information for interventional research will be made with individuals' authorization. Therefore, we expect it will be rare that a researcher will seek IRB or privacy board approval for the alteration or waiver of authorization, but seek informed consent for participation for the interventional component of the research study. Furthermore, we believe that interventional research, such as most clinical trials, could not meet the waiver criteria in the final rule (§ 164.512(i)(2)(ii)(C)), which states "the research could not practicably be conducted without the alteration or waiver." If a researcher is to have direct contact with research subjects, the researcher should in virtually all cases be able to seek and obtain patients' authorization for the use and disclosure of protected health information about themselves for the research study.

Comment: A few commenters recommended that the rule explicitly state that covered entities would be permitted to rely upon an IRB or privacy boards' representation that the research proposal meets the requirements of proposed § 164.510(j).

Response: We agree with this comment. The final rule clarifies that covered health care providers and health plans are allowed to rely on an IRB's or privacy board's representation that the research proposal meets the requirements of § 164.512(i).

Comment: One commenter recommended that IRBs be required to maintain web sites with information on proposed and approved projects.

Response: We agree that it could be useful for IRBs and privacy boards to maintain web sites with information on proposed and approved projects. However, requiring this of IRBs and privacy boards is beyond the scope of our authority under HIPAA. In addition, this recommendation raises concerns that would need to be addressed, including concerns about protecting the confidentiality of research participants and proprietary information that may be contained in research proposals. For these reasons, we decided not to incorporate this requirement into the final rule.

Comment: One commenter recommended that HHS collect data on research-related breaches of confidentiality and investigate existing anecdotal reports of such breaches.

Response: This recommendation is beyond HHS' legal authority, since HIPAA did not give us the authority to regulate researchers. Therefore, this recommendation was not included in the final rule.

Comment: A number of commenters were concerned that HIPAA did not give the Secretary the authority to protect information once it was disclosed to researchers who were not covered entities.

Response: The Secretary shares these commenters' concerns about the Department's limited authority under HIPAA. We strongly support the enactment of additional federal legislation to fill these crucial gaps in the Secretary's authority.

Comment: One commenter recommended that covered entities should be required to retain the IRB's or privacy board's documentation of approval of the waiver of individuals' authorization for at least six years from when the waiver was obtained.

Response: We agree with this comment and have included such a requirement in the final rule. See § 164.530(j).

Comment: One commenter recommended that whenever health information is used for research or administrative purposes, a plan is in place to evaluate whether to and how to feed patient-specific information back into the health system to benefit an individual or group of patients from whom the health information was derived.

Response: While we agree that this recommendation is consistent with the responsible conduct of research, HIPAA did not give us the authority to regulate research. Therefore, this recommendation was not included in the final rule.

Comment: A few commenters recommended that contracts between covered entities and researchers be required. Comments received in favor of requiring contractual agreements argued that such a contract would be enforceable under law, and should prohibit secondary disclosures by researchers. Some of these commenters recommended that contracts between covered entities and researchers should be the same as, or modeled on, the proposed requirements for business partners. In addition, some commenters argued that contracts between covered entities and researchers should be required as a means of placing equal responsibility on the researcher for protecting protected health information and for not improperly re-identifying information.

Response: In the final rule, we have added an additional waiver criterion to require that there are adequate written assurances from the researcher that protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart. We believe that this additional waiver criterion provides additional assurance that protected health information will not be misused by researchers, while not imposing the additional burdens of a contractual requirement on covered health care providers and health plans. We were not persuaded by the comments received that contractual requirements would provide necessary additional protections that would not also be provided by the less burdensome waiver criterion for adequate written assurance that the researcher will not re-use or disclose protected health information, with few exceptions. Our intent was to strengthen and extend existing privacy safeguards for protected health information that is used or disclosed for research, while not creating unnecessary disincentives to covered health care providers and health plans who choose to use or disclose protected health information for research purposes.

Comment: Some commenters explicitly opposed requiring contracts between covered entities and researchers as a condition of permitting the use or disclosure of protected health information for research purposes. These commenters argued that such a contractual requirement would be too onerous for covered entities and researchers and would hinder or halt important research.

Response: We agree with the arguments raised by these commenters, and thus, the final rule does not require contracts between covered entities and researchers as a condition of using or disclosing protected health information for research purposes without authorization.

Comment: A large number of commenters strongly supported requiring patient consent before protected health information could be used or disclosed, including but not limited to use and disclosure for research purposes. These commenters argued that the unconsented-to use of their medical records abridged their autonomy right to decide whether or not to participate in research. A few referenced the Nuremberg Code in support of their view, noting that the Nuremberg Code required individual consent for participation in research.

Response: We agree that it is of foremost importance that individuals' privacy rights and welfare be safeguarded when protected health information about themselves is used or disclosed for research studies. We also strongly believe that continued improvements in the nation's health require that researchers be permitted access to protected health information without authorization in certain circumstances. Additional privacy protections are needed, however, and we have included several in the final rule. If covered entities plan to disclose protected health information without individuals' authorization for research purposes, individuals must be informed of this through the covered entity's notice to patients of their information practices. In addition, before covered health care providers or health plans may use or disclose protected health information for research without authorization, they must obtain documentation that an IRB or privacy board has found that specified waiver criteria have been met, unless the research will include protected health information about deceased individuals only, or is solely for reviews that are preparatory to research.

While it is true that the first provision of the Nuremberg Code states that "the voluntary consent of the human subject is absolutely essential," it is important to understand the context of this important document in the history of protecting human subjects of research from harm. The Nuremberg Code was developed for the Nuremberg Military Tribunal as standards by which to judge the human experimentation conducted by the Nazis, and was one of the first documents setting forth principles for the ethical conduct of human subjects research. The Code was developed to address acts of atrocious cruelty, and it focused on preventing the violations of human rights and dignity that occurred in the name of "medical advancement." The Code, however, did not directly address the ethical conduct of non-interventional research, such as medical records research, where the risks of harm to participants can be unlike those associated with clinical research.

We believe that our proposed requirements for the use or disclosure of protected health information for research are consistent with the ethical principles of "respect for persons," "beneficence," and "justice," which were established by the Belmont Report in 1978, and are now accepted as the quintessential requirements for the ethical conduct of research involving human subjects, including research using individually identifiable health information. These ethical principles formed the foundation for the requirements in the Common Rule, on which our proposed requirements for research uses and disclosures were modeled.

Comment: Many commenters recommended that the privacy rule permit individuals to opt out of having their records used for the identified "important" public policy purposes in § 164.510, including for research purposes. These commenters asserted that permitting the use and disclosure of their protected health information without their consent, or without an opportunity to "opt out" of having their information used or disclosed, abridged individuals' right to decide who should be permitted access to their medical records. In addition, one commenter argued that although the research community has been sharply critical of a Minnesota law that limits access to health records (Minnesota Statute Section 144.335 (1998)), researchers have cited a lack of response to mailed consent forms as the primary factor behind a decrease in the percentage of medical records available for research. This commenter argued that an opt-out provision would not be subject to this "nonresponder" problem.

Response: We believe that a meaningful right to "opt out" of a research study requires that individuals be contacted and informed about the study for which protected health information about themselves is being requested by a researcher. We concluded, therefore, that an "opt out" provision of this nature may suffer from the same decliner bias that has been experienced by researchers who are subject to laws that require patient consent for medical records research. Furthermore, evidence on the effect of a mandatory "opt out" provision for medical records research is only fragmentary at this time, but at least one study has preliminarily suggested that those who refuse to consent for research access to their medical records may differ in statistically significant ways from those who consent with respect to variables such as age and disease category (SJ Jacobsen et al. "Potential Effect of Authorization Bias on Medical Records Research." Mayo Clin Proc 74: (1999) 330-338). For these reasons, we disagree with the commenters who recommended that an "opt out" provision be included in the final rule. In the final rule, we do require covered entities to include research disclosures in their notice of information practices. Therefore, individuals who do not wish for protected health information about themselves to be disclosed for research purposes without their authorization could select a health care provider or health plan on this basis. In addition, the final rule also permits covered health care providers or health plans to agree not to disclose protected health information for research purposes, even if research disclosures would otherwise be permitted under their notice of information practices. Such an agreement between a covered health care provider or health plan and an individual would not be enforceable under the final rule, but might be enforceable under applicable state law.

Comment: Some commenters explicitly recommended that there should be no provision permitting individuals to opt out of having their information used for research purposes.

Response: We agree with these commenters for the reasons discussed above.

IRB and Privacy Board Review

Comment: The NPRM imposed no requirements for the location or sponsorship of the IRB or privacy board. One commenter supported the proposed approach to permit covered entities to rely on documentation of a waiver by an IRB or privacy board that was convened by the covered entity, the researcher, or another entity.

In contrast, a few commenters recommended that the NPRM require that the IRB or privacy board be outside of the entity conducting the research, although the rationale for these recommendations was not provided. Several industry and consumer groups alternatively recommended that the regulation require that privacy boards be based at the covered entity. These comments argued that "if the privacy board is to be based at the entity receiving data, and that entity is not a covered entity, there will be little ability to enforce the regulation or study the effectiveness of the standards."

Response: We agree with the comment supporting the proposed rule's provision to impose no requirements for the location or sponsorship of the IRB or privacy board that was convened to review a research proposal for the alteration or waiver of authorization criteria. In the absence of a rationale, we were not persuaded by the comments asserting that the IRB or privacy board should be convened outside of the covered entity. In addition, while we agree with the comments that asserted HHS would have a greater ability to enforce the rule if a privacy board was established at the covered entity rather than an uncovered entity, we concluded that the additional burden that such a requirement would place on covered entities was unwarranted. Furthermore, under the Common Rule and FDA's protection of human subjects regulations, IRB review often occurs at the site of the recipient researchers' institution, and it was not our intent to change this practice. Therefore, in the final rule, we continue to impose no requirements for the location or sponsorship of the IRB or privacy board.

Privacy Board Membership

Comment: Some commenters were concerned that the proposed composition of the privacy board did not adequately address potential conflicts of interest of the board members, particularly since the proposed rule would have permitted the board's "unaffiliated" member to be affiliated with the entity disclosing the protected health information for research purposes. To address this concern, some commenters recommended that the required composition of privacy boards be modified to require "...at least one member who is not affiliated with the entity receiving or disclosing protected health information." These commenters believed that this addition would be more sound and more consistent with the Common Rule's requirements for the composition of IRBs. Furthermore, it was argued that this requirement would prohibit covered entities from creating a privacy board comprised entirely of its own employees.

Response: We agree with these comments. In the final rule we have revised the proposed membership for privacy boards to reduce potential conflicts of interest among board members. The final rule requires that documentation of alteration or waiver from a privacy board is only valid under § 164.512(i) if the privacy board includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to a person who is affiliated with such entities.

Comment: One commenter recommended that privacy boards be required to include more than one unaffiliated member to address concerns about conflict of interest among members.

Response: We disagree that privacy boards should be required to include more than one unaffiliated member. We believe that the revised membership criterion for the unaffiliated member of the privacy board, and the criterion that requires that the board have no member participating in a review of any project in which the member has a conflict of interest, are sufficient to ensure that no member of the board has a conflict of interest in a research proposal under their review.

Comment: Many commenters also recommended that the membership of privacy boards be required to be more similar to that of IRBs. These commenters were concerned that privacy boards, as described in the proposed rule, would not have the needed expertise to adequately review and oversee research involving the use of protected health information. A few of these commenters also recommended that IRBs be required to have at least one member trained in privacy or security matters.

Response: We disagree with the comments asserting that the membership of privacy boards should be required to be more similar to that of IRBs. Unlike IRBs, privacy boards only have responsibility for reviewing research proposals that involve the use or disclosure of protected health information without authorization. We agree, however, that the proposed rule may not have ensured that a privacy board had the necessary expertise to adequately protect individuals' privacy rights and interests. Therefore, in the final rule, we have modified one of the membership criteria for privacy boards to require that the board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests.

Comment: Two commenters recommended that IRBs and privacy boards be required to include patient advocates.

Response: The Secretary's legal authority under HIPAA does not permit HHS to modify the membership of IRBs. Moreover, we disagree with the comments recommending that IRBs and privacy boards should be required to include patient advocates. We were not persuaded that patient advocates are the only persons with the needed expertise to protect patients' privacy rights and interests. Therefore, in the final rule, we do not require that patient advocates be included as members of a privacy board. However, under the final rule, IRB and privacy board members could include patient advocates provided they met the required membership criteria in § 164.512(i).

Comment: A few commenters requested clarification of the term "conflict of interest" as it pertained to the proposed rule's criteria for IRB and privacy board membership. In particular, some commenters recommended that the final rule clarify what degree of involvement in a research project by a privacy board member would constitute a conflict, thereby precluding that individual's participation in a review. One commenter specifically requested clarification about whether employment by the covered entity constituted a conflict of interest, particularly if the covered entity is receiving a financial gain from the conduct of the research.

Response: We understand that determining what constitutes conflict of interest can be complex. We do not believe that employees of covered entities or employees of the research institution requesting protected health information for research purposes are necessarily conflicted, even if those employees may benefit financially from the research. However, there are many factors that should be considered in assessing whether a member of an IRB has a conflict of interest, including financial and intellectual conflicts.

As part of a separate, but related effort to the final rule, during the summer of 2000, HHS held a conference on human subject protection and financial conflicts of interest. In addition, HHS solicited comments from the public about financial conflicts of interest associated with human subjects research for researchers, IRB members and staff, and research sponsors. The findings from the conference and the public comments received are forming the basis for guidance that HHS is now developing on financial conflicts of interest.

Privacy Training for IRB and Privacy Boards

Comment: A few commenters expressed support for training IRB members and chairs about privacy issues, recommending that such training either be required or that it be encouraged in the final rule.

Response: We agree with these comments and thus encourage institutions that administer IRBs and privacy boards to ensure that the members of these boards are adequately trained to protect the privacy rights and welfare of individuals about whom protected health information is used for research purposes. In the final rule, we require that privacy board members have varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests. We believe that this criterion for privacy board membership requires that members already have the necessary knowledge or that they be trained to address privacy issues that arise in the conduct of research that involves the use of protected health information. In addition, we note that the Common Rule (§ ___.107(a)) already imposes a general requirement that IRB members possess adequate training and experience to adequately evaluate the research which the IRB reviews. IRBs are also authorized to obtain the services of consultants (§ ___.107(f)) to provide expertise not available on the IRB. We believe that these existing requirements in the Common Rule already require that an IRB have the necessary privacy expertise.

Waiver Criteria

Comment: A large number of comments supported the proposed rule's criteria for the waiver of authorization by an IRB or privacy board.

Response: While we agree that several of the waiver criteria should be retained in the final rule, we have made changes to the waiver criteria to address some of the comments we received on specific criteria. The reasons for these changes are discussed in the responses to comments below.

Comment: In addition to the proposed waiver criteria, several commenters recommended that the final rule also instruct IRBs and privacy boards to consider the type of protected health information and the sensitivity of the information to be disclosed in determining whether to grant a waiver, in whole or in part, of the authorization requirements.

Response: We agree with these comments, but believe that the requirement to consider the type and sensitivity of protected health information was already encompassed by the proposed waiver criteria. We encourage and expect that IRBs and privacy boards will take into consideration the type and sensitivity of protected health information, as appropriate, in considering the waiver criteria included in the final rule.

Comment: Many commenters were concerned that the criteria were not appropriate in the context of privacy risks and recommended that the waiver criteria be rewritten to more precisely focus on the protection of patient privacy. In addition, some commenters argued that the proposed waiver criteria were redundant with the Common Rule and were confusing because they mix elements of the Common Rule's waiver criteria--some of which they argued were relevant only to interventional research. In particular, a number of commenters raised these concerns about proposed criterion (ii). Some of these commenters suggested that the word "privacy" be inserted before "rights."

Response: We agree with these comments. To focus all of the criteria on individuals' privacy interests, in the final rule, we have modified one of the proposed waiver criteria, eliminated one proposed criterion, and added an additional criterion: (1) the proposed criterion which stated, "the waiver will not adversely affect the rights and welfare of the subjects," has been revised in the final rule as follows: "the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;" (2) the proposed criterion which stated, "whenever appropriate, the subjects will be provided with additional pertinent information after participation," has been eliminated; and (3) a criterion has been added in the final rule which states, "there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart." In addressing these criteria, we expect that IRBs and privacy boards will not only consider the immediate privacy interests of the individual that would arise from the proposed research study, but also the possible consequences of a loss of privacy, such as the loss of employment, loss or change in cost of health insurance, and social stigma.

Comment: A number of commenters were concerned about the interaction between the proposed rule and the Common Rule. One commenter opposed the four proposed waiver criteria which differed from the Common Rule's criteria for the waiver of informed consent (§ ___.116(d)) on the grounds that the four criteria proposed in addition to the Common Rule's waiver criteria would apply only to the research use and disclosure of protected health information by covered entities. This commenter argued that this would lead to different standards for the protection of other kinds of individually identifiable health information used in research that will fall outside of the scope of the final rule. This commenter concluded that this inconsistency would be difficult for IRBs to administer, difficult for IRB members to distinguish, and would be ethically questionable. For these reasons, many commenters recommended that the final rule should permit the waiver criteria of the Common Rule to be used in lieu of the waiver criteria identified in the proposed rule.

Response: We disagree with the comments recommending that the waiver criteria of the Common Rule should be permitted to be used in lieu of the waiver criteria identified in the proposed rule. The Common Rule's waiver criteria were designed to protect research subjects from all harms associated with research, not specifically to protect individuals' privacy interests. We understand that the waiver criteria in the final rule may initially cause confusion for IRBs and researchers that must attend to both the final rule and the Common Rule, but we believe that the additional waiver criteria adopted in the final rule are essential to ensure that individuals' privacy rights and welfare are adequately safeguarded when protected health information about themselves is used for research without their authorization. We agree that protecting the privacy rights and welfare of all human subjects, in all forms of research, is ethically required, and the new Office of Human Research Protection will immediately initiate plans to review the confidentiality provisions of the Common Rule.

In addition, at the request of the President, the National Bioethics Advisory Commission has begun an examination of the current federal system for the protection of human subjects in research. The current scope of the federal regulatory protections for human subjects in research is just one of the issues that will be addressed in the Commission's report, and the Department looks forward to receiving the Commission's recommendations.

CONCERNS ABOUT SPECIFIC WAIVER CRITERIA

Comment: One commenter argued that the term "welfare" was vague and recommended that it be deleted from the proposed waiver of authorization criterion which stated, "the waiver will not adversely affect the rights and welfare of the subjects."

Response: We disagree with the comment recommending that the final rule eliminate the term "welfare" from this waiver criterion. As discussed in the National Bioethics Advisory Commission's 1999 report entitled, "Research Involving Human Biological Materials: Ethical Issues and Policy Guidance," "Failure to obtain consent may adversely affect the rights and welfare of subjects in two basic ways. First, the subject may be improperly denied the opportunity to choose whether to assume the risks that the research presents, and second, the subject may be harmed or wronged as a result of his or her involvement in research to which he or she has not consented....Subjects' interest in controlling information about themselves is tied to their interest in, for example, not being stigmatized and not being discriminated against in employment and insurance." Although this statement by the Commission was made in the context of research involving human biological materials, we believe research that involves the use of protected health information similarly requires that social and psychological harms be considered when assessing whether an alteration or waiver will adversely affect the privacy rights and welfare of individuals. We believe it would be insufficient to attend only to individuals' privacy "rights," since some of the harms that could result from a breach of privacy, such as stigmatization and discrimination in employment or insurance, may not be tied directly to an individual's "rights" but would have a significant impact on his or her welfare. Therefore, in the final rule, we have retained the term "welfare" in this criterion for the alteration or waiver of authorization but modified the criterion as follows to focus more specifically on privacy concerns and to clarify that it also pertains to alterations of authorization: "the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals."

Comment: A few commenters recommended that the proposed waiver criterion that stated, "the research could not practicably be conducted without the waiver," be modified to eliminate the term "practicably." These commenters believed that determining what is "practicable" was subjective and that eliminating the term would facilitate IRBs' and privacy boards' implementation of this criterion. In addition, one commenter was concerned that this term could be construed to require authorization if enough weight is given to a privacy interest, and little weight is given to cost or administrative burden. This commenter recommended that the criterion be changed to allow a waiver if the "disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made."

Response: We disagree with the comments recommending that the term "practicably" be deleted from this waiver criterion. We believe that an assessment of practicability is necessary to account for research that may be possible to conduct with authorization but that would be impracticable if authorization were required. For example, in a research study that involves thousands of records, it may be possible to track down all potential subjects, but doing so may entail costs that would make the research impracticable. In addition, IRBs have experience implementing this criterion since it is nearly identical to a waiver criterion in the Common Rule (§ ___.116(d)(3)).

We also disagree with the recommendation to change the criterion to state, "disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made." We believe it is essential that consideration be given as to whether it would be practicable for research to be conducted with authorization in determining whether a waiver of authorization is justified. If the research could practicably be conducted with authorization, then authorization must be sought. Authorization must not be waived simply for convenience.

Therefore, in the final rule, we have retained this criterion and clarified that it also applies to alterations of authorization. This waiver criterion in the final rule states, "the research could not practicably be conducted without the alteration or waiver."

Comment: Some commenters argued that the criterion which stated, "whenever appropriate, the subjects will be provided with additional pertinent information after participation," should be deleted. Some comments recommended that the criterion should be deleted for privacy reasons, arguing that it would be inappropriate to create a reason for the researcher to contact the individual whose data were analyzed, without IRB review of the proposed contact as a patient intervention. Other commenters argued for the deletion of the criterion on grounds that requiring researchers to contact patients whose records were used for archival research would be unduly burdensome, while adding little to the patient's base of information. Several commenters also argued that the criterion was not pertinent to non-interventional retrospective research requiring access to archived protected health information.

In addition, one commenter asserted that this criterion was inconsistent with the Secretary's rationale for prohibiting disclosures of "research information unrelated to treatment" for purposes other than research. This commenter argued that the privacy regulations should not mandate that a covered entity provide information with unknown validity or utility directly to patients. This commenter recommended that a patient's physician, not the researcher, should be the one to contact a patient to discuss the significance of new research findings for that individual patient's care.

Response: Although we disagree with the arguments made by commenters recommending that this criterion be eliminated in the final rule, we concluded that the criterion was not directly related to ensuring the privacy rights and welfare of individuals. Therefore, we eliminated this criterion in the final rule.

Comment: A few commenters recommended that the criterion, which required that "the research would be impracticable to conduct without access to and use of the protected health information," be deleted because it would be too subjective to be meaningful.

Response: We disagree with comments asserting that this proposed criterion would be too subjective. We believe that researchers should be required to demonstrate to an IRB or privacy board why protected health information is necessary for their research proposal. If a researcher could practicably use de-identified health information for a research study, protected health information should not be used or disclosed for the study without individuals' authorization. Therefore, we retain this criterion in the final rule. In considering this criterion, we expect IRBs and privacy boards to consider the amount of information that is needed for the study. To ensure the covered health care provider or health plan is informed of what information the IRB or privacy board has determined may be used or disclosed without authorization, the final rule also requires that the documentation of IRB or privacy board approval of the alteration or waiver describe the protected health information for which use or access has been determined to be necessary.

Comment: A large number of comments objected to the proposed waiver criterion, which stated that, "the research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure." The majority of these commenters argued that the criterion was overly subjective, and that due to its subjectivity, IRBs and privacy boards would inevitably apply it inconsistently. Several commenters asserted that this criterion was unsound in that it would impose on reviewing bodies the explicit requirement to form and debate conflicting value judgments about the relative weights of the research proposal versus an individual's right to privacy. Furthermore, these commenters argued that this criterion was also unnecessary because the Common Rule already has a requirement that deals with this issue more appropriately. In addition, one commenter argued that the rule should eliminate this criterion because common purposes should not override individual rights in a democratic society. Based on these arguments, these commenters recommended that this criterion be deleted.

Response: We disagree that it is inappropriate to ask IRBs and privacy boards to ensure that there is a just balance between the expected benefits and risks to individual participants from the research. As noted by several commenters, IRBs currently conduct such a balancing of risks and benefits because the Common Rule contains a similar criterion for the approval of human subjects research (§ ___.111(a)(2)). However, we disagree with the comments asserting that the proposed criterion was unnecessary because the Common Rule already contains a similar criterion. The Common Rule does not explicitly address the privacy interests of research participants and does not apply to all research that involves the use or disclosure of protected health information. However, we agree that the relevant Common Rule criterion for the approval of human subjects research provides better guidance to IRBs and privacy boards for assessing the privacy risks and benefits of a research proposal. Therefore, in the final rule, we modeled the criterion on the relevant Common Rule requirement for the approval of human subjects research, and revised the proposed criterion to state: "the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research."

Comment: One commenter asserted that as long as the research organization has adequate privacy protections in place to keep the information from being further disclosed, it is unnecessary for the IRB or privacy board to make a judgment on whether the value of the research outweighs the privacy intrusion.

Response: The Department disagrees with the assertion that adequate safeguards of protected health information are sufficient to ensure that the privacy rights and welfare of individuals are adequately protected. We believe it is imperative that there be an assessment of the privacy risks and anticipated benefits of a research study that proposes to use protected health information without authorization. For example, if a research study was so scientifically flawed that it would provide no useful knowledge, any risk to patient privacy that might result from the use or disclosure of protected health information without individuals' authorization would be too great.

Comment: A few commenters asserted that the proposed criterion requiring "an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining identifiers," conflicted with the regulations of the FDA on clinical record keeping (21 CFR 812.140(d)) and the International Organization for Standardization's standard on control of quality records (ISO 13485, 4.16), which require that relevant data be kept for the life of a device.

In addition, one commenter asserted that this criterion could prevent follow-up care. Similarly, other commenters argued that the new waiver criteria would be likely to confuse IRBs and might impair researchers' ability to go back to IRBs to request extensions of the time for which samples or data can be stored if researchers are unable to anticipate future uses of the data.

Response: We do not agree with the comment that there is a conflict between either the FDA regulations or the ISO standard and the proposed waiver criterion in the rule. We believe that compliance with such recordkeeping requirements would be "consistent with the conduct of research" that is subject to such requirements. Nonetheless, to avoid any confusion, in the final rule we have added the phrase "or such retention is otherwise required by law" to this waiver criterion.

We also disagree with the comments that this criterion would prevent follow-up care to individuals or unduly impair researchers from retaining identifiers on data for future research. We believe that patient care would qualify as a "health...justification for retaining identifiers." In addition, we understand that researchers may not always be able to anticipate that the protected health information they receive from a covered health care provider or health plan for one research project may be useful for the conduct of future research studies. However, we believe that the concomitant risk to patient privacy of permitting researchers to retain identifiers they obtained without authorization would undermine patient trust, unless researchers could identify a health or research justification for retaining the identifiers. In the final rule, an IRB or privacy board is not required to establish a time limit on a researcher's retention of identifiers.

ADDITIONAL WAIVER CRITERIA

Comment: A few comments recommended that there be an additional waiver criterion to safeguard or limit subsequent use or disclosure of protected health information by the researcher.

Response: We agree with these comments. In the final rule, we include a waiver criterion requiring "there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart."

Waiving Authorization, in Whole or in Part

Comment: A few commenters requested that the final rule clarify what "in whole or in part" means if authorization is waived or altered.

Response: In the proposed rule, it was HHS' intent to permit IRBs and privacy boards to either waive all of the elements for authorization, or alternatively, waive only some of the elements of authorization. Furthermore, we also intended to permit IRBs and privacy boards to alter the authorization requirements. Therefore, in the final rule, we clarify that the alteration to and waiver of authorization, in whole or in part, are permitted as stipulated in § 164.512(i).

Expedited Review

Comment: One commenter asserted that the proposed rule would prohibit expedited review as permitted under the Common Rule. Many commenters supported the proposal in the rule to incorporate the Common Rule's provision for expedited review, and strongly recommended that this provision be retained in the final rule. Several of these commenters argued that the expedited review mechanism provides IRBs with much-needed flexibility to focus volunteer IRB members' limited resources.

Response: We agree that expedited review should be available, and included a provision permitting expedited review under specified conditions. We understand that the National Bioethics Advisory Commission is currently developing a report on the federal oversight of human subjects research, which is expected to address the Common Rule's requirements for expedited review. HHS looks forward to receiving the National Bioethics Advisory Commission's report, and will modify the provisions for expedited review in the privacy rule if changes are warranted by the Commission's findings and recommendations.

Required Signature

Comment: A few commenters asserted that the proposed requirement that the written documentation of IRB or privacy board approval be signed by the chair of the IRB or the privacy board was too restrictive. Some commenters recommended that the final rule permit the documentation of IRB or privacy board approval to be signed by persons other than the IRB or privacy board chair, including: (1) any person authorized to exercise executive authority under the IRB's or privacy board's written procedures; (2) the IRB's or privacy board's acting chair or vice chair in the absence of the chair, if permitted by IRB procedures; and (3) the covered entity's privacy official.

Response: We agree with the commenters who argued that the final rule should permit the documentation of IRB or privacy board approval to be signed by someone other than the chair of the board. In the final rule, we permit the documentation of alteration or waiver of authorization to be signed by the chair or other member, as designated by the chair of the IRB or privacy board, as applicable.

Research Use and Disclosure with Authorization

Comment: Some commenters, including several industry and consumer groups, argued that the proposed rule would establish a two-tiered system for public and private research. Privately funded research conducted with an authorization for the use or disclosure of protected health information would not require IRB or privacy board review, while publicly funded research conducted with authorization would require IRB review as required by the Common Rule. Many of these commenters argued that authorization is insufficient to protect patients involved in research studies and recommended that IRB or privacy board review should be required for all research regardless of sponsor. These commenters asserted that it is not sufficient to obtain authorization, and that IRBs and privacy boards should review the authorization document, and assess the risks and benefits to individuals posed by the research.

Response: For the same reasons that we rejected the recommendation that we eliminate the option for privacy board review and require IRB review for the waiver of authorization, we also decided against requiring documentation of IRB or privacy board approval for research conducted with authorization. HHS strongly agrees that IRB review is essential for the adequate protection of human subjects involved in research, regardless of whether informed consent and/or individuals' authorization is obtained. In fact, IRB review may be even more important for research conducted with subjects' informed consent and authorization, since such research may present greater than minimal risk to participants. However, HHS' authority under HIPAA is limited to safeguarding the privacy of protected health information, and does not extend to protecting human subjects more broadly. Therefore, in the final rule we have not required documentation of IRB or privacy board review for the research use or disclosure of protected health information conducted with individuals' authorization. As mentioned above, HHS looks forward to receiving the recommendations of the National Bioethics Advisory Commission, which is examining the current scope of federal regulatory protections for human subjects in research as part of its overarching report on the federal oversight of human subjects protections.

Comment: Due to concern about several of the elements of authorization, many commenters recommended that the final rule stipulate that "informed consent" obtained pursuant to the Common Rule be deemed to meet the requirements for "authorization." These commenters argued that the NPRM's additional authorization requirements offered no additional protection to research participants but would be a substantive impediment to research.

Response: We disagree with the comments asserting that the proposed requirements for authorization for the use or disclosure of protected health information would have offered research subjects no additional privacy protection. Because the purposes of authorization and informed consent differ, the proposed rule's requirements for authorization pursuant to a request from a researcher (§ 164.508) and the Common Rule's requirements for informed consent (Common Rule, § ___.116) contain important differences. For example, unlike the Common Rule, the proposed rule would have required that the authorization include a description of the information to be used or disclosed that identifies the information in a specific and meaningful way, an expiration date, and, where use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result. We believe that the authorization requirements provide individuals with information, not required by the Common Rule, that is necessary to determine whether to authorize a specific use or disclosure of protected health information about themselves.

Therefore, in the final rule, we retain the requirement for authorization for all uses and disclosures of protected health information not otherwise permitted without authorization by the rule. Some of the proposed requirements for authorization were modified in the final rule as discussed in the preamble on § 164.508. The comments received on specific proposed elements of authorization as they would have pertained to research are addressed below.

Comment: A number of commenters, including several from industry and consumer groups, recommended that the final rule require patients' informed consent as stipulated in the Common Rule. These commenters asserted that the proposed authorization document was inadequate for research uses and disclosures of protected health information since it included fewer elements than required for informed consent under the Common Rule, including, for example, the Common Rule's requirement that the informed consent document include: (1) a description of any reasonably foreseeable risks or discomforts to the subject; and (2) a description of any benefits to the subject or to others which may reasonably be expected from the research (Common Rule, § ___.116(a)).

Response: While we agree that the ethical conduct of research requires the voluntary informed consent of research subjects, as stipulated in the Common Rule, as we have stated elsewhere, the privacy rule is limited to protecting the confidentiality of individually identifiable health information, and not protecting human subjects more broadly. Therefore, we believe it would not be within the scope of the final rule to require informed consent as stipulated by the Common Rule for research uses and disclosures of protected health information.

Comment: Several commenters specifically objected to the authorization requirement for an "expiration date." To remedy this concern, many of these commenters proposed that the rule exempt research from the requirement for an expiration date if an IRB has reviewed and approved the research study. In particular, some commenters asserted that the requirement for an expiration date would be impracticable in the context of clinical trials, where the duration of the study depends on several different factors that cannot be predicted in advance. These commenters argued that determining an exact date would be impossible due to the legal requirements that manufacturers and the Food and Drug Administration be able to retrospectively audit the source documents when patient data are used in clinical trials. In addition, some commenters asserted that a requirement for an expiration date would force researchers to designate specific expiration dates so far into the future as to render them meaningless.

Response: We agree with commenters that an expiration date is not always possible or meaningful. In the final rule, we continue to require an identifiable expiration, but permit it to be a specific date or an event directly relevant to the individual or the purpose of the authorization (e.g., for the duration of a specific research study) in which the individual is a participant.

Comment: A number of commenters, including those from the pharmaceutical industry, were concerned about the authorization requirement that gave patients the right to revoke consent for participation in clinical research. These commenters argued that such a right to revoke authorization for the use of their protected health information would require complete elimination of the information from the record. Some stated that in the conduct of clinical trials, the retrieval of individually identifiable health information that has already been blinded and anonymized is not only burdensome but, should this become a widespread practice, would render the trial invalid. One commenter suggested that the Secretary modify the proposed regulation to allow IRBs or privacy boards to determine the duration of authorizations and the circumstances under which a research participant should be permitted to retroactively revoke his or her authorization to use data already collected by the researcher.

Response: We agree with these concerns. In the final rule we have clarified that an individual cannot revoke an authorization to the extent that action has been taken in reliance on the authorization. Therefore, if a covered entity has already used or disclosed protected health information for a research study pursuant to an authorization obtained as required by § 164.508, the covered entity is not required under the rule, unless it agreed otherwise, to destroy protected health information that was collected, nor retrieve protected health information that was disclosed under such an authorization. However, once an individual has revoked an authorization, no additional protected health information may be used or disclosed unless otherwise permitted by this rule.

Comment: Some commenters were concerned that the authorization requirement to disclose "financial gain" would be problematic as it would pertain to research. These commenters asserted that this requirement could mislead patients and would make it more difficult to attract volunteers to participate in research. One commenter recommended that the statement be revised to state "that the clinical investigator will be compensated for the value of his/her services in administrating this clinical trial." Another commenter recommended that the authorization requirement for disclosure of financial gain be defined in accordance with FDA's financial disclosure rules.

Response: We strongly believe that a requirement for the disclosure of financial gain is imperative to ensure that individuals are informed about how and why protected health information about themselves will be used or disclosed. We agree, however, that the language of the proposed requirement could cause confusion, because most activities involve some type of financial gain. Therefore, in the final rule, we have modified the language to provide that when the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration (rather than financial gain) from a third party in exchange for using or disclosing the health information, the authorization must include a statement that such remuneration will result.

Comment: A few commenters asserted that the requirement to include a statement in which the patient acknowledged that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law would be inconsistent with existing protections implemented by IRBs under the Common Rule. In particular they stated that this inconsistency exists because IRBs are required to consider the protections in place to protect patients' confidential information and that IRBs are charged with ensuring that researchers comply with the confidentiality provisions of the informed consent document.

Response: We disagree that this proposed requirement would pose a conflict with the Common Rule, since the requirement was for a statement that the "information may no longer be protected by the federal privacy law." This statement does not pertain to the protections provided under the Common Rule. In addition, while we anticipate that IRBs and privacy boards will most often waive all or none of the authorization requirements, we clarify that an IRB or privacy board could alter this requirement, among others, if the documentation requirements of § 164.512(i) have been met.

Reviews Preparatory to Research

Comment: Some industry groups expressed concern that the research provision would prohibit physicians from using patient information to recruit subjects into clinical trials. These commenters recommended that researchers continue to have access to hospitals' and clinics' patient information in order to recruit patients for studies.

Response: Under the proposed rule, even if the researcher only viewed the medical record at the site of the covered entity and did not record the protected health information in a manner in which patients could be identified, such an activity would have constituted a use or disclosure that would have been subject to proposed § 164.508 or proposed § 164.510. Based on the comments received and the fact finding we conducted with the research community, we concluded that requiring documentation of IRB or privacy board approval could halt the development of research hypotheses that require access to protected health information before a formal protocol can be developed and brought to an IRB or privacy board for approval. To avoid this unintended result, the final rule permits covered health care providers and health plans to use or disclose protected health information for research if the covered entity obtains from the researcher representations that: (1) use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (2) no protected health information is to be removed from the covered entity by the researcher in the course of the review; and (3) the protected health information for which use or access is sought is necessary for the research purposes.

Comment: A few commenters asserted that the final rule should eliminate the possibility that research requiring access to protected health information could be determined to be "exempt" from IRB review, as provided by the Common Rule (§ ___.101(b)(4)).

Response: The rule did not propose nor intend to modify any aspect of the Common Rule, including the provision that exempts from coverage "research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available, or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or indirectly through identifiers linked to the subjects" (§ ___.101(b)(4)). For the reasons discussed above, we have included a provision in the final rule for reviews preparatory to research that was modeled on this exemption to the Common Rule.

Deceased Persons Exception for Research

Comment: A few commenters expressed support for the proposal to allow use and disclosure of protected health information about decedents for research purposes without the protections afforded to the protected health information of living individuals. One commenter, for example, explained that it extensively uses such information in its research, and any restrictions were likely to impede its efforts. Alternatively, a number of commenters provided arguments for eliminating the research exception for deceased persons. They commented that the same concerns regarding use and disclosure of genetic and hereditary information for other purposes apply in the research context. They believed that in many cases the risk of identification was greater in the research context because researchers may attempt to identify genetic and hereditary conditions of the deceased. Finally, they argued that while information of the deceased does not necessarily identify living relatives by name, living relatives could be identified and suffer the same harm as if their own medical records were used or disclosed for research purposes. Another commenter stated that the exception was unnecessary, and that existing research could and should proceed under the requirements in proposed § 164.510 that dictated the IRB/privacy board approval process, or be conducted using de-identified information. This commenter further stated that in this way, at least there would be some degree of assurance that all reasonable steps are taken to protect deceased persons' and their families' confidentiality.

Response: Although we understand the concerns raised by commenters, we believe those concerns are outweighed by the need to keep the research-related policies in this rule as consistent as possible with standard research practice under the Common Rule, which does not consider deceased persons to be "human subjects." Thus, we retain the exception in the final rule. With regard to the protected health information about a deceased individual, therefore, a covered entity is permitted to use or disclose such information for research purposes without obtaining authorization from a personal representative and absent approval by an IRB or privacy board as governed by § 164.512(i). We note that the National Bioethics Advisory Committee (NBAC) is currently considering revising the Common Rule's definition of "human subject" with regard to coverage of the deceased. However, at this time, NBAC's deliberations on this issue are not yet completed and any reliance on such discussions would be premature.

The final rule requires at § 164.512(i)(1)(iii) that covered entities obtain from the researcher (1) representation that the use or disclosure is sought solely for research on the protected health information of decedents; (2) documentation, at the request of the covered entity, of the death of such individuals; and (3) representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. It is our intention with this change to reduce the burden on, and the ambiguity faced by, the covered entity in determining whether or not the request is for protected health information of a deceased individual.

Comment: Some commenters, in their support of the research exception, requested that HHS clarify in the final rule that protected health information obtained during the donation process of eyes and eye tissue could continue to be used or disclosed to or by eye banks for research purposes without an authorization and without IRB approval. They expressed concern over the impediments to this type of research these approvals would impose, such as added administrative burden and vulnerabilities to the time sensitive nature of the process.

Another commenter similarly expressed the position that, with regard to uses and disclosures of protected health information for tissue, fluid, or organ donation, the regulation should not present an obstacle to the transfer of donations unsuitable for transplant to the research community. However, they believed that consent can be obtained for such purposes: since the donor or donor's family must generally consent to any transplant purposes, it would seem to be a minimal additional obligation to seek consent for research purposes at the same time, should the material be unsuitable for transplant.

Response: Protected health information about a deceased individual, including information related to eyes and eye tissue, can be used or disclosed further for research purposes by a covered entity in accordance with § 164.512(i)(1)(iii) without authorization or IRB or privacy board approval. This rule does not address whether organs unsuitable for transplant may be transferred to researchers with or without consent.

Modification of the Common Rule

Comment: We received a number of comments that interpreted the proposed rule as having unnecessarily and inappropriately amended the Common Rule. Assuming that the Common Rule was being modified, these comments argued that the rule was legally deficient under the Administrative Procedures Act, the Regulatory Flexibility Act, and other controlling Executive orders or laws.

In addition, one research organization expressed concern that, by involving IRBs in the process of approving a waiver of authorization for disclosure purposes and establishing new criteria for such waiver approvals, the proposed rule would have subjected covered entities whose IRBs failed to comply with the requirements for reviewing and approving research to potential sanctions under HIPAA. The comment recommended that the rule be changed to eliminate such a punitive result. Specifically, the comment recommended that the existing Common Rule structure be preserved for IRB-approved research, and that the waiver of authorization criteria for privacy purposes be kept separate from the other functions of the IRB.

Response: We disagree with the comments asserting the proposed rule attempted to change the Common Rule. It was not our intent to modify or amend the Common Rule or to regulate the activities of the IRBs with respect to the underlying research. We therefore reject the comments about legal deficiencies in the rule which are based on the mistaken perception that the Common Rule was being amended. The proposed rule established new requirements for covered entities before they could use or disclose protected health information for research without authorization. The proposed rule provided that one method by which a covered entity could obtain the necessary documentation was to receive it from an IRB. We did not mandate IRBs to perform such reviews, and we expressly provided for means other than through IRBs for covered entities to obtain the required documentation.

In the final rule, we also have clarified our intent not to interfere with existing requirements for IRBs by amending the language in the waiver criteria to make clear that these criteria relate to the privacy interests of the individual and are separate from the criteria that would be applied by an IRB to any evaluation of the underlying research. Moreover, we have restructured the final rule to also make clear that we are regulating only the content and conditions of the documentation upon which a covered entity may rely in making a disclosure of protected health information for research purposes.

We cannot and do not purport to regulate IRBs or modify the Common Rule through this regulation. We cannot under this rule penalize an IRB for failure to comply with the Common Rule, nor can we sanction an IRB based on the documentation requirements in the rule. Health plans and covered health care providers may rely on documentation from an IRB or privacy board concerning the alteration or waiver of authorization for the disclosure of protected health information for research purposes, provided the documentation, on its face, meets the requirements in the rule. Health plans and covered health care providers will not be penalized for relying on facially adequate documentation from an IRB. Health plans and covered health care providers will only be penalized for their own errors or omissions in following the requirements of the rule, and not those of the IRB.

Use Versus Disclosure

Comment: Many of the comments supported the proposed rule's provision that would have imposed the same requirements for both research uses and research disclosures of protected health information.

Response: We agree with these comments. In the final rule we retain identical use and disclosure requirements for research uses and disclosures of protected health information by covered entities.

Comment: In contrast, a few commenters recommended that there be fewer requirements on covered entities for internal research uses of protected health information.

Response: For the reasons discussed above in § 164.501 on the definition of "research," we disagree that an individual's privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. Therefore, in the final rule, the research-related requirements of § 164.512(i) apply to both uses and disclosures of protected health information for research purposes without authorization.

Additional Resources for IRBs

Comment: A few commenters recommended that HHS work to provide additional resources to IRBs to assist them in meeting their new responsibilities.

Response: This recommendation is beyond our statutory authority under HIPAA, and therefore, cannot be addressed by the final rule. However, we fully agree that steps should be taken to moderate the workload of IRBs and to ensure adequate resources for their activities. Through the Office for Human Research Protections, the Department is committed to working with institutions and IRBs to identify efficient ways to optimize utilization of resources, and is committed to developing guidelines for appropriate staffing and workload levels for IRBs.

Additional Suggested Requirements

Comment: One commenter recommended that the documentation of IRB or privacy board approval also be required to state that, "the health researcher has fully disclosed which of the protected health information to be collected or created would be linked to other protected health information, and that appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages."

Response: The proposed provision for the use or disclosure of protected health information for research purposes without authorization only pertained to individually identifiable health information. Therefore, since the information to be obtained would be individually identifiable, we concluded that it was illogical to require IRBs and privacy boards to document that the researcher had "fully disclosed that...appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages." Accordingly, we did not incorporate this recommendation into the final rule.

Section 164.512(j)--Uses and Disclosures to Avert a Serious Threat to Health or Safety

Comment: Several commenters generally stated support for proposed § 164.510(k), which was titled "Uses and Disclosures in Emergency Circumstances." One commenter said that "narrow exceptions to confidentiality should be permitted for emergency situations such as duty to warn, duty to protect, and urgent law enforcement needs." Another commented that the standard "...based on a reasonable belief that the disclosures are necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual" would apply in only narrow treatment circumstances. Some commenters suggested that the provision be further narrowed, for example, with language specifically identifying "imminent threats" and a "chain-of-command clearance process," or by limiting permissible disclosures under this provision to "public health emergencies," or "national emergencies." Others proposed procedural requirements, such as specifying that such determinations may only be made by the patient's treating physician, a licensed mental health care professional, or as validated by three physicians. One commenter recommended stating that the rule is not intended to create a duty to warn or to disclose protected health information but rather permits such disclosure in emergency circumstances, consistent with other applicable legal or ethical standards.

Response: We agree with the commenters who noted that the proposed provision would apply in rare circumstances. We clarify, however, that we did not intend for the proposed provision to apply to emergency treatment scenarios as discussed below. In the final rule, to avoid confusion over the circumstances in which we intend this section to apply, we retitle it "Uses and Disclosures to Avert a Serious Threat to Health or Safety."

We do not believe it would be appropriate to narrow further the scope of permissible disclosures under this section to respond to specifically identified "imminent threats," a "public health emergency," or a "national emergency." We believe it would be impossible to enumerate all of the scenarios that may warrant disclosure of protected health information pursuant to this section. Such cases may involve a small number of people and may not necessarily involve a public health emergency or a national emergency.

Furthermore, in response to comments arguing that the proposed provision was too broad, we note that under both the NPRM and the final rule, we allow but do not require disclosures in situations involving serious and imminent threats to health or safety. Health plans and covered health care providers may make the disclosures allowed under § 164.512(j) consistent with applicable law and standards of ethical conduct.

As indicated in the preamble to the NPRM, the proposed approach is consistent with statutory and case law addressing this issue. The most well-known case on the topic is Tarasoff v. Regents of the University of California, 17 Cal. 3d 425 (1976), which established a duty to warn those at risk of harm when a therapist's patient made credible threats against the physical safety of a specific person. The Supreme Court of California found that the therapist involved in the case had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the peril. Many states have adopted, in statute or through case law, versions of the Tarasoff duty to warn or protect. Although Tarasoff involved a psychiatrist, this provision is not limited to disclosures by psychiatrists or other mental health professionals. As stated in the preamble of the NPRM, we clarify that § 164.512(j) is not intended to create a duty to warn or disclose protected health information.

Comment: Several comments addressed the portion of proposed § 164.510(k) that would have provided a presumption of reasonable belief to covered entities that disclosed protected health information pursuant to this provision, when such disclosures were made in good faith, based on credible representation by a person with apparent knowledge or authority. Some commenters recommended that this standard be applied to all permissible disclosures without consent or to such disclosures to law enforcement officials.

Alternatively, a group representing health care provider management firms believed that the proposed presumption of reasonable belief would not have provided covered entities with sufficient protection from liability exposure associated with improper uses or disclosures. This commenter recommended that a general good-faith standard apply to covered entities' decisions to disclose protected health information to law enforcement officials. A health plan said that HHS should consider applying the standard of reasonable belief to all uses and disclosures that would have been allowed under proposed § 164.510. Another commenter questioned how the good-faith presumption would apply if the information came from a confidential informant or from a person rather than a doctor, law enforcement official, or government official. (The NPRM listed doctors, law enforcement officials, and other government officials as examples of persons who may make credible representations pursuant to this section.)

Response: As discussed above, this provision is intended to apply in rare circumstances--circumstances that occur much less frequently than those described in other parts of the rule. Due to the importance of averting serious and imminent threats to health and safety, we believe it is appropriate to apply a presumption of good faith to covered entities disclosing protected health information under this section. We believe that the extremely time-sensitive and urgent conditions surrounding the need to avert a serious and imminent threat to the health or safety are fundamentally different from those involved in disclosures that may be made pursuant to other sections of the rule. Therefore, we do not believe it would be appropriate to apply to other sections of the rule the presumption of good faith that applies in § 164.512(j). We clarify that we intend for the presumption of good faith to apply if the disclosure is made in good faith based upon a credible representation by any person with apparent knowledge or authority--not just by doctors, law enforcement or other government officials. Our listing of these persons in the NPRM was illustrative only, and it was not intended to limit the types of persons who could make such a credible representation to a covered entity.

Comment: One commenter questioned under what circumstances proposed § 164.510(k) would apply instead of proposed § 164.510(f)(5), "Urgent Circumstances," which permitted covered entities to disclose protected health information to law enforcement officials about individuals who are or are suspected to be victims of a crime, abuse, or other harm, if the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and immediate law enforcement activity that depends upon obtaining such information may be necessary.

Response: First, we note that inclusion of this provision as § 164.510(f)(5) was a drafting error which subsequently was clarified in technical corrections to the NPRM. In fact, proposed § 164.510(f)(3) addressed the identical circumstances, which in this subsection were titled "Information about a Victim of Crime or Abuse." The scenarios described under § 164.510(f)(3) may or may not involve serious and imminent threats to health or safety.

Second, as discussed in the main section of the preamble to § 164.512(j), we recognize that in some situations, more than one section of this rule potentially could apply with respect to a covered entity's potential disclosure of protected health information. We clarify that if a situation fits one section of the rule (e.g., § 164.512(j) on serious and imminent threats to health or safety), health plans and covered health care providers may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., §§ 164.512(f)(2) or 164.512(f)(3), regarding disclosure of protected health information about suspects or victims to law enforcement officials), except as otherwise stated in the rule.

Comment: A state health department indicated that the disclosures permitted under this section may be seen as conflicting with existing law in many states.

Response: As indicated in the regulation text for § 164.512(j), this section allows disclosure consistent with applicable law and standards of ethical conduct. We do not preempt any state law that would prohibit disclosure of protected health information in the circumstances to which this section applies. (See Part 160, Subpart B.)

Comment: Many commenters stated that the rule should require that any disclosures should not modify "duty to warn" case law or statutes.

Response: The rule does not affect case law or statutes regarding "duty to warn." In § 164.512(j), we specifically permit covered entities to disclose protected health information without authorization for the purpose of protecting individuals from imminent threats to health and safety, consistent with state laws and ethical obligations.

Section 164.512(k)--Uses and Disclosures for Specialized Government Functions

Military Purposes

Armed Forces Personnel and Veterans

Comment: A few comments opposed the proposed rule's provisions on the military, believing that they were too broad. Although acknowledging that the Armed Forces may have legitimate needs for access to protected health data, the commenters believed that the rule failed to provide adequate procedural protections to individuals. A few comments said that, except in limited circumstances or emergencies, covered entities should be required to obtain authorization before using or disclosing protected health information. A few comments also expressed concern over the proposed rule's lack of specific safeguards to protect the health information of victims of domestic violence and abuse. While the commenters said they understood why the military needed access to health information, they did not believe the rule would impede such access by providing safeguards for victims of domestic violence or abuse.

Response: We note that the military comprises a unique society and that members of the Armed Forces do not have the same freedoms as do civilians. The Supreme Court held in Goldman v. Weinberger, 475 US 503 (1986), that the military must be able to command its members to sacrifice a great many freedoms enjoyed by civilians and to endure certain limits on the freedoms they do enjoy. The Supreme Court also held in Parker v. Levy, 417 US 733 (1974), that the different character of the military community and its mission required a different application of Constitutional protections. What is permissible in the civilian world may be impermissible in the military. We also note that individuals entering military service are aware that they will not have and enjoy the same rights as others.

The proposed rule would have authorized covered entities to use and disclose protected health information about armed forces personnel only for activities considered necessary by appropriate military command authorities to assure the proper execution of the military mission. In order for the military mission to be achieved and maintained, military command authorities need protected health information to make determinations regarding individuals' medical fitness to perform assigned military duties.

The proposed rule required the Department of Defense (DoD) to publish a notice in the Federal Register identifying its intended uses and disclosures of protected health information, and we have retained this approach in the final rule. This notice will serve to limit command authorities' access to protected health information to circumstances in which disclosure of protected health information is necessary to assure proper execution of the military mission.

With respect to comments regarding the lack of procedural safeguards for individuals, including those who are victims of domestic violence and abuse, we note that the rule does not provide new authority for covered entities providing health care to individuals who are Armed Forces personnel to use and disclose protected health information. Rather, the rule allows the Armed Forces to use and disclose such information only for those military mission purposes which will be published separately in the Federal Register. In addition, we note that the Privacy Act of 1974, as implemented by the DoD, provides numerous protections to individuals.

We modify the proposal to publish privacy rules for the military in the Federal Register. The NPRM would have required this notice to include information on the activities for which use or disclosure of protected health information would occur in order to assure proper execution of the military mission. We believe that this proposed portion of the notice is redundant and thus unnecessary in light of the rule's application to military services. In the final rule, we eliminate this proposed section of the notice, and we state that health plans and covered health care providers may use and disclose protected health information of Armed Forces personnel for activities considered necessary by appropriate military command authorities to assure the proper execution of a military mission, where the appropriate military authority has published a Federal Register notice identifying: (1) the appropriate military command authorities; and (2) the purposes for which protected health information may be used or disclosed.

Comment: A few commenters, members of the affected beneficiary class, which numbers approximately 2.6 million (active duty and reserve military personnel), opposed proposed § 164.510(m) because it would have allowed a non-governmental covered entity to provide protected health information without authorization to the military. These commenters were concerned that military officials could use the information as the basis for taking action against individuals.

Response: The Secretary does not have the authority under HIPAA to regulate the military's re-use or re-disclosure of protected health information obtained from health plans and covered health care providers. This provision's primary intent is to ensure that proper military command authorities can obtain needed medical information held by covered entities so that they can make appropriate determinations regarding the individual's medical fitness or suitability for military service. Determination that an individual is not medically qualified for military service would lead to his or her discharge from or rejection for service in the military. Such actions are necessary in order for the Armed Forces to have medically qualified personnel, ready to perform assigned duties. Medically unqualified personnel not only jeopardize the possible success of a mission, but also pose an unacceptable risk or danger to others. We have allowed such uses and disclosures for military activities because it is in the Nation's interest.

Separation or Discharge from Military Service

Comment: The preamble to the NPRM solicited comments on the proposal to permit the DoD to transfer, without authorization, a service member's military medical record to the Department of Veterans Affairs (DVA) when the individual completed his or her term of military service. A few commenters opposed the proposal, believing that authorization should be obtained. Both the DoD and the DVA supported the proposal, noting that transfer allows the DVA to make timely determinations as to whether a veteran is eligible for benefits under programs administered by the DVA.

Response: We note that the transfer program was established based on recommendations by Congress, veterans groups, and veterans; that it has existed for many years; and that there has been no objection to, or problems associated with, the program. We also note that the Department of Transportation (DoT) and the Department of Veterans Affairs operate an analogous transfer program with respect to United States Coast Guard personnel, who comprise part of the U.S. Armed Forces. The protected health information involved in the DoD/DVA transfer program is being disclosed and used for a limited purpose that directly benefits the individual. This information is covered by, and thus subject to the protections of, the Privacy Act. For these reasons, the final rule retains the DoD/DVA transfer program proposed in the NPRM. In addition, we expand the NPRM's proposed provisions regarding the Department of Veterans Affairs to include the DoT/DVA program, to authorize the continued transfer of these records.

Comment: The Department of Veterans Affairs supported the NPRM's proposal to allow it to use and disclose protected health information among components of the Department so that it could make determinations on whether an individual was entitled to benefits under laws administered by the Department. Some commenters said that the permissible disclosure pursuant to this section appeared to be sufficiently narrow in scope to respond to an apparent need. Some commenters also said that the DVA's ability to make benefit determinations would be hampered if an individual declined to authorize release of his or her protected health information. A few commenters, however, questioned whether such an exchange of information currently occurs between the components. A few commenters also believed the proposed rule should be expanded to permit sharing of information with other agencies that administer benefit programs.

Response: The final rule retains the NPRM's approach regarding use and disclosure of protected health information without authorization among components of the DVA for the purpose of making eligibility determinations based on commenters' assessment that the provision was narrow in scope and that an alternative approach could negatively affect benefit determinations for veterans. We modify the NPRM language slightly, to clarify that it refers to a health plan or covered health care provider that is a component of the DVA. These component entities may use or disclose protected health information without authorization among various components of the Department to determine eligibility for or entitlement to veterans' benefits. The final rule does not expand the scope of permissible disclosures under this provision to allow the DVA to share such information with other agencies. Other agencies may obtain this information only with authorization, subject to the requirements of § 164.508.

Foreign Military Personnel

Comment: A few comments opposed the exclusion of foreign diplomatic and military personnel from coverage under the rule. These commenters said that the mechanisms that would be necessary to identify these personnel for the purpose of exempting them from the rule's standards would create significant administrative difficulties. In addition, they believed that this provision would have prohibited covered entities from making disclosures allowed under the rule. Some commenters were concerned that implementation of the proposed provision would result in disparate treatment of foreign military and diplomatic personnel with regard to other laws, and that it would allow exploitation of these individuals' health information. These commenters believed that the proposed rule's exclusion of foreign military and diplomatic personnel was unnecessarily broad and that it should be narrowed to meet a perceived need. Finally, they noted that the proposed exclusion could be affected by the European Union's Data Protection Directive.

Response: We agree with the commenters' statement that the NPRM's exclusion of foreign military and diplomatic personnel from the rule's provisions was overly broad. Thus, the final rule's protections apply to these personnel. The rule covers foreign military personnel under the same provisions that apply to all other members of the U.S. Armed Forces, as described above. Foreign military authorities need access to protected health information for the same reason as United States military authorities do: to ensure that members of the armed services are medically qualified to perform their assigned duties. Under the final rule, foreign diplomatic personnel have the same protections as other individuals.

Intelligence Community

Comments: A few commenters opposed the NPRM's provisions regarding protected health information of intelligence community employees and their dependents being considered for postings overseas, on the grounds that the scope of permissible disclosure without authorization was too broad. While acknowledging that the intelligence community may have legitimate needs for its employees' protected health information, the commenters believed that the NPRM failed to provide adequate procedural protections for the employees' information. A few comments also said that the intelligence community should be able to obtain their employees' health information only with authorization. In addition, commenters said that the intelligence community should make disclosure of protected health information a condition of employment.

Response: Again, we agree that the NPRM's provision allowing disclosure of the protected health information of intelligence community employees without authorization was overly broad. Thus we eliminate it in the final rule. The intelligence community can obtain this information with authorization (pursuant to § 164.508), for example, when employees or their family members are being considered for an overseas assignment and when individuals are applying for employment with or seeking a contract from an intelligence community agency.

National Security and Intelligence Activities and Protective Services for the President and Others

Comment: A number of comments opposed the proposed "intelligence and national security activities" provision of the law enforcement section (§ 164.510(f)(4)), suggesting that it was overly broad. These commenters were concerned that the provision lacked sufficient procedural safeguards to prevent abuse of protected health information. The Central Intelligence Agency (CIA) and the Department of Defense (DoD) also expressed concern over the provision's scope. The agencies said that if implemented as written, the provision would have failed to accomplish fully its intended purpose of allowing the disclosure of protected health information to officials carrying out intelligence and national security activities other than law enforcement activities. The CIA and DoD believed that the provision should be moved to another section of the rule, possibly to proposed § 164.510(m) on specialized classes, so that authorized intelligence and national security officials could obtain individuals' protected health information without authorization when lawfully engaged in intelligence and national security activities.

Response: In the final rule, we clarify that this provision does not provide new authority for intelligence and national security officials to acquire health information that they otherwise would not be able to obtain. Furthermore, the rule does not confer new authority for intelligence, national security, or Presidential protective service activities. Rather, the activities permissible under this section are limited to those authorized under current law and regulation (e.g., for intelligence activities, 50 U.S.C. 401, et seq., Executive Order 12333, and agency implementing regulatory authorities). For example, the provision regarding national security activities pertains only to foreign persons that are the subjects of legitimate and lawful intelligence, counterintelligence, or other national security activities. In addition, the provision regarding protective services pertains only to those persons who are the subjects of legitimate investigations for threatening or otherwise exhibiting an inappropriate direction of interest toward U.S. Secret Service protectees pursuant to 18 U.S.C. 871, 879, and 3056. Finally, the rule leaves intact the existing State Department regulations that strictly limit the disclosure of health information pertaining to employees (e.g., Privacy Issuances at State-24 Medical Records).

We believe that because intelligence/national security activities and Presidential/other protective service activities are discrete functions serving different purposes, they should be treated consistently but separately under the rule. For example, medical information is used as a complement to other investigative data that are pertinent to conducting comprehensive threat assessment and risk prevention activities pursuant to 18 U.S.C. 3056. In addition, information on the health of world leaders is important for the provision of protective services and other functions. Thus, § 164.512(k) of the final rule includes separate subsections for national security/intelligence activities and for disclosures related to protective services to the President and others.

We note that the rule does not require or compel a health plan or covered health care provider to disclose protected health information. Rather, two subsections of § 164.512(k) allow covered entities to disclose information for intelligence and national security activities and for protective services to the President and others only to authorized federal officials conducting these activities, when such officials are performing functions authorized by law.

We agree with DoD and CIA that the NPRM, by including these provisions in the law enforcement section (proposed § 164.510(f)), would have allowed covered entities to disclose protected health information for national security, intelligence, and Presidential protective activities only to law enforcement officials. We recognize that many officials authorized by law to carry out intelligence, national security, and Presidential protective functions are not law enforcement officials. Therefore, the final rule allows covered entities to disclose protected health information pursuant to this provision not only to law enforcement officials, but to all federal officials authorized by law to carry out the relevant activities. In addition, we remove this provision from the law enforcement section and include it in § 164.512(k) on uses and disclosures for specialized government functions.

Medical Suitability Determinations

Comment: A few comments opposed the NPRM's provision allowing the Department of State to use protected health information for medical clearance determinations. These commenters believed that the scope of permissible disclosures under the proposed provision was too broad. While acknowledging that the Department may have legitimate needs for access to protected health data, the commenters believed that implementation of the proposed provision would not have provided adequate procedural safeguards for the affected State Department employees. A few comments said that the State Department should be able to obtain protected health information for medical clearance determinations only with authorization. A few comments also said that the Department should be able to disclose such information only when required for national security purposes. Some commenters believed that the State Department should be subject to the Federal Register notice requirement that the NPRM would have applied to the Department of Defense. A few comments also opposed the proposed provision on the basis that it would conflict with the Rehabilitation Act of 1973 or that it appeared to represent an invitation to discriminate against individuals with mental disorders.

Response: We agree with commenters who believed that the NPRM's provision regarding the State Department's use of protected health information without authorization was unnecessarily broad. Therefore, in the final rule, we restrict significantly the scope of protected health information that the State Department may use and disclose without authorization. First, we allow health plans and covered health care providers that are a component of the State Department to use and disclose protected health information without authorization when making medical suitability determinations for security clearance purposes. For the purposes of a security investigation, these components may disclose to authorized State Department officials whether or not the individual was determined to be medically suitable. Furthermore, we note that the rule does not confer authority on the Department to disclose such information that it did not previously possess. The Department remains subject to applicable law regarding such disclosures, including the Rehabilitation Act of 1973.

The preamble to the NPRM solicited comment on whether there was a need to add national security determinations under Executive Order 10450 to the rule's provision on State Department uses and disclosures of protected health information for security determinations. While we did not receive comment on this issue, we believe that a limited addition is warranted and appropriate. Executive Orders 10450 and 12968 direct Executive branch agencies to make certain determinations regarding whether their employees' access to classified information is consistent with the national security interests of the United States. Specifically, the Executive Orders state that access to classified information shall be granted only to those individuals whose personal and professional history affirmatively indicates, inter alia, strength of character, trustworthiness, reliability, and sound judgment. In reviewing the personal history of an individual, Executive branch agencies may investigate and consider any matter, including a mental health issue or other medical condition, that relates directly to any of the enumerated factors.

In the vast majority of cases, Executive agencies require their security clearance investigators to obtain the individual's express consent in the form of a medical release, pursuant to which the agency can conduct its background investigation and obtain any necessary health information. This rule does not interfere with agencies' ability to require medical releases for purposes of security clearances under these Executive Orders.

In the case of the Department of State, however, it may be impracticable or infeasible to obtain an employee's authorization when exigent circumstances arise overseas. For example, when a Foreign Service Officer is serving at an overseas post and he or she develops a critical medical problem which may or may not require a medical evacuation or other equally severe response, the Department's medical staff have access to the employee's medical records for the purpose of making a medical suitability determination under Executive Orders 10450 and 12968. To restrict the Department's access to information at such a crucial time due to a lack of employee authorization leaves the Department no option but to suspend the employee's security clearance. This action automatically would result in an immediate forced departure from post, which negatively would affect both the Department, due to the unexpected loss of personnel, and the individual, due to the fact that a forced departure can have a long-term impact on his or her career in the Foreign Service.

For this reason, the rule contains a limited security clearance exemption for the Department of State. The exemption allows the Department's own medical staff to continue to have access to an employee's medical file for the purpose of making a medical suitability determination for security purposes. The medical staff can convey a simple "yes" or "no" response to those individuals conducting the security investigation within the Department. In this way, the Department is able to make security determinations in exigent circumstances without disclosing any specific medical information to any employees other than the medical personnel who otherwise have routine access to these same medical records in an everyday non-security context.

Second, the final rule establishes a similar system for disclosures of protected health information necessary to determine worldwide availability or availability for mandatory service abroad under Sections 101(a)(4) and 504 of the Foreign Service Act. The Act requires that Foreign Service members be suitable for posting throughout the world and for certain specific assignments. For this reason, we permit a limited exemption to serve the purposes of the statute. Again, the medical staff can convey availability determinations to State Department officials who need to know if certain Foreign Service members are available to serve at post.

Third, and finally, the final rule recognizes the special statutory obligations that the State Department has regarding family members of Foreign Service members under Sections 101(b)(5) and 904 of the Foreign Service Act. Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information to determine whether a family member can accompany a Foreign Service member abroad.

Given the limited applicability of the rule, we believe it is not necessary for the State Department to publish a notice in the Federal Register to identify the purposes for which the information may be used or disclosed. The final rule identifies these purposes, as described above.

Correctional Institutions

Comments about the rule's application to correctional institutions are addressed in § 164.501, under the definition of "individual."

Section 164.512(l)--Disclosures for Workers' Compensation

Comment: Several commenters stated that workers' compensation carriers are excepted under the HIPAA definition of group health plan and therefore we have no authority to regulate them in this rule. These commenters suggested clarifying that the provisions of the proposed rule did not apply to certain types of insurance entities, such as workers' compensation carriers, and that such non-covered entities should have full access to protected health information without meeting the requirements of the rule. Other commenters argued that a complete exemption for workers' compensation carriers was inappropriate.

Response: We agree with commenters that the proposed rule did not intend to regulate workers' compensation carriers. In the final rule we have incorporated a provision that clarifies that the term "health plan" excludes "any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits as defined in section 2791(c)(1) of the PHS Act." See discussion above under the definition of "health plan" in § 164.501.

Comment: Some commenters argued that the privacy rule should defer to other laws that regulate the disclosure of information to employers and workers' compensation carriers. They commented that many states have laws that require sharing of information - without consent - between providers and employers or workers' compensation carriers.

Response: We agree that the privacy rule should permit disclosures necessary for the administration of state and other workers' compensation systems. To assure that workers' compensation systems are not disrupted, we have added a new provision to the final rule. The new § 164.512(l) permits covered entities to disclose protected health information as authorized by and to the extent necessary to comply with workers' compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault. We also note that where a state or other law requires a use or disclosure of protected health information under a workers' compensation or similar scheme, the disclosure would be permitted under § 164.512(a).

Comment: Several commenters stated that if workers' compensation carriers are to receive protected health information, they should only receive the minimum necessary as required in § 164.514. The commenters argued that employers and workers' compensation carriers should not have access to the entire medical history or portions of the medical history that have nothing to do with the injury in question. Further, the covered provider and not the employer or carrier should determine minimum necessary since the provider is a covered entity and only covered entities are subject to sanctions for violations of the rule. These commenters stated that the rule should clearly indicate the ability of covered entities to refuse to disclose protected health information if it went beyond the scope of the injury. Workers' compensation carriers, on the other hand, argued that permitting providers to determine the minimum necessary was inappropriate because determining eligibility for benefits is an insurance function, not a medical function. They stated that workers' compensation carriers need access to the full range of information regarding treatment for the injury underlying the claim, the claimants' current condition, and any preexisting conditions that can either mitigate the claim or aggravate the impact of the injury.

Response: Under the final rule, covered entities must comply with the minimum necessary provisions unless the disclosure is required by law. Our review of state workers' compensation laws suggests that many of these laws address the issue of the scope of information that is available to carriers and employers. The rule permits a provider to disclose information that is authorized by such a law to the extent necessary to comply with such law. Where the law is silent, the workers' compensation carrier and covered health care provider will need to discuss what information is necessary for the carrier to administer the claim, and the health care provider may disclose that information. We note that if the workers' compensation insurer has secured an authorization from the individual for the release of protected health information, the covered entity may release the protected health information described in the authorization.

SECTION 164.514 REQUIREMENTS FOR USES AND DISCLOSURES

Section 164.514(a)-(c)--De-identification

General Approach

Comments: The comments on this topic almost unanimously supported the concept of de-identification and efforts to expand its use. Although a few comments suggested deleting one of the proposed methods or the other, most appeared to support the two method approach for entities with differing levels of statistical expertise.

Many of the comments argued that the standard for creation of de-identified information should be whether there is a "reasonable basis to believe" that the information has been de-identified. Others suggested that the "reasonable basis" standard was too vague.

A few commenters suggested that we consider information to be de-identified if all personal identifiers that directly reveal the identity of the individual or provide a direct means of identifying individuals have been removed, encrypted or replaced with a code. Essentially, this recommendation would require only removal of "direct" identifiers (e.g., name, address, and ID numbers) and allow retention of all "indirect" identifiers (e.g., zip code and birth date) in "de-identified" information. These comments did not suggest a list or further definition of what identifiers should be considered "direct" identifiers.

Some commenters suggested that the standard be modified to reflect a single standard that applies to all covered entities in the interest of reducing uncertainty and complexity. According to these comments, the standard for covered entities to meet for de-identification of protected health information should be generally accepted standards in the scientific and statistical community, rather than focusing on a specified list of identifiers that must be removed.

A few commenters believed that no record of information about an individual can be truly de-identified and that all such information should be treated and protected as identifiable because more and more information about individuals is being made available to the public, such as voter registration lists and motor vehicle and driver's license lists, that would enable someone to match (and identify) records that otherwise appear to be not identifiable.

Response: In the final rule, we reformulate the method for de-identification to more explicitly use the statutory standard of "a reasonable basis to believe that the information can be used to identify the individual": just as information is "individually identifiable" if there is a reasonable basis to believe that it can be used to identify the individual, it is "de-identified" if there is no reasonable basis to believe it can be so used. We also define more precisely how the standard should be applied.

We did not accept comments that suggested that we allow only one method of de-identifying information. We find support for both methods in the comments but find no compelling logic for how the competing interests could be met cost-effectively with only one method.

We also disagree with the comments that advocated using a standard which required removing only the direct identifiers. Although such an approach may be more convenient for covered entities, we judged that the resulting information would often remain identifiable, and its dissemination could result in significant violations of privacy. While we encourage covered entities to remove direct identifiers whenever possible as a method of enhancing privacy, we do not believe that the resulting information is sufficiently blinded to permit its general dissemination without the protections provided by this rule.

We agree with the comments that said that records of information about individuals cannot be truly de-identified, if that means that the probability of attribution to an individual must be absolutely zero. However, the statutory standard does not allow us to take such a position, but envisions a reasonable balance between risk of identification and usefulness of the information.

We disagree with those comments that advocated releasing only truly anonymous information (which has been changed sufficiently so that it no longer represents actual information about real individuals) and those that supported using only sophisticated statistical analysis before allowing uncontrolled disclosures. Although these approaches would provide a marginally higher level of privacy protection, they would preclude many of the laudable and valuable uses discussed in the NPRM (in § 164.506(d)) and would impose too great a burden on less sophisticated covered entities to be justified by the small decrease in an already small risk of identification.

We conclude that compared to the alternatives advanced by the comments, the approach proposed in the NPRM, as refined and modified below in response to the comments, most closely meets the intent of the statute.

Comments: A few comments complained that the proposed standards were so strict that they would expose covered entities to liability because arguably no information could ever be de-identified.

Response: In the final rule we have modified the mechanisms by which a covered entity may demonstrate that it has complied with the standard in ways that provide greater certainty. In the standard method for de-identification, we have clarified the professional standard to be used, and anticipate issuing further guidance for covered entities to use in applying the standard. In the safe harbor method, we reduced the amount of judgment that a covered entity must apply. We believe that these mechanisms for de-identification are sufficiently well-defined to protect covered entities that follow them from undue liability.

Comments: Several comments suggested that the rule prohibit any linking of de-identified data, regardless of the probability of identification.

Response: Since our methods of de-identification include consideration of how the information might be used in combination with other information, we believe that linking de-identified information does not pose a significantly increased risk of privacy violations. In addition, since our authority extends only to the regulation of individually identifiable health information, we cannot regulate de-identified information because it no longer meets the definition of individually identifiable health information. We also have no authority to regulate entities that might receive and desire to link such information yet that are not covered entities; thus such a prohibition would have little protective effect.

Comments: Several commenters suggested that we create incentives for covered entities to use de-identified information. One commenter suggested that we mandate an assessment to see if de-identified information could be used before the use or disclosure of identified information would be allowed.

Response: We believe that this final rule establishes a reasonable mechanism for the creation of de-identified information and the fact that this de-identified information can be used without having to follow the policies, procedures, and documentation required to use individually identifiable health information should provide an incentive to encourage its use where appropriate. We disagree with the comment suggesting that we require an assessment of whether de-identified information could be used for each use or disclosure. We believe that such a requirement would be too burdensome on covered entities, particularly with respect to internal uses, where entire records are often used by medical and other personnel. For disclosures, we believe that such an assessment would add little to the protection provided by the minimum necessary requirements in this final rule.

Comments: One commenter asked if de-identification was equivalent to destruction of the protected health information (as required under several of the provisions of this final rule).

Response: The process of de-identification creates a new dataset in addition to the source dataset containing the protected health information. This process does not substitute for actual destruction of the source data.

Modifications to the Proposed Standard for De-identification

Comments: Several commenters called for clarification of proposed language in the NPRM that would have permitted a covered entity to treat information as de-identified, even if specified identifiers were retained, as long as the probability of identifying subject individuals would be very low. Commenters expressed concern that the "very low" standard was vague. These comments expressed concern that covered entities would not have a clear and easy way to know when information meets this part of the standard.

Response: We agree with the comments that covered entities may need additional guidance on the types of analyses that they should perform in determining when the probability of re-identification of information is very low. We note that in the final rule, we reformulate the standard somewhat to require that a person with appropriate knowledge and experience apply generally accepted statistical and scientific methods relevant to the task to make a determination that the risk of re-identification is very small. In this context, we do not view the difference between a very low probability and a very small risk to be substantive. After consulting representatives of the federal agencies that routinely de-identify and anonymize information for public release (16), we attempt here to provide some guidance for the method of de-identification.

As requested by some commenters, we include in the final rule a requirement that covered entities (not following the safe harbor approach) apply generally accepted statistical and scientific principles and methods for rendering information not individually identifiable when determining if information is de-identified. Although such guidance will change over time to keep up with technology and the current availability of public information from other sources, as a starting point the Secretary approves the use of the following as guidance to such generally accepted statistical and scientific principles and methods:

(1) Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget) and

(2) the Checklist on Disclosure Potential of Proposed Data Releases (http://www.fcsm.gov/reports) (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget).

We agree with commenters that such guidance will need to be updated over time and we will provide such guidance in the future.

According to the Statistical Policy Working Paper 22, the two main sources of disclosure risk for de-identified records about individuals are the existence of records with very unique characteristics (e.g., unusual occupation or very high salary or age) and the existence of external sources of records with matching data elements which can be used to link with the de-identified information and identify individuals (e.g., voter registration records or driver's license records). The risk of disclosure increases as the number of variables common to both types of records increases, as the accuracy or resolution of the data increases, and as the number of external sources increases. As outlined in Statistical Policy Working Paper 22, an expert disclosure analysis would also consider the probability that an individual who is the target of an attempt at re-identification is represented on both files, the probability that the matching variables are recorded identically on the two types of records, the probability that the target individual is unique in the population for the matching variables, and the degree of confidence that a match would correctly identify a unique person.

Statistical Policy Working Paper 22 also describes many techniques that can be used to reduce the risk of disclosure that should be considered by an expert when de-identifying health information. In addition to removing all direct identifiers, these include the obvious choices based on the above causes of the risk; namely, reducing the number of variables on which a match might be made and limiting the distribution of the records through a "data use agreement" or "restricted access agreement" in which the recipient agrees to limits on who can use/receive the data. The techniques also include more sophisticated manipulations: recoding variables into fewer categories to provide less precise detail (including rounding of continuous variables); setting top-codes and bottom-codes to limit details for extreme values; disturbing the data by adding noise, by swapping certain variables between records, by replacing some variables in random records with mathematically imputed values or averages across small random groups of records, or by randomly deleting or duplicating a small sample of records; and replacing actual records with synthetic records that preserve certain statistical properties of the original data.
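The following is an added illustration, not part of the rule or of Working Paper 22, of the two sources of disclosure risk described above and of the recoding and top-coding techniques just listed. It measures, on a constructed set of records that retain the indirect identifiers the comments discussed (five-digit zip code, birth date, sex), how many records are unique on those matching variables and how many can be confidently matched to a constructed external file, then repeats the measurement after recoding. The recoding rules (3-digit zip prefix, birth date replaced by age in years, ages top-coded at 90), the reference date for ages, and all records are assumptions chosen for illustration, not values the rule prescribes.

```python
"""Disclosure-risk check in the spirit of Statistical Policy Working Paper 22.

Added example; all records, thresholds and the reference date are constructed
assumptions for illustration, not values taken from the rule.
"""
from collections import Counter
from datetime import date

# Constructed release records. The first three fields are the matching
# variables the comments discussed: five-digit zip code, birth date, sex.
RELEASE = [
    ("02138", date(1934, 7, 1), "F", "hypertension"),
    ("02139", date(1934, 2, 11), "F", "cataract"),
    ("02138", date(1965, 3, 9), "M", "asthma"),
    ("02141", date(1965, 9, 30), "M", "diabetes"),
    ("02139", date(1990, 11, 30), "F", "fracture"),
    ("02140", date(1990, 4, 2), "F", "migraine"),
    ("02141", date(1908, 1, 20), "F", "dementia"),
    ("02142", date(1905, 6, 15), "F", "cataract"),
    ("02142", date(1980, 8, 8), "M", "anxiety"),
    ("02138", date(1952, 5, 5), "M", "COPD"),
]

# Constructed external file (voter-list style) sharing those three fields,
# followed by a name. Only the matching variables are compared.
EXTERNAL = [
    ("02138", date(1934, 7, 1), "F", "A. Person"),
    ("02139", date(1934, 2, 11), "F", "B. Person"),
    ("02138", date(1965, 3, 9), "M", "C. Person"),
    ("02141", date(1908, 1, 20), "F", "D. Person"),
    ("02142", date(1980, 8, 8), "M", "E. Person"),
    ("02142", date(1980, 8, 8), "M", "F. Person"),
    ("02138", date(1952, 5, 5), "M", "G. Person"),
    ("02140", date(1990, 4, 2), "F", "H. Person"),
]

AGE_TOP_CODE = 90                     # assumption: ages >= 90 become "90+"
REFERENCE_DATE = date(2000, 12, 28)   # constructed "as of" date for ages


def age_on(birth, as_of=REFERENCE_DATE):
    """Whole years between a birth date and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def age_category(birth):
    """Recode a birth date to age in years, top-coded for extreme values."""
    age = age_on(birth)
    return f"{AGE_TOP_CODE}+" if age >= AGE_TOP_CODE else str(age)


def exact_key(row):
    """Matching variables before recoding: full zip, full birth date, sex."""
    return row[:3]


def recoded_key(row):
    """Matching variables after recoding into fewer categories: 3-digit zip
    prefix, top-coded age, sex. Applied to the external file as well, since
    whoever holds that file can apply the same recoding."""
    zip5, birth, sex = row[:3]
    return (zip5[:3], age_category(birth), sex)


def unique_fraction(records, key):
    """Share of records whose matching-variable combination occurs once in the
    file: the 'unique characteristics' source of risk in the Working Paper."""
    counts = Counter(key(r) for r in records)
    return sum(1 for r in records if counts[key(r)] == 1) / len(records)


def linkable_count(release, external, key):
    """Release records that are unique in the release and match exactly one
    external record: a confident one-to-one link, the 'external sources' risk."""
    rel_counts = Counter(key(r) for r in release)
    ext_counts = Counter(key(e) for e in external)
    return sum(1 for r in release
               if rel_counts[key(r)] == 1 and ext_counts.get(key(r), 0) == 1)


def generalize_release(release):
    """The recoded records that would actually be released."""
    return [recoded_key(r) + (r[3],) for r in release]


def assess(release, external):
    """Disclosure risk before and after recoding, as a dict of four numbers."""
    return {
        "unique_before": unique_fraction(release, exact_key),
        "linkable_before": linkable_count(release, external, exact_key),
        "unique_after": unique_fraction(release, recoded_key),
        "linkable_after": linkable_count(release, external, recoded_key),
    }


if __name__ == "__main__":
    # Constructed data: all 10 records unique and 6 confidently linkable before
    # recoding; 2 unique and 1 linkable after. The risk is reduced, not zero.
    for name, value in assess(RELEASE, EXTERNAL).items():
        print(f"{name}: {value}")
```

The residual linkable record after recoding is the point of the expert review and data use agreement discussed above: recoding lowers the risk, and the remaining risk must still be judged very small before release.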

Modifications to the "Safe Harbor"

Comments: Many commenters argued that stripping all 19 identifiers is unnecessary for purposes of de-identification. They felt that such items as zip code, city (or county), and birth date, for example, do not identify the individual and only such identifiers as name, street address, phone numbers, fax numbers, email, Social Security number, driver's license number, voter registration number, motor vehicle registration, identifiable photographs, fingerprints, voice prints, web universal resource locator, and Internet protocol address number need to be removed to reasonably believe that data has been de-identified.

Other commenters felt that removing the full list of identifiers would significantly reduce the usefulness of the data. Many of these comments focused on research and, to a lesser extent, marketing and undefined "statistical analysis." Commenters who represented various industries and research institutions expressed concern that they would not be able to continue current activities such as development of service provider networks, conducting "analysis" on behalf of the plan, studying use of medication and medical devices, community studies, marketing and strategic planning, childhood immunization initiatives, patient satisfaction surveys, and solicitation of contributions. The requirements in the NPRM to strip off zip code and date of birth were of particular concern. These commenters stated that their ability to do research and quality analysis with this data would be compromised without access to some level of information about patient age and/or geographic location.

Response: While we understand that removing the specified identifiers may reduce the usefulness of the resulting data to third parties, we remain convinced by the evidence found in the MIT study that we referred to in the preamble to the proposed rule (17) and the analyses discussed below that there remains a significant risk of identification of the subjects of health information from the inclusion of indirect identifiers such as birth date and zip code and that in many cases there will be a reasonable basis to believe that such information remains identifiable. We note that a covered entity not relying on the safe harbor may determine that information from which sufficient other identifiers have been removed but which retains birth date or zip code is not reasonably identifiable. As discussed above, such a determination must be made by a person with appropriate knowledge and expertise applying generally accepted statistical and scientific methods for rendering information not identifiable.

Although we have determined that all of the specified identifiers must be removed before a covered entity meets the safe harbor requirements, we made modifications in the final rule to the specified identifiers on the list to permit some information about age and geographic area to be retained in de-identified information.

For age, we specify that, in most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses. After considering current and evolving practices and consulting with federal experts on this topic, including members of the Confidentiality and Data Access Committee of the Federal Committee on Statistical Methodology, Office of Management and Budget, we concluded that in general, age is sufficiently broad to be allowed in de-identified information, although all dates that might be directly related to the subject of the information must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages -- 90 and over -- must be aggregated further (to a category of 90+, for example) to avoid identification of very old individuals (because they are relatively rare). This reflects the minimum requirement of the current recommendations of the Bureau of the Census. (18) For research or other studies relating to young children or infants, we note that the rule would not prohibit age of an individual from being expressed as an age in months, days, or hours.

For geographic area, we specify that the initial three digits of zip codes may be retained for any three-digit zip code that contains more than 20,000 people as determined by the Bureau of the Census. As discussed more below, there are currently only 18 three-digit zip codes containing fewer than 20,000 people. We note that this number may change when information from the 2000 Decennial Census is analyzed.

In response to concerns expressed in the comments about the need for information on geographic area, we investigated the potential of allowing 5-digit zip codes or 3-digit zip codes to remain in the de-identified information. According to 1990 Census data, the populations in geographical areas delineated by 3-digit zip codes vary a great deal, from a low of 394 to a high of 3,006,997, with an average size of 282,304. There are two 3-digit zip codes containing fewer than 500 people and six 3-digit zip codes containing fewer than 10,000 people each. (19) Of the total of 881 3-digit zip codes, there are 18 with fewer than 20,000 people, 71 with fewer than 50,000 people, and 215 containing fewer than 100,000 population. We also looked at two-digit zip codes (the first 2 digits of the 5-digit zip code) and found that the smallest of the 98 2-digit zip codes contains 188,638 people.

We also investigated the practices of several other federal agencies which are mandated by Congress to release data from national surveys while preserving confidentiality and which have been dealing with these issues for decades. The problems and solutions being used by these agencies are laid out in detail in the Statistical Policy Working Paper 22 cited earlier.

To protect the privacy of individuals providing information to the Bureau of Census, the Bureau has determined that a geographical region must contain at least 100,000 people. (20) This standard has been used by the Bureau of the Census for many years and is supported by simulation studies using Census data. (21) These studies showed that after a certain point, increasing the size of a geographic area does not significantly decrease the percentage of unique records (i.e., those that could be identified if sampled), but that the point of diminishing returns is dependent on the number and type of demographic variables on which matching might occur. For a small number of demographic variables (6), this point was quite low (about 20,000 population), but it rose quickly to about 50,000 for 10 variables and to about 80,000 for 15 variables. The Bureau of the Census releases sets of data to the public that it considers safe from re-identification because it limits geographical areas to those containing at least 100,000 people and limits the number and detail of the demographic variables in the data. At the point of approximately 100,000 population, 7.3% of records were unique (and therefore potentially identifiable) on 6 demographic variables from the 1990 Census Short Form: age in years (90 categories), race (up to 180 categories), sex (2 categories), relationship to householder (14 categories), Hispanic (2 categories), and tenure (owner vs. renter in 5 categories). Using 6 variables derived from the Long Form data, age (10 categories), race (6 categories), sex (2 categories), marital status (5 categories), occupation (54 categories), and personal income (10 categories), raised the percentage to 9.8%.

We also examined the results of an NCHS simulation study using national survey data (22) to see if some scientific support could be found for a compromise. The study took random samples from populations of different sizes and then compared the samples to the whole population to see how many records were identifiable, that is, matched uniquely to a unique person in the whole population on the basis of 9 demographic variables: age (85 categories), race (4 categories), gender (2 categories), ethnicity (2 categories), marital status (3 categories), income (3 categories), employment status (2 categories), working class (4 categories), and occupation (42 categories). Even when some of the variables are aggregated or coded, from the perspective of a large statistical agency desiring to release data to the public, the study concluded that a population size of 500,000 was not sufficient to provide a reasonable guarantee that certain individuals could not be identified. About 2.5% of the sample from the population of 500,000 was uniquely identifiable, regardless of sample size. This percentage rose as the size of the population decreased, to about 14% for a population of 100,000 and to about 25% for a population of 25,000. Eliminating the occupation variable (which is less likely to be found in health data) reduced this percentage significantly to about 0.4%, 3%, and 10% respectively. These percentages of unique records (and thus the potentials for re-identification) are highly dependent on the number of variables (which must also be available in other databases which are identified to be considered in a disclosure risk analysis), the categorical breakdowns of those variables, and the level of geographic detail included.

With respect to how we might clarify the requirement to achieve a "low probability" that information could be identified, the Statistical Policy Working Paper 22 referenced above discusses the attempts of several researchers to define mathematical measures of disclosure risk only to conclude that "more research into defining a computable measure of risk is necessary." When we considered whether we could specify a maximum level of risk of disclosure with some precision (such as a probability or risk of identification of < 0.01), we concluded that it is premature to assign mathematical precision to the "art" of de-identification.

After evaluating current practices and recognizing the expressed need for some geographic indicators in otherwise de-identified databases, we concluded that permitting geographic identifiers that define populations of greater than 20,000 individuals is an appropriate standard that balances privacy interests against desirable uses of de-identified data. In making this determination, we focused on the studies by the Bureau of Census cited above which seemed to indicate that a population size of 20,000 was an appropriate cut off if there were relatively few (6) demographic variables in the database. Our belief is that, after removing the required identifiers to meet the safe harbor standards, the number of demographic variables retained in the databases will be relatively small, so that it is appropriate to accept a relatively low number as a minimum geographic size.

In applying this provision, covered entities must replace the (currently 18) forbidden 3-digit zip codes with zeros and thus treat them as a single geographic area (with > 20,000 population). The list of the forbidden 3-digit zip codes will be maintained as part of the updated Secretarial guidance referred to above. Currently, they are: 022, 036, 059, 102, 203, 555, 556, 692, 821, 823, 830, 831, 878, 879, 884, 893, 987, and 994. This will result in an average 3-digit zip code area population of 287,858 which should result in an average of about 4% unique records using the 6 variables described above from the Census Short Form. Although this level of unique records will be much higher in the smaller geographic areas, the actual risk of identification will be much lower because of the limited availability of comparable data in publicly available, identified databases, and will be further reduced by the low probability that someone will expend the resources to try to identify records when the chance of success is so small and uncertain. We think this compromise will meet the current need for an easy method to identify geographic area while providing adequate protection from re-identification. If a greater level of geographical detail is required for a particular use, the information will have to be obtained through another permitted mechanism or be subjected to a specific de-identification determination as described above. We will monitor the availability of identified public data and the concomitant re-identification risks, both theoretical and actual, and adjust this safe harbor in the future as necessary.
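The age and geographic rules just described, together with the recoding and top-coding techniques from Statistical Policy Working Paper 22 discussed earlier, are shown below as an added worked example; it is not text or code from the rule. It applies the transformations to constructed, fictitious records and then computes the "percentage of unique records" measure that the cited Census and NCHS studies use; the reference date and record layout are assumptions of the example.

```python
"""Safe-harbor style generalization and a uniqueness check.

Added example, not text or code from the rule. It applies the age and
geographic rules the preamble describes: birth dates reduced to year, ages
of 90 and over top-coded as "90+", ZIP codes cut to three digits, and the
18 listed low-population 3-digit ZIPs replaced with "000". It then reports
the share of records that are unique on the retained quasi-identifiers,
the "percentage of unique records" measure the cited Census and NCHS
studies use. The patient records below are constructed and fictitious.
"""
from collections import Counter
from datetime import date

# The 18 three-digit ZIP prefixes listed in the preamble (1990 Census data).
FORBIDDEN_ZIP3 = {"022", "036", "059", "102", "203", "555", "556", "692", "821",
                  "823", "830", "831", "878", "879", "884", "893", "987", "994"}

# Direct identifiers that are removed outright (a subset of the safe-harbor
# list, matching the constructed record layout used here).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "email", "ssn", "mrn"}

AS_OF = date(2000, 12, 28)  # constructed reference date for computing ages


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix, or '000' for prefixes covering < 20,000 people."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in FORBIDDEN_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Top-code (recode) ages of 90 and over into the single category '90+'."""
    return "90+" if age >= 90 else str(age)


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on the reference date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - int(before_birthday)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` transformed under the safe-harbor style rules."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    birth = out.pop("birth_date")
    age = age_on(birth, as_of)
    out["age"] = generalize_age(age)
    # Year of birth may be kept, except that for the 90+ category it would
    # reveal the top-coded age, so this example suppresses it there.
    out["birth_year"] = None if age >= 90 else str(birth.year)
    out["zip3"] = generalize_zip(out.pop("zip"))
    # Any other date directly related to the individual is reduced to its year.
    if "admit_date" in out:
        out["admit_year"] = str(out.pop("admit_date").year)
    return out


def deidentify_all(records: list, as_of: date = AS_OF) -> list:
    return [deidentify(r, as_of) for r in records]


def unique_fraction(records: list, keys: tuple) -> float:
    """Share of records whose combination of values on `keys` occurs only once.

    A unique combination is one that could be matched to an external file
    holding the same variables; this is the disclosure-risk measure cited.
    """
    combos = [tuple(r[k] for k in keys) for r in records]
    counts = Counter(combos)
    return sum(1 for c in combos if counts[c] == 1) / len(records)


# Constructed, fictitious records (names and SSNs are placeholders).
SAMPLE = [
    {"name": "Patient A", "ssn": "000-00-0001", "sex": "F", "zip": "02134",
     "birth_date": date(1955, 3, 2), "admit_date": date(2000, 5, 1)},
    {"name": "Patient B", "ssn": "000-00-0002", "sex": "F", "zip": "02138",
     "birth_date": date(1955, 9, 20), "admit_date": date(2000, 6, 3)},
    {"name": "Patient C", "ssn": "000-00-0003", "sex": "M", "zip": "03601",
     "birth_date": date(1908, 7, 15), "admit_date": date(2000, 1, 9)},
    {"name": "Patient D", "ssn": "000-00-0004", "sex": "M", "zip": "05901",
     "birth_date": date(1910, 1, 10), "admit_date": date(2000, 2, 2)},
    {"name": "Patient E", "ssn": "000-00-0005", "sex": "M", "zip": "10001",
     "birth_date": date(1982, 11, 30), "admit_date": date(2000, 3, 3)},
    {"name": "Patient F", "ssn": "000-00-0006", "sex": "M", "zip": "10010",
     "birth_date": date(1982, 2, 14), "admit_date": date(2000, 4, 4)},
    {"name": "Patient G", "ssn": "000-00-0007", "sex": "F", "zip": "98701",
     "birth_date": date(1975, 6, 6), "admit_date": date(2000, 7, 7)},
    {"name": "Patient H", "ssn": "000-00-0008", "sex": "F", "zip": "55512",
     "birth_date": date(1960, 9, 9), "admit_date": date(2000, 8, 8)},
]

if __name__ == "__main__":
    before = unique_fraction(SAMPLE, ("zip", "birth_date", "sex"))
    after = unique_fraction(deidentify_all(SAMPLE), ("zip3", "age", "sex"))
    print(f"unique on full ZIP + birth date + sex: {before:.0%}")  # 100%
    print(f"unique on ZIP3 + age + sex after rules: {after:.0%}")  # 25%
```

The two remaining unique records (patients G and H) show the point made in the text: generalization lowers the uniqueness rate but does not drive it to zero, which is why the number and detail of retained variables still matters.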

As we stated above, we understand that many commenters would prefer a looser standard for determining when information is de-identified, both generally and with respect to the standards for identifying geographic area. However, because public databases (such as voter records or driver's license records) that include demographic information about a geographically defined population are available, a surprisingly large percentage of records of health information that contain similar demographic information can be identified. Although the number of these databases seems to be increasing, the number of demographic variables within them still appears to be fairly limited. The number of cases of privacy violation from health records which have been identified in this way is small to date. However, the risk of identification increases with decreasing population size, with increasing amounts of demographic information (both in level of detail and number of variables), and with the uniqueness of the combination of such information in the population. That is, an 18 year old single white male student is not at risk of identification in a database from a large city such as New York. However, if the database were about a small town where most of the inhabitants were older, retired people of a specific minority race or ethnic group, that same person might be unique in that community and easily identified. We believe that the policy that we have articulated reaches the appropriate balance between reasonably protecting privacy and providing a sufficient level of information to make de-identified databases useful.

Comments: Some comments noted that identifiers that accompany photographic images are often needed to interpret the image and that it would be difficult to use the image alone to identify the individual.

Response: We agree that our proposed requirement to remove all photographic images was more than necessary. Many photographs of lesions, for example, which cannot usually be used alone to identify an individual, are included in health records. In this final rule, the only absolute requirement is the removal of full-face photographs, and we depend on the "catch-all" of "any other unique ... characteristic ..." to pick up the unusual case where another type of photographic image might be used to identify an individual.

Comments: A number of commenters felt that the proposed bar for removal had been set too high; that the removal of these 19 identifiers created a difficult standard, since some identifiers may be buried in lengthy text fields.

Response: We understand that some of the identifiers on our list for removal may be buried in text fields, but we see no alternative that protects privacy. In addition, we believe that such unstructured text fields have little or no value in a de-identified information set and would be removed in any case. With time, we expect that such identifiers will be kept out of places where they are hard to locate and expunge.

Comments: Some commenters asserted that this requirement creates a disincentive for covered entities to de-identify data and would compromise the Secretary's desire to see de-identified data used for a multitude of purposes. Others stated that the 'no reason to believe' test creates an unreasonable burden on covered entities, and would actually chill the release of de-identified information, and set an impossible standard.

Response: We recognize that the proposed standards might have imposed a burden that could have prevented the widespread use of de-identified information. We believe that our modifications to the final rule discussed above will make the process less burdensome and remove some of the disincentive. However, we could not loosen the standards as far as many commenters wanted without seriously jeopardizing the privacy of the subjects of the information. As discussed above, we modify the "no reason to know" standard that was part of the safe harbor provision and replace it in the final rule with an "actual knowledge" standard. We believe that this change provides additional certainty to covered entities using the safe harbor and should eliminate any chilling effect.

Comments: Although most commenters wanted to see data elements taken off the list, there were a small number of commenters that wanted to see data items added to the list. They believed that it is also necessary to remove clinical trial record numbers, device model serial numbers, and all proper nouns from the records.

Response: In response to these requests, we have slightly revised the list of identifiers that must be removed under the safe harbor provision. Clinical trial record numbers are included in the general category of "any other unique identifying number, characteristic, or code." These record numbers cannot be included with de-identified information because, although the availability of clinical trial numbers may be limited, they are used for other purposes besides de-identification/re-identification, such as identifying clinical trial records, and may be disclosed under certain circumstances. Thus, they do not meet the criteria in the rule for use as a unique record identifier for de-identified records. Device model serial numbers are included in "any device identifier or serial number" and must be removed. We considered the request to remove all proper nouns to be very burdensome to implement for very little increase in privacy and likely to be arbitrary in operation, and so it is not included in the final rule.

Re-identification

Comments: One commenter wanted to know if the rule requires that covered entities retain the ability to re-identify de-identified information.

Response: The rule does not require covered entities to retain the ability to re-identify de-identified information, but it does allow them to retain this ability.

Comments: A few commenters asked us to prohibit anyone from re-identifying de-identified health information.

Response: We do not have the authority to regulate persons other than covered entities, so we cannot affect attempts by entities outside of this rule to re-identify information. Under the rule, we permit the covered entity that created the de-identified information to re-identify it. However, we include a requirement that, when a unique record identifier is included in the de-identified information, such identifier must not be such that someone other than the covered entity could use it to identify the individual (such as when a derivative of the individual's name is used as the unique record identifier).

Section 164.514(d)--Minimum Necessary

Comment: A large number of commenters objected to the application of the proposed "minimum necessary" standard for uses and disclosures of protected health information to uses and disclosures for treatment purposes. Some suggested that the final regulation should establish a good faith exception or safe harbor for disclosures made for treatment.

The overwhelming majority of commenters, generally from the medical community, argued that application of the proposed standard would be contrary to sound medical practice, increase medical errors, and lead to an increase in liability. Some likened the standard to a 'gag clause' in that it limited the exchange of information critical for quality patient care. They found the standard unworkable in daily treatment situations. They argued that this standard would be potentially dangerous in that it could cause practitioners to withhold information that could be essential for later care. Commenters asserted that caregivers need to be able to give and receive a complete picture of the patient's health to make a diagnosis and develop a treatment plan.

Other commenters noted that the complexity of medicine is such that it is unreasonable to think that anyone will know the exact parameters of the information another caregiver will need for proper diagnosis and treatment or that a plan will need to support quality assurance and improvement activities. They therefore suggested that the minimum necessary standard be applied instead as an administrative requirement.

Providers also emphasized that they already have an ethical duty to limit the sharing of unnecessary medical information, and most already have well-developed guidelines and practice standards in place. Concerns were also voiced that attempts to provide the minimum necessary information in the treatment setting would lead to multiple editions of a record or creation of summaries that turn out to omit crucial information resulting in confusion and error.

Response: In response to these concerns, we substantially revise the minimum necessary requirements. As suggested by certain commenters, we provide, in § 164.502(b), that disclosures of protected health information to or requests by health care providers for treatment are not subject to the minimum necessary standard. We also modify the requirements for uses of protected health information. This final rule requires covered entities to make determinations of minimum necessary use, including use for treatment purposes, based on the role of the person or class of workforce members rather than at the level of specific uses. A covered entity must establish policies and procedures that identify the types of persons who are to have access to designated categories of information and the conditions, if any, of that access. We establish no requirements specific to a particular use of information. Covered entities are responsible for establishing and documenting these policies and procedures. This approach is consistent with the argument of many commenters that guidelines and practice standards are appropriate means for protecting the privacy of patient information.

Comment: Some commenters argued that the standard should be retained in the treatment setting for uses and disclosures pertaining to mental health information. Some of these commenters asserted that other providers do not need to know the mental status of a patient for treatment purposes.

Response: We agree that the standard should be retained for uses of mental health information in the treatment setting. However, we believe that the arguments for excepting disclosures of protected health information for treatment purposes from application of the minimum necessary standard are also persuasive with respect to mental health information. An individual's mental health can interact with proper treatment for other conditions in many ways. Psychoactive medications may have harmful interactions with drugs routinely prescribed for other purposes; an individual's mental health history may help another health care provider understand the individual's ability to abide by a complicated treatment regimen. For these reasons, it is also not reasonable to presume that, in every case, a health care provider will not need to know an individual's mental health status to provide appropriate treatment.

Providers' comments noted existing ethical duties to limit the sharing of unnecessary medical information, and well-developed guidelines and practice standards for this purpose. Under this rule, providers may use these tools to guide their discretion in disclosing health information for treatment.

Comment: Several commenters urged that covered entities should be required to conspicuously label records to show that they are not complete. They argued that absent such labeling, patient care could be compromised.

Response: We believe that the final policy to except disclosures of protected health information for treatment purposes from application of the minimum necessary standard addresses these commenters' concerns.

Comment: Some commenters argued that the audit exception to the minimum necessary requirements needs to be clarified or expanded, because "audit" and "payment" are essentially the same thing.

Response: We eliminate this exception. The proposed exclusion of disclosures to health plans for audit purposes is replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the purpose intended.

Comment: Many commenters argued that the proposed standard was unworkable as applied to "uses" by a covered entity's employees, because the proposal appeared not to allow providers to create general policy as to the types of records that particular employees may have access to but instead required that each decision be made "individually," which providers interpret as "case-by-case." Commenters argued that the standard with regard to "uses" would be impossible to implement and prohibitively expensive, requiring both medical and legal input to each disclosure decision.

Some commenters recommended deletion of the minimum necessary standard with regard to "uses." Other commenters specifically recommended deletion of the requirement that the standard be applied on an individual, case-by-case basis. Rather, they suggested that the covered entity be allowed to establish general policies to meet the requirement. Another commenter similarly urged that the standard not apply to internal disclosures or for internal health care operations such as quality improvement/assurance activities. The commenter recommended that medical groups be allowed to develop their own standards to ensure that these activities are carried out in a manner that best helps the group and its patients.

Other commenters expressed confusion and requested clarification as to how the standard as proposed would actually work in day-to-day operations within an entity.

Response: Commenters' arguments regarding the workability of this standard as proposed were persuasive, and we therefore make significant modification to address these comments and improve the workability of the standard. For all uses and many disclosures, we require covered entities to address 'minimum necessary' uses and disclosures in their policies and procedures (see § 164.530), which may be standard protocols. We require implementation of such policies in lieu of making the 'minimum necessary' determination for each separate use and disclosure.

For uses, covered entities must implement policies and procedures that restrict access to and use of protected health information based on the specific professional roles of members of the covered entity's workforce. The policies and procedures must identify the persons or classes of persons in the entity's workforce who need access to protected health information to carry out their duties and the category or categories of protected health information to which such persons or classes need access. These role-based access rules must also identify the conditions, as appropriate, that would apply to such access. For example, an institutional health care provider could allow physicians access to all records under the condition that the viewing of medical records of patients not under their care is recorded and reviewed. Other health professionals' access could be limited to time periods when they are on duty. Information available to staff who are responsible for scheduling surgical procedures could be limited to certain data. In many instances, use of order forms or selective copying of relevant portions of a record may be appropriate policies to meet this requirement.

Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures (which may be standard protocols) to limit the protected health information in routine disclosures to the minimum information reasonably necessary to achieve the purpose of that type of disclosure. For non-routine disclosures, a covered entity must develop reasonable criteria to limit the protected health information disclosed to the minimum necessary to accomplish the purpose for which disclosure is sought, and to implement procedures for review of disclosures on an individual basis.

We modify the proposed standard to require the covered entity to make "reasonable efforts" to meet the minimum necessary standard (not "all" reasonable efforts, as proposed). What is reasonable will vary with the circumstances. When it is practical to use order forms or selective copying of relevant portions of the record, the covered entity is required to do so. Similarly, this flexibility in the standard takes into account the ability of the covered entity to configure its record system to allow selective access to only certain fields, and the practicality of organizing systems to allow this capacity. It might be reasonable for a covered entity with a highly computerized information system to implement a system under which employees with certain functions have access to only limited fields in patient records, while other employees have access to the complete records. Such a system might not be reasonable for a covered entity with a largely paper records system.

Covered entities' policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed.
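The role-based access rules described above (physicians may view any record but out-of-care-team views are recorded and reviewed, other staff only while on duty, scheduling staff limited to certain fields) and the requirement that an entire record be released only under a specific justification can be expressed as an evaluable policy. The following is an added illustration, not the rule's text and not any real system; the roles, categories, users and patient are constructed, and the shift check assumes a shift that falls within a single day.

```python
"""Role-based "minimum necessary" access rules.

Added illustration of the approach the preamble describes, not the rule's
text and not a real system. Each role is given the categories of protected
health information it may use and the conditions on that use: physicians
may view any record, but viewing a patient outside their care team is
recorded for review; nurses only while on duty; schedulers only the fields
needed to book a procedure. A request for the entire record is refused
unless a documented justification accompanies it. Roles, users and the
patient are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

ENTIRE_RECORD = frozenset({"demographics", "diagnoses", "medications",
                           "notes", "procedure_requests", "insurance"})


@dataclass(frozen=True)
class Role:
    categories: frozenset                   # PHI categories this role may use
    on_duty_only: bool = False              # access limited to the user's shift
    review_outside_care_team: bool = False  # out-of-panel views are logged


POLICY = {
    "physician": Role(ENTIRE_RECORD, review_outside_care_team=True),
    "nurse": Role(frozenset({"demographics", "diagnoses", "medications", "notes"}),
                  on_duty_only=True),
    "scheduler": Role(frozenset({"demographics", "procedure_requests"})),
}


@dataclass
class Decision:
    granted: frozenset                                   # categories released
    refused: frozenset                                   # categories withheld
    review_entries: list = field(default_factory=list)   # access-review log lines


def evaluate(user: dict, patient: dict, requested: frozenset,
             when: datetime, justification: Optional[str] = None) -> Decision:
    """Apply the role's category list and conditions to one access request."""
    role = POLICY[user["role"]]
    entries = []
    if role.on_duty_only:
        start, end = user["shift"]  # assumes a shift within one calendar day
        if not (start <= when.time() < end):
            entries.append(f"{user['id']} off duty at {when:%H:%M}; request refused")
            return Decision(frozenset(), requested, entries)
    if requested >= ENTIRE_RECORD and not justification:
        entries.append(f"{user['id']} requested entire record without justification; refused")
        return Decision(frozenset(), requested, entries)
    granted = requested & role.categories
    if role.review_outside_care_team and user["id"] not in patient["care_team"]:
        entries.append(f"{user['id']} viewed {patient['id']} outside care team: "
                       f"{sorted(granted)}")
    return Decision(granted, requested - granted, entries)


# Constructed users, patient and request times.
DR_LEE = {"id": "u-lee", "role": "physician"}
RN_PATEL = {"id": "u-patel", "role": "nurse", "shift": (time(7), time(19))}
SCHEDULER = {"id": "u-sched", "role": "scheduler"}
PATIENT = {"id": "p-0001", "care_team": {"u-patel", "u-other"}}
WHEN_DAY = datetime(2000, 12, 28, 8, 0)
WHEN_NIGHT = datetime(2000, 12, 28, 2, 0)

if __name__ == "__main__":
    for user, req, when, why in [
        (SCHEDULER, frozenset({"demographics", "procedure_requests", "insurance"}), WHEN_DAY, None),
        (RN_PATEL, frozenset({"medications"}), WHEN_NIGHT, None),
        (DR_LEE, frozenset({"notes"}), WHEN_DAY, None),
        (DR_LEE, ENTIRE_RECORD, WHEN_DAY, "transfer of care"),
    ]:
        d = evaluate(user, PATIENT, req, when, why)
        print(user["id"], "granted", sorted(d.granted), "refused", sorted(d.refused), d.review_entries)
```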

We believe that these modifications significantly improve the workability of this standard. At the same time, we believe that asking covered entities to assess their practices and establish rules for themselves will lead to significant improvements in the privacy of health information. See the preamble for § 164.514 for a more detailed discussion.

Comment: The minimum necessary standard should not be applied to uses and disclosures for payment or health care operations.

Response: Commenters' arguments for exempting these uses and disclosures from the minimum necessary standard were not compelling. We believe that our modifications to application of the minimum necessary standard to internal uses of protected health information, and to routine disclosures, address many of the concerns raised, particularly the concerns about administrative burdens and the concerns about having the information necessary for day-to-day operations. We do not eliminate this standard in part because we also remain concerned that covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary, to avoid the administrative step of extracting the necessary information (or redacting the unnecessary information). We also believe this standard will cause covered entities to assess their privacy practices, give the privacy interests of their patients and enrollees greater attention, and make improvements that might otherwise not have been made. For this reason, the privacy benefits of retaining the minimum necessary standard for these purposes outweigh the burdens involved. We note that the minimum necessary standard is tied to the purpose of the disclosure; thus, providers may disclose protected health information as necessary to obtain payment.

Comment: Other commenters urged us to apply a "good faith" provision to all disclosures subject to the minimum necessary standard. Commenters presented a range of options to modify the proposed provisions which, in their view, would have mitigated their liability if they failed to comply with minimum necessary standard.

Response: We believe that the modifications to this standard, described above, substantially address these commenters' concerns. In addition to allowing the covered entity to use standard protocols for routine disclosures, we modify the standard to require a covered entity to make "reasonable efforts," not "all" reasonable efforts as proposed, in making the "minimum necessary" disclosure.

Comments: Some commenters complained that language in the proposed rule was vague and provided little guidance, and should be abandoned.

Response: In the preamble for § 164.504 and these responses to comments, we provide further guidance on how a covered entity can develop its policies for the minimum necessary use and disclosure of protected health information. We do not abandon this standard for the reasons described above. We remain concerned about the number of persons who have access to identifiable health information, and believe that causing covered entities to examine their practices will have significant privacy benefits.

Comment: Some commenters asked that the minimum necessary standard should not be applied to disclosures to business partners. Many of these commenters articulated the burdens they would bear if every disclosure to a business partner was required to meet the minimum necessary standard.

Response: We do not agree. In this final rule, we minimize the burden on covered entities in the following ways: in circumstances where disclosures are made on a routine, recurring basis, such as in on-going relationships between covered entities and their business associates, individual review of each routine disclosure has been eliminated; covered entities are required only to develop standard protocols to apply to such routine disclosures made to business associates (or types of business associates). In addition, we allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Some commenters were concerned that applying the standard in research settings will result in providers declining to participate in research protocols.

Response: We have modified the proposal to reduce the burden on covered entities that wish to disclose protected health information for research purposes. The final rule requires covered entities to obtain documentation or statements from persons requesting protected health information for research that, among other things, describe the information necessary for the research. We allow covered entities to reasonably rely on the documentation or statements as describing the minimum necessary disclosure.

Comment: Some commenters argued that government requests should not be subject to the minimum necessary standard, whether or not they are "authorized by law."

Response: We found no compelling reason to exempt government requests from this standard, other than when a disclosure is required by law. (See preamble to § 164.512(a) for the rationale behind this policy). When a disclosure is required by law, the minimum necessary standard does not apply, whether the recipient of the information is a government official or a private individual.

At the same time, we understand that when certain government officials make requests for protected health information, some covered entities might feel pressure to comply that might not be present when the request is from a private individual. For this reason, we allow (but do not require) covered entities to reasonably rely on the representations of public officials as to the minimum necessary information for the purpose.

Comment: Some commenters argued that requests under proposed § 164.510 should not be subject to the minimum necessary standard, whether or not they are "authorized by law." Others argued that for disclosures made for administrative proceedings pursuant to proposed § 164.510, the minimum necessary standard should apply unless they are subject to a court order.

Response: We found no compelling reason to exempt disclosures for purposes listed in the regulation from this standard, other than for disclosures required by law. When there is no such legal mandate, the disclosure is voluntary on the part of the covered entity, and it is therefore reasonable to expect the covered entity to make some effort to protect privacy before making such a disclosure. If the covered entity finds that redacting unnecessary information, or extracting the requested information, prior to making the disclosure, is too burdensome, it need not make the disclosure. Where there is ambiguity regarding what information is needed, some effort on the part of the covered entity can be expected in these circumstances.

We also found no compelling reason to limit the exemption for disclosures "required by law" to those made pursuant to a court order. The judgment of a state legislature or regulatory body that a disclosure is required is entitled to no less deference than the same decision made by a court. For further rationale for this policy, see the preamble to § 164.512(a).

Comment: Some commenters argued that, in cases where a request for disclosure is not required by law, covered entities should be permitted to rely on the representations by public officials that they have requested no more than the minimum amount necessary.

Response: We agree, and retain the proposed provision which allows reasonable reliance on the representations of public officials.

Comment: Some commenters argued that it is inappropriate to require covered entities to distinguish between disclosures that are "required by law" and those that are merely "authorized by law," for the purposes of determining when the standard applies.

Response: We do not agree. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. In addition, § 164.514(h) allows covered entities to reasonably rely on the oral or written representation of public officials that a disclosure is required by law.

Comment: The minimum necessary standard should not be applied to pharmacists, or to emergency services.

Response: We believe that the final rule's exemption of disclosures of protected health information to health care providers for treatment purposes from the minimum necessary standard addresses these commenters' concerns about emergency services. Together with the other changes we make to the proposed standard, we believe we have also addressed most of the commenters' concerns about pharmacists. With respect to pharmacists, the comments offered no persuasive reasons to treat pharmacists differently from other health care providers. Our reasons for retaining this standard for other uses and disclosures of protected health information are explained above.

Comment: A number of commenters argued that the standard should not apply to disclosures to attorneys, because it would interfere with the professional duties and judgment of attorneys in their representation of covered entities. Commenters stated that if a layperson within a covered entity makes an improper decision as to what the minimum necessary information is in regard to a request by the entity's attorney, the attorney may end up lacking information that is vital to representation. These commenters stated that attorneys are usually going to be in a better position to determine what information is truly the minimum necessary for effective counsel and representation of the client.

Response: We found no compelling reason to treat attorneys differently from other business associates. However, to ensure that this rule does not inadvertently cause covered entities to second-guess the professional judgment of the attorneys and other professionals they hire, we modify the proposed policies to explicitly allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Commenters from the law enforcement community expressed concern that providers may attempt to misuse the minimum necessary standard as a means to restrict access to information, particularly with regard to disclosures for health oversight or to law enforcement officials.

Response: The minimum necessary standard does not apply to disclosures required by law. Since the disclosures to law enforcement officials to which this standard applies are all voluntary, there would be no need for a covered entity to "manipulate" the standard; it could decline to make the disclosure.

Comment: Some commenters argued that the only exception to the application of the standard should be when an individual requests access to his or her own information. Many of these commenters expressed specific concerns about victims of domestic violence and other forms of abuse.

Response: We do not agree with the general assertion that disclosure to the individual is the only appropriate exception to the minimum necessary standard. There are other, limited, circumstances in which application of the minimum necessary standard could cause significant harm. For reasons described above, disclosures of protected health information for treatment purposes are not subject to this standard. Similarly, as described in detail in the preamble to § 164.512(a), where another public body has mandated the disclosure of health information, upsetting that judgment in this regulation would not be appropriate.

The more specific concerns expressed about victims of domestic violence and other forms of abuse are addressed in a new provision regarding disclosure of protected health information related to domestic violence and abuse (see § 164.512(c)), and in new limitations on disclosures to persons involved in the individual's care (see § 164.510(b)). We believe that the limitations we place on disclosure of health information in those circumstances address the concerns of these commenters.

Comment: Some commenters argued that disclosures to next of kin should be restricted to minimum necessary protected health information, and to protected health information about only the current medical condition.

Response: In the final regulation, we change the proposed provision regarding "next of kin" to more clearly focus on the disclosures we intended to target: disclosures to persons involved in the individual's care. We allow such disclosure only with the agreement of the individual, or where the covered entity has offered the individual the opportunity to object to the disclosure and the individual did not object. If the opportunity to object cannot practicably be provided because of the incapacity of the individual or other emergency, we require covered entities to exercise professional judgment in the best interest of the patient in deciding whether to disclose information. In such cases, we permit disclosure only of that information directly relevant to the person's involvement with the individual's health care. (This provision also includes limited disclosure to certain persons seeking to identify or locate an individual.) See § 164.510(b).

Some additional concerns expressed about victims of domestic violence and other forms of abuse are also addressed in a new section on disclosure of protected health information related to domestic violence and abuse. See § 164.512(c). We believe that the limitations we place on disclosure of health information in these provisions address the concerns of these commenters.

Comment: Some commenters argued that covered entities should be required to determine whether de-identified information could be used before disclosing information under the minimum necessary standard.

Response: We believe that requiring covered entities' policies and procedures for minimum necessary disclosures to address whether de-identified information could be used in all instances would impose burdens on some covered entities that could outweigh the benefits of such a requirement. There is significant variation in the sophistication of covered entities' information systems. Some covered entities can reasonably implement policies and procedures that make significant use of de-identified information; other covered entities would find such a requirement excessively burdensome. For this reason, we chose instead to require "reasonable efforts," which can vary according to the situation of each covered entity.

In addition, we believe that the fact that we allow de-identified information to be disclosed without regard to the policies, procedures, and documentation required for disclosure of identifiable health information will provide an incentive to encourage its use where appropriate.

Comment: Several commenters argued that standard transactions should not be subject to the standard.

Response: We agree that data elements that are required or situationally required in the standard transactions should not be, and are not, subject to this standard. However, in many cases, covered entities have significant discretion as to the information included in these transactions. Therefore, this standard does apply to those optional data elements.

Comment: Some commenters asked for clarification to understand how the minimum necessary standard is intended to interact with the security NPRM.

Response: The proposed Security Rule included requirements for electronic health information systems to include access management controls. Under this regulation, the covered entity's privacy policies will determine who has access to what protected health information. We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: Many commenters, representing health care providers, argued that if the request was being made by a health plan, the health plan should be required to request only the minimum protected health information necessary. Some of these commenters stated that the requestor is in a better position to know the minimum amount of information needed for their purposes. Some of these commenters argued that the minimum necessary standard should be imposed only on the requesting entity. A few of these commenters argued that both the disclosing and the requesting entity should be subject to the minimum necessary standard, to create "internal tension" to assure the standard is honored.

Response: We agree, and in the final rule we require that a request for protected health information made by one covered entity to another covered entity must be limited to the minimum amount necessary for the purpose. As with uses and disclosures of protected health information, covered entities may have standard protocols for routine requests. Similarly, this requirement does not apply to requests made to health care providers for treatment purposes. We modify the rule to balance this provision; that is, it now applies both to disclosure of and requests for protected health information. We also allow, but do not require, the covered entity releasing the information to reasonably rely on the assertion of a requesting covered entity that it is requesting only the minimum protected health information necessary.

Comment: A few commenters suggested that there should be a process for resolving disputes between covered entities over what constitutes the 'minimum necessary' information.

Response: We do not intend that this rule change the way covered entities currently handle their differences regarding the disclosure of health information. We understand that the scope of information requested from providers by health plans is a source of tension in the industry today, and we believe it would not be appropriate to use this regulation to affect that debate. As discussed above, we require both the requesting and the disclosing covered entity to take privacy concerns into account, but do not inject additional tension into the on-going discussions.

Section 164.514(e)--Marketing

Comment: Many commenters requested clarification of the boundaries between treatment, payment, health care operations, and marketing. Some of these commenters requested clarification of the apparent inconsistency between language in proposed § 164.506(a)(1)(i) (a covered entity is permitted to use or disclose protected health information without authorization "to carry out" treatment, payment, or health care operations) and proposed § 164.508(a)(2)(A) (a covered entity must obtain an authorization for all uses and disclosures that are not "compatible with or directly related to" treatment, payment, and health care operations). They suggested retaining the language in proposed § 164.508(a)(2)(A), which would permit a broader range of uses and disclosures without authorization, in order to engage in health promotion activities that might otherwise be considered marketing.

Response: In the final rule, we make several changes to the definitions of treatment, payment, and health care operations that are intended to clarify the uses and disclosures of protected health information that may be made for each purpose. See § 164.501 and the corresponding preamble discussion regarding the definitions of these terms. We also have added a definition of the term "marketing" to help establish the boundary between marketing and treatment, payment, and health care operations. See § 164.501. We also clarify the conditions under which authorization is or is not required for uses and disclosures of protected health information for marketing purposes. See § 164.514(e). Due to these changes, we believe it is appropriate to retain the wording from proposed § 164.506(a)(1)(i).

Comment: We received a wide variety of suggestions with respect to authorization for uses and disclosures of protected health information for marketing purposes. Some commenters supported requiring authorization for all such uses and disclosures. Other commenters suggested permitting all such uses and disclosures without authorization.

Some commenters suggested we distinguish between marketing to benefit the covered entity and marketing to benefit a third party. For example, a few commenters suggested we should prohibit covered entities from seeking authorization for any use or disclosure for marketing purposes that benefit a third party. These commenters argued that the third parties should be required to obtain the individual's authorization directly from the individual, not through a covered entity, due to the potential for conflicts of interest.

While a few commenters suggested that we require covered entities to obtain authorization to use or disclose protected health information for the purpose of marketing their own products and services, the majority argued these types of marketing activities are vital to covered entities and their customers and should therefore be permitted to occur without authorization. For example, commenters suggested covered entities should be able to use and disclose protected health information without authorization in order to provide appointment reminders, newsletters, information about new initiatives, and program bulletins.

Finally, many commenters argued we should not require authorization for the use or disclosure of protected health information to market any health-related goods and services, even if those goods and services are offered by a third party. Some of these commenters suggested that individuals should have an opportunity to opt out of these types of marketing activities rather than requiring authorization.

Response: We have modified the final rule in ways that address a number of the issues raised in the comments. First, the final rule defines the term marketing, and excepts certain communications from the definition. See § 164.501. These exceptions include communications made by covered entities for the purpose of describing network providers or other available products, services, or benefits and communications made by covered entities for certain treatment-related purposes. These exceptions only apply to oral communications or to written communications for which the covered entity receives no third-party remuneration. The exceptions to the definition of marketing fall within the definitions of treatment and/or health care operations, and therefore uses, or disclosures to a business associate, of protected health information for these purposes are permissible under the rule without authorization.

The final rule also permits covered entities to use protected health information to market health-related products and services, whether they are the products and services of the covered entity or of a third party, subject to a number of limitations. See § 164.514(e). We permit these uses to allow entities in the health sector to inform their patients and enrollees about products that may benefit them. The final rule contains significant restrictions, including requirements that the covered entity disclose itself as the source of a marketing communication, that it disclose any direct or indirect remuneration from third parties for making the disclosure, and that, except in the cases of general communications such as a newsletter, the communication disclose how the individual can opt-out of receiving additional marketing communications. Additional requirements are imposed if the communication is targeted based on the health status or condition of the proposed recipients.

We believe that these modifications address many of the issues raised by commenters and provide a substantial amount of flexibility as to when a covered entity may communicate about a health-related product or service to a patient or enrollee. These communications may include appointment reminders, newsletters, and information about new health products. These changes, however, do not permit a covered entity to disclose protected health information to third parties for marketing (other than to a business associate to make a marketing communication on behalf of the covered entity) without authorization under § 164.508.

Comment: A few commenters suggested we prohibit health care clearinghouses from seeking authorization for the use or disclosure of protected health information for marketing purposes.

Response: We do not prohibit clearinghouses from seeking authorizations for these purposes. We believe, however, that health care clearinghouses will almost always create or obtain protected health information in a business associate capacity. Business associates may only engage in activities involving the use or disclosure of protected health information, including seeking or acting on an authorization, to the extent their contracts allow them to do so. When a clearinghouse creates or receives protected health information other than as a business associate of a covered entity, it is permitted and required to obtain authorizations to the same extent as any other covered entity.

Comment: A few commenters suggested we require covered entities to publicly disclose, on the covered entity's website or upon request, all of their marketing arrangements.

Response: While we agree that such a requirement would provide individuals with additional information about how their information would be used, we do not feel that such a significant intrusion into the business practices of the covered entity is warranted.

Comment: Some commenters argued that if an activity falls within the scope of payment, it should not be considered marketing. Commenters strongly supported an approach which would bar an activity from being construed as "marketing" even if performing that activity would result in financial gain to the covered entity. In a similar vein, we were urged to adopt the position that if an activity was considered payment, treatment or health care operations, it could not be further evaluated to determine whether it should be excluded as marketing.

Response: We considered the approach offered by commenters but decided against it. Some activities, such as the marketing of a covered entity's own health-related products or services, are now included in the definition of health care operations, provided certain requirements are met. Other types of activities, such as the sale of a patient list to a marketing firm, would not be permitted under this rule without authorization from the individual. We do not believe that we can envision every possible disclosure of health information that would violate the privacy of an individual, so any list would be incomplete. Therefore, whether or not a particular activity is considered marketing, payment, treatment or health care operations will be a fact-based determination based on the activity's congruence with the particular definition.

Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They suggested we adopt a definition of disease management that differentiates use of information for the best interests of the patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.

Response: We agree in general that the sale of unrelated products to individuals is not a population-based activity that supports treatment and payment. However, in certain circumstances marketing activities are permitted as a health care operation; see the definition of "health care operations" in § 164.501 and the related marketing requirements of § 164.514.

Comment: Some commenters complained that the absence of a definition for disease management created uncertainty, in view of the proposed rule's requirement to get authorization for marketing. They expressed concern that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses. They also stated that the proposed rule would prevent many disease management and preventive health activities.

Response: We agree that the distinction in the NPRM between disease management and marketing was unclear. Rather than provide a definition of disease management, this final rule defines marketing. We note that overlap between disease management and marketing exists today in practice and they cannot be distinguished easily with a definitional label. However, for purposes of this rule, the revised language makes clear for what activities an authorization is required. We note that under this rule many of the activities mentioned by commenters will not require authorizations under most circumstances. See the discussion of disease management under the definition of "treatment" in § 164.501.

Section 164.514(f)--Fundraising

Comment: Many comments objected to the requirement that an authorization from the individual be obtained for use and disclosure of protected health information for fundraising purposes. They argued that, in the case of not-for-profit health care providers, having to obtain authorization would be time consuming and costly, and that such a requirement would lead to a decrease in charitable giving. The commenters also urged that fundraising be included within the definition of health care operations. Numerous commenters suggested that they did not need unfettered access to patient information in order to carry out their fundraising campaigns. They stated that a limited data set restricted to name, address, and telephone number would be sufficient to meet their needs. Several commenters suggested that we create a voluntary opt-out provision so people can avoid solicitations.

Response: We agree with commenters that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit. Permissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).

Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity.

We also agree that broad access to protected health information is unnecessary for fundraising and unnecessarily intrudes on individual privacy. The final rule limits protected health information to be used or disclosed for fundraising to demographic information and the date that treatment occurred. Demographic information is not defined in the rule, but will generally include in this context name, address and other contact information, age, gender, and insurance status. The term does not include any information about the illness or treatment.

We also agree that a voluntary opt-out is an appropriate protection, and require in § 164.520 that covered entities provide information on their fundraising activities in their "Notice of Information Practices." As part of the notice and in any fundraising materials, covered entities must provide information explaining how individuals may opt out of fundraising communications.

Comment: Some commenters stated that use and disclosure of protected health information for fundraising, without authorization, should be limited to not-for-profit entities. They suggested that not-for-profit entities were in greater need of charitable contributions and, as such, they should be exempt from the authorization requirement while for-profit organizations should have to comply with the requirement.

Response: We do not agree that the profit status of a covered entity should determine its allowable use of protected health information for fundraising. Many for-profit entities provide the same services and have similar missions to not-for-profit entities. Therefore, the final rule does not make this distinction.

Comment: Several commenters suggested that the final rule should allow the internal use of protected health information for fundraising, without authorization, but not disclosure for fundraising. These commenters suggested that by limiting access to protected health information to only internal development offices, concerns about misuse would be reduced.

Response: We do not agree. A number of commenters noted that they have related charitable foundations that raise funds for the covered entity, and we permit disclosures to such foundations to ensure that this rule does not interfere with charitable giving.

Comment: Several commenters asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.

Section 164.514(g)--Verification

Comment: A few commenters suggested that verification guidelines may need to be different as they apply to emergency clinical situations as opposed to routine data collection where delays do not threaten health.

Response: We agree, and make special provisions in §§ 164.510 and 164.512 for disclosures of protected health information by a covered entity without authorization where the individual is unable to agree or object to disclosure due to incapacity or other emergency circumstance.

For example, a health care provider may need to make disclosures to family members, close personal friends, and others involved in the individual's care in emergency situations. Similarly, a health care provider may need to respond to a request from a hospital seeking protected health information in a circumstance described as an emergency. In each case, we require only that the covered entity exercise professional judgment, in the best interest of the patient, in deciding whether to make a disclosure. Based on the comments and our fact finding, this reflects current practice.

Comment: A few commenters stated the rules should include provisions for electronic verification of identity (such as Public Key Infrastructure (PKI)) as established in the regulations on Security and Electronic Signatures. One commenter suggested that some kind of PKI credentialing certificate should be required.

Response: This regulation does not address specific technical protocols utilized to meet the verification requirements. If the requirements of the rule are otherwise met, the mechanism for meeting them can be determined by the covered entity.

Comment: A few commenters wanted more clarification on the verification procedures. One commenter wanted to know if contract number is enough for verification. A few commenters wanted to know if a callback or authorization on a letterhead is acceptable. A few commenters wanted to know if plans are considered to "routinely do business" with all of their members.

Response: In the final rule, we modify the proposed provision and require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting protected health information. Whether knowledge of a contract number is reasonable evidence of authority and identity will depend on the circumstances. Call-backs and letterhead are typically used today for verification, and are acceptable under this rule if reasonable under the circumstances. For communications with health plan members, the covered entity will already have information about each individual, collected during enrollment, that can be used to establish identity, especially for verbal or electronic inquiries. For example, today many health plans ask for the social security or policy number of individuals seeking information or assistance by telephone. How this verification is done is left up to the covered entity.

Comment: One commenter expressed the need for consistency on verification requirements between this rule and the Security regulation.

Response: We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: One commenter stated that the verification language in proposed § 164.518(c)(2)(ii)(B)(1) would have created a presumption that "a request for disclosure made by official legal process issued by a[n] administrative body" is reasonable legal authority to disclose the protected health information. The commenter was concerned that this provision could be interpreted to permit a state agency to demand the disclosure of protected health information merely on the basis of a letter signed by an agency representative. The commenter believed that the rule specifically should defer to state or federal law on the disclosure of protected health information pursuant to legal process.

Response: The verification provisions in this rule are minimum requirements that covered entities must meet before disclosing protected health information under this regulation. They do not mandate disclosure, nor do they preempt state laws which impose additional restrictions on disclosure. Where state law regarding disclosures is more stringent, the covered entity must adhere to state law.

Comment: A few commenters wanted the verification requirements to apply to disclosures of protected health information for treatment, payment and operations purposes.

Response: We agree. This verification requirement applies to all disclosures of protected health information permitted by this rule, including for treatment, payment and operations, where the identity of the recipient is not known to the covered entity. Routine communications between providers, where existing relationships have been established, do not require special verification procedures.

Comment: A few commenters were concerned that a verbal inquiry for next of kin verification is not consistent with the verification guidelines of this verification subsection and that verbal inquiry would create problems because anyone who purports to be a next of kin could easily obtain information under false pretenses.

Response: In the final rule in § 164.514, we require the covered entity to verify the identity and authority of persons requesting protected health information, where the identity and authority of such person is not known to the covered entity. This applies to next of kin situations. Procedures for disclosures to next of kin, other family members and persons assisting in an individual's care are also discussed in § 164.510(b), which allows the covered entity to exercise professional judgment as to whether the disclosure is in the individual's best interest when the individual is not available to agree to the disclosure or is incapacitated. Requiring written proof of identity in many of these situations, such as when a family member is seeking to locate a relative in an emergency or disaster situation, would create enormous burden without a corresponding enhancement of privacy, and could cause unnecessary delays in these situations. We therefore believe that reliance on professional judgment provides a better framework for balancing the need for privacy with the need to locate and identify individuals.

Comment: A few commenters stated that the verification requirements will provide great uncertainty to providers who receive authorizations from life, disability income and long-term care insurers in the course of underwriting and claims investigation. They are unaware of any breaches of confidentiality associated with these circumstances and believe the rule creates a solution to a non-existent problem. Another commenter stated that it is too burdensome for health care providers to verify requests that are normally received verbally or via fax.

Response: This rule requires covered health care providers to adhere to current best practices for verification. That is, when the requester is not known to the covered provider, the provider makes a reasonable effort to determine that the protected health information is being sent to the entity authorized to receive it. Our fact finding reveals that this is often done by sending the information to a recognizable organizational address or, if the information is being transmitted by fax or phone, by calling the requester back through the main organization switchboard rather than through a direct phone number. We agree that these procedures seem to work reasonably well in current practice and are sufficient to meet the relevant requirements in the final rule.

Comment: One comment suggested requiring a form of photo identification such as a driver's license or certain personal information such as date of birth to verify the identity of the individual.

Response: These are exactly the types of standard procedures for verifying the identity of individuals that are envisioned by the final rule. Most health care entities already conduct such procedures successfully. However, it is unwise to prescribe specific means of verification for all situations. Instead, we require policies and procedures reasonably designed for purposes of verification.

Comment: One professional association said that the example procedure described in the NPRM for asking questions to verify that an adult acting for a young child had the requisite relationship to the child would be quite complex and difficult in practice. The comment asked for specific guidance as to what questions would constitute an adequate attempt to verify such a relationship.

Response: The final rule requires the covered entity to implement policies and procedures that are reasonably designed to comply with the verification requirement in § 164.514. It would not be possible to create the requested specific guidance which could deal with the infinite variety of situations that providers must face, especially the complex ones such as that described by the commenter. As with many of the requirements of this final rule, health care providers are given latitude and expected to make decisions regarding disclosures, based on their professional judgment and experience with common practice, in the best interest of the individual.

Comment: One commenter asserted that ascertaining whether a requestor has the appropriate legal authority is beyond the scope of the training or expertise of most employees in a physician's office. They believe that health care providers must be able to reasonably rely on the authority of the requestor.

Response: In the final regulation we require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting health information. Where the requester is a public official and legal authority is at issue, we provide detailed descriptions of the acceptable methods for such verification in the final rule. For others, the covered entity must implement policies and procedures that are reasonably designed to comply with the requirement to verify the identity and authority of a requestor, but only if the requestor is unknown to the covered entity. As described above, we expect these policies and procedures to document currently used best practices and reliance on professional judgment in the best interest of the individual.

Comment: One commenter expressed concern that the verification/identification procedures may eliminate or significantly reduce their ability to utilize medical records copy services. As written, they believe the NPRM provides the latitude to set up copy service arrangements, but any change that would add restrictions would adversely affect their ability to process an individual's disability claim.

Response: The covered entity can establish reasonable policies and procedures to address verification in routine disclosures under business associate agreements, with, for example, medical records copy services. Nothing in the verification provisions would preclude those activities, nor have we significantly modified the NPRM provision on this issue.

SECTION 164.520--NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

Comment: Many commenters supported the proposal to require covered entities to produce a notice of information practices. They stated that such notice would improve individuals' understanding of how their information may be used and disclosed and would help to build trust between individuals and covered entities. A few comments, however, argued that the notice requirement would be administratively burdensome and expensive without providing significant benefit to individuals.

Response: We retain the requirement for covered health care providers and health plans to produce a notice of information practices. We additionally require health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity to produce a notice. We believe the notice will provide individuals with a clearer understanding of how their information may be used and disclosed and is essential to inform individuals of their privacy rights. The notice will focus individuals on privacy issues, and prompt individuals to have discussions about privacy issues with their health plans, health care providers, and other persons.

The importance of providing individuals with notice of the uses and disclosures of their information and of their rights with respect to that information is well supported by industry groups, and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that "each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual's express authorization." (23) The Commission also recommended that "an insurance institution... notify [an applicant or principal insured] as to: ... the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed; [and] ... the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself." (24) The Privacy Act (5 U.S.C. 552a) requires government agencies to provide notice of the routine uses of information the agency collects and the rights individuals have with respect to that information. In its report "Best Principles for Health Privacy," the Health Privacy Working Group stated, "Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information." (25) The National Association of Insurance Commissioners' Health Information Privacy Model Act requires carriers to provide a written notice of health information policies, standards, and procedures, including a description of the uses and disclosures prohibited and permitted by the Act, the procedures for authorizing and limiting disclosures and for revoking authorizations, and the procedures for accessing and amending protected health information.

Some states require additional notice. For example, Hawaii requires health care providers and health plans, among others, to produce a notice of confidentiality practices, including a description of the individual's privacy rights and a description of the uses and disclosures of protected health information permitted under state law without the individual's authorization. (HRS section 323C-13)

Today, health plan handbooks and evidences of coverage include some of what is required to be in the notice. Industry and standard-setting organizations have also developed notice requirements. The National Committee for Quality Assurance accreditation guidelines state that an accredited managed care organization "communicates to prospective members its policies and practices regarding the collection, use, and disclosure of medical information [and]... informs members... of its policies and procedures on... allowing members access to their medical records." (26) Standards of the American Society for Testing and Materials state, "Organizations and individuals who collect, process, handle, or maintain health information should provide individuals and the public with a notice of information practices." They recommend that the notice include, among other elements, "a description of the rights of individuals, including the right to inspect and copy information and the right to seek amendments [and] a description of the types of uses and disclosures that are permitted or required by law without the individual's authorization." (27) We build on this well-established principle in this final rule.

Comment: We received many comments on the model notice provided in the proposed rule. Some commenters argued that patients seeing similar documents would be less likely to become disoriented when examining a new notice. Other commenters, however, opposed the inclusion of a model notice or expressed concern about particular language included in the model. They maintained that a uniform model notice would never capture the varying practices of covered entities. Many commenters opposed requirements for a particular format or specific language in the notice. They stated that covered entities should be afforded maximum flexibility in fashioning their notices. Other commenters requested inclusion of specific language as a header to indicate the importance of the notice. A few commenters recommended specific formatting requirements, such as font size or type.

Response: On the whole, we found commenters' arguments for flexibility in the regulation more persuasive than those arguing for more standardization. We agree that a uniform notice would not capture the wide variation in information practices across covered entities. We therefore do not include a model notice in the final rule, and do not require inclusion of specific language in the notice (except for a standard header). We also do not require particular formatting. We do, however, require the notice to be written in plain language. (See above for guidance on writing documents in plain language.) We also agree with commenters that the notice should contain a standard header to draw the individual's attention to the notice and facilitate the individual's ability to recognize the notice across covered entities.

We believe that post-publication guidance will be a more effective mechanism for helping covered entities design their notices than the regulation itself. After the rule is published, we can provide guidance on notice content and format tailored to different types of health plans and providers. We believe such specially designed guidance will be more useful than a one-size-fits-all model notice we might publish with this regulation.

Comment: Commenters suggested that the rule should require that the notice regarding privacy practices include specific provisions related to health information of unemancipated minors.

Response: Although we agree that minors and their parents should be made aware of practices related to confidentiality of protected health information of unemancipated minors, we do not require covered entities that treat minors or use their protected health information to include provisions in their notice that are not required of other covered entities. In general, the content of notice requirements in § 164.520(b) does not vary based on the status of the individual being served. We have decided to maintain consistency by declining to prescribe specific notice requirements for minors. The rule does permit a covered entity to provide individuals with notice of its policies and procedures with respect to anticipated uses and disclosures of protected health information (§ 164.520(b)(2)), and providers are encouraged to do so.

Comment: Some commenters argued that covered entities should not be required to distinguish between those uses and disclosures that are required by law and those that are permitted by law without authorization, because these distinctions may not always be clear and will vary across jurisdictions. Some commenters maintained that simply stating that the covered entity would make all disclosures required by law would be sufficient. Other comments suggested that covered entities should be able to produce very broadly stated notices so that repeated revisions and mailings of those revisions would not be necessary.

Response: While we believe that covered entities have an independent duty to understand the laws to which they are subject, we also recognize that it could be difficult to convey such legal distinctions clearly and concisely in a notice. We therefore eliminate the proposed requirement for covered entities to distinguish between those uses and disclosures that are required by and those that are permitted by law. We instead require that covered entities describe each purpose for which they are permitted or required to use or disclose protected health information under this rule and other applicable law without individual consent or authorization. Specifically, covered entities must describe the types of uses and disclosures they are permitted to make for treatment, payment, and health care operations. They must also describe each of the purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written consent or authorization (even if they do not plan to make a permissive use or disclosure). We believe this requirement provides individuals with sufficient information to understand how information about them can be used and disclosed and to prompt them to ask for additional information to obtain a clearer understanding, while minimizing covered entities' burden.

A notice that stated only that the covered entity would make all disclosures required by law, as suggested by some of these commenters, would fail to inform individuals of the uses and disclosures of information about them that are permitted, but not required, by law. We clarify that each and every disclosure required by law need not be listed on the notice. Rather, the covered entity can include a general statement that disclosures required by law will be made.

Comment: Some comments argued that the covered entity should not have to provide notice about uses and disclosures that are permitted under the rule without authorization. Other comments suggested that the notice should inform individuals about all of the uses and disclosures that may be made, with or without the individual's authorization.

Response: When the individual's permission is not required for uses and disclosures of information, we believe providing the required notice is the most effective means of ensuring that individuals are aware of how information about them may be shared. The notice need not describe uses and disclosures for which the individual's permission is required, because the individual will be informed of these at the time permission to use or disclose the information is requested.

We additionally require covered entities, even those required to obtain the individual's consent for use and disclosure of protected health information for treatment, payment, and health care operations, to describe those uses and disclosures in their notice. (See § 164.506 and the corresponding preamble discussion regarding consent requirements.) We require these uses and disclosures to be described in the notice in part in order to reduce the administrative burden on covered providers that are required to obtain consent. Rather than obtaining a new consent each time the covered provider's information policies and procedures are materially revised, covered providers may revise and redistribute their notice. We also expect that the description of how information may be used to carry out treatment, payment, and health care operations in the notice will be more detailed than in the more general consent document.

Comment: Some commenters argued that covered entities should not be required to provide notice of the right to request restrictions, because doing so would be burdensome to the covered entity and distracting to the individual; because individuals have the right whether they are informed of such right or not; and because the requirement would be unlikely to improve patient care.

Response: We disagree. We believe that the ability of an individual to request restrictions is an important privacy right and that informing people of their rights improves their ability to exercise those rights. We do not believe that adding a sentence to the notice is burdensome to covered entities.

Comment: We received comments supporting inclusion of a contact point in the notice, so that individuals will not be forced to make multiple calls to find someone who can assist them with the issues in the notice.

Response: We retain the requirement, but clarify that the title of the contact person is sufficient. A person's name is not required.

Comment: Some commenters argued that we could facilitate compliance by requiring the notice to include the proposed requirement that covered entities use and disclose only the minimum necessary protected health information.

Response: We do not agree that adding such a requirement would strengthen the notice. The purpose of the notice is to inform individuals of their privacy rights, and of the purposes for which protected health information about them may be used or disclosed. Informing individuals that covered entities may use and disclose only the minimum necessary protected health information for a purpose would not increase individuals' understanding of their rights or the purposes for which information may be used or disclosed.

Comment: A few commenters supported allowing covered entities to apply changes in their information practices to protected health information obtained prior to the change. They argued that requiring different protections for information obtained at different times would be inefficient and extremely difficult to administer. Some comments supported requiring covered entities to state in the notice that the information policies and procedures are subject to change.

Response: We agree. In the final rule, we provide a mechanism by which covered entities may revise their privacy practices and apply those revisions to protected health information they already maintain. We permit, but do not require, covered entities to reserve the right to change their practices and apply the revised practices to information previously created or obtained. If a covered entity wishes to reserve this right, it must make a statement to that effect in its notice. If it does not make such a statement, the covered entity may still revise its privacy practices, but it may apply the revised practices only to protected health information created or obtained after the effective date of the notice in which the revised practices are reflected. See § 164.530(i) and the corresponding preamble discussion of requirements regarding changes to information policies and procedures.

Comment: Some commenters requested clarification of the term "material changes" so that entities will be comfortable that they act properly after making changes to their information practices. Some comments stated that entities should notify individuals whenever a new category of disclosures to be made without authorization is created.

Response: The concept of "material change" appears in other notice laws, such as the ERISA requirements for summary plan descriptions. We therefore retain the "materiality" condition for revision of notices, and encourage covered entities to draw on the concept as it has developed through those other laws. We agree that the addition of a new category of use or disclosure of health information that may be made without authorization would likely qualify as a material change.

Comment: We proposed to permit covered entities to implement revised policies and procedures without first revising the notice if a compelling reason existed to do so. Some commenters objected to this proposal because they were concerned that the "compelling reason" exception would give covered entities broad discretion to engage in post hoc violations of its own information practices.

Response: We agree and eliminate this provision. Covered entities may not implement revised information policies and procedures before properly documenting the revisions and updating their notice. See § 164.530(i). Because in the final rule we require the notice to include all disclosures that may be made, not only those the covered entity intends to make, we no longer need this provision to accommodate emergencies.

Comment: Some comments suggested that we require covered entities to maintain a log of all past notices, with changes from the previous notice highlighted. They further suggested we require covered entities to post this log on their web sites.

Response: In accordance with § 164.530(j)(2), a covered entity must retain for six years a copy of each notice it issues. We do not require highlighting of changes to the notice or posting of prior notices, due to the associated administrative burdens and the complexity such a requirement would build into the notice over time. We encourage covered entities, however, to make such materials available upon request.

Comment: Several commenters requested clarification about when, relative to the compliance date, covered entities are required to produce their notice. One commenter suggested that covered entities be allowed a period not less than 180 days after adoption of the final rule to develop and distribute the notice. Other comments requested that the notice compliance date be consistent with other HIPAA regulations.

Response: We require covered entities to have a notice available upon request as of the compliance date of this rule (or the compliance date of the covered entity if such date is later). See § 164.534 and the corresponding preamble discussion of the compliance date.

Comment: Some commenters suggested that covered entities, particularly covered health care providers, should be required to discuss the notice with individuals. They argued that posting a notice or otherwise providing the notice in writing may not achieve the goal of informing individuals of how their information will be handled, because some individuals may not be literate or able to function at the reading level used in the notice. Others argued that entities should have the flexibility to choose alternative modes of communicating the information in the notice, including voice disclosure. In contrast, some commenters were concerned that requirements to provide the notice in plain language or in languages other than English would be overly burdensome.

Response: We require covered entities to write the notice in plain language so that the average reader will be able to understand the notice. We encourage, but do not require, covered entities to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. While we believe the notice will prompt individuals to initiate discussions with their health plans and health care providers about the use and disclosure of health information, we believe this should be a matter left to each individual and that requiring covered entities to initiate discussions with each individual would be overly burdensome.

Comment: Some commenters suggested that covered entities, particularly health plans, should be permitted to distribute their notice in a newsletter or other communication with individuals.

Response: We agree, so long as the notice is sufficiently separate from other important documents. We therefore prohibit covered entities from combining the notice in a single document with either a consent (§ 164.506) or an authorization (§ 164.508), but do not otherwise prohibit covered entities from including the notice in or with other documents the covered entity shares with individuals.

Comment: Some comments suggested that covered entities should not be required to respond to requests for the notice from the general public. These comments indicated that the requirement would place an undue burden on covered entities without benefitting individuals.

Response: We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities' privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public.

Comment: Many commenters argued that the distribution requirements for health plans should be less burdensome. Some suggested requiring distribution upon material revision, but not every three years. Some suggested that health plans should only be required to distribute their notice annually or upon re-enrollment. Some suggested that health plans should only have to distribute their notice upon initial enrollment, not re-enrollment. Other commenters supported the proposed approach.

Response: We agree that the notice distribution requirements for health plans can be less burdensome than in the NPRM while still being effective. In the final rule, we reduce health plans' distribution burden in several ways. First, we require health plans to remind individuals every three years of the availability of the notice and of how to obtain a copy of the notice, rather than requiring the notice to be distributed every three years as proposed. Second, we clarify that health plans only have to distribute the notice to new enrollees on enrollment, not to current members of the health plan upon re-enrollment. Third, we specifically allow all covered entities to distribute the notice electronically in accordance with § 164.520(c)(3).

We retain the requirement for health plans to distribute the notice within 60 days of a material revision. We believe the revised distribution requirements will ensure that individuals are adequately informed of health plans' information practices and any changes to those procedures, without unduly burdening health plans.

Comment: Many commenters argued that health plans should not be required to distribute their notice to every person covered by the plan. They argued that distributing the notice to every family member would be unnecessarily duplicative, costly, and difficult to administer. They suggested that health plans only be required to distribute the notice to the primary participant or to each household with one or more insured individuals.

Response: We agree, and clarify in the final rule that a health plan may satisfy the distribution requirement by providing the notice to the named insured on behalf of the dependents of that named insured. For example, a group health plan may satisfy its notice requirement by providing a single notice to each covered employee of the plan sponsor. We do not require the group health plan to distribute the notice to each covered employee and to each covered dependent of those employees.

Comment: Many comments requested clarification about health plans' ability to distribute the notice via other entities. Some commenters suggested that group health plans should be able to satisfy the distribution requirement by providing copies of the notice to plan sponsors for delivery to employees. Others requested clarification that covered health care providers are only required to distribute their own notice and that health plans should be prohibited from using their affiliated providers to distribute the health plan's notice.

Response: We require health plans to distribute their notice to individuals covered by the health plan. Health plans may elect to hire or otherwise arrange for others, including group health plan sponsors and health care providers affiliated with the health plan, to carry out this distribution. We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule. However, if a covered entity arranges for another person or entity to distribute the covered entity's notice on its behalf and individuals do not receive such notice, the covered entity would be in violation of the rule.

Comment: Some comments stated that covered providers without direct patient contact, such as clinical laboratories, might not have sufficient patient contact information to be able to mail the notice. They suggested we require or allow such providers to form agreements with referring providers or other entities to distribute notices on their behalf or to include their practices in the referring entity's own notice.

Response: We agree with commenters' concerns about the potential administrative and financial burdens of requiring covered providers that have indirect treatment relationships with individuals, such as clinical laboratories, to distribute the notice. Therefore, we require these covered providers to provide the notice only upon request. In addition, these covered providers may elect to reach agreements with other entities to distribute their notice on their behalf, or to participate in an organized health care arrangement that produces a joint notice. See § 164.520(d) and the corresponding preamble discussion of joint notice requirements.

Comment: Some commenters requested that covered health care providers be permitted to distribute their notice prior to an individual's initial visit so that patients could review the information in advance of the visit. They suggested that distribution in advance would reduce the amount of time covered health care providers' staff would have to spend explaining the notice to patients in the office. Other comments argued that providers should distribute their notice to patients at the time the individual visits the provider, because providers lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients.

Response: In the final rule, we clarify that covered providers with direct treatment relationships must provide the notice to patients no later than the first service delivery to the patient after the compliance date. For the reasons identified by these commenters, we do not require covered providers to send their notice to the patient in advance of the patient's visit. We do not prohibit distribution in advance, but only require distribution to the patient as of the time of the visit. We believe this flexibility will allow each covered provider to develop procedures that best meet its and its patients' needs.

Comment: Some comments suggested that covered providers should be required to distribute the notice as of the compliance date. They noted that if the covered provider waited to distribute the notice until first service delivery, it would be possible (pursuant to the rule) for a use or disclosure to be made without the individual's authorization, but before the individual receives the notice.

Response: Because health care providers generally lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients, we do not require covered providers to distribute the notice until the first service delivery after the compliance date. We acknowledge that this policy allows uses and disclosures of health information without individuals' consent or authorization before the individual receives the notice. We require covered entities, including covered providers, to have the notice available upon request as of the compliance date of the rule. Individuals may request a copy of the notice from their provider at any time.

Comment: Many commenters were concerned with the requirement that covered providers post their notice. Some commenters suggested that covered hospital-based providers should be able to satisfy the distribution requirements by posting their notice in multiple locations at the hospital, rather than handing the notice to patients - particularly with respect to distribution after material revisions have been made. Some additionally suggested that these covered providers should have copies of the notice available on site. Some commenters emphasized that the notice must be clear and conspicuous to give individuals meaningful and effective notice of their rights. Other commenters noted that posting the notice will not inform former patients who no longer see the provider.

Response: We clarify in the final rule that the requirement to post a notice does not substitute for the requirement to give individuals a notice or make notices available upon request. Covered providers with direct treatment relationships, including covered hospitals, must give a copy of the notice to the individual as of first service delivery after the compliance date. After giving the individual a copy of the notice as of that first visit, the covered provider has no other obligation to actively distribute the notice. We believe it is unnecessarily burdensome to require covered providers to mail the notice to all current and former patients each time the notice is revised, because unlike health plans, providers may have a difficult time identifying active patients. All individuals, including those who no longer see the covered provider, have the right to receive a copy of the notice on request.

If the covered provider maintains a physical delivery site, it must also post the notice (including revisions to the notice) in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered provider to be able to read the notice. The covered provider must also have the notice available on site for individuals to be able to request and take with them.

Comment: Some comments requested clarification about the distribution requirements for a covered entity that is a health plan and a covered health care provider.

Response: Under § 164.504(g), discussed above, covered entities that conduct multiple types of covered functions, such as the kind of entities described in the above comments, are required to comply with the provisions applicable to a particular type of health care function when acting in that capacity. Thus, in the example described above, the covered entity is required by § 164.504(g) to follow the requirements for health plans with respect to its actions as a health plan and to follow the requirements for health care providers with respect to its actions as a health care provider.

Comment: We received many comments about the ability of covered entities to distribute their notices electronically. Many commenters suggested that we permit covered entities to distribute the notice electronically, either via a web site or e-mail. They argued that covered entities are increasingly using electronic technology to communicate with patients and otherwise administer benefits. They also noted that other regulations permit similar documents, such as ERISA-required summary plan descriptions, to be delivered electronically. Some commenters suggested that electronic distribution should be permitted unless the individual specifically requests a hard copy or lacks electronic access. Some argued that entities should be able to choose a least-cost alternative that allows for periodic changes without excessive mailing costs. A few commenters suggested requiring covered entities to distribute notices electronically.

Response: We clarify in the final rule that covered entities may elect to distribute their notice electronically, provided the individual agrees to receiving the notice electronically and has not withdrawn such agreement. We do not require any particular form of agreement. For example, a covered provider could ask an individual at the time the individual requests a copy of the notice whether she prefers to receive it in hard copy or electronic form. A health plan could ask an individual applying for coverage to provide an e-mail address where the health plan can send the individual information. If the individual provides an e-mail address, the health plan can infer agreement to obtain information electronically.

An individual who has agreed to receive the notice electronically, however, retains the right to request a hard copy of the notice. This right must be described in the notice. In addition, if the covered entity knows that electronic transmission of the notice has failed, the covered entity must produce a hard copy of the notice. We believe this provision allows covered entities flexibility to provide the notice in the form that best meets their needs without compromising individuals' right to adequate notice of covered entities' information practices.

We note that covered entities may also be subject to the Electronic Signatures in Global and National Commerce Act. This rule is not intended to alter covered entities' requirements under that Act.

Comment: Some commenters were concerned that covered providers with "face-to-face" patient contact would have a competitive disadvantage against covered internet-based providers, because the face-to-face providers would be required to distribute the notice in hard copy while internet-based providers could satisfy the requirement by requiring review of the notice on the web site before processing an order. They suggested allowing face-to-face covered providers to satisfy the distribution requirement by asking patients to review the notice posted on site.

Response: We clarify in the final rule that covered health care providers that provide services to individuals over the internet have direct treatment relationships with those individuals. Covered internet-based providers, therefore, must distribute the notice at the first service delivery after the compliance date by automatically and contemporaneously providing the notice electronically in response to the individual's first request for service, provided the individual agrees to receiving the notice electronically.

Even though we require all covered entity web sites to post the entity's notice prominently, we note that such posting is not sufficient to meet the distribution requirements. A covered internet-based provider must send the notice electronically at the individual's first request for service, just as other covered providers with direct treatment relationships must give individuals a copy of the notice as of the first service delivery after the compliance date.

We do not intend to create competitive advantages among covered providers. A web-based and a non-web-based covered provider each have the same alternatives available for distribution of the notice. Both types of covered providers may provide either a paper copy or an electronic copy of the notice.

Comment: We received several comments suggesting that some covered entities should be exempted from the notice requirement or permitted to combine notices with other covered entities. Many comments argued that the notice requirement would be burdensome for hospital-based physicians and result in numerous, duplicative notices that would be meaningless or confusing to patients. Other comments suggested that multiple health plans offered through the same employer should be permitted to produce a single notice.

Response: We retain the requirement for all covered health care providers and health plans to produce a notice of information practices. Health care clearinghouses are required to produce a notice of information practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity. See § 164.500(b)(2). Two other types of covered entities are not required to produce a notice: a correctional institution that is a covered entity and a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs.

We clarify in § 164.504(d), however, that affiliated covered entities under common ownership or control may designate themselves as a single covered entity for purposes of this rule. An affiliated covered entity is only required to produce a single notice.

In addition, covered entities that participate in an organized health care arrangement - which could include hospitals and their associated physicians - may choose to produce a single, joint notice, if certain requirements are met. See § 164.501 and the corresponding preamble discussion of organized health care arrangements.

We clarify that each covered entity included in a joint notice must meet the applicable distribution requirements. If any one of the covered entities, however, provides the notice to a given individual, the distribution requirement with respect to that individual is met for all of the covered entities included in the joint notice. For example, a covered hospital and its attending physicians may elect to produce a joint notice. When an individual is first seen at the hospital, the hospital must provide the individual with a copy of the joint notice. Once the hospital has done so, the notice distribution requirement for all of the attending physicians that provide treatment to the individual at the hospital and that are included in the joint notice is satisfied.

Comment: We solicited and received comments on whether to require covered entities to obtain the individual's signature on the notice. Some commenters suggested that requiring a signature would convey the importance of the notice, would make it more likely that individuals read the notice, and could have some of the same benefits of a consent. They noted that at least one state already requires entities to make a reasonable effort to obtain a signed notice. Other comments noted that the signature would be useful for compliance and risk management purposes because it would document that the individual had received the notice.

The majority of commenters on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for covered entities that do not have direct contact with patients, inconsistent with other notice requirements under other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.

Response: We agree with the majority of commenters and do not require covered entities to obtain the individual's signed acknowledgment of receipt of the notice. We believe that we satisfied most of the arguments in support of requiring a signature with the new policy requiring covered health care providers with direct treatment relationships to obtain a consent for uses and disclosures of protected health information to carry out treatment, payment, and health care operations. See § 164.506 and the corresponding preamble discussion of consent requirements. We note that this rule does not preempt other applicable laws that require a signed notice and does not prohibit a covered entity from requesting an individual to sign the notice.

Comment: Some commenters supported requiring covered entities to adhere to their privacy practices, as described in their notice. They argued that the notice is meaningless if a covered entity does not actually have to follow the practices contained in its notice. Other commenters were concerned that the rule would prevent a covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission from its published notice. Some of these commenters suggested requiring the notice to include a description of some or all disclosures that are required or permitted by law. Some commenters stated that the adherence requirement should be eliminated because it would generally inhibit covered entities' ability to innovate and would be burdensome.

Response: We agree that the value of the notice would be significantly diminished absent a requirement that covered entities adhere to the statements they make in their notices. We therefore retain the requirement for covered entities to adhere to the terms of the notice. See § 164.502(i).

Many of these commenters' concerns regarding a covered entity's inability to use or disclose protected health information due to an intentional or inadvertent omission from the notice are addressed in our revisions to the proposed content requirements for the notice. Rather than require covered entities to describe only those uses and disclosures they anticipate making, as proposed, we require covered entities to describe all uses and disclosures they are required or permitted to make under the rule without the individual's consent or authorization. We permit a covered entity to provide a statement that it will disclose protected health information that is otherwise required by law, as permitted in § 164.512(a), without requiring them to list all state laws that may require disclosure. Because the notice must describe all legally permissible uses and disclosures, the notice will not generally preclude covered entities from making any uses or disclosures they could otherwise make without individual consent or authorization. This change will also ensure that individuals are aware of all possible uses and disclosures that may occur without their consent or authorization, regardless of the covered entity's current practices.

We encourage covered entities, however, to additionally describe the more limited uses and disclosures they actually anticipate making in order to give individuals a more accurate understanding of how information about them will be shared. We expect that certain covered entities will want to distinguish themselves on the basis of their privacy protections. We note that a covered entity that chooses to exercise this option must clearly state that, at a minimum, the covered entity may make disclosures that are required by law and that are necessary to avert a serious and imminent threat to health or safety.

SECTION 164.522--RIGHTS TO REQUEST PRIVACY PROTECTION FOR PROTECTED HEALTH INFORMATION

Section 164.522(a)--Right of an Individual to Request Restriction of Uses and Disclosures

Comment: Several commenters supported the language in the NPRM regarding the right to request restrictions. One commenter specifically stated that this is a balanced approach that addresses the needs of the few who would have reason to restrict disclosures without negatively affecting the majority of individuals. At least one commenter explained that if we required consent or authorization for use and disclosure of protected health information for treatment, payment, and health care operations, then we must also provide a right to request restrictions of such disclosure in order to make the consent meaningful.

Many commenters requested that we delete this provision, claiming it would interfere with patient care, payment, and data integrity. Most of the commenters that presented this position asserted that the framework of giving patients control over the use or disclosure of their information is contrary to good patient care because incomplete medical records may lead to medical errors, misdiagnoses, or inappropriate treatment decisions. Other commenters asserted that covered entities need complete data sets on the populations they serve to effectively conduct research and quality improvement projects and that restrictions would hinder research, skew findings, impede quality improvement, and compromise accreditation and performance measurement.

Response: We acknowledge that widespread restrictions on the use and disclosure of protected health information could result in some difficulties related to payment, research, quality assurance, etc. However, in our efforts to protect the privacy of health information about individuals, we have sought a balance in determining the appropriate level of individual control and the smooth operation of the health care system. In the final rule, we require certain covered providers and permit all covered entities to obtain consent from individuals for use and disclosure of protected health information for treatment, payment, and health care operations (see § 164.506). In order to give individuals some control over their health information for uses and disclosures of protected health information for treatment, payment, and health care operations, we provide individuals with the opportunity to request restrictions of such uses and disclosures.

Because the right to request restrictions encourages discussions about how protected health information may be used and disclosed and about an individual's concerns about such uses and disclosures, it may improve communications between a provider and patient and thereby improve care. According to a 1999 survey on the Confidentiality of Medical Records by the California HealthCare Foundation, one out of every six people engages in behavior to protect themselves from unwanted disclosures of health information, such as lying to providers or avoiding seeking care. This indicates that, without the ability to request restrictions, individuals would have incentives to remain silent about important health information that could have an effect on their health and health care, rather than consulting a health care provider.

Further, this policy is not a dramatic change from the status quo. Today, many state laws restrict disclosures for certain types of health information without the patient's authorization. Even if there is no mandated requirement to restrict disclosures of health information, providers may agree to requests for restrictions of disclosures when a patient expresses particular sensitivity and concern about the disclosure of health information.

We agree that there may be instances in which a restriction could negatively affect patient care. Therefore, we include protections against this occurrence. First, the right to request restrictions is a right of individuals to make the request. A covered entity may refuse to restrict uses and disclosures or may agree only to certain aspects of the individual's request if there is concern for the quality of patient care in the future. For example, if a covered provider believes that it is not in the patient's best medical interest to have such a restriction, the provider may discuss the request for restriction with the patient and give the patient the opportunity to explain the concern for disclosure. Also, a covered provider who is concerned about the implications on future treatment can agree to use and disclose sensitive protected health information for treatment purposes only and agree not to disclose information for payment and operation purposes. Second, a covered provider need not comply with a restriction that has been agreed to if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. This exception should limit the harm to health that may otherwise result from restricting the use or disclosure of protected health information. We encourage covered providers to discuss with individuals that the information may be used or disclosed in emergencies. We require that the covered entity that discloses restricted protected health information in an emergency request that the health care provider that receives such information not further use or re-disclose the information.

Comment: Some health plans stated that an institutionalized right to restrict can interfere with proper payment and can make it easier for unscrupulous providers or patients to commit fraud on insurance plans. They were concerned that individuals could enter into restrictions with providers to withhold information to insurance companies so that the insurance company would not know about certain conditions when underwriting a policy.

Response: This rule does not enhance the ability of unscrupulous patients or health care providers to engage in deceptive or fraudulent withholding of information. This rule grants a right to request a restriction, not an absolute right to restrict. Individuals can make such requests today. Other laws criminalize insurance fraud; this regulation does not change those laws.

Comment: One commenter asserted that patients cannot anticipate the significance that one aspect of their medical information will have on treatment of other medical conditions, and therefore, allowing them to restrict use or disclosure of some information is contrary to the patient's best interest.

Response: We agree that patients may find it difficult to make such a calculus, and that it is incumbent on health care providers to help them do so. Health care providers may deny requests for or limit the scope of the restriction requested if they believe the restriction is not in the patient's best interest.

Comment: One commenter asked whether an individual's restriction to disclosure of information will be a bar to liability for misdiagnosis or failure to diagnose by a covered entity who can trace its error back to the lack of information resulting from such restriction.

Response: Decisions regarding liability and professional standards are determined by state and other law. This rule does not establish or limit liability for covered entities under those laws. We expect that the individual's request to restrict the disclosure of their protected health information would be considered in the decision of whether or not a covered entity is liable.

Comment: One commenter requested that we allow health plans to deny coverage or reimbursement when a covered health care provider's agreement to restrict use or disclosure prevents the plan from getting the information that is necessary to determine eligibility or coverage.

Response: In this rule, we do not modify insurers' rules regarding information necessary for payment. We recognize that restricting the disclosure of information may result in a denial of payment. We expect covered providers to explain this possibility to individuals when considering their requests for restrictions and to make alternative payment arrangements with individuals if necessary.

Comment: Some commenters discussed the administrative burden and cost of the requirement that individuals have the right to request restrictions and that trying to segregate certain portions of information for protection may be impossible. Others stated that the administrative burden would make providers unable to accommodate restrictions, and would therefore give patients false expectations that their right to request restrictions may be acted upon. One commenter expressed concern that large covered providers would have a particularly difficult time establishing a policy whereby the covered entity could agree to restrictions and would have an even more difficult time implementing the restrictions since records may be kept in multiple locations and accessed by multiple people within the organization. Still other commenters believed that the right to request restrictions would invite argument, delay, and litigation.

Response: We do not believe that this requirement is a significant change from current practice. Providers already respond to requests by patients regarding sensitive information, and are subject to state law requirements not to disclose certain types of information without authorization. This right to request is permissive so that covered entities can balance the needs of particular individuals with the entity's ability to manage specific accommodations.

Comment: Some commenters were concerned that a covered entity would agree to a restriction and then realize later that the information must be disclosed to another caregiver for important medical care purposes.

Response: Some individuals seek treatment only on the condition that information about that treatment will not be shared with others. We believe it is necessary and appropriate, therefore, that when a covered provider agrees to such a restriction, the individual must be able to rely on that promise. We strongly encourage covered providers to consider future treatment implications of agreeing to a restriction. We encourage covered entities to inform others of the existence of a restriction when appropriate, provided that such notice does not amount to a de facto disclosure of the restricted information. If the covered provider subject to the restriction believes that disclosing the protected health information that was created or obtained subject to the restriction is necessary to avert harm (and it is not for emergency treatment), the provider must ask the individual for permission to terminate or modify the restriction. If the individual agrees to the termination of the restriction, the provider must document this termination by noting this agreement in the medical record or by obtaining a written agreement of termination from the individual and may use or disclose the information for treatment. If the individual does not agree to terminate or modify the restriction, however, the provider must continue to honor the restriction with respect to protected health information that was created or received subject to the restriction. We note that if the restricted protected health information is needed to provide emergency treatment to the individual who requested the restriction, the covered entity may use or disclose such information for such treatment.

Comment: Commenters asked that we require covered entities to keep an accounting of the requests for restrictions and to report this information to the Department in order for the Department to determine whether covered entities are showing "good faith" in dealing with these requests.

Response: We require that covered entities that agree to restrictions with individuals document such restrictions. A covered entity must retain such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. We do not require covered entities to keep a record of all requests made, including those not agreed to, nor that they report such requests to the Department. The decision to agree to restrictions is that of the covered entity. Because there is no requirement to agree to a restriction, there is no reason to impose the burden to document requests that are denied. Any reporting requirement could undermine the purpose of this provision by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

Comment: One commenter asserted that providers that currently allow such restrictions will choose not to do so under the rule based on the guidance of legal counsel and loss prevention managers, and suggested that the Secretary promote competition among providers with respect to privacy by developing a third-party ranking mechanism.

Response: We believe that providers will do what is best for their patients, in accordance with their ethics codes, and will continue to find ways to accommodate requested restrictions when they believe that it is in the patients' best interests. We anticipate that providers who find such action to be of commercial benefit will notify consumers of their willingness to be responsive to such requests. Involving third parties could undermine the purpose of this provision, by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

Comment: One commenter said that any agreement regarding patient-requested restrictions should be in writing before a covered provider would be held to standards for compliance.

Response: We agree that agreed to restrictions must be documented in writing, and we require that covered entities that agree to restrictions document those restrictions in accordance with § 164.530(j). The writing need not be formal; a notation in the medical record will suffice. We disagree with the request that an agreed to restriction be reduced to writing in order to be enforced. If we adopted the requested policy, a covered entity could agree to a restriction with an individual, but avoid being held to this agreed to restriction under the rule by failing to document the restriction. This would give a covered entity the opportunity to agree to a restriction and then, at its sole discretion, determine if it is enforceable by deciding whether or not to make a note of the restriction in the record about the individual. Because the covered entity has the ability to agree or fail to agree to a restriction, we believe that once the restriction is agreed to, the covered entity must honor the agreement. Any other result would be deceptive to the individual and could lead an individual to disclose health information under the assumption that the uses and disclosures will be restricted. Under § 164.522, a covered entity could be found to be in violation of the rule if it fails to put an agreed-upon restriction in writing and also if it uses or discloses protected health information inconsistent with the restriction.

Comment: Some commenters said that the right to request restrictions should be extended to some of the uses and disclosures permitted without authorization in § 164.510 of the NPRM, such as disclosures to next of kin, for judicial and administrative proceedings, for law enforcement, and for governmental health data systems. Other commenters said that these uses and disclosures should be preserved without an opportunity for individuals to opt out.

Response: We have not extended the right to request restrictions under this rule to disclosures permitted in § 164.512 of the final rule. However, we do not preempt other law that would enforce such agreed-upon restrictions. As discussed in more detail above, we have extended the right to request restrictions to disclosures to persons assisting in the individual's care, such as next of kin, under § 164.510(b). Any restriction that a covered entity agrees to with respect to persons assisting in the individual's care in accordance with the rule will be enforceable under the rule.

Comment: A few commenters raised the question of the effect of a restriction agreed to by one covered entity that is part of a larger covered entity, particularly a hospital. Commenters were also concerned about who may speak on behalf of the covered entity.

Response: All covered entities are required to establish policies and procedures for providing individuals the right to request restrictions, including policies for who may agree to such restrictions on the covered entity's behalf. Hospitals and other large entities that are concerned about employees agreeing to restrictions on behalf of the organization will have to make sure that their policies are communicated appropriately to those employees. The circumstances under which members of a covered entity's workforce can bind the covered entity are a function of other law, not of this regulation.

Comment: Commenters expressed confusion about the intended effect of any agreed-upon restrictions on downstream covered entities. They asserted that it would be extremely difficult for a requested restriction to be followed through the health care system and that it would be unfair to hold covered entities to a restriction when they did not agree to such restriction. Specifically, commenters asked whether a covered provider that receives protected health information in compliance with this rule from a physician or medical group that has agreed to limit certain uses of the information must comply with the original restriction. Other commenters expressed concern that not applying a restriction to downstream covered entities is a loophole and that all downstream covered providers and health plans should be bound by the restrictions.

Response: Under the final rule, a restriction that is agreed to between an individual and a covered entity is only binding on the covered entity that agreed to the restriction and not on downstream entities. It would also be binding on any business associate of the covered entity, since a business associate cannot use or disclose protected health information in any manner that a covered entity would not be permitted to use or disclose such information. We realize that this may limit the ability of an individual to successfully restrict a use or disclosure under all circumstances, but we take this approach for two reasons. First, we allow covered entities to refuse individuals' requests for restrictions. Requiring downstream covered entities to abide by a restriction would be tantamount to forcing them to agree to a request to which they otherwise may not have agreed. Second, some covered entities have information systems which will allow them to accommodate such requests, while others do not. If the downstream provider is in the latter category, the administrative burden of such a requirement would be unmanageable.

We encourage covered entities to explain this limitation to individuals when they agree to restrictions, so individuals will understand that they need to ask all their health plans and providers for desired restrictions. We also require a covered entity that discloses protected health information to a health care provider for emergency treatment, in accordance with § 164.522(a)(iii), to request that the recipient not further use or disclose the information.

Comment: One commenter requested that agreed-to restrictions of a covered entity not be applied to business associates.

Response: As stated in § 164.504(e)(2), business associates are acting on behalf of, or performing services for, the covered entity and may not, with two narrow exceptions, use or disclose protected health information in a manner that would violate this rule if done by the covered entity. Business associates are agents of the covered entity with respect to protected health information they obtain through the business relationship. If the covered entity agrees to a restriction and, therefore, is bound to such restriction, the business associate will also be required to comply with the restriction. If the covered entity has agreed to a restriction, the satisfactory assurances from the business associate, as required in § 164.504(e), must include assurances that protected health information will not be used or disclosed in violation of an agreed to restriction.

Comment: One commenter requested clarification that the right to request restrictions cannot be used to restrict the creation of de-identified information.

Response: We found no reason to treat the use of protected health information to create de-identified information differently from other uses of protected health information. The right to request restrictions applies to any use or disclosure of protected health information to carry out treatment, payment, or health care operations. If the covered entity uses protected health information to create de-identified information, the covered entity need not agree to a restriction of this use.

Comment: Some commenters stated that individuals should be given a true right to restrict uses and disclosures of protected health information in certain defined circumstances (such as for sensitive information) rather than a right to request restrictions.

Response: We are concerned that a right to restrict could create conflicts with the professional ethical obligations of providers and others. We believe it is better policy to allow covered entities to refuse to honor restrictions that they believe are not appropriate and leave the individual with the option of seeking service from a different covered entity. In addition, many covered entities have information systems that would make it difficult or impossible to accommodate certain restrictions.

Comment: Some commenters requested that self-pay patients have additional rights to restrict protected health information. Others believed that this policy would result in de facto discrimination against those patients that could not afford to pay out-of-pocket.

Response: Under the final rule, the decision whether to tie an agreement to restrict to the way the individual pays for services is left to each covered entity. We have not provided self-pay patients with any special rights under the rule.

Comment: Some commenters suggested that we require restrictions to be clearly noted so that insurers and other providers would be aware that they were not being provided with complete information.

Response: Under the final rule, we do not require a covered entity to note the existence of an omission of information, nor do we prohibit it from doing so. We encourage covered entities to inform others of the existence of a restriction, in accordance with professional practice and ethics, when appropriate to do so. In deciding whether or not to disclose the existence of a restriction, we encourage the covered entity to carefully consider whether disclosing the existence is tantamount to disclosure of the restricted protected health information, so as not to violate the agreed-to restriction.

Comment: A few commenters said that covered entities should have the right to modify or revoke an agreement to restrict use or disclosure of protected health information.

Response: We agree that, as circumstances change, covered entities should be able to revisit restrictions to which they had previously agreed. At the same time, individuals should be able to rely on agreements to restrict the use or disclosure of information that they believe is particularly sensitive. If a covered entity would like to revoke or modify an agreed-upon restriction, the covered entity must renegotiate the agreement with the individual. If the individual agrees to modify or terminate the restriction, the covered entity must get written agreement from the individual or must document the oral agreement. If the individual does not agree to terminate or modify the restriction, the covered entity must inform the individual that it is modifying or terminating its agreement to the restriction, and any modification or termination would apply only with respect to protected health information created or received after the covered entity informed the individual of the termination. Any protected health information created or received during the time between when the restriction was agreed to and when the covered entity informed the individual of such modification or termination remains subject to the restriction.

Comment: Many commenters advocated for stronger rights to request restrictions, particularly that victims of domestic violence should have an absolute right to restrict disclosure of information.

Response: We address restrictions for disclosures in two different ways, the right to request restrictions (§ 164.522(a)) and confidential communications (§ 164.522(b)). We have provided all individuals with a right to request restrictions on uses or disclosures of treatment, payment, and health care operations. This is not an absolute right to restrict. Covered entities are not required to agree to requested restrictions; however, if they do, the rule would require them to act in accordance with the restrictions. (See the preamble regarding § 164.522 for a more comprehensive discussion of the right to request restrictions.)

In the final rule, we create a new provision that provides individuals with a right to confidential communications, in response to these comments. This provision grants individuals a right to restrict disclosures of information related to communications made by a covered entity to the individual, by allowing the individual to request that such communications be made to the person at an alternative location or by an alternative means. For example, a woman who lives with an abusive man and is concerned that his knowledge of her health care treatment may lead to additional abuse can request that any mail from the provider be sent to a friend's home or that telephone calls by a covered provider be made to her at work. Other reasonable accommodations may be requested as well, such as requesting that a covered provider never contact the individual by phone, but only by electronic mail. A provider must accommodate an individual's request for confidential communications, under this section, without requiring an explanation as to the reason for the request as a condition of accommodating the request. The individual does not need to be in an abusive situation to make such requests of a covered provider. The only conditions that a covered provider may place on an individual are that the request be reasonable with respect to the administrative burden on the provider, that the request be in writing, that the request specify an alternative address or other method of contact, and that (where relevant) the individual provide information about how payment will be handled. What is reasonable may vary by the size or type of covered entity; however, additional modest cost to the provider would not be unreasonable.

An individual also has a right to restrict communications from a health plan. The right is the same as with covered providers except it is limited to cases where the disclosure of information could endanger the individual. A health plan may require an individual to state this fact as a condition of accommodating the individual's request for confidential communications. This would provide victims of domestic violence the right to control such disclosures.

Comment: Commenters opposed the provision of the NPRM (§ 164.506(c)(1)(ii)(B)) stating that an individual's right to request restrictions on use or disclosure of protected health information would not apply in emergency situations as set forth in proposed § 164.510(k). Commenters asserted that victims who have been harmed by violence may first turn to emergency services for help and that, in such situations, the victim should be able to request that the perpetrator not be told of his or her condition or whereabouts.

Response: We agree with some of the commenters' concerns. In the final rule, the right to request restrictions is available to all individuals regardless of the circumstance or the setting in which the individual is obtaining care. For example, an individual who seeks care in an emergency room has the same right to request a restriction as an individual seeking care in the office of a covered physician.

However, we continue to permit a covered entity to disclose protected health information to a health care provider in an emergency treatment situation if the restricted protected health information is needed to provide the emergency treatment or if the disclosure is necessary to avoid serious and imminent threats to public health and safety. Although we understand the concern of the commenters, we believe that these exceptions are limited and will not cause a covered entity to disclose information to a perpetrator of a crime. We are concerned that a covered provider would be required to delay necessary care if a covered entity had to determine whether a restriction exists at the time of such emergency. Even if a covered entity knew that there was a restriction, we permitted this limited exception for emergency situations because, as we had stated in the preamble for § 164.506 of the NPRM, an emergency situation may not provide sufficient opportunity for a patient and health care provider to discuss the potential implications of restricting use and disclosure of protected health information on that emergency. We also believe that the importance of avoiding serious and imminent threats to health and safety and the ethical and legal obligations of covered health care providers to make disclosures for these purposes are so significant that it is not appropriate to apply the right to request restrictions to such disclosures.

We note that we have included other provisions in the final rule intended to avoid or minimize harm to victims of domestic violence. Specifically, we include provisions in the final rule that allow individuals to opt out of certain types of disclosures and require covered entities to use professional judgment to determine whether disclosure of protected health information is in a patient's best interest (see § 164.510(a) on use and disclosure for facility directories and § 164.510(b) on uses and disclosures for assisting in an individual's care and notification purposes). Although an agreed to restriction under § 164.522 would apply to uses and disclosures for assisting in an individual's care, the opt out provision in § 164.510(b) can be more helpful to a person who is a victim of domestic violence because the individual can opt out of such disclosure without obtaining the agreement of the covered provider. We permit a covered entity to elect not to treat a person as a personal representative (see § 164.502(g)) or to deny access to a personal representative (see § 164.524(a)(3)(iii)) where there are concerns related to abuse. We also include a new § 164.512(c) which recognizes the unique circumstances surrounding disclosure of protected health information about victims of abuse, neglect, and domestic violence.

Section 164.522(b)--Confidential Communications Requirements

Comment: Several commenters requested that we add a new section to prevent disclosure of sensitive health care services to members of the patient's family through communications to the individual's home, such as appointment notices, confirmation or scheduling of appointments, or mailing a bill or explanation of benefits, by requiring covered entities to agree to correspond with the patient in another way. Some commenters stated that this is necessary in order to protect inadvertent disclosure of sensitive information and to protect victims of domestic violence from disclosure to an abuser. A few commenters suggested that a covered entity should be required to obtain an individual's authorization prior to communicating with the individual at the individual's home with respect to health care relating to sensitive subjects such as reproductive health, sexually transmissible diseases, substance abuse or mental health.

Response: We agree with commenters' concerns regarding covered entities' communications with individuals. We created a new provision, § 164.522(b), to address confidential communications by covered entities. This provision gives individuals the right to request that they receive communications from covered entities at an alternative address or by an alternative means, regardless of the nature of the protected health information involved. Covered providers are required to accommodate reasonable requests by individuals and may not require the individual to explain the basis for the request as a condition of accommodation. Health plans are required to accommodate reasonable requests by individuals as well; however, they may require the individual to provide a statement that disclosure of the information could endanger the individual, and they may condition the accommodation on the receipt of such statement.

Under the rule, we have required covered providers to accommodate requests for communications to alternative addresses or by alternative means, regardless of the reason, to limit risk of harm. Providers have more frequent one-on-one communications with patients, making the safety concerns from an inadvertent disclosure more substantial and the need for confidential communications more compelling. We have made the requirement for covered providers absolute and not contingent on the reason for the request because we wanted to make it relatively easy for victims of domestic violence, who face real safety concerns by disclosures of health information, to limit the potential for such disclosures.

The standard we created for health plans is different from the requirement for covered providers, in that we only require health plans to make requested accommodations for confidential communications when the individual asserts that disclosure could be dangerous to the individual. We address health plan requirements in this way because health plans are often issued to a family member (the employee), rather than to each individual member of a family, and therefore, health plans tend to communicate with the named insured rather than with individual family members. Requiring plans to accommodate a restriction for one individual could be administratively more difficult than it is for providers that regularly communicate with individuals. However, in the case of domestic violence or potential abuse, the level of harm that can result from a disclosure of protected health information tips the balance in favor of requiring such restriction to prevent inadvertent disclosure. We have adopted the policy recommended by the National Association of Insurance Commissioners in the Health Information Policy Model Act (1998) as this best reflects the balance of the appropriate level of regulation of the industry compared with the need to protect individuals from harm that may result from inadvertent disclosure of information. This policy is also consistent with recommendations made in the Family Violence Prevention Fund's publication "Health Privacy Principles for Protecting Victims of Domestic Violence" (October 2000). Of course, health plans may accommodate requests for confidential communications without requiring a statement that the individual would be in danger from disclosure of protected health information.

Comment: One commenter requested that we create a standard that all information from a health plan be sent to the patient and not the policyholder or subscriber.

Response: We require health plans to accommodate certain requests that information not be sent to a particular location or by particular means. A health plan must accommodate reasonable requests by individuals that protected health information about them be sent directly to them and not to a policyholder or subscriber, if the individual states that he or she may be in danger from disclosure of such information. We did not generally require health plans to send information to the patient and not the policyholder or subscriber because we believed it would be administratively burdensome and because the named insured may have a valid need for such information to manage payment and benefits.

Sensitive Subjects

Comment: Many commenters requested that additional protections be placed on sensitive information, including information regarding HIV/AIDS, sexually transmitted diseases, mental health, substance abuse, reproductive health, and genetics. Many requested that we ensure the regulation adequately protects victims of domestic violence. They asserted that the concern for discrimination or stigma resulting from disclosure of sensitive health information could dissuade a person from seeking needed treatment. Some commenters noted that many state laws provide additional protections for various types of information. They requested that we develop federal standards to have consistent rules regarding the protection of sensitive information to achieve the goals of cost savings and patient protection. Others requested that we require patient consent or special authorization before certain types of sensitive information were disclosed, even for treatment, payment, and health care operations, and some thought we should require a separate request for each disclosure. Some commenters requested that the right to request restrictions be replaced with a requirement for an authorization for specific types of sensitive information. There were recommendations that we require covered entities to develop internal policies to address sensitive information.

Other commenters argued that sensitive information should not be segregated from the record because it may limit a future provider's access to information necessary for treatment of the individual and it could further stigmatize a patient by labeling him or her as someone with sensitive health care issues. These commenters further maintained that segregation of particular types of information could negatively affect analysis of community needs, research, and would lead to higher costs of health care delivery.

Response: We generally do not differentiate among types of protected health information, because all health information is sensitive. The level of sensitivity varies not only with the type of information, but also with the individual and the particular situation faced by the individual. This is demonstrated by the different types of information that commenters singled out as meriting special protection, and in the great variation among state laws in defining and protecting sensitive information. Most states have a law providing heightened protection for some type of health information. However, even though most states have considered the issue of sensitive information, the variation among states in the type of information that is specially protected and the requirements for permissible disclosure of such information demonstrates that there is no national consensus.

Where, as in this case, most states have acted and there is no predominant rule that emerges from the state experience with this issue, we have decided to let state law predominate. The final rule only provides a floor of protection for health information and does not preempt state laws that provide greater protection than the rule. Where states have decided to treat certain information as more sensitive than other information, we do not preempt those laws.

To address the variation in the sensitivity of protected health information without defining specially sensitive information, we incorporate opportunities for individuals and covered entities to address specific sensitivities and concerns about uses and disclosures of certain protected health information that the patient and provider believe are particularly sensitive, as follows:

This approach allows for state law and personal variation in this area.

The only type of protected health information that we treat with heightened protection is psychotherapy notes. We provide a different level of protection because they are a unique type of protected health information that typically is not used or required for treatment, payment, or health care operations other than by the mental health professional that created the notes. (See § 164.508(a)(2) regarding psychotherapy notes.)

SECTION 164.524--ACCESS OF INDIVIDUALS TO PROTECTED HEALTH INFORMATION

Comment: Some commenters recommended that there be no access to disease registries.

Response: Most entities that maintain disease registries are not covered entities under this regulation; examples of such non-covered entities are public health agencies and pharmaceutical companies. If, however, a disease registry is maintained by a covered entity and is used to make decisions about individuals, this rule requires the covered entity to provide access to information about a requesting individual unless one of the rule's conditions for denial of access is met. We found no persuasive reasons why disease registries should be given special treatment compared with other information that may be used to make decisions about an individual.

Comment: Some commenters stated that covered entities should be held accountable for access to information held by business partners so that individuals would not have the burden of tracking down their protected health information from a business partner. Many commenters, including insurers and academic medical centers, recommended that, to reduce burden and duplication, only the provider who created the protected health information should be required to provide individuals access to the information. Commenters also asked that other entities, including business associates, the Medicare program, and pharmacy benefit managers, not be required to provide access, in part because they do not know what information the covered entity already has and they may not have all the information requested. A few commenters also argued that billing companies should not have to provide access because they have a fiduciary responsibility to their physician clients to maintain the confidentiality of records.

Response: A general principle in responding to all of these points is that a covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not. Thus, we agree with the first point: in order to meet its requirements for providing access, a covered entity must not only provide access to such protected health information it holds, but must also provide access to such information in a designated record set of its business associate, pursuant to its business associate contract, unless the information is the same as information maintained directly by the covered entity. We require this because an individual may not be aware of business associate relationships. Requiring an individual to track down protected health information held by a business associate would significantly limit access. In addition, we do not permit a covered entity to limit its duty to provide access by giving protected health information to a business associate.

We disagree with the second point: if the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access (unless it may deny access in accordance with this rule). In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider. The originating provider may no longer be in business or may no longer have the information, or the non-originating provider may have the information in a modified or enhanced form.

We disagree with the third point: other entities must provide access only if they are covered entities or business associates of covered entities, and they must provide access only to protected health information that they maintain (or that their business associates maintain). It would not be efficient to require a covered entity to compare another entity's information with that of the entity to which the request was addressed. (See the discussion regarding covered entities for information about whether a pharmacy benefit manager is a covered entity.)

We disagree with the fourth point: a billing company will be required by its business associate contract only to provide the requested protected health information to its physician client. This action will not violate any fiduciary responsibility. The physician client would in turn be required by the rule to provide access to the individual.

Comment: Some commenters asked for clarification that the clearinghouse function of turning non-standardized data into standardized data does not create non-duplicative data and that "duplicate" does not mean "identical." A few commenters suggested that duplicated information in a covered entity's designated record set be supplied only once per request.

Response: We consider as duplicative information the same information in different formats, media, or presentations, or which have been standardized. Business associates who have materially altered protected health information are obligated to provide individuals access to it. Summary information and reports, including those of lab results, are not the same as the underlying information on which the summaries or reports were based. A clean document is not a duplicate of the same document with notations. If the same information is kept in more than one location, the covered entity has to produce the information only once per request for access.

Comment: A few commenters suggested requiring covered entities to disclose to third parties without exception at the requests of individuals. It was argued that this would facilitate disability determinations when third parties need information to evaluate individuals' entitlement to benefits. Commenters argued that since covered entities may deny access to individuals under certain circumstances, individuals must have another method of providing third parties with their protected health information.

Response: We allow covered entities to forward protected health information about an individual to a third party, pursuant to the individual's authorization under § 164.508. We do not require covered entities to disclose information pursuant to such authorizations because the focus of the rule is privacy of protected health information. Requiring disclosures in all circumstances would be counter to this goal. In addition, a requirement of disclosing protected health information to a third party is not a necessary substitute for the right of access to individuals, because we allow denial of access to individuals under rare circumstances. However, if the third party is a personal representative of the individual in accordance with § 164.502(g) and there is no concern regarding abuse or harm to the individual or another person, we require the covered entity to provide access to that third party on the individual's behalf, subject to specific limitations. We note that a personal representative may obtain access on the individual's behalf in some cases where a covered entity may deny access to the individual. For example, an inmate may be denied a copy of protected health information, but a personal representative may be able to obtain a copy on the individual's behalf. See § 164.502(g) and the corresponding preamble discussion regarding the ability of a personal representative to act on an individual's behalf.

Comment: The majority of commenters supported granting individuals the right to access protected health information for as long as the covered entity maintains the protected health information; commenters argued that to do otherwise would interfere with existing record retention laws. Some commenters advocated for limiting the right to information that is less than one or two years old. A few commenters explained that frequent changes in technology make it more difficult to access stored data. The commenters noted that the information obtained prior to the effective date of the rule should not be required to be accessible.

Response: We agree with the majority of commenters and retain the proposal to require covered entities to provide access for as long as the entity maintains the protected health information. We do not agree that information created prior to the effective date of the rule should not be accessible. The reasons for granting individuals access to information about them do not vary with the date the information was created.

Comment: A few commenters argued that there should be no grounds for denying access, stating that individuals should always have the right to inspect and copy their protected health information.

Response: While we agree that in the vast majority of instances individuals should have access to information about them, we cannot agree that a blanket rule would be appropriate. For example, where a professional familiar with the particular circumstances believes that providing such access is likely to endanger a person's life or physical safety, or where granting such access would violate the privacy of other individuals, the benefits of allowing access may not outweigh the harm. Similarly, we allow denial of access where disclosure would reveal the source of confidential information because we do not want to interfere with a covered entity's ability to maintain implicit or explicit promises of confidence.

We create narrow exceptions to the rule of open access, and we expect covered entities to employ these exceptions rarely, if at all. Moreover, we require covered entities to provide access to any protected health information requested after excluding only the information that is subject to a denial. The categories of permissible denials are not mandatory, but are a means of preserving the flexibility and judgment of covered entities under appropriate circumstances.

Comment: Many commenters supported our proposal to allow covered entities to deny an individual access to protected health information if a professional determines either that such access is likely to endanger the life or physical safety of a person or, if the information is about another person, access is reasonably likely to cause substantial harm to such person.

Some commenters requested that the rule also permit covered entities to deny a request if access might be reasonably likely to cause psychological or mental harm, or emotional distress. Other commenters, however, were particularly concerned about access to mental health information, stating that the lack of access creates resentment and distrust in patients.

Response: We disagree with the comments suggesting that we expand the grounds for denial of access to an individual to include a likelihood of psychological or mental harm to the individual. We did not find persuasive evidence that this is a problem sufficient to outweigh the reasons for providing open access. We do allow a denial of access based on a likelihood of substantial psychological or mental harm, but only if the protected health information includes information about another person and the harm may be inflicted on such other person, or if the person requesting the access is a personal representative of the individual and the harm may be inflicted on the individual or another person.

We generally agree with the commenters' concerns that denying access specifically to mental health records could create distrust. To balance this concern with other commenters' concerns about the potential for psychological harm, however, we exclude psychotherapy notes from the right of access. This is the only distinction we make between mental health information and other types of protected health information in the access provisions of this rule. Unlike other types of protected health information, these notes are not widely disseminated through the health care system. We believe that the individual's privacy interests in having access to these notes, therefore, are outweighed by the potential harm caused by such access. We encourage covered entities that maintain psychotherapy notes, however, to provide individuals access to these notes when they believe it is appropriate to do so.

Comment: Some commenters believed that there is a potential for abuse of the provision allowing denial of access because of likely harm to self. They questioned whether there is any experience from the Privacy Act of 1974 to suggest that patients who requested and received their records have ever endangered themselves as a result.

Response: We are unaware of such problems from access to records that have been provided under the Privacy Act but, since these are private matters, such problems might not come to our attention. We believe it is more prudent to preserve the flexibility and judgment of health care professionals familiar with the individuals and facts surrounding a request for records than to impose the blanket rule suggested by these commenters.

Comment: Commenters asserted that the NPRM did not adequately protect vulnerable individuals who depend on others to exercise their rights under the rule. They requested that the rule permit a covered entity to deny access when the information is requested by someone other than the subject of the information and, in the opinion of a licensed health care professional, access to the information could harm the individual or another person.

Response: We agree with the commenters that such protection is warranted and add a provision in § 164.524(a)(3), which permits a covered health care provider to deny access if a personal representative of the individual is making the request for access and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to such personal representative could result in substantial harm to the individual or another person. Access can be denied even if the potential harm may be inflicted by someone other than the personal representative.

This provision is designed to strike a balance between the competing interests of ensuring access to protected health information and protecting the individual or others from harm. The "substantial harm" standard will ensure that a covered entity cannot deny access in cases where the harm is de minimis.

The amount of discretion that a covered entity has to deny access to a personal representative is generally greater than the amount of discretion that a covered entity has to deny access to an individual. Under the final rule, a covered entity may deny access to an individual if a licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. In this case, concerns about psychological or emotional harm would not be sufficient to justify denial of access. We establish a relatively high threshold because we want to assure that individuals have broad access to health information about them, and due to the potential harm that comes from denial of access, we believe denials should be permitted only in limited circumstances.

The final rule grants covered entities greater discretion to deny access to a personal representative than to an individual in order to provide protection to those vulnerable people who depend on others to exercise their rights under the rule and who may be subjected to abuse or neglect. This provision applies to personal representatives of minors as well as other individuals. The same standard for denial of access on the basis of potential harm that applies to personal representatives also applies when an individual is seeking access to his or her protected health information, and the information makes reference to another person. Under these circumstances, a covered entity may deny a request for access if such access is reasonably likely to cause substantial harm to such other person. The standard for this provision and for the provision regarding access by personal representatives is the same because both circumstances involve one person obtaining information about another person, and in both cases the covered entity is balancing the right of access of one person against the right of a second person not to be harmed by the disclosure.

Under any of these grounds for denial of access to protected health information, the covered entity is not required to deny access to a personal representative under these circumstances, but has the discretion to do so.

In addition to denial of access rights, we also address the concerns raised by abusive or potentially abusive situations in the section regarding personal representatives by giving covered entities discretion to not recognize a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by, or would be in danger from, a person seeking to act as the personal representative. (See § 164.502(g).)

Comment: A number of commenters were concerned that this provision would lead to liability for covered entities if the release of information results in harm to individuals. Commenters requested a "good faith" standard in this provision to relieve covered entities of liability if individuals suffer harm as a result of seeing their protected health information or if the information is found to be erroneous. A few commenters suggested requiring providers (when applicable) to include with any disclosure to a third party a statement that, in the provider's opinion, the information should not be disclosed to the patient.

Response: We do not intend to create a new duty to withhold information nor to affect other laws on this issue. Some state laws include policies similar to this rule, and we are not aware of liability arising as a result.

Comment: Some commenters suggested that both the individual's health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual's choice.

Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a professional of the individual's choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We believe that any health professional, not just one of the individual's choice, will exercise appropriate professional judgment. To address some of these concerns, however, we add a provision for the review of denials requiring the exercise of professional judgment. If a covered entity denies access based on harm to self or others, the individual has the right to have the denial reviewed by another health care professional who did not participate in the original decision to deny access.

Comment: A few commenters objected to the proposal to allow covered entities to deny a request for access to health information if the information was obtained from a confidential source that may be revealed upon the individual's access. They argued that this could be subject to abuse and the information could be inherently less reliable, making the patient's access to it even more important.

Response: While we acknowledge that information provided by confidential sources could be inaccurate, we are concerned that allowing unfettered access to such information could undermine the trust between a health care provider and patients other than the individual. We retain the proposed policy because we do not want to interfere with a covered entity's ability to obtain important information that can assist in the provision of health care or to maintain implicit or explicit promises of confidence, which may be necessary to obtain such information. We believe the concerns raised about abuse are mitigated by the fact that the provision does not apply to promises of confidentiality made to a health care provider. We note that a covered entity may provide access to such information.

Comment: Some commenters were concerned that the NPRM did not allow access to information unrelated to treatment, and thus did not permit access to research information.

Response: In the final rule, we eliminate the proposed special provision for "research information unrelated to treatment." The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual's right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other information in the access provisions in this rule.

Comment: A few commenters supported the proposed provision temporarily denying access to information obtained during a clinical trial if participants agreed to the denial of access when consenting to participate in the trial. Some commenters believed there should be no access to any research information. Other commenters believed denial should occur only if the trial would be compromised. Several recommended conditioning the provision. Some recommended that access expires upon completion of the trial unless there is a health risk. A few commenters suggested that access should be allowed only if it is included in the informed consent and that the informed consent should note that some information may not be released to the individual, particularly research information that has not yet been validated. Other commenters believed that there should be access if the research is not subject to IRB or privacy board review or if the information can be disclosed to third parties.

Response: We agree with the commenters that support temporary denial of access to information from research that includes treatment if the subject has agreed in advance, and with those who suggested that the denial of access expire upon completion of the research, and retain these provisions in the final rule. We disagree with the commenters who advocate for further denial of this information. These comments did not explain why an individual's interest in access to health information used to make decisions about them is less compelling with respect to research information. Under this rule, all protected health information for research is subject either to privacy board or IRB review unless a specific authorization to use protected health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.

Comment: A few commenters believed that it would be "extremely disruptive of and dangerous" to patients to have access to records regarding their current care and that state law provides sufficient protection of patients' rights in this regard.

Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another person, the regulation allows the professional to withhold access.

Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.

Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden is a lawful reason to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.

Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.

Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual's right of access and have, therefore, not included such a limitation. To limit covered entities' burden, we do not require covered entities to acknowledge receipt of the individuals' requests, other than to notify the individual once a decision on the request has been made. We also permit a covered entity to require an individual to make a request for access in writing and to discuss a request with an individual to clarify which information the individual is actually requesting. If individuals agree, covered entities may provide access to a subset of information rather than all protected health information in a designated record set. We believe these changes provide covered entities with greater flexibility without compromising individuals' access rights.

Comment: Commenters offered varying suggestions for required response time, ranging from 48 hours because of the convenience of electronic records to 60 days because of the potential burden. Others argued against a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.

Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.

Comment: A few commenters suggested that, upon individuals' requests, covered entities should be required to provide protected health information in a format that would be understandable to a patient, including explanations of codes or abbreviations. The commenters suggested that covered entities be permitted to provide summaries of pertinent information instead of full copies of records; for example, a summary may be more helpful for the patient's purpose than a series of indecipherable billing codes.

Response: We agree with these commenters' point that some health information is difficult to interpret. We clarify, therefore, that the covered entity may provide summary information in lieu of the underlying records. A summary may only be provided if the covered entity and the individual agree, in advance, to the summary and to any fees imposed by the covered entity for providing such summary. We similarly permit a covered entity to provide an explanation of the information. If the covered entity charges a fee for providing an explanation, it must obtain the individual's agreement to the fee in advance.

Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.

Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their records.

Comment: Many commenters stated that if a covered entity denies a request for access because the entity does not hold the protected health information requested, the covered entity should provide, if known, the name and address of the entity that holds the information. Some of these commenters additionally noted that the Uniform Insurance Information and Patient Protection Act, adopted by 16 states, already imposes this notification requirement on insurance entities. Some commenters also suggested requiring providers who leave practice or move offices to inform individuals of that fact and of how to obtain their records.

Response: We agree that, when covered entities deny requests for access because they do not hold the protected health information requested, they should inform individuals of the holder of the information, if known; we include this provision in the final rule. We do not require health care providers to notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.

SECTION 164.526--AMENDMENT OF PROTECTED HEALTH INFORMATION

Comment: Many commenters strongly encouraged the Secretary to adopt "appendment" rather than "amendment and correction" procedures. They argued that the term "correction" implies a deletion of information and that the proposed rule would have allowed covered entities to remove portions of the record at their discretion. Commenters indicated that appendment rather than correction procedures will ensure the integrity of the medical record and allow subsequent health care providers access to the original information as well as the appended information. They also indicated appendment procedures will protect both individuals and covered entities since medical records are sometimes needed for litigation or other legal proceedings.

Response: We agree with commenters' concerns about the term "correction." We have revised the rule and deleted "correction" from this provision in order to clarify that covered entities are not required by this rule to delete any information from the designated record set. We do not intend to alter medical record retention laws or current practice, except to require covered entities to append information as requested to ensure that a record is accurate and complete. If a covered entity prefers to comply with this provision by deleting the erroneous information, and applicable record retention laws allow such deletion, the entity may do so. For example, an individual may inform the entity that someone else's X-rays are in the individual's medical record. If the entity agrees that the X-ray is inaccurately filed, the entity may choose to so indicate and note where in the record the correct X-ray can be found. Alternatively, the entity may choose to remove the X-ray from the record and replace it with the correct X-ray, if applicable law allows the entity to do so. We intend the term "amendment" to encompass either action.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that health care providers and other organizations that maintain medical-record information have procedures for individuals to correct or amend the information. (28) The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to request amendment of any record the individual believes is not accurate, relevant, timely, or complete. In its report "Best Principles for Health Privacy," the Health Privacy Working Group recommended, "An individual should have the right to supplement his or her own medical record. Supplementation should not be implied to mean 'deletion' or 'alteration' of the medical record." (29) The National Association of Insurance Commissioners' Health Information Privacy Model Act establishes the right of an individual who is the subject of protected health information to amend protected health information to correct any inaccuracies. The National Conference of Commissioners on Uniform State Laws' Uniform Health Care Information Act states, "Because accurate health-care information is not only important to the delivery of health care, but for patient applications for life, disability and health insurance, employment, and a great many other issues that might be involved in civil litigation, this Act allows a patient to request an amendment in his record."

Some states also establish a right for individuals to amend health information about them. For example, Hawaii law (HRS section 323C-12) states, "An individual or the individual's authorized representative may request in writing that a health care provider that generated certain health care information append additional information to the record in order to improve the accuracy or completeness of the information; provided that appending this information does not erase or obliterate any of the original information." Montana law (MCA section 50-16-543) states, "For purposes of accuracy or completeness, a patient may request in writing that a health care provider correct or amend its record of the patient's health care information to which he has access." Connecticut, Georgia, and Maine provide individuals a right to request correction, amendment, or deletion of recorded personal information about them maintained by an insurance institution. Many other states have similar provisions.

Industry and standard-setting organizations have also developed policies for amendment of health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, "The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment. Amending records does not erase the original information. It inserts the correct information with a notation about the date the correct information was available and any explanation about the reason for the error." (30) Standards of the American Society for Testing and Materials state, "An individual has a right to amend by adding information to his or her record or database to correct inaccurate information in his or her patient record and in secondary records and databases which contain patient identifiable health information." (31) We build on this well-established principle in this final rule.

Comment: Some commenters supported the proposal to allow individuals to request amendment for as long as the covered provider or plan maintains the information. A few argued that the provision should be time-limited, e.g., that covered entities should not have to amend protected health information that is more than two years old. Other comments suggested that the provision should only be applied to protected health information created after the compliance date of the regulation.

Response: The purpose of this provision is to create a mechanism whereby individuals can ensure that information about them is as accurate as possible as it travels through the health care system and is used to make decisions, including treatment decisions, about them. To achieve this result, individuals must have the ability to request amendment for as long as the information used to make decisions about them exists. We therefore retain the proposed approach. For these reasons, we also require covered entities to address requests for amendment of all protected health information within designated record sets, including information created or obtained prior to the compliance date, for as long as the entity maintains the information.

Comment: A few commenters were concerned that the proposal implied that the individual is in control of and may personally change the medical record. These commenters opposed such an approach.

Response: We do not give individuals the right to alter their medical records. Individuals may request amendment, but they have no authority to determine the final outcome of the request and may not make actual changes to the medical record. The covered entity must review the individual's request and make appropriate decisions. We have clarified this intent in § 164.526(a)(1) by stating that individuals have a right to have a covered entity amend protected health information and in § 164.526(b)(2) by stating that covered entities must act on an individual's request for amendment.

Comment: Some comments argued that there is no free-text field in some current transaction formats that would accommodate the extra text required to comply with the amendment provisions (e.g., sending statements of disagreement along with all future disclosures of the information at issue). Commenters argued that this provision will burden the efficient transmission of information, contrary to HIPAA requirements.

Response: We believe that most amendments can be incorporated into the standard transactions as corrections of erroneous data. We agree that some of the standard transactions cannot currently accommodate additional material such as statements of disagreement and rebuttals to such statements. To accommodate these rare situations, we modify the requirements in § 164.526(d)(iii). The provision now states that if a standard transaction does not permit the inclusion of the additional material required by this section, the covered entity may separately transmit the additional material to the recipient of the standard transaction. Commenters interested in modifying the standard transactions to allow the incorporation of additional materials may also bring the issue up for resolution through the process established by the Transactions Rule and described in its preamble.

Comment: The NPRM proposed to allow amendment of protected health information in designated record sets. Some commenters supported the concept of a designated record set and stated that it appropriately limits the type of information available for amendment to information directly related to treatment. Other commenters were concerned about the burden this provision will create due to the volume of information that will be available for amendment. They were primarily concerned with the potential for frivolous, minor, or technical requests. They argued that for purposes of amendment, this definition should be limited to information used to make medical or treatment decisions about the individual. A few commenters requested clarification that individuals do not have a right to seek amendment unless there is verifiable information to support their claim or they can otherwise convince the entity that the information is inaccurate or incomplete.

Response: We believe that the same information available for inspection should also be subject to requests for amendment, because the purpose of these provisions is the same: to give consumers access to and the chance to correct errors in information that may be used to make decisions that affect their interests. We thus retain use of the "designated record set" in this provision. However, we share commenters' concerns about the potential for minor or technical requests. To address this concern, we have clarified that covered entities may deny a request for amendment if the request is not in writing and does not articulate a reason to support the request, as long as the covered entity informs the individual of these requirements in advance.

Comment: Many commenters noted the potentially negative impact of the proposal to allow covered entities to deny a request for amendment if the covered entity did not create the information at issue. Some commenters pointed out that the originator of the information may no longer exist or the individual may not know who created the information in question. Other commenters supported the proposal that only the originator of the information is responsible for amendments to it. They argued that any extension of this provision requiring covered entities to amend information they have not created is administratively and financially burdensome.

Response: In light of the comments, we modify the rule to require the holder of the information to consider a request for amendment if the individual requesting amendment provides a reasonable basis to believe that the originator of the information is no longer available to act on a request. For example, if a request indicates that the information at issue was created by a hospital that has closed, and the request is not denied on other grounds, then the entity must amend the information. This provision is necessary to preserve an individual's right to amend protected health information about them in certain circumstances.

Comment: Some commenters stated that the written contract between a covered entity and its business associate should stipulate that the business associate is required to amend protected health information in accordance with the amendment provisions. Otherwise, these commenters argued, there would be a gap in the individual's right to have erroneous information corrected, because the covered entity could deny a request for amendment of information created by a business associate.

Response: We agree that information created by the covered entity or by the covered entity's business associates should be subject to amendment. This requirement is consistent with the requirement to make information created by a business associate available for inspection and copying. We have revised the rule to require covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. (See § 164.504(e).)

Comment: One commenter argued that covered entities should be required to presume information must be corrected where an individual informs the entity that an adjudicative process has made a finding of medical identity theft.

Response: Identity theft is one of many reasons why protected health information may be inaccurate, and is one of many subjects that may result in an adjudicative process relevant to the accuracy of protected health information. We believe that this provision accommodates this situation without a special provision for identity theft.

Comment: Some commenters asserted that the proposed rule's requirement that action must be taken on individuals' requests within 60 days of the receipt of the request was unreasonable and burdensome. A few commenters proposed up to three 30-day extensions for "extraordinary" (as defined by the entity) requests.

Response: We agree that 60 days will not always be a sufficient amount of time to adequately respond to these requests. Therefore, we have revised this provision to allow covered entities the option of a 30-day extension to deal with requests that require additional response time. However, we expect that 60 days will be adequate for most cases.

Comment: One commenter questioned whether a covered entity could appropriately respond to a request by amending the record, without indicating whether it believes the information at issue is accurate and complete.

Response: An amendment need not include a statement by the covered entity as to whether the information is or is not accurate and complete. A covered entity may choose to amend a record even if it believes the information at issue is accurate and complete. If a request for amendment is accepted, the covered entity must notify the individual that the record has been amended. This notification need not include any explanation as to why the request was accepted. A notification of a denied request, however, must contain the basis for the denial.

Comment: A few commenters suggested that when an amendment is made, the date should be noted. Some also suggested that the physician should sign the notation.

Response: We believe such a requirement would create a burden that is not necessary to protect individuals' interests, and so have not accepted this suggestion. We believe that the requirements of § 164.526(c) regarding actions a covered entity must take when accepting a request will provide an adequate record of the amendment. A covered entity may date and sign an amendment at its discretion.

Comment: The NPRM proposed that covered entities, upon accepting a request for amendment, make reasonable efforts to notify those persons the individual identifies, and other persons whom the covered entity knows have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual. Many commenters argued that this notification requirement was too burdensome and should be narrowed. They expressed concern that covered entities would have to notify anyone who might have received the information, even persons identified by the individual with whom the covered entity had no contact. Other commenters also contended that this provision would require covered entities to determine the reliance another entity might place on the information and suggested that particular part of the notification requirements be removed. Another commenter suggested that the notification provision be eliminated entirely, believing that it was unnecessary.

Response: Although this provision carries some administrative burden, we believe it is a necessary requirement to effectively communicate amendments of erroneous or incomplete information to other parties. The negative effects of erroneous or incomplete medical information can be devastating. This requirement allows individuals to exercise some control in determining recipients they consider important to be notified, and requires the covered entity to communicate amendments to other persons that the covered entity knows have the erroneous or incomplete information and may take some action in reliance on the erroneous or incomplete information to the detriment of the individual. We have added language to clarify that the covered entity must obtain the individual's agreement to have the amendment shared with the persons the individual and covered entity identify. We believe these notification requirements appropriately balance covered entities' burden and individuals' interest in protecting the accuracy of medical information used to make decisions about them. We therefore retain the notification provisions substantially as proposed.

Comment: Some commenters argued against the proposed provision requiring a covered entity that receives a notice of amendment to notify its business associates, "as appropriate," of necessary amendments. Some argued that covered entities should only be required to inform business associates of these changes if the amendment could affect the individual's further treatment, citing the administrative and financial burden of notifying all business associates of changes that may not have a detrimental effect on the patient. Other commenters suggested that covered entities should only be required to inform business associates whom they reasonably know to be in possession of the information.

Response: We agree with commenters that clarification is warranted. Our intent is that covered entities must meet the requirements of this rule with respect to protected health information they maintain, including protected health information maintained on their behalf by their business associates. We clarify this intent by revising the definition of designated record set (see § 164.501) to include records maintained "by or for" a covered entity. Section 164.526(e) requires a covered entity that is informed of an amendment made by another covered entity to incorporate that amendment into designated record sets, whether the designated record set is maintained by the covered entity or for the covered entity by a business associate. If a business associate maintains the record at issue on the covered entity's behalf, the covered entity must fulfill its requirement by informing the business associate of the amendment to the record. The contract with the business associate must require the business associate to incorporate any such amendments. (See § 164.504(e).)

Comment: Some commenters supported the proposal to require covered entities to provide notification of the covered entity's statement of denial and the individual's statement of disagreement in any subsequent disclosures of the information to which the dispute relates. They argued that we should extend this provision to prior recipients of disputed information who have relied on it. These commenters noted an inconsistency in the proposed approach, since notification of accepted amendments is provided to certain previous recipients of erroneous health information and to recipients of future disclosures. They contended there is not a good justification for the different treatment and believed that the notification standard should be the same, regardless of whether the covered entity accepts the request for amendment.

These commenters also recommended that the individual be notified of the covered entity's intention to rebut a statement of disagreement. They suggested requiring covered entities to send a copy of the statement of rebuttal to the individual.

Response: Where a request for amendment is accepted, the covered entity knows that protected health information about the individual is inaccurate or incomplete or the amendment is otherwise warranted; in these circumstances, it is reasonable to ask the covered entity to notify certain previous recipients of the information that reliance on such information could be harmful. Where, however, the request for amendment is denied, the covered entity believes that the relevant information is accurate and complete or the amendment is otherwise unacceptable. In this circumstance, the burden of prior notification outweighs the potential benefits. We therefore do not require notification of prior recipients.

We agree, however, that individuals should know how a covered entity has responded to their requests, and therefore add a requirement that covered entities also provide a copy of any rebuttal statements to the individual.

SECTION 164.528--ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

Comment: Many commenters expressed support for the concept of the right to receive an accounting of disclosures. Others opposed even the concept. One commenter said that it is likely that some individuals will request an accounting of disclosures from each of their health care providers and payors merely to challenge the disclosures that the covered entity made.

Some commenters also questioned the value to the individual of providing the right to an accounting. One commenter stated that such a provision would be meaningless because those who deliberately perpetrate an abuse are unlikely to note their breach in a log.

Response: The final rule retains the right of an individual to receive an accounting of disclosures of protected health information. The provision serves multiple purposes. It provides a means of informing the individual as to which information has been sent to which recipients. This information, in turn, enables individuals to exercise certain other rights under the rule, such as the rights to inspection and amendment, with greater precision and ease. The accounting also allows individuals to monitor how covered entities are complying with the rule. Though covered entities who deliberately make disclosures in violation of the rule may be unlikely to note such a breach in the accounting, other covered entities may document inappropriate disclosures that they make out of ignorance and not malfeasance. The accounting will enable the individual to address such concerns with the covered entity.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that a health care provider should not disclose individually-identifiable information for certain purposes without the individual's authorization unless "an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom." (32) With certain exceptions, the Privacy Act (5 U.S.C. 552a) requires government agencies to "keep an accurate accounting of... the date, nature, and purpose of each disclosure of a record to any person or to another agency... and... the name and address of the person or agency to whom the disclosure is made." The National Association of Insurance Commissioners' Health Information Privacy Model Act requires carriers to provide to individuals on request "information regarding disclosure of that individual's protected health information that is sufficient to exercise the right to amend the information." We build on these standards in this final rule.

Comment: Many commenters disagreed with the NPRM's exception for treatment, payment, and health care operations. Some commenters wanted treatment, payment, and health care operations disclosures to be included in an accounting because they believed that improper disclosures of protected health information were likely to be committed by parties within the entity who have access to protected health information for treatment, payment, and health care operations related purposes. They suggested that requiring covered entities to record treatment, payment, and health care operations disclosures would either prevent improper disclosures or enable transgressions to be tracked.

One commenter reasoned that disclosures for treatment, payment, and health care operations purposes should be tracked since these disclosures would be made without the individual's consent. Others argued that if an individual's authorization is not required for a disclosure, then the disclosure should not have to be tracked for a future accounting to the individual.

One commenter requested that the provision be restated so that no accounting is required for disclosures "compatible with or directly related to" treatment, payment or health care operations. This comment indicated that the change would make § 164.515(a)(1) of the NPRM consistent with § 164.508(a)(2)(i)(A) of the NPRM.

Response: We do not accept the comments suggesting removing the exception for disclosures for treatment, payment, and health care operations. While including all disclosures within the accounting would provide more information to individuals about to whom their information has been disclosed, we believe that documenting all disclosures made for treatment, payment, and health care operations purposes would be unduly burdensome on entities and would result in accountings so voluminous as to be of questionable value. Individuals who seek treatment and payment expect that their information will be used and disclosed for these purposes. In many cases, under this final rule, the individual will have consented to these uses and disclosures. Thus, the additional information that would be gained from including these disclosures would not outweigh the added burdens on covered entities. We believe that retaining the exclusion of disclosures to carry out treatment, payment, and health care operations makes for a manageable accounting both from the point of view of entities and of individuals. We have conformed the language in this section with language in other sections of the rule regarding uses and disclosures to carry out treatment, payment, and health care operations. See § 164.508 and the corresponding preamble discussion regarding our decision to use this language.

Comments: A few commenters called for a record of all disclosures, including a right of access to a full audit trail where one exists. Some commenters stated that while audit trails for paper records are too expensive to require, the privacy rule should not discourage audit trails, at least for computer-based records. They speculated that an important reason for maintaining a full audit trail is that most abuses are the result of activity by insiders. On the other hand, other commenters pointed out that an enormous volume of records would be created if the rule requires recording all accesses in the manner of a full audit trail.

One commenter supported the NPRM's reference to the proposed HIPAA Security Rule, agreeing that access control and disclosure requirements under this rule should be coordinated with the final HIPAA Security Rule. The commenter recommended that HHS add a reference to the final HIPAA Security Rule in this section and keep specific audit log and reporting requirements generic in the privacy rule.

Response: Audit trails and the accounting of disclosures serve different functions. In the security field, an audit trail is typically a record of each time a sensitive record is altered, how it was altered and by whom, but does not usually record each time a record is used or viewed. The accounting required by this rule provides individuals with information about to whom a disclosure is made. An accounting, as described in this rule, would not capture uses. To the extent that an audit trail would capture uses, consumers reviewing an audit trail may not be able to distinguish between accesses of the protected health information for use and accesses for disclosure. Further, it is not clear to what degree the field is technologically poised to provide audit trails. Some entities could provide audit trails to individuals upon their request, but we are concerned that many could not.

We agree that it is important to coordinate this provision of the privacy rule with the Security Rule when it is issued as a final rule.

Comments: We received many comments from researchers expressing concerns about the potential impact of requiring an accounting of disclosures related to research. The majority feared that the accounting provision would prove so burdensome that many entities would decline to participate in research. Many commenters believed that disclosure of protected health information for research presents little risk to individual privacy and feared that the accounting requirement could shut down research.

Some commenters pointed out that often only a few data elements or a single element is extracted from the patient record and disclosed to a researcher, and that having to account for so singular a disclosure from what could potentially be an enormous number of records imposes a significant burden. Some said that the impact would be particularly harmful to longitudinal studies, where the disclosures of protected health information occur over an extended period of time. A number of commenters suggested that we not require accounting of disclosures for research, registries, and surveillance systems or other databases unless the disclosure results in the actual physical release of the patient's entire medical record, rather than the disclosure of discrete elements of information contained within the record.

We also were asked by commenters to provide an exclusion for research subject to IRB oversight or research that has been granted a waiver of authorization pursuant to proposed § 164.510, to exempt "in-house" research from the accounting provision, and to allow covered entities to describe the type of disclosures they have made to research projects, without specifically listing each disclosure. Commenters suggested that covered entities could include in an accounting a listing of the various research projects in which they participated during the time period at issue, without regard to whether a particular individual's protected health information was disclosed to the project.

Response: We disagree with suggestions from commenters that an accounting of disclosures is not necessary for research. While it is possible that informing individuals about the disclosures made of their health information may on occasion discourage worthwhile activities, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

For the same reasons, we also do not believe that IRB or privacy board review substitutes for providing individuals the right to know how their information has been disclosed. We permit IRBs or privacy boards to determine that a research project would not be feasible if authorization were required because we understand that it could be virtually impossible to get authorization for archival research involving large numbers of individuals or where the location of the individuals is not easy to ascertain. While providing an accounting of disclosures for research may entail some burden, it is feasible, and we do not believe that IRBs or privacy boards would have a basis for waiving such a requirement. We also note that the majority of comments that we received from individuals supported including more information in the accounting, not less.

We understand that requiring covered entities to include disclosures for research in the accounting of disclosures entails some burden, but we believe that the benefits described above outweigh the burden.

We do not agree with commenters that we should exempt disclosures where only a few data elements are released or in the case of data released without individuals' names. We recognize that information other than names can identify an individual. We also recognize that even a few data elements could be clues to an individual's identity. The actual volume of information released is not an appropriate indicator of whether an individual could have a concern about privacy.

We disagree with comments that suggested that it would be sufficient to provide individuals with a general list of research projects to which information has been disclosed by the covered entity. We believe that individuals are entitled to a level of specificity about disclosures of protected health information about them and should know to which research projects their protected health information has been disclosed, rather than to which projects protected health information may have been disclosed. However, we have added a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. This change is designed to ease the burden on covered entities involved in longitudinal projects.

With regard to the suggestion that we exempt "in-house" research from the accounting provision, we note that only disclosures of protected health information must appear in an accounting.

Comments: Several commenters noted that disclosures for public health activities may be of interest to individuals, but add to the burden imposed on entities. Furthermore, some expressed fear that priority public health activities would be compromised by the accounting provision. One commenter from a health department said that covered entities should not be required to provide an accounting to certain index cases, where such disclosures create other hazards, such as potential harm to the reporting provider. This commenter also speculated that knowing protected health information had been disclosed for these public health purposes might cause people to avoid treatment in order to avoid being reported to the public health department.

A provider association expressed concern about the effect that the accounting provision might have on a non-governmental, centralized disease registry that it operates. The provider organization feared that individuals might request that their protected health information be eliminated in the databank, which would make the data less useful.

Response: As in the discussion of research above, we reject the contention that we should withhold information from individuals about where their information has been disclosed because informing them could occasionally discourage some worthwhile activities. We also believe that, on balance, individuals' interest in having broad access to this information outweighs concerns about the rare instances in which providing this information might raise concerns about harm to the person who made the disclosure. As we stated above, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

Comment: We received many comments about the proposed time-limited exclusion for law enforcement and health oversight. Several commenters noted that it is nearly impossible to accurately project the length of an investigation, especially during its early stages. Some recommended we permit a deadline based on the end of an event, such as conclusion of an investigation. One commenter recommended amending the standard such that covered entities would never be required to give an accounting of disclosures to health oversight or law enforcement agencies. The commenter noted that there are public policy reasons for limiting the extent to which a criminal investigation is made known publicly, including the possibility that suspects may destroy or falsify evidence, hide assets, or flee. The commenter also pointed out that disclosure of an investigation may unfairly stigmatize a person or entity who is eventually found to be innocent of any wrongdoing.

On the other hand, many commenters disagreed with the exemption for recording disclosures related to oversight activities and law enforcement. Many of these commenters stated that the exclusion would permit broad exceptions for government purposes while holding disclosures for private purposes to a more burdensome standard.

Some commenters felt that the NPRM made it too easy for law enforcement to obtain an exception. They suggested that law enforcement should not be excepted from the accounting provision unless there is a court order. One commenter recommended that a written request for exclusion be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting.

Response: We do not agree with comments suggesting that we permanently exclude disclosures for oversight or law enforcement from the accounting. We believe generally that individuals have a right to know who is obtaining their health information and for what purposes.

At the same time, we agree with commenters that were concerned that an accounting could tip off subjects of investigations. We have retained a time-limited exclusion period similar to that proposed in the NPRM. To protect the integrity of investigations, in the final rule we require covered entities to exclude disclosures to a health oversight agency or law enforcement official for the time specified by that agency or official, if the agency or official states that including the disclosure in an accounting to the individual would be reasonably likely to impede the agency's or official's activities. We require the statement from the agency or official to provide a specific time frame for the exclusion. For example, pursuant to a law enforcement official's statement, a covered entity could exclude a law enforcement disclosure from the accounting for a period of three months from the date of the official's statement or until a date specified in the statement.

In the final rule, we permit the covered entity to exclude the disclosure from an accounting to an individual if the agency or official makes the statement orally and the covered entity documents the statement and the identity of the agency or official that made the statement. We recognize that in urgent situations, agencies and officials may not be able to provide statements in writing. If the agency's or official's statement is made orally, however, the disclosure can be excluded from an accounting to the individual for no longer than 30 days from the oral statement. For exclusions longer than 30 days, a covered entity must receive a written statement.

We believe these requirements appropriately balance individuals' rights to be informed of the disclosures of protected health information while recognizing the public's interest in maintaining the integrity of health oversight and law enforcement activities.

Comment: One commenter stated that under Minnesota law, providers who are mandated reporters of abuse are limited as to whom they may reveal the report of abuse (generally law enforcement authorities and other providers only). This is because certain abusers, such as parents, by law may have access to a victim's (child's) records. The commenter requested clarification as to whether these disclosures are exempt from the accounting requirement or whether preemption would apply.

Response: While we do not except mandatory disclosures of abuse from the accounting for disclosure requirement, we believe the commenter's concerns are addressed in several ways. First, nothing in this regulation invalidates or limits the authority or procedures established under state law providing for the reporting of child abuse. Thus, with respect to child abuse, the Minnesota law's procedures are not preempted even though they are less stringent with respect to privacy. Second, with respect to abuse of persons other than children, we allow covered entities to refuse to treat a person as an individual's personal representative if the covered entity believes that the individual has been subjected to domestic violence, abuse, or neglect from the person. Thus, the abuser would not have access to the accounting. We also note that a covered entity must exclude a disclosure, including a disclosure to report abuse, from the accounting for a specified period of time if the law enforcement official to whom the report is made requests such exclusion.

Comment: A few comments noted the lack of exception for disclosures made to intelligence agencies.

Response: We agree with the comments and have added an exemption for disclosures made for national security or intelligence purposes under § 164.512(k)(2). Individuals do not have a right to an accounting of disclosures for these purposes.

Comment: Commenters noted that the burden associated with this provision would, in part, be determined by other provisions of the rule, including the definitions of "individually identifiable," "treatment," and "health care operations." They expressed concern that the covered entity would have to be able to organize on a patient by patient basis thousands of disclosures of information, which they described as "routine." These commenters point to disclosures for patient directory information, routine banking and payment processes, uses and disclosures in emergency circumstances, disclosures to next of kin, and release of admissions statistics to a health oversight agency.

Response: We disagree with the commenters that ambiguity in other areas of the rule increases the burden associated with maintaining an accounting. The definitions of treatment, payment, and health care operations are necessarily broad, and there is no accounting required for disclosures for these purposes. These terms cover the vast majority of routine disclosures for health care purposes. (See § 164.501 and the associated preamble for a discussion of changes made to these definitions.)

The disclosures permitted under § 164.512 are for national priority purposes, and determining whether a disclosure fits within the section is necessary before the disclosure can be made. There is no additional burden, once such a determination is made, in determining whether it must be included in the accounting.

We agree with the commenters that there are areas where we can reduce burden by removing additional disclosures from the accounting requirement, without compromising individuals' rights to know how their information is being disclosed. In the final rule, covered entities are not required to include the following disclosures in the accounting: disclosures to the individual, disclosures for facility directories under § 164.510(a), or disclosures to persons assisting in the individual's care or for other notification purposes under § 164.510(b). For each of these types of disclosures, the individual is likely to already know about the disclosure or to have agreed to the disclosure, making the inclusion of such disclosures in the accounting less important to the individual and unnecessarily burdensome to the covered entity.

Comment: Many commenters objected to requiring business partners to provide an accounting to covered entities upon their request. They cited the encumbrance associated with re-contracting with the various business partners, as well as the burden associated with establishing this type of record keeping.

Response: Individuals have a right to know to whom and for what purpose their protected health information has been disclosed by a covered entity. The fact that a covered entity uses a business associate to carry out a function does not diminish an individual's right to know.

Comments: One commenter requested clarification as to how far a covered entity's responsibility would extend, asking whether an entity had to track only their direct disclosures or subsequent re-disclosures.

Response: Covered entities are required to account for their disclosures, as well as the disclosures of their business associates, of protected health information. Because business associates act on behalf of covered entities, it is essential that their disclosures be included in any accounting that an individual requests from a covered entity. Covered entities are not responsible, however, for the actions of persons who are not their business associates. Once a covered entity has accounted for a disclosure to any person other than a business associate, it is not responsible for accounting for any further uses or disclosures of the information by that other person.

Comments: Some commenters said that the accounting provision described in the NPRM was ambiguous and created uncertainty as to whether it addresses disclosures only, as the title would indicate, or whether it includes accounting of uses. They urged that the standard address disclosures only, and not uses, which would make implementation far more practicable and less burdensome.

Response: The final rule requires disclosures, not uses, to be included in an accounting. See § 164.501 for definitions of "use" and "disclosure."

Comments: We received many comments from providers and other representatives of various segments of the health care industry, expressing the view that a centralized system of recording disclosures was not possible given the complexity of the health care system, in which disclosures are made by numerous departments within entities. For example, commenters stated that a hospital medical records department generally makes notations regarding information it releases, but that these notations do not include disclosures that the emergency department may make. Several commenters proposed that the rule provide for patients to receive only an accounting of disclosures made by medical records departments or some other central location, which would relieve the burden of centralizing accounting for those entities who depend on paper records and tracking systems.

Response: We disagree with commenters' arguments that covered entities should not be held accountable for the actions of their subdivisions or workforce members. Covered entities are responsible for accounting for the disclosures of protected health information made by the covered entity, in accordance with this rule. The particular person or department within the entity that made the disclosure is immaterial to the covered entity's obligation. In the final rule, we require covered entities to document each disclosure that is required to be included in an accounting. We do not, however, require this documentation to be maintained in a central registry. A covered hospital, for example, could maintain separate documentation of disclosures that are made from the medical records department and the emergency department. At the time an individual requests an accounting, this documentation could be integrated to provide a single accounting of disclosures made by the covered hospital. Alternatively, the covered hospital could centralize its processes for making and documenting disclosures. We believe this provision provides covered entities with sufficient flexibility to meet their business needs without compromising individuals' rights to know how information about them is disclosed.

Comments: Commenters stated that the accounting requirements placed undue burden on covered entities that use paper, rather than electronic, records.

Response: We do not agree that the current reliance on paper records makes the accounting provision unduly burdensome. Covered entities must use the paper records in order to make a disclosure, and have the opportunity when they do so to make a notation in the record or in a separate log. We require an accounting only for disclosures for purposes other than treatment, payment, and health care operations. Such disclosures are not so numerous that they cannot be accounted for, even if paper records are involved.

Comments: The exception to the accounting provision for disclosures of protected health information for treatment, payment, and health care operations purposes was viewed favorably by many respondents. However, at least one commenter stated that since covered entities must differentiate between disclosures that require documentation and those that do not, they will have to document each instance when a patient's medical record is disclosed to determine the reason for the disclosure. This commenter also argued that the administrative burden of requiring customer services representatives to ask in which category the information falls and then to keep a record that they asked the question and record the answer would be overwhelming for plans. The commenter concluded that the burden of documentation on a covered entity would not be relieved by the stipulation that documentation is not required for treatment, payment, and health care operations.

Response: We disagree. Covered entities are not required to document every disclosure in order to differentiate those for treatment, payment, and health care operations from those for purposes for which an accounting is required. We require that, when a disclosure is made for which an accounting is required, the covered entity be able to produce an accounting of those disclosures upon request. We do not require a covered entity to be able to account for every disclosure. In addition, we believe that we have addressed many of the commenters' concerns by clarifying in the final rule that disclosures to the individual, regardless of the purpose for the disclosure, are not subject to the accounting requirement.

Comment: An insurer explained that in the context of underwriting, it may have frequent and multiple disclosures of protected health information to an agent, third party medical provider, or other entity or individual. It requested we reduce the burden of accounting for such disclosures.

Response: We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series.

Comment: Several commenters said that it was unreasonable to expect covered entities to track disclosures that are requested by the individual. They believed that consumers should be responsible for keeping track of their own requests.

Other commenters asked that we specify that entities need not retain and provide copies of the individual's authorization to disclose protected health information. Some commenters were particularly concerned that if they maintain all patient information on a computer system, it would be impossible to link the paper authorization with the patient's electronic records.

Another commenter suggested we allow entities to submit copies of authorizations after the 30-day deadline for responding to the individual, as long as the accounting itself is furnished within the 30-day window.

Response: In the final rule we do not require disclosures to the individual to be included in the accounting. Other disclosures requested by the individual must be included in the accounting, unless they are otherwise excepted from the requirement. We do not agree that individuals should be required to track these disclosures themselves. In many cases, an authorization may authorize a disclosure by more than one entity, or by a class of entities, such as all physicians who have provided medical treatment to the individual. Absent the accounting, the individual cannot know whether a particular covered entity has acted on the authorization.

We agree, however, that it is unnecessarily burdensome to require covered entities to provide the individual with a copy of the authorization. We remove the requirement. Instead, we require the accounting to contain a brief statement describing the purpose for which the protected health information was disclosed. The statement must be sufficient to reasonably inform the individual of the basis for the disclosure. Alternatively, the covered entity may provide a copy of the authorization or a copy of the written request for disclosure, if any, under §§ 164.502(a)(2)(ii) or 164.512.

Comments: We received many comments regarding the amount of information required in the accounting. A few commenters requested that we include additional elements in the accounting, such as the method of transmittal and identity of the employee who accessed the information.

Other commenters, however, felt that the proposed requirements went beyond what is necessary to inform the individual of disclosures. Another commenter stated that if the individual's right to obtain an accounting extends to disclosures that do not require a signed authorization, then the accounting should be limited to a disclosure of the manner and purpose of disclosures, as opposed to an individual accounting of each entity to whom the protected health information was disclosed. An insurer stated that this section of the proposed rule should be revised to provide more general, rather than detailed, guidelines for accounting of disclosures. The commenter believed that its type of business should be allowed to provide general information regarding the disclosure of protected health information to outside entities, particularly with regard to entities with which the insurer maintains an ongoing, standard relationship (such as a reinsurer).

Response: In general, we have retained the proposed approach, which we believe strikes an appropriate balance between the individual's right to know to whom and for what purposes their protected health information has been disclosed and the burden placed on covered entities. In the final rule, we clarify that the accounting must include the address of the recipient only if the address is known to the covered entity. As noted above, we also add a provision allowing for a summary accounting of recurrent disclosures. We note that some of the activities of concern to commenters may fall under the definition of health care operations (see § 164.501 and the associated preamble).

Comment: A commenter asked that we limit the accounting to information pertaining to the medical record itself, as opposed to protected health information more generally. Similarly, commenters suggested that the accounting be limited to release of the medical record only.

Response: We disagree. Protected health information exists in many forms and resides in many sources. An individual's right to know to whom and for what purposes his or her protected health information has been disclosed would be severely limited if it pertained only to disclosure of the medical record, or information taken only from the record.

Comment: A commenter asked that we make clear that only disclosures external to the organization are within the accounting requirement.

Response: We agree. The requirement only applies to disclosures of protected health information, as defined in § 164.501.

Comment: Some commenters requested that we establish a limit on the number of times an individual could request an accounting. One comment suggested we permit individuals to request one accounting per year; another suggested two accountings per year, except in "emergency situations." Others recommended that we enable entities to recoup some of the costs associated with implementation by allowing the entity to charge for an accounting.

Response: We agree that covered entities should be able to defray costs of excessive requests. The final rule provides individuals with the right to receive one accounting without charge in a twelve-month period. For additional requests by an individual within a twelve-month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request to avoid or reduce the fee.

Comment: In the NPRM, we solicited comments on the appropriate duration of the individual's right to an accounting. Some commenters supported the NPRM's requirement that the right exist for as long as the covered entity maintains the protected health information. One commenter, however, noted that most audit control systems do not retain data on activity for indefinite periods of time.

Other commenters noted that laws governing the length of retention of clinical records vary by state and by provider type and suggested that entities be allowed to adhere to state laws or policies established by professional organizations or accrediting bodies. Some commenters suggested that the language be clarified to state that whatever minimum requirements are in place for the record should also guide covered entities in retaining their capacity to account for disclosures over that same time, but no longer.

Several commenters asked us to consider specific time limits. It was pointed out that proposed § 164.520(f)(6) of the NPRM set a six-year time limit for retaining certain information including authorization forms and contracts with business partners. Included in this list was the accounting of disclosures, but this requirement was inconsistent with the more open-ended language in § 164.515. Commenters suggested that deferring to this six-year limit would make this provision consistent with other record retention provisions of the standard and might relieve some of the burden associated with implementation. Other specific time frames suggested were two years, three years, five years, and seven years.

Another option suggested by commenters was to keep the accounting record for as long as entities have the information maintained and "active" on their systems. Information permanently taken off the covered entity's system and sent to "dead storage" would not be covered. One commenter further recommended that we not require entities to maintain records or account for prior disclosures for members who have "disenrolled."

Response: We agree with commenters who suggested we establish a specific period for which an individual may request an accounting. In the final rule, we provide that individuals have a right to an accounting of the applicable disclosures that have been made in the six-year period prior to a request for an accounting. We adopt this time frame to conform with the other documentation retention requirements in the rule. We also note that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than six years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request. In addition, we note that covered entities do not have to account for disclosures that occurred prior to the compliance date of this rule.

Comments: Commenters asked that we provide more time for entities to respond to requests for accounting. Suggestions ranged from 60 days to 90 days. Another writer suggested that entities be able to take up to three 30-day extensions from the original 30-day deadline. Commenters raised concerns about the proposed requirement that a covered health care provider or health plan act as soon as possible.

Response: We agree with the concerns raised by commenters. In the final rule, covered entities are required to provide a requested accounting no later than 60 days after receipt of the request. We also provide for one 30-day extension if the covered entity is unable to provide the accounting within the standard time frame. We eliminate the requirement for a covered entity to act as soon as possible.

We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

Comment: A commenter asked that we provide an exemption for disclosures related to computer upgrades, when protected health information is disclosed to another entity solely for the purpose of establishing or checking a computer system.

Response: This activity falls within the definition of health care operations and is, therefore, excluded from the accounting requirement.

SECTION 164.530--ADMINISTRATIVE REQUIREMENTS

Section 164.530(a)--Designation of a Privacy Official and Contact Person

Comment: Many of the commenters on this topic objected to the cost of establishing a privacy official, including the need to hire additional staff, which might need to include a lawyer or other highly paid individual.

Response: We believe that designation of a privacy official is essential to ensure a central point of accountability within each covered entity for privacy-related issues. The privacy official is charged with developing and implementing the policies and procedures for the covered entity, as required throughout the regulation, and for compliance with the regulation generally. While the costs for these activities are part of the costs of compliance with this rule, not extra costs associated with the designation of a privacy official, we do anticipate that there will be some cost associated with this requirement. The privacy official role may be an additional responsibility given to an existing employee in the covered entity, such as an office manager in a small entity or an information officer or compliance official in a larger institution. Cost estimates for the privacy official are discussed in detail in the overall cost analysis.

Comment: A few commenters argued for more flexibility in meeting the requirement for accountability. One health care provider maintained that covered entities should be able to establish their own system of accountability. For example, most physician offices already have the patient protections incorporated in the proposed administrative requirements; the commenter urged that the regulation should explicitly promote the application of flexibility and scalability. A national physician association noted that, in small offices in particular, responsibility for the policies and procedures should be allowed to be shared among several people. A major manufacturing corporation asserted that mandating a privacy official is unnecessary and that it would be preferable to ask for the development of policies that are designed to ensure that processes are maintained to assure compliance.

Response: We believe that a single focal point is needed to achieve the necessary accountability. At the same time, we recognize that covered entities are organized differently and have different information systems. We therefore do not prescribe who within a covered entity must serve as the privacy official, nor do we prohibit combining this function with other duties. Duties may be delegated and shared, so long as there is one point of accountability for the covered entity's policies and procedures and compliance with this regulation.

Comment: Some commenters echoed the proposal of a professional information management association that the regulation establish formal qualifications for the privacy official, suggesting that this should be a credentialed information management professional with specified minimum training standards. One commenter emphasized that the privacy official should be sufficiently high in management to have influence.

Response: While there may be some advantages to establishing formal qualifications, we concluded the disadvantages outweigh the advantages. Since the job of privacy official will differ substantially among organizations of varying size and function, specifying a single set of qualifications would sacrifice flexibility and scalability in implementation.

Comment: A few commenters suggested that we provide guidance on the tasks of the privacy official. One noted that this would reduce the burden on covered entities to clearly identify those tasks during the initial HIPAA implementation phase.

Response: The regulation itself outlines the tasks of the privacy official, by specifying the policies and procedures required, and otherwise explaining the duties of covered entities. Given the wide variation in the function and size of covered entities, providing further detail here would unnecessarily reduce flexibility for covered entities. We will, however, provide technical assistance in the form of guidance on the various provisions of the regulation before the compliance date.

Comment: Some comments expressed concern that the regulation would require a company with subsidiaries to appoint a privacy official within each subsidiary. Instead they argued that the corporate entity should have the option of designating a single corporate official rather than one at each subsidiary.

Response: In the final regulation, we give covered entities with multiple subsidiaries that meet the definition of covered entities under this rule the flexibility to designate whether such subsidiaries are each a separate covered entity or are together a single covered entity. (See § 164.504(b) for the rules requiring such designation.) If only one covered entity is designated for the subsidiaries, only one privacy official is needed. Further, we do not prohibit the privacy official of one covered entity from serving as the privacy official of another covered entity, so long as all the requirements of this rule are met for each such covered entity.

Section 164.530(b)--Training

Comment: A few commenters felt that the proposed provision was too stringent, and that the content of the training program should be left to the reasonable discretion of the covered entity.

Response: We clarify that we do not prescribe the content of the required training; the nature of the training program is left to the discretion of the covered entity. The scenarios in the NPRM preamble of potential approaches to training for different sized covered entities were intended as examples of the flexibility and scalability of this requirement.

Comment: Most commenters on this provision asserted that recertification/retraining every three years is excessive, restrictive, and costly. Commenters felt that retraining intervals should be left to the discretion of the covered entity. Some commenters supported retraining only in the event of a material change. Some commenters supported the training requirement as specified in the NPRM.

Response: For the reasons cited by the commenters, we eliminate the triennial recertification requirements in the final rule. We also clarify that retraining is not required every three years. Retraining is only required in the case of material changes to the privacy policies and procedures of the covered entity.

Comment: Several commenters objected to the burden imposed by required signatures from employees after they are trained. Many commenters suggested that electronic signatures be accepted for various reasons. Some felt that it would be less costly than manually producing, processing, and retaining the hard copies of the forms. Some suggested sending out the notice to the personal workstation via email or some other electronic format and having staff reply via email. One commenter suggested that the covered entity might opt to give web based training instead of classroom or some other type. The commenter indicated that with web based training, the covered entity could record whether or not an employee had received his or her training through the use of a guest book or registration form on the web site. Thus, a physical signature should not be required.

Response: We agree that there are many appropriate mechanisms by which covered entities can implement their training programs, and therefore remove this requirement for signature. We establish only a general requirement that covered entities document compliance with the training requirement.

Comment: Some commenters were concerned that there was no proposed requirement for business associates to receive training and/or to train their employees. The commenters believed that if the business associate violated any privacy requirements, the covered entity would be held accountable. These commenters urged the Secretary to require periodic training for appropriate management personnel assigned outside of the component unit of the covered entity, including business associates. Other commenters felt that it would not be fair to require covered entities to impose training requirements on business associates.

Response: We do not have the statutory authority directly to require business associates to train their employees. We also believe it would be unnecessarily burdensome to require covered entities to monitor business associates' establishment of specific training requirements. Covered entities' responsibility for breaches of privacy by their business associates is described in §§ 164.504(e) and 164.530(f). If a covered entity believes that including a training requirement in one or more of its business associate contracts is an appropriate means of protecting the health information provided to the business associate, it is free to do so.

Comments: Many commenters argued that training, as well as all of the other administrative requirements, is too costly for covered entities and that small practices would not be able to bear the added costs. Commenters also suggested that HHS should provide training materials at little or no cost to the covered entity.

Response: For the final regulation, we make several changes to the proposed provisions. We believe that these changes address the issue of administrative cost and burden to the greatest extent possible, consistent with protecting the privacy of health information. In enforcing the privacy rule, we expect to provide general training materials. We also hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups.

We note that, under long-standing legal principles, entities are generally responsible for the actions of their workforce. The requirement to train workforce members to implement the covered entity's privacy policies and procedures, and do such things as pass evidence of potential problems to those responsible, is in line with these principles. For example, the comments and our fact finding indicate that, today, many hospitals require their workforce members to sign a confidentiality agreement, and include confidentiality matters in their employee handbooks.

Section 164.530(c)--Safeguards

Comments: A few comments asserted that the rule requires some institutions that do not have adequate resources to develop costly physical and technical safeguards without providing a funding mechanism to do so. Another comment said that the vague definitions of adequate and appropriate safeguards could be interpreted by HHS to require the purchase of new computer systems and the reprogramming of many old ones. A few other comments suggested that the safeguards language was vague and asked for more specifics.

Response: We require covered entities to maintain safeguards adequate for their operations, but do not require that specific technologies be used to do so. Safeguards need not be expensive or high-tech to be effective. Sometimes, it is an adequate safeguard to put a lock on a door and only give the keys to those who need access. As described in more detail in the preamble discussion of § 164.530, we do not require covered entities to guarantee the safety of protected health information against all assaults. This requirement is flexible and scalable to allow implementation of required safeguards at a reasonable cost.

Comments: A few commenters noted that once protected health information becomes non-electronic, by being printed for example, it escapes the protection of the safeguards in the proposed Security Rule. They asked if this safeguards requirement is intended to install similar security protections for non-electronic information.

Response: This provision is not intended to incorporate the provisions in the proposed Security regulation into this regulation, or to otherwise require application of those provisions to paper records.

Comments: Some commenters said that it was unclear what "appropriate" safeguards were required by the rule and who establishes the criteria for them. A few noted that the privacy safeguards were not exactly the same as the security safeguards, or that the 'other safeguards' section was too vague to implement. They asked for more clarification of safeguards requirements and flexible solutions.

Response: In the preamble discussion of § 164.530, we provide examples of types of safeguards that can be appropriate to satisfy this requirement. Other sections of this regulation require specific safeguards for specific circumstances. The discussion of the requirements for "minimum necessary" uses and disclosures of protected health information includes related guidance for developing role-based access policies for a covered entity's workforce. The requirements for "component entities" include requirements for firewalls to prevent access by unauthorized persons. The proposed Security Rule included further details on what safeguards would be appropriate for electronic information systems. The flexibility and scalability of these rules allow covered entities to analyze their own needs and implement solutions appropriate for their own environment.

Comments: A few comments asked for a requirement for a firewall between a health care component and the rest of a larger organization as another appropriate safeguard.

Response: We agree, and have incorporated such a requirement in § 164.504.

Comments: One commenter agreed with the need for administrative, physical, and technical safeguards, but took issue with our specification of the type of documentation or proof that the covered entity is taking action to safeguard protected health information.

Response: This privacy rule does not require specific forms of proof for safeguards.

Comments: A few commenters asked that, for the requirement for a signed certification of training and the requirements for verification of identity, we consider the use of electronic signatures that meet the requirements in the proposed security regulation to meet the requirements of this rule.

Response: In this final rule, we drop the requirements for signed certifications of training. Signatures are required elsewhere in this regulation, for example, for a valid authorization. In the relevant sections we clarify that electronic signatures are sufficient provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signatures in Global and National Commerce Act.

Comments: A few commenters requested that the privacy requirements for appropriate administrative, technical, and physical safeguards be considered to have been met if the requirements of the proposed Security Rule have been met. Others requested that the safeguards requirements of the final Privacy Rule mirror or be harmonized with the final Security Rule so they do not result in redundant or conflicting requirements.

Response: Unlike the proposed regulation, the final regulation covers all protected health information, not just information that had at some point been electronic. Thus, these commenters' assumption that the proposed Privacy Rule and the proposed Security Rule covered the same information is not the case, and taking the approach suggested by these comments would leave a significant number of health records unprotected. The safeguards required by this regulation are appropriate for both paper and electronic information. We will take care to ensure that the final Security Rule works in tandem with these requirements.

Comments: One commenter requested that the final privacy rule be published before the final Security Rule, recognizing that the privacy policies must be in place before the security technology used to implement them could be worked out. Another commenter asked that the final Security Rule be published immediately and not wait for an expected delay while privacy policies are worked out.

Response: Now that this final privacy rule has been published in a timely manner, the final Security Rule can be harmonized with it and published soon.

Comments: Several commenters echoed an association recommendation that, for those organizations that have implemented a computer-based patient record that is compliant with the requirements of the proposed Security Rule, the minimum necessary rule should be considered to have been met by the implementation of role-based access controls.

Response: The privacy regulation applies to paper records to which the proposed Security Rule does not apply. Thus, taking the approach suggested by these comments would leave a significant number of health records unprotected. Further, since the final Security Rule is not yet published and the number of covered entities that have implemented this type of computer-based patient record system is still small, we cannot make a blanket statement. We note that this regulation requires covered entities to develop role-based access rules, in order to implement the requirements for "minimum necessary" uses and disclosures of protected health information. Thus, this regulation provides a foundation for the type of electronic system to which these comments refer.

Section 164.530(d)--Complaints to the Covered Entity

Comment: Several commenters felt that some form of due process is needed when it comes to internal complaints. Specifically, they wanted to be assured that the covered entity actually hears the complaints made by the individual and that the covered entity resolves the complaint within a reasonable time frame. Without due process, the commenters felt that the internal complaint process is open ended. Some commenters wanted the final rule to include an appeals process for individuals if a covered entity's determination with regard to the complaint is unfavorable to the individual.

Response: We do not require covered entities to implement any particular due process or appeals process for complaints, because we are concerned about the burden this could impose on covered entities. We provide individuals with an alternative to take their complaints to the Secretary. We believe that this provides incentives for covered entities to implement a complaint process that resolves complaints to individuals' satisfaction.

Comment: Some commenters felt that the individual making the complaint should exhaust all other avenues to resolve their issues before filing a complaint with the Secretary. A number of commenters felt that any complaint being filed with the Secretary should include documentation of the reviews done by the covered entity.

Response: We reject these suggestions, for two reasons. First, we want to avoid establishing particular process requirements for covered entities' complaint programs. Also, this rule does not require the covered entity to share any information with the complainant, only to document the receipt of the complaint and the resolution, if any. Therefore, we cannot expect the complainant to have this information available to submit to the Secretary. Second, we believe the individual making the complaint should have the right to share the complaint with the Secretary at any point in time. This approach is consistent with existing civil rights enforcement programs for which the Department is responsible. Based on that experience, we believe that most complaints will come first to covered entities for disposition.

Comment: Some commenters wanted the Department to prescribe a minimum amount of time before the covered entity could dispose of the complaints. They felt that storing these complaints indefinitely would be cumbersome and expensive.

Response: We agree, and in the final rule require covered entities to keep all items that must be documented, including complaints, for at least six years from the date of creation.

Comments: Some commenters objected to the need for covered entities to have at least one employee, if not more, to deal with complaints. They felt that this would be costly and is redundant in light of the designation of a contact person to receive complaints.

Response: We do not require assignment of dedicated staff to handle complaints. The covered entity can determine staffing based on its needs and business practices. We believe that consumers need one clear point of contact for complaints, so that this provision effectively informs consumers how to lodge complaints and so that the complaint will get to someone who knows how to respond. The contact person (or office) is for receipt of complaints, but need not handle the complaints.

Section 164.530(e)--Sanctions

Comment: Commenters argued that most covered entities already have strict sanctions in place for violations of a patient's privacy, either due to current laws, contractual obligations, or good operating practices. Requiring covered entities to create a formal sanctioning process would be superfluous.

Response: We believe it is important for the covered entity to have these sanction policies and procedures documented so that employees are aware of what actions are prohibited and punishable. For entities that already have sanctions policies in place, it should not be problematic to document those policies. We do not define the particular sanctions that covered entities must impose.

Comment: Several commenters agreed that training should be provided and expectations should be clear so that individuals are not sanctioned for doing things that they did not know were wrong or inappropriate. A good faith exception should be included in the final rule to protect these individuals.

Response: We agree that employees should be trained to understand the covered entity's expectations and understand the consequences of any violation. This is why we are requiring each covered entity to train its workforce. However, we disagree that a good faith exception is explicitly needed in the final rule. We leave the details of sanctions policies to the discretion of the covered entity. We believe it is more appropriate to leave this judgment to the covered entity that will be familiar with the circumstances of the violation, rather than to specify such requirements in the regulation.

Comment: Some commenters felt that the sanctions need to reach business partners as well, not just employees of the covered entities. These commenters felt all violators should be sanctioned, including government officials and agencies.

Response: All members of a covered entity's workforce are subject to sanctions for violations, including government officials who are part of a covered entity's workforce. Requirements for addressing privacy violations by business associates are discussed in §§ 164.504(e) and 164.530(f).

Comments: Many commenters appreciated the flexibility left to the covered entities to determine sanctions. However, some were concerned that the covered entity would need to predict each type of violation and the associated sanction. They argued that, if the Department could not determine this in the NPRM, then the covered entities should be allowed to come up with sanctions as appropriate at the time of the violation. Some commenters wanted a better explanation and understanding of HHS' expectation as to when it is appropriate to apply sanctions. Some commenters felt that the sanctioning requirement is nebulous and requires independent judgment of compliance; as a result it is hard to enforce. Offending individuals may use the vagueness of the standard as a defense.

Response: We agree with the commenters that argue that covered entities should be allowed to determine the specific sanctions as appropriate at the time of the violation. We believe it is more appropriate to leave this judgment to the covered entity, because the covered entity will be familiar with the circumstances of the violation and the best way to improve compliance.

Comment: A commenter felt that the self-imposition of this requirement is an inadequate protection, as there is an inherent conflict of interest when an entity must sanction one of its own.

Response: We believe it is in the covered entity's best interests to appropriately sanction those individuals who do not follow the outlined policies and procedures. Allowing violations to go unpunished may lead to bigger problems later, and result in complaints being registered with the Department by aggrieved parties and/or an enforcement action.

Comment: This provision should cover all violations, not just repeat violations.

Response: We do not limit this requirement to repeat offenses.

Section 164.530(f)--Duty to Mitigate

Comments: A few commenters felt that any duty to mitigate would be onerous, especially for small entities. One commenter supported an affirmative duty to mitigate for employees of the covered entity, as long as there is no prescribed mitigation policy. One commenter stated that a requirement for mitigation is unnecessary because any prudent entity would do it.

Some practitioner organizations, as well as a health plan, expressed concern about the obligation to mitigate in the context of the business associate relationship. Arguing that it is unnecessary for the regulation to explicitly extend the duty to mitigate to business associates, commenters noted that any prudent entity would discipline a vendor or employee that violates a regulation; that the matter is best left to the terms of the contract; and that it is difficult and expensive for a business associate to have a separate set of procedures on mitigation for each client/provider. One commenter suggested that the federal government should fund the monitoring needed to administer the requirement.

Response: Eliminating the requirement to mitigate harm would undermine the purposes of this rule by reducing covered entities' accountability to their patients for failure to protect their confidential data. To minimize burden, we do not prescribe what mitigation policies and procedures must be implemented. We require only that the covered entity mitigate harm. We also assume that violations will be rare, and so the duty to mitigate harm will rarely be triggered. To the extent a covered entity already has methods for mitigating harm, this rule will not pose significant burden, since we do not require the covered entity to follow any prescribed method or set of rules.

We also modify the NPRM to impose the duty to mitigate only where the covered entity has actual knowledge of harm. Further reducing burden, the rule requires mitigation "to the extent practicable." It does not require the covered entity to eliminate the harm unless that is practicable. For example, if protected health information is inadvertently provided to a third party without authorization in a domestic abuse situation, the covered entity would be expected to promptly contact the patient as well as appropriate authorities and apprise them of the potential danger.

The harm to the individual is the same, whether the privacy breach was caused by a member of the covered entity's workforce, or by a contractor. We believe the cost of this requirement to be minimal for covered entities that engage in prudent business practices for exchanging protected health information with their business associates.

Comment: A few commenters noted that it is difficult to determine whether a violation has resulted in a deleterious effect, especially as the entity cannot know all places to which information has gone and uses that have been made of it. Consequently, there should be a duty to mitigate even if a deleterious effect cannot be shown, because the individual has no other redress.

Response: As noted above, this provision only applies if the covered entity has actual knowledge of the harm, and requires mitigation "to the extent practicable." The covered entity is expected to take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another individual, and what steps can actually have a mitigating effect in that specific situation.

Comments: Commenters stated that the language of the regulation was in some places vague and imprecise, thus providing covered entities with insufficient guidance and allowing variation in interpretation. Commenters also noted that this could result in inconsistency in implementation as well as permitting such inconsistency to be used as a defense by an offending entity. Particular language for which at least one commenter requested clarification included "reasonable steps" and what is entailed in the duty to mitigate.

Response: We considered ways in which we might increase specificity, including defining "to the extent practicable" and "reasonable steps" and relating the mitigating action to the deleterious impact. While this approach could remove from the covered entity the burden of decision-making about actions that need to be taken, we believe that other factors outweigh this potential benefit. Not only would there be a loss of desirable flexibility in implementation, but it would not be possible to define "to the extent practicable" in a way that makes sense for all types of covered entities. We believe that allowing flexibility and judgment by those familiar with the circumstances to dictate the response is the best approach to mitigating harm.

Section 164.530(g)--Refraining from Intimidating or Retaliatory Acts

Comment: Several commenters stated that the regulation should prohibit covered entities from engaging in intimidating or retaliatory acts against any person, not just against the "individual," as proposed. They suggested adding "or other person or entity" after "any individual."

Response: We agree, and allow any person to file a complaint with the Secretary. "Person" is not limited to natural persons, but includes any type of organization, association or group such as other covered entities, health oversight agencies and advocacy groups.

Comment: A few commenters suggested deleting this provision in its entirety. One commenter indicated that the whistleblower and retaliation provisions could be inappropriately used against a hospital and that the whistleblower's ability to report numerous violations will result in a dangerous expansion of liability. Another commenter stated that covered entities could not take action against an employee who had violated the employer's privacy provisions if this employee files a complaint with the Secretary.

Several commenters suggested deleting "in any manner" and "or opposing any act or practice made unlawful by this subpart" in § 164.522(d)(4). The commenters indicated that, as proposed, the rule would make it difficult to enforce compliance within the workforce. One commenter stated that the proposed § 164.522(d)(4) "is extremely broad and may allow an employee to reveal protected health information to fellow employees, the media and others (e.g., an employee may show a medical record to a friend or relative before filing a complaint with the Department)." This commenter further stated that covered entities will "absolutely be prevented from prohibiting such conduct." One commenter suggested adding that a covered entity may take disciplinary action against any member of its work force or any business partner who uses or discloses individually identifiable health information in violation of this subpart in any manner other than through the processes set forth in the regulation.

Response: To respond to these comments, we make several changes to the proposed provision.

First, where the activity does not involve the filing of a complaint under § 160.306 of this part or participation in an investigation or proceeding initiated by the government under the rule, we delete the phrase "in any manner" and add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart be in good faith, and that the expression of that opposition must be reasonable. Second, we add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart must not involve a disclosure of protected health information that is in violation of this subpart. Thus, the employee who discloses protected health information to the media or friends is not protected. In providing interpretations of the retaliation provision, we will consider existing interpretations of similar provisions such as the guidance issued by EEOC in this regard.

Section 164.530(h)--Waiver of Rights

There are no comments directly about this section because it was not included in the proposed rule.

Section 164.530(i)--Policies and Procedures and § 164.530(j)--Documentation Requirements

Comments: Many of the comments to this provision addressed the costs and complexity of the regulation as a whole, not the additional costs of documenting policies and procedures per se. Some did, either implicitly or explicitly, object to the need to develop and document policies and procedures as creating excessive administrative burden. Many of these commenters also asserted that there is a contradiction between the administrative burden of this provision and one of the statutory purposes of this section of the HIPAA, which is to reduce costs through administrative simplification. Suggested alternatives were generally reliance on existing regulations and ethical standards, or on current business practices.

Response: A specific discussion of cost and burden is found in the Regulatory Impact Analysis of this final rule.

We do not believe there is a contradiction between the administrative costs of this provision and the goal of administrative simplification. In the Administrative Simplification provisions of the HIPAA, Congress combined a mandate to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords, with a mandate to improve privacy and confidentiality protections. Congress recognized, and we agree, that the benefits of electronic commerce can also cause increased vulnerability to inappropriate access and use of medical information, and so must be balanced with increased privacy protections. By including the mandate for privacy standards in section 264 of the HIPAA, Congress determined that existing regulations and ethical standards, and current business practices, were insufficient to provide the necessary protections.

Congress mandated that the total benefits associated with administrative simplification must outweigh its costs, including the costs of implementing the privacy regulation. We are well within this mandate.

Comments: Several commenters suggested that the documentation requirements not be established as a standard under the regulation, because standards are subject to penalties. They recommended we delete the documentation standards and instead provide specific guidance and technical assistance. Several commenters objected to the suggestion in the NPRM that professional associations assist their members by developing appropriate policies for their membership. Several commenters representing professional associations believed this to be an onerous and costly burden for the associations, and suggested instead that we develop specific models which might require only minor modification. Some of these same associations were also concerned about liability issues in developing such guidelines. One commenter argued that sample forms, procedures, and policies should be provided as part of the Final Rule, so that practitioners would not be overburdened in meeting the demands of the regulations. They urged us to apply this provision only to larger entities.

Response: The purpose of requiring covered entities to develop policies and procedures for implementing this regulation is to ensure that important decisions affecting individuals' rights and privacy interests are made thoughtfully, not on an ad hoc basis. The purpose of requiring covered entities to maintain written documentation of these policies is to facilitate workforce training, and to facilitate creation of the required notice of information practices. We further believe that requiring written documentation of key decisions about privacy will enhance accountability, both within the covered entity and to the Department, for compliance with this regulation.

We do not include more specific guidance on the content of the required policies and procedures because of the vast difference in the size of covered entities and types of covered entities' businesses. We believe that covered entities should have the flexibility to design the policies and procedures best suited to their business and information practices. We do not exempt smaller entities, because the privacy of their patients is no less important than the privacy of individuals who seek care from large providers. Rather, to address this concern we ensure that the requirements of the rule are flexible so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems.

We understand that smaller covered entities may require some assistance, and intend to provide such technical assistance after publication of this rule. We hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. Our discussions with several such organizations indicate their intent to work on various aspects of model documentation, including forms. Because the associations' comments regarding concerns about liability did not provide sufficient details, we cannot address them here.

Comment: Many commenters discussed the need for a recognition of scalability of the policies and procedures of an entity based on size, capabilities, and needs of the participants. It was noted that the actual language of the draft regulations under § 164.520 did not address scalability, and it was suggested that some scalability standard be formally incorporated into the regulatory language rather than relying solely on the NPRM introductory commentary.

Response: In § 164.530(i)(1) of the final rule, we require covered entities to implement policies and procedures that take into account the size of the covered entity and the types of activities that relate to protected health information undertaken by the covered entity.

Comment: One commenter objected to our proposal to allow covered entities to make uses or disclosures not permitted by their current notice if a compelling reason exists to make the use or disclosure and the entity documents the reasons and changes its policies within 30 days of the use or disclosure. The commenter argued that the subjective language of the regulation might give entities the ability to engage in post hoc justifications for violations of their own information practices and policies. The commenter suggested that there should be an objective standard for reviewing the covered entity's reasons before allowing the covered entity to amend its policies.

Response: We eliminate this provision from the final rule. The final rule requires each covered entity to include in its notice of information practices a statement of all permitted uses under this rule, not just those in which the covered entity actually engages at the time of that notice.

Comment: Some commenters expressed concern that the required retention period in the NPRM applied to the retention of medical records.

Response: The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records.

Comment: Comments on the six-year retention period were mixed. Some commenters endorsed the six-year retention period for maintaining documentation. One of the comments stated that this retention period would assist physicians legally. Other commenters believed that the retention period would be an undue burden. One commenter noted that most State Board of Pharmacy regulations require pharmacies to keep records for two years, so the six-year retention period would triple document retention costs.

Response: We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.

Section 164.530(k)--Group Health Plans

There were no comments directly about this section because it was not included in the proposed rule.

SECTION 164.532--TRANSITION PROVISIONS

Comment: Commenters urged the Department to clarify whether the "reach of the transition requirement" is limited to a particular time frame, to the provider's activities in a particular job, or work for a particular employer. For example, one commenter questioned how long a nurse is a covered entity after she moves from a job reviewing files with protected health information to an administrative job that does not handle protected health information; or whether an occupational health nurse who used to transmit first reports of injury to her company's workers' compensation carrier last year but no longer does so this year because of a carrier change still is a covered entity.

Response: Because this comment addresses a question of enforcement, we will address it in the enforcement regulation.

Comment: Several commenters sought clarification as to the application of the privacy rule to research already begun prior to the effective date or compliance date of the final rule. These commenters argued that applying the privacy rule to research already begun prior to the rule's effective date would substantially overburden IRBs and that the resulting research interruptions could harm participants and threaten the reliability and validity of conclusions based upon clinical trial data. The commenters recommended that the rule grandfather in any ongoing research that has been approved by and is under the supervision of an IRB.

Response: We generally agree with the concerns raised by commenters. In the final rule, we have provided that covered entities may rely upon consents, authorizations, or other express legal permissions obtained from an individual for a specific research project that includes the treatment of individuals to use or disclose protected health information the covered entity obtained before or after the applicable compliance date of this rule as long as certain requirements are met. These consents, authorizations, or other express legal permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project or be a general consent of the individual to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.

In regard to research projects that include the treatment of individuals, such as clinical trials, covered entities engaged in these projects will have obtained at least an informed consent from the individual to participate in the project. In some cases, the researcher may also have obtained a consent, authorization, or other express legal permission to use or disclose individually identifiable health information in a specific manner. To avoid disrupting ongoing research and because the participants have already agreed to participate in the project (which expressly permits or implies the use or disclosure of their protected health information), we have grandfathered in these consents, authorizations, and other express legal permissions.

It is unlikely that a research project that includes the treatment of individuals could proceed under the Common Rule with a waiver of informed consent. However, to the extent such a waiver has been granted, we believe individuals participating in the project should be able to determine how their protected health information is used or disclosed. Therefore, we require researchers engaged in research projects that include the treatment of individuals who obtained an IRB waiver of informed consent under the Common Rule to obtain an authorization or a waiver of such authorization from an IRB or a privacy board under § 164.512(i) of this rule.

If a covered entity obtained a consent, authorization, or other express legal permission from the individual who is the subject of the research, it would be able to rely upon that consent, authorization, or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation. If a covered entity wishes to use or disclose protected health information but no such consent, authorization, or permission exists, it must obtain an authorization pursuant to § 164.508 or obtain a waiver of authorization under § 164.512(i). To the extent such a project is ongoing and the researchers are unable to locate the individuals whose protected health information they are using or disclosing, we believe the IRB or privacy board under the criteria set forth in § 164.512(i) will be able to take that circumstance into account when conducting its review. In most instances, we believe this type of research will be able to obtain a waiver of authorization and be able to continue uninterrupted.

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.

Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopt privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and health care clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation.

Consistent with the definition of individually identifiable health information in HIPAA, of which protected health information is a subset, we do not distinguish between protected health information in research records and protected health information in other records. Thus, a covered entity's research records are subject to this regulation to the extent they contain protected health information.

SECTION 164.534--EFFECTIVE DATE AND COMPLIANCE DATE

Section 1175(b)(1)(A) of the Act requires all covered entities other than small health plans to comply with a standard or implementation specification "not later than 24 months after the date on which an initial standard or implementation specification is adopted or established"; section 1175(b)(1)(B) provides that small health plans must comply not later than 36 months after that date. The proposed rule provided, at proposed § 164.524 (which was titled "Effective date"), that a covered entity was required to be in compliance with the proposed subpart E not later than 24 months following the effective date of the rule, except that small health plans were required to be in compliance not later than 36 months following the effective date of the rule.

The final rules retain these dates in the text of Subpart E, but denominate them as "compliance dates," to distinguish the statutory dates from the date on which the rules become effective. The effective date of the final rules is 60 days following publication in the Federal Register.

Meaning of Effective Date

Comment: A number of commenters expressed confusion about the difference between the effective date of the rule and the effective date on which compliance was required (the statutory compliance dates set out at section 1175(b)(1), summarized above).

Response: The Department agrees that the title of proposed § 164.524 was confusing. Similar comments were received on the Transactions Rule. Those comments were addressed by treating the "effective date" of the rule as the date on which adoption takes effect (the "Effective Date" heading at the beginning of the preamble), while the dates provided for by section 1175(b)(1) of the statute were denominated as "compliance dates." These changes are reflected in the definition of "compliance date" in § 160.103 below (initially published as part of the Transactions Rule) and are also reflected at § 164.534 below. Section 164.534 below has also been reorganized to follow the organization of the analogous provisions of the Transactions Rule. The underlying policy, however, remains as proposed.

Extend the Compliance Date

Comment: Some commenters recommended that the compliance date be extended. A number of comments objected that the time frame for compliance with the proposed standards is unrealistically short. It was pointed out that providers and others would have to do the following, among other things, prior to the applicable compliance date: assess their current systems and departments, determine which state laws were preempted and which were not, update and reprogram computer systems, train workers, create and implement the required privacy policies and procedures, and create or update contracts with business partners. One comment also noted that the task of coming into compliance during the same time period with the other regulations being issued under HIPAA would further complicate the task. These comments generally supported an extension of the compliance dates by one or more years. Other comments supported extending the compliance dates on the ground that the complexity of the tasks involved in implementing the regulation would be a heavy financial burden for providers and others, and that they should be given more time to comply, in order to spread the associated capital and workforce costs over a longer period. It was also suggested that there be provision for granting extensions of the compliance date, based on some criteria, such as a good faith effort to comply or that the compliance dates be extended to two years following completion of a "state-by-state preemption analysis" by the Department.

Response: The Secretary acknowledges that covered entities will have to make changes to their policies and procedures during the period between the effective date of the rules below and the applicable compliance dates. The delayed compliance dates which the statute provides for constitute a recognition of the fact that changes will be required and are intended to permit covered entities to manage and implement these changes in an orderly fashion. However, because the time frames for compliance with the initial standards are established by statute, the Secretary has no discretion to extend them: compliance is statutorily required "not later than" the applicable compliance date. Nor do we believe that it would be advisable to accomplish this result by delaying the effective date of the final rules beyond 60 days. Since the Transactions Rule is now in effect, it is imperative to bring the privacy protections afforded by the rules below into effect as soon as possible. Retaining the delayed effective date of 60 days, as originally contemplated, will minimize the period during which transactions covered by those rules are not also afforded protection under the rules below.

Phase-in Requirements

Comment: Several comments suggested that the privacy standards be phased in gradually, to ease the manpower and cost burdens of compliance. A couple of equipment manufacturing groups suggested that updating of various types of equipment would be necessary for compliance purposes, and suggested a phased approach to this -- for example, an initial phase consisting of preparation of policies, plans, and risk assessments, a second phase consisting of bringing new equipment into compliance, and a final phase consisting of bringing existing equipment into compliance.

Response: As noted in the preceding response, section 1175(b)(1) does not allow the Secretary discretion to change the time frame within which compliance must be achieved. Congress appears to have intended the phasing in of compliance to occur during the two-year compliance period, not thereafter.

Compliance Gap Vis-à-Vis State Laws and Small Health Plans

Comment: Several comments stated that, as drafted, the preemption provisions would be effective as of the rule's effective date (i.e., 60 days following publication), even though covered entities would not be required to comply with the rules for at least another two years. According to these comments, the "preempted" state laws would not be in effect in the interim, so that the actual privacy protection would decrease during that period. A couple of comments also expressed concern about how the preemption provisions would work, given the one-year difference in applicable compliance dates for small health plans and other covered entities. A state medical society pointed out that this gap would also be very troublesome for providers who deal with both "small health plans" and other health plans. One comment asked what entities that decided to come into compliance early would have to do with respect to conflicting state laws and suggested that, since all parties "need to know with confidence which laws govern at the moment, ... [t]here should be uniform effective dates."

Response: We agree that clarification is needed with respect to the applicability of state laws in the interim between the effective date and the compliance dates. What the comments summarized above appeared to assume is that the preemption provisions of section 1178 operate to broadly and generally invalidate any state law that comes within their ambit. We do not agree that this is the effect of section 1178. Rather, what section 1178 does - where it acts to preempt - is to preempt the state law in question with respect to the actions of covered entities to which the state law applies. Thus, if a provision of state law is preempted by section 1178, covered entities within that state to which the state law applies do not have to comply with it, and must instead comply with the contrary federal standard, requirement, or implementation specification. However, as compliance with the contrary federal standard, requirement, or implementation specification is not required until the applicable compliance date, we do not view the state law in question as meeting the test of being "contrary." That is, since compliance with the federal standard, requirement, or implementation specification is not required prior to the applicable compliance date, it is possible for covered entities to comply with the state law in question. See § 160.202 (definition of "contrary"). Thus, since the state law is not "contrary" to an applicable federal standard, requirement, or implementation specification in the period before compliance is required, it is not preempted.

Several implications of this analysis should be spelled out. First, one conclusion that flows from this analysis is that preemption is specific to covered entities and does not represent a general invalidation of state law, as suggested by many commenters. Second, because preemption is covered entity-specific, preemption will occur at different times for small health plans than it will occur for all other covered entities. That is, the preemption of a given state law for a covered entity, such as a provider, that is covered by the 24-month compliance date of section 1175(b)(1)(A) will occur 12 months earlier than the preemption of the same state law for a small health plan that is covered by the 36-month compliance date of section 1175(b)(1)(B). Third, the preemption occurs only for covered entities; a state law that is preempted under section 1178(a)(1) would not be preempted for persons and entities to which it applies who are not covered entities. Thus, to the extent covered entities or non-covered entities follow the federal standards on a voluntary basis (i.e., the covered entity prior to the applicable compliance date, the non-covered entity at any time), the state law in question will not be preempted for them.

Small Health Plans

Comment: Several comments, pointing to the "Small Business" discussion in the preamble to the proposed rules, applauded the decision to extend the compliance date to three years for small businesses. It was requested that the final rules clarify that the three-year compliance date applies to small doctors' offices and other small entities, as well as to small health plans.

Response: We recognize that our discussion in the preamble to the proposed rules may have suggested that more covered entities came within the 36-month compliance date than is in fact the case. Again, this is an area in which we are limited by statute. Under section 1175(b) of the Act, only small health plans have three years to come into compliance with the standards below. Thus, other "small businesses" that are covered entities must comply by the two-year compliance date.

Coordination with the Security Standard

Comment: Several comments suggested that the security standard be issued either with or after the privacy standards. It was argued that both sets of standards deal with protecting health information and will require extensive personnel training and revisions to business practices, so that coordinating them would make sense. An equipment manufacturers group also pointed out that it would be logical for covered entities and their business partners to know what privacy policies are required in purchasing security systems, and that "the policies on privacy are implemented through the security standards rather than having already finalized security standards drive policy."

Response: We agree with these comments, and are making every effort to coordinate the final security standards with the privacy standards below. The privacy standards below are being published ahead of the security standards, which is also responsive to the stated concerns.

Prospective Application

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One provider group suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.

Response: These comments are addressed in connection with the discussion of § 164.532 above.

IMPACT ANALYSES

Cost/Benefit Analysis

Comment: Many commenters made general statements to the effect that the cost estimates for implementing the provisions of the proposed regulation were incomplete or greatly understated.

Response: The proposal, including the cost analysis, is, in effect, a first draft. The purpose of the proposal was to solicit public comment and to use those comments to refine the final regulation. As a result of the public comment, the Department has significantly refined our initial cost estimates for implementing this regulation. The cost analysis below reflects a much more complete analysis of the major components of the regulation than was presented in the proposal.

Comment: Numerous commenters noted that significant areas of potential cost had not been estimated and that if they were estimated, they would greatly increase the total cost of the regulation. Potential cost areas identified by various respondents as omitted from the analyses include the minimum disclosure requirements; the requisite monitoring by covered entities of business partners with whom they share private health information; creation of de-identified information; internal complaint processes; sanctions and enforcement; the designation of a privacy official and creation of a privacy board; new requirements for research/optional disclosures; and future litigation costs.

Response: We noted in the proposed rule that we did not have data from which to estimate the costs of many provisions, and solicited comments providing such data. The final analysis below reflects the best estimate possible for these areas, based on the information available. The data and the underlying assumptions are explained in the cost analysis section below.

Comment: A number of comments suggested that the final regulation be delayed until more thorough analyses could be undertaken and completed. One commenter stated that the Department should refrain from implementing the regulation until a more realistic assessment of costs could be made and include local governments in the process. Similarly, a commenter requested that the Department assemble an outside panel of health industry experts, including systems analysts, legal counsel, and management consultants to develop stronger estimates.

Response: The Department has engaged in extensive research, data collection and fact-finding to improve the quality of its economic analysis. This has included comments from and discussions with the kinds of experts one commenter suggested. The estimates represent a reasonable assessment of the policies proposed.

Comment: Several commenters indicated that the proposed regulation would impose significant new costs on providers' practices. Furthermore, they believe that it runs counter to the explicit statutory intent of HIPAA's Administrative Simplification provisions which require that "any standard adopted . . . shall be consistent with the objective of reducing the administrative costs of providing and paying for health care."

Response: As the Department explained in the Transactions Rule, this provision applies to the administrative simplification regulations of HIPAA in the aggregate. The Transactions Rule is estimated to save the health care system $29.9 billion in nominal dollars over ten years. Other regulations published pursuant to the administrative simplification authority in HIPAA, including the privacy regulation, will result in costs, but these costs are within the statutory directive so long as they do not exceed the $29.9 billion in estimated savings. Furthermore, as explained in the Transactions Rule, and the preamble to this rule, assuring privacy is essential to sustaining many of the advances that computers will provide. If people do not have confidence that their medical privacy will be protected, they will be much less likely to allow their records to be used for any purpose or might even avoid obtaining necessary medical care.

Comment: Several commenters criticized the omission of aggregate, quantifiable benefit estimates in the proposed rule. Some respondents argued that the analysis in the proposed rule used "de minimis" cost estimates to argue only that benefits would certainly exceed such a low barrier. These commenters further characterized the benefits analysis in the Notice of Proposed Rulemaking as "hand waving" used to divert attention from the fact that no real cost-benefit comparison is presented. Another commenter stated that the benefit estimates rely heavily on anecdotal and unsubstantiated inferences. This respondent believes that the benefit estimates are based on postulated, but largely unsubstantiated, causal linkages between increased privacy and earlier diagnosis and medical treatment.

Response: The benefits of privacy are diffused and intangible but real. Medical privacy is not a good people buy or sell in a market; therefore, it is very difficult to quantify. The benefits discussion in the proposal reflects this difficulty. The examples presented in the proposal were meant to be illustrative of the benefits based on a few areas of medicine where some relevant data was available. Unfortunately, no commenters provided either a better methodological approach or better data for assessing the overall benefits of privacy. Therefore, we believe the analysis in the proposal represents a valid illustration of the benefits of privacy, and we do not believe it is feasible to provide an overall dollar estimate of the benefits of privacy in the aggregate.

Comment: One commenter criticized the benefit analysis as being incomplete because it did not consider the potential cost of new treatments that might be engendered by increased confidence in medical privacy resulting from the regulation.

Response: There is no data or model to reliably assess such long-term behavioral and scientific changes, nor to determine what portion of the increasingly rapid evolution of new improved treatments might stem from improved privacy protections. Moreover, to be complete, such analysis would have to include the savings that might be realized from earlier detection and treatment. It is not possible at this time to project the magnitude or even the direction of the net effects of the response to privacy that the commenter suggests.

Scope of the Regulation

Comment: Numerous commenters noted the potential cost and burden of keeping track in medical records of information which had been transmitted electronically, which would be subject to the rule, as opposed to information that had only been maintained in paper form.

Response: This argument was found to have considerable merit and was one of the reasons that the Department concluded that the final regulation should apply to all medical records maintained by covered entities, including information that had never been transmitted electronically. The cost analysis below reflects the change in scope.

Notice Requirements

Comment: Several commenters expressed their belief that the administrative and cost burdens associated with the notice requirements were understated in the proposed rule. While some respondents took issue with the policy development cost estimates associated with the notice, more were focused on its projected implementation and production costs. For example, one respondent stated that determining "first service" would be an onerous task for many small practices, and that provider staff will now have to manually review each patient's chart or access a computer system to determine whether the patient has been seen since implementation of the rule.

Response: The policy in the final rule has been changed to make the privacy policy notice to patients less burdensome. Providers will be able to distribute the notice when a patient is seen and will not have to distribute it to a patient more than once, unless substantive changes are made in the notice. This change will significantly reduce the cost of distributing the privacy notices.

Comment: Some commenters also took issue with the methodology used to calculate the cost estimates for notices. These respondents believe that the survey data used in the proposed rule to estimate the costs (i.e., "encounters," "patients," and "episodes" per year) are very different concepts that, when used together, render the purported total meaningless. Commenters further stated that they cannot verify the estimate of 543 million patients cited as being seen at least once every five years.

Response: In the course of receiving treatment, a patient may go to a number of medical organizations. For example, a person might see a doctor in a physician's office, be admitted to a hospital, and later go to a pharmacy for medication. Each time a person "encounters" a facility, a medical record may be started or additions made to an existing record. The concept in the proposal was to identify the number of record sets that a person might have for purposes of estimating notice and copying costs. For example, whether a person made one or ten visits in the course of a year to a specific doctor would, for our purposes, be one record set because in each visit the doctor would most likely be adding information to an existing medical record. The comments demonstrated that we had not explained the concept well. As explained below we modified the concept to more effectively measure the number of record sets that exist and explain it more clearly.

Comment: Several commenters criticized the lack of supporting evidence for the cost estimates of notice development and dissemination. Another opinion voiced in the comments is that the estimated cost for plans of $0.75 per insured person is so low that it may cover postage, but it cannot include labor and capital usage costs.

Response: Based on comments and additional fact finding, the Department was able to gain a better understanding of how covered entities would develop policies and disseminate information. The cost analysis below explains more fully how we derived the final cost estimates for these areas.

Comment: A commenter noted that the privacy policy cost estimates assume that national associations will develop privacy policies for members, but that the HHS analysis does not account for the cost to the national associations. The commenter also argued that the provider cost range of $300-$3,000 is without justification and seems low.

Response: The cost to the national associations was included in the proposal estimates, and it is included in the final analysis (see below).

Comment: A commenter stated that the notice costs discussion mixes the terms "patients," "encounters," and "episodes," and that the 397 million encounter estimate is unclear.

Response: A clearer explanation of the concepts employed in this analysis is provided below.

Systems Compliance Costs

Comment: Numerous commenters questioned the methodology used to estimate the systems compliance cost and stated that the ensuing cost estimates were grossly understated. Some stated that the regulation will impose significant information technology costs to comply with the requirement to account for disclosures, additional costs for hiring new personnel to develop privacy policies, and higher costs for training personnel.

Response: Significant comments were received regarding the cost of systems compliance. In response, the Department retained the assistance of consultants with extensive expertise in health care information technology. We have relied on their work to revise our estimates, as described below. The analysis does not include "systems compliance" as a cost item, per se. Rather, in the final analysis we organized estimates around the major policy provisions so the public could more clearly see the costs associated with them. To the extent that the policy might require systems changes (and a number of them do), we have incorporated those costs in the provision's estimate.

Comment: Items explicitly identified by commenters as significantly adding to systems compliance costs include tracking disclosures of protected health information and patient authorizations; restricting access to the data; accommodating minimum disclosure provisions; installing notices and disclaimers; creating de-identified data; tracking uses of protected health information by business partners; tracking amendments and corrections; increased systems capacity; and annual systems maintenance. The commenters noted that some of the aforementioned items are acknowledged in the proposed rule as future costs to covered entities, but several others are singularly ignored.

Response: The Department recognizes the validity of much of this criticism. Unfortunately, other than general criticism, commenters provided no specific data or methodological information which might be used to improve the estimates. Therefore, the Department retained consultants with extensive expertise in these areas to assess the proposed regulation, which helped the Department refine its policies and cost estimates.

In addition, it is important to note that the other HIPAA administrative simplification regulations will require systems changes. As explained generally in the cost analysis for the electronic Transactions rule, it is assumed that providers and vendors will undertake systems changes for these regulations collectively, thereby minimizing the cost of changes.

Inspection and Copying

Comment: Numerous commenters disagreed with the cost estimates in the NPRM for inspection and copying of patient records, believing that they were too low.

Response: The Department has investigated the potential costs through a careful reading of the comments and subsequent fact-finding discussions with a variety of providers. We believe the estimates, explained more fully below, are reasonable in the aggregate. It is important to note, however, that this analysis does not measure the cost of all inspection and copying, because a considerable amount of this already occurs. The Department is measuring only the incremental increase likely to occur as a result of this regulation.

Comment: One commenter speculates that, even at a minimum charge of $.50/page, (and not including search and retrieval charges), costs could run as high as $450 million annually.

Response: The $0.50 per page figure in the proposal represents an average of several data sources. Subsequently, an industry commenter that provides extensive medical records copying services stated that this was a reasonable average cost. Hence, we retained the figure for the final estimate.

Comment: One respondent states that, since the proposed rules give patients the right to inspect and copy their medical records regardless of storage medium, HHS must make a distinction in its cost estimates between records stored electronically and those which must be accessed by manual means, since these costs will differ.

Response: The cost estimates made for regulations are not intended to provide such refined gradations; rather, they are intended to show the overall costs for the regulation as a whole and its major components. For inspections and copying (and virtually all other areas for which estimates are made) estimates are based on averages; particular providers may experience greater or lesser costs than the average cost used in this analysis.

Comment: Several commenters noted that the Department did not appear to include the cost of establishing storage systems, retrieval fees and the cost of searching for records, and that these costs, if included, would significantly increase the Department's estimate.

Response: Currently, providers keep and maintain medical records and often provide copies to other providers and patients. Therefore, much of the cost of maintaining records already exists. Indeed, based on public comments, the Department has concluded that there will be relatively few additional copies requested as the result of this regulation (see below). We have measured and attributed to this regulation the incremental cost, which is the standard for conducting this kind of analysis.

Comment: A federal agency expressed concern over the proposal to allow covered entities to charge a fee for copying personal health information based on reasonable costs. The agency requests personal health information from many covered entities and pays a fee that it establishes. Allowing covered entities to establish the fee, the agency fears, may cost them significantly more than the current amounts they pay and as a result, could adversely affect their program.

Response: The proposal and the final rule establish the right to access and copy records only for individuals, not other entities; the "reasonable fee" is only applicable to the individual's request. The Department's expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule.

Appending Records (Amendment and Correction)

Comment: The proposed rule estimated the cost of amending and correcting patients' records at $75 per instance and $260 million per year for small entities. At least one commenter stated that such requests will rise significantly upon implementation of the regulations and increase in direct proportion to the number of patients served. Another commenter described the more subtle costs associated with record amendment and correction, which would include a case-by-case clinical determination by providers on whether to grant such requests, forwarding the ensuing record changes to business partners, and issuing written statements to patients on the reasons for denials, including a recourse for complaints.

Response: The comments were considered in revising the proposal, and the decision was made to clarify in the final regulation that providers must only append the record (the policy is explained further in the preamble and the regulation text). The provider is now only required to note in the medical record any comments from the patient; they may, but are not required to, correct any errors. This change in policy significantly reduces the cost from the initial proposal estimate.

Comment: Several commenters criticized the proposed rule's lack of justification for assumptions regarding the percentage of patients who request inspection and copying, who also request amendment and correction. Another commenter pointed out that the cost estimate for amendment and correction is dependent on a base assumption that only 1.5 percent of patients will request inspection of their records. As such, if this estimate were too low by just one percentage point, then the estimates for inspection and copying plus the costs for amendment and correction could rise by 67 percent.

Response: Based on information and data received in the public comments, the estimate for the number of people requesting inspection and copying has been revised. No commenter provided specific information on the number of amended record requests that might result, but the Department subsequently engaged in fact-finding and made appropriate adjustments in its estimates. The revisions are explained further below.

Consent and Authorizations

Comment: One respondent indicated that the development, collection, and data entry of all the authorizations will create a new transaction type for employers, health plans, and providers, and result in duplicated efforts among them. This commenter estimates that the costs of mailing, re-mailing, answering inquiries, making outbound calls and performing data entry in newly created authorization computer systems could result in expenses of close to $2.0 billion nationally. Another commenter indicated that authorization costs will be at least double the notice dissemination costs due to the cost of both outbound and return postage.

Response: Public comments and subsequent fact-finding clearly indicate that most providers with patient contact already obtain authorizations for release of records, so for them there is virtually no new cost. Further, this comment does not reflect the actual regulatory requirement. For example, there is no need to engage in mailing and re-mailing of forms, and we do not foresee any reason why there should be any significant volume of calls.

Comment: A commenter criticized the percentage (1%) that we used to calculate the number of health care encounters expected to result in requests to withhold the release of protected information. This respondent postulates that even if one in six patients who encounter the U.S. health care system opt to restrict access to their records, the total expected national cost per year could rise to $900 million.

Response: The final regulation's requirements regarding the release of protected health information have been substantially changed, thereby greatly reducing the potential cost burden. A fuller explanation of the cost is provided below in the regulatory impact analysis.

Comment: An additional issue raised by commenters was the added cost of seeking authorizations for health promotion and disease management activities, health care operations that traditionally did not require such action.

Response: In the final regulation, a covered entity can use medical information collected for treatment or operations for its own health promotion and disease management efforts without obtaining additional authorization. Therefore, there is no additional cost incurred.

Business Associates

Comment: A number of commenters were concerned about the cost of monitoring business partners. Specifically, one commenter stated that the provisions of the proposed regulation pertaining to business partners would likely force the discontinuation of outsourcing for some functions, thereby driving up the administrative cost of health care.

Response: The final regulation clarifies the obligations of business associates in assuring privacy. As explained in the preamble, business associates must take reasonable steps to assure the confidentiality of health records they may have, and the covered entity must take appropriate action if it becomes aware of a violation of its agreement with the business associate. This does not represent an unreasonable burden; indeed, the provider is required to take the same kind of precautions and provide the same kind of oversight that it would in many other kinds of contractual relationships to assure that it obtains the quality and level of performance it expects from a business associate.

Comment: HHS failed to consider enforcement costs associated with monitoring partners and litigation costs arising from covered entities seeking restitution from business partners whose behavior puts the covered entity at risk for noncompliance.

Response: The Department acknowledged in the proposal that it was not estimating the cost of compliance with the business associates provision because of inadequate information. It requested information on this issue, but no specific information was provided in the comments. However, based on revisions in the final policy and subsequent fact-finding, the Department has provided an estimate for this requirement, as explained below.

Training

Comment: Many of the commenters believe that the Department used unrealistic assumptions in the development of the estimated cost of the training provisions and they provided their own estimates.

Response: The commenters' estimates varied widely, and could not be used by the Department in revising its analysis because there was inadequate explanation of how the estimates were made.

Comment: Several commenters argued that if even an hour of time of each of the entity's employees is spent on training instead of "work" and they are paid the minimum wage, an entity would incur $100 of cost for training no more than 20 employees. The commenters noted that the provision of health care services is a labor-intensive enterprise, and many covered entities have thousands of employees, most of whom make well in excess of minimum wage. They questioned whether the estimates include time taken from the employee's actual duties (opportunity cost) and the cost of a trainer and materials.

Response: As explained in more detail below, the Department made extensive revisions in its training estimate, including the number of workers in the health care sector, the cost of workers in training based on average industry wages, and training costs (instructors and materials). The revised estimate is a more complete and accurate estimate of the costs likely to be borne as a result of the final regulation.

Comment: One commenter estimated that simply training an employee could have a burdensome impact on his company. He argued, for example, a 10-hour annual requirement takes 0.5% of an employee's time if they work a 2000-hour year, but factoring in sick and vacation leave, the effects of industry turnover could significantly increase the effect.

Response: In the analysis below, the Department has factored in turnover rates, employment growth and greater utilization based on data obtained from broad-based surveys and a public comment.

Comment: Some commenters felt that the regulatory training provisions are overly burdensome. Specific concerns centered around the requirement to train all individuals who may come in contact with protected health information and the requirement to have such individuals sign a new certifying statement at least every three years. Some commenters felt that the content of the training program should be left to the discretion of the covered entity.

Response: Changes and clarifications in the training requirements are made in the final regulation, explained below. For example, the certification requirement has been eliminated. As in the NPRM, the content of the training program is left to the discretion of the covered entity. These changes are expected to lessen the training burden and are reflected in the final cost estimates.

Compliance and Enforcement

Comment: A Member of Congress and a number of privacy and consumer groups expressed their concern with whether the Office for Civil Rights (OCR) in HHS has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Member stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for The Secretary to begin building the necessary infrastructure to enforce the regulation effectively."

Response: The Secretary agrees with the commenters and is committed to an effective enforcement program. We will work with Congress to ensure that the Department has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations and to use civil and criminal penalties when necessary.

Economic Effect on Small Entities

Comment: Many commenters stated that the cost estimates on the effect of the proposed regulation on small businesses were understated or incomplete.

Response: The Department conducted a thorough review of potential data sources that would improve the quality of the analysis of the effects on small business. The final regulatory flexibility analysis below is based on the best data available (much of it from the Small Business Administration) and represents a reliable estimate of the effects on small entities in various segments of the health care industry. It is important to note that the estimates are for small business segments in the aggregate; the cost to individual firms will vary, perhaps considerably, based on their particular circumstances.

Comment: The cost of implementing privacy regulations, when added to the cost of other required HIPAA regulations, could increase overhead significantly. As shown in the 1993 Workgroup on Electronic Data Interchange (WEDI) Report, providers will bear the larger share of implementation costs and will save less than payors.

Response: The regulatory flexibility analysis below shows generally the marginal effect of the privacy regulation on small entities. Collectively, the HIPAA administrative simplification standards will save money in the health care system. As important, given the rapid expansion of electronic commerce, it is probable that small entities would need to comply with standards for electronic commerce in order to compete effectively, even if the standards were voluntary. The establishment of uniform standards through regulation helps small entities because they will not have to invest in multiple systems, which is what they would confront if standards remained voluntary.

Comment: One respondent believed that the initial and ongoing costs for small provider offices could be as much as 11 times higher than the estimates provided in the proposed rule. Other commenters stated that the estimates for small entities are "absurdly low".

Response: Although there were a number of commenters highly critical of the small business analysis, none provided alternative estimates or even provided a rationale for their statements. Many appeared to assume that all costs associated with medical record confidentiality should be estimated. This represents a misunderstanding of the purpose of the analysis: to estimate the incremental effects of this regulation, i.e., the new costs (and savings) that will result from changes required by the regulation. The Department has made substantial changes in the final small entities analysis (below), reflecting policy changes in the final rule and additional information and data collected by the Department since the issuance of the proposal last fall. We believe that these estimates reasonably reflect the costs that various types of small entities will experience in general, though the actual costs of particular providers might vary considerably based on their current practices and technology.

Comment: A respondent expressed the belief that small providers would bear a disproportionate share of the regulation's administrative burden because of the likelihood of larger companies incurring fewer marginal costs due to greater in-house resources to aid in the legal and technical analysis of the proposed rule.

Response: As explained below, the Department does not agree with the assertion that small entities will be disproportionately affected. Based on discussions with a number of groups, the Department expects many professional and trade associations to provide their members with analysis of the regulation, including model policies, statements and basic training materials. This will minimize the cost for most small entities. Providers that use protected health information for voluntary practices, such as marketing or research, are more likely to need specific legal and technical assistance, but these are likely to be larger providers.

Comment: Several commenters took issue with the "top-down" approach that we used to estimate costs for small businesses, believing that this methodology provided only a single point estimate, gave no indication of the variation around the estimate, and was subject to numerous methodological errors since the entities to which the numerator pertained may not have been the same as the denominator. These respondents further recommended that we prepare a "bottom-up" analysis using case studies and/or a survey of providers to refine the estimates.

Response: The purpose of the regulatory flexibility analysis is to provide a better insight into the relative burden of small businesses compared to larger firms in complying with a regulation. There may be considerable variance around average costs within particular industry sectors, even among small businesses within them. The estimates are based on the best data available, including information from the Small Business Administration, the Census Bureau, and public comments.

Comment: A commenter stated that the proposal's cost estimate does not account for additional administrative costs imposed on physicians, such as requirements to rewrite contracts with business partners.

Response: Such costs are included in the analysis below.

Comment: Numerous public comments were directed specifically at the systems compliance cost estimates for small businesses. One respondent maintained that the initial upgrade cost alone would range from $50 thousand to more than $1 million per covered entity.

Response: The cost estimates for systems compliance varied enormously; unfortunately, none of the commenters provided documentation of how they made their estimates, preventing us from comparing their data and assumptions to the Department's. Because of concern about the costs in this area, however, the Department retained an outside consultant to provide greater expertise and analysis. The product of this effort has been incorporated in the analysis below.

Comment: One commenter stated that just the development and documentation of new health information policies and procedures (which would require an analysis of the federal regulations and state law privacy provisions), would cost far more than the $396 cited in the Notice of Proposed Rulemaking as the average start-up cost for small businesses.

Response: As explained below in the cost analysis, the Department anticipates that most of the policies and procedures that will be required under the final rule will be largely standardized, particularly for small businesses. Thus, much of the work can be done by trade associations and professional groups, thereby minimizing the costs and allowing them to be spread over a large membership base.

Comment: A number of comments criticized the initial estimates for notices, inspection and copying, amendments and correction, and training as they relate to small businesses.

Response: The Department has made substantial revisions in its estimates for all of these areas, which are explained below in the regulatory flexibility analysis.

Comment: One commenter noted that there appeared to be a discrepancy in the number of small entities cited. There is no explanation for the difference and no explanation for difference between "establishments" and "entities."

Response: There are discrepancies among the databases on the number of "establishments" and "entities" or "firms". The problem arises because most surveys count (or survey) establishments, which are physical sites. A single firm or entity may have many establishments. Moreover, although an establishment may have only a few employees, the firm may have a large number of workers (the total across all its establishments) and therefore not be a small entity.

As discussed below, there is some discrepancy between the aggregate numbers we use for the regulatory impact analysis (RIA) and the regulatory flexibility analysis (RFA). We concluded that for purposes of the RFA, which is intended to measure the effects on small entities, we would use Small Business Administration data, which defines entities based on revenues rather than physical establishments, to count the number of small entities in the various SIC categories. This provides a more accurate estimate of the small entities affected. For the RIA, which measures total effects, we believe the establishment-based surveys provide a more reliable count.

Comment: Because small businesses must notify patients of their privacy policies on patients' first visit after the effective date of the regulation, several commenters argued that staff would have to search records either manually or by computer on a daily basis to determine if patients had been seen since the regulation was implemented.

Response: Under the final regulation, all covered entities will have to provide patients copies of their privacy policy at the first visit after the effective date of the regulation. The Department does not view this as burdensome. We expect that providers will simply place a note or marker at the beginning of a file (electronic or paper) when a patient is given the notice. This is neither time-consuming nor expensive, and it will not require constant searches of records.

Comment: A commenter stated that the definitions of small business, small entity, and a small health plan are inconsistent because the NPRM includes firms with annual receipts of $5 million or less and non-profits.

Response: The Small Business Administration, whose definitions we use for this analysis, includes firms with $5 million or less in receipts and all non-profits as "small businesses." We recognize that some health plans, though very large in terms of receipts (and insured lives), nonetheless would be considered "small businesses" under this definition because they are non-profits. In the final regulatory flexibility analysis, we generally have maintained the Small Business Administration definitions because they are the accepted standard for these analyses. However, we have added several categories, such as IRBs and employer-sponsored group health plans, which are not small entities per se but will be affected by the final rule and for which we were able to identify costs imposed by the regulation.

Comment: The same commenter wanted clarification that all non-profit organizations are small entities and that the extended effective date for compliance applies to them.

Response: For purposes of the regulatory flexibility analysis, the Department is utilizing the Small Business Administration guidelines. However, under HIPAA the Secretary may extend the effective compliance date from 24 months to 36 months for "small health plans". The Secretary is given the explicit discretion of defining the term for purposes of compliance with the regulation. For compliance purposes, the Secretary has decided to define "small health plans" as those with receipts of $5 million or less, regardless of their tax status. As noted above, some non-profit plans are large in terms of revenues (i.e., their revenues exceed $5 million annually). The Department determined that such plans do not need extra time for compliance.

Comment: Several commenters requested that "small providers" [undefined] be permitted to take 36 months to come into compliance with the final regulation, just as small health plans will be permitted to do so.

Response: Congress specified small health plans, but not small providers, as needing extra time to comply. The majority of providers affected by the regulation are "small" based on the SBA definitions; in other words, granting the delay would be tantamount to making the effective date three years rather than two. In making policy decisions for the final regulation, extensive consideration was given to minimizing the cost and administrative burden associated with implementing the rule. The Department believes that the requirements of the final rule will not be difficult to fulfill, and therefore it has maintained the two-year effective date.

External Studies

Comment: One commenter submitted a detailed analysis of privacy legislation that was pending and concluded that it might cost over $40 billion.

Response: The study did not analyze the policies in the proposal, and therefore, the estimates do not reflect the costs that would have been imposed by the proposed regulation. In fact, the analysis was prepared before the Administration's proposed privacy regulation was even published. As a result, the analysis is of limited relevance to the regulation actually proposed.

The following are examples of assumptions and costs in the analysis that do not match privacy policies or requirements stated in the proposed rule.

1. Authorizations: The study assumed rules requiring new authorizations from current subscribers to use their data for treatment, payment of claims, or other health plan operations. The proposed rule would have prohibited providers or plans from obtaining patient authorization to use data for treatment, payment or health care operations, and the final rule makes obtaining consent for these purposes voluntary for all health plans and for providers that do not have direct treatment relationships with individuals.

2. Disclosure History: The study assumes that providers, health plans, and clearinghouses would have to track all disclosures of health information. Under the NPRM and the final rule, plans, providers and clearinghouses are only required to account for disclosures that are not for treatment, payment, and health care operations, a small minority of all disclosures.

3. Inspection, Copying, and Amendment: The study assumed requirements to allow patients and subscribers to inspect, copy, and amend all information that includes their name, social security number or other identifying feature (e.g., customer service calls, internal memoranda, claim runs). This is broader access than provided in the rule, which requires access only to information in records used to make decisions about individuals, not all records with identifiable information.

4. Infrastructure development: The study attributed significant costs to infrastructure implementation (computer systems, training, and other compliance costs). As explained below, the compliance requirements are much less extensive than assumed in this study. For example, many providers and plans will not be required to modify their privacy systems but will only be required to document their practices and notify patients of these practices, and others will be able to purchase low-cost, off-the-shelf software that will facilitate the new requirements. The final regulation will not require massive capital expenditures; we assumed, based on our consultants' work, that providers will rely on low-cost incremental adjustments initially, and as their technology becomes outdated, they will replace it with new systems that incorporate the HIPAA standard requirements.

Although many of the policy assumptions in the study are fundamentally different than those in the proposed or final regulation, the study did provide some assistance to the Department in preparing its final analysis. The Department compared data, methodologies and model assumptions, which helped us think more critically about our own analysis and enhanced the quality of our final work.

Comment: One commenter submitted a detailed analysis of the NPRM Regulatory Impact Analysis and concluded that the proposed rule might cost over $64 billion over 5 years. This analysis provided a useful framework for analyzing the provisions of the rule. More precisely, the analysis generally attempted to identify the number of entities that would be required to comply with each significant provision of the proposed rule, then estimated the number of hours required to comply per entity, and finally estimated an hourly wage.

Response: HHS adopted this general structure for the final RIA because it provided a better framework for analysis than what the Department had done in the NPRM. However, HHS did not agree with many of the specific assumptions used in this analysis, for several reasons. First, in some instances the assumptions were no longer relevant because the requirements of the NPRM were altered in the final rule. For other assumptions, HHS found more appropriate data sources for the number of covered entities, wage rates, trend rates, or other factors affecting costs. In addition, HHS believes that in a few instances this analysis over-estimated what is required of covered entities to comply. Based on public comments and its own fact-finding, the Department believes the assumptions used in the final analysis more accurately reflect what is likely to be the real cost of the regulation.
