
Thursday, December 28, 2000

Part II

Department of Health and Human Services
Office of the Secretary

45 CFR Parts 160 and 164

Standards for Privacy of Individually Identifiable Health Information; Final Rule

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82462 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

Rin: 0991–AB08

Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.

ACTION: Final rule.

SUMMARY: This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1–866–OCR–PRIV (1–866–627–7748) or TTY 1–866–788–4989.

SUPPLEMENTARY INFORMATION:

Availability of copies, and electronic access.

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250–7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512–1800 or by fax to (202) 512–2250. The cost for each copy is $8.00. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

Table of Contents

Sec.
160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.
160.201 Applicability.
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
(a) Cooperation.
(b) Assistance.
160.306 Complaints to the Secretary.
(a) Right to file a complaint.
(b) Requirements for filing complaints.
(c) Investigation.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
(a) Provide records and compliance reports.
(b) Cooperate with complaint investigations and compliance reviews.
(c) Permit access to information.
160.312 Secretarial action regarding complaints and compliance reviews.
(a) Resolution where noncompliance is indicated.
(b) Resolution when no violation is found.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information: general rules.
(a) Standard.
(b) Standard: minimum necessary.
(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction.
(d) Standard: uses and disclosures of de-identified protected health information.
(e) Standard: disclosures to business associates.
(f) Standard: deceased individuals.
(g) Standard: personal representatives.
(h) Standard: confidential communications.
(i) Standard: uses and disclosures consistent with notice.
(j) Standard: disclosures by whistleblowers and workforce member crime victims.
164.504 Uses and disclosures: organizational requirements.
(a) Definitions.
(b) Standard: health care component.
(c) Implementation specification: application of other provisions.
(d) Standard: affiliated covered entities.
(e) Standard: business associate contracts.
(f) Standard: requirements for group health plans.
(g) Standard: requirements for a covered entity with multiple covered functions.
164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
(a) Standard: consent requirement.
(b) Implementation specifications: general requirements.
(c) Implementation specifications: content requirements.
(d) Implementation specifications: defective consents.
(e) Standard: resolving conflicting consents and authorizations.
(f) Standard: joint consents.
164.508 Uses and disclosures for which an authorization is required.
(a) Standard: authorizations for uses and disclosures.
(b) Implementation specifications: general requirements.
(c) Implementation specifications: core elements and requirements.
(d) Implementation specifications: authorizations requested by a covered entity for its own uses and disclosures.
(e) Implementation specifications: authorizations requested by a covered entity for disclosures by others.
(f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.
164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
(a) Standard: use and disclosure for facility directories.
(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes.
164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
(a) Standard: uses and disclosures required by law.
(b) Standard: uses and disclosures for public health activities.
(c) Standard: disclosures about victims of abuse, neglect or domestic violence.
(d) Standard: uses and disclosures for health oversight activities.
(e) Standard: disclosures for judicial and administrative proceedings.
(f) Standard: disclosures for law enforcement purposes.
(g) Standard: uses and disclosures about decedents.
(h) Standard: uses and disclosures for cadaveric organ, eye or tissue donation purposes.


(i) Standard: uses and disclosures for research purposes.
(j) Standard: uses and disclosures to avert a serious threat to health or safety.
(k) Standard: uses and disclosures for specialized government functions.
(l) Standard: disclosures for workers’ compensation.
164.514 Other requirements relating to uses and disclosures of protected health information.
(a) Standard: de-identification of protected health information.
(b) Implementation specifications: requirements for de-identification of protected health information.
(c) Implementation specifications: re-identification.
(d) Standard: minimum necessary requirements.
(e) Standard: uses and disclosures of protected health information for marketing.
(f) Standard: uses and disclosures for fundraising.
(g) Standard: uses and disclosures for underwriting and related purposes.
(h) Standard: verification requirements.
164.520 Notice of privacy practices for protected health information.
(a) Standard: notice of privacy practices.
(b) Implementation specifications: content of notice.
(c) Implementation specifications: provision of notice.
(d) Implementation specifications: joint notice by separate covered entities.
(e) Implementation specifications: documentation.
164.522 Rights to request privacy protection for protected health information.
(a) Standard: right of an individual to request restriction of uses and disclosures.
(b) Standard: confidential communications requirements.
164.524 Access of individuals to protected health information.
(a) Standard: access to protected health information.
(b) Implementation specifications: requests for access and timely action.
(c) Implementation specifications: provision of access.
(d) Implementation specifications: denial of access.
(e) Implementation specification: documentation.
164.526 Amendment of protected health information.
(a) Standard: right to amend.
(b) Implementation specifications: requests for amendment and timely action.
(c) Implementation specifications: accepting the amendment.
(d) Implementation specifications: denying the amendment.
(e) Implementation specification: actions on notices of amendment.
(f) Implementation specification: documentation.
164.528 Accounting of disclosures of protected health information.
(a) Standard: right to an accounting of disclosures of protected health information.
(b) Implementation specifications: content of the accounting.
(c) Implementation specifications: provision of the accounting.
(d) Implementation specification: documentation.
164.530 Administrative requirements.
(a) Standard: personnel designations.
(b) Standard: training.
(c) Standard: safeguards.
(d) Standard: complaints to the covered entity.
(e) Standard: sanctions.
(f) Standard: mitigation.
(g) Standard: refraining from intimidating or retaliatory acts.
(h) Standard: waiver of rights.
(i) Standard: policies and procedures.
(j) Standard: documentation.
(k) Standard: group health plans.
164.532 Transition provisions.
(a) Standard: effect of prior consents and authorizations.
(b) Implementation specification: requirements for retaining effectiveness of prior consents and authorizations.
164.534 Compliance dates for initial implementation of the privacy standards.
(a) Health care providers.
(b) Health plans.
(c) Health care clearinghouses.

Purpose of the Administrative Simplification Regulations

This regulation has three major purposes: (1) To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

This regulation is the second final regulation to be issued in the package of rules mandated under title II subtitle F section 261–264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, titled ‘‘Administrative Simplification.’’ Congress called for steps to improve ‘‘the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.’’ To achieve that end, Congress required the Department to promulgate a set of interlocking regulations establishing standards and protections for health information systems. The first regulation in this set, Standards for Electronic Transactions, 65 FR 50312, was published on August 17, 2000 (the ‘‘Transactions Rule’’). This regulation establishing Standards for Privacy of Individually Identifiable Health Information is the second final rule in the package. A rule establishing a unique identifier for employers to use in electronic health care transactions, a rule establishing a unique identifier for providers for such transactions, and a rule establishing standards for the security of electronic information systems have been proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are rules establishing a unique identifier for health plans for electronic transactions, standards for claims attachments, and standards for transferring among health plans appropriate standard data elements needed for coordination of benefits. (See section C, below, for a more detailed explanation of the statutory mandate for these regulations.)

In enacting HIPAA, Congress recognized the fact that administrative simplification cannot succeed if we do not also protect the privacy and confidentiality of personal health information. The provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient’s ability to trust that the information shared will be protected and kept confidential. Yet many patients are concerned that their information is not protected. Among the factors adding to this concern are the growth of the number of organizations involved in the provision of care and the processing of claims, the growing use of electronic information technology, increased efforts to market health care and other products to consumers, and the increasing ability to collect highly sensitive information about a person’s current and future health status as a result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been enacted primarily by the states. While virtually every state has enacted one or more laws to safeguard privacy, these laws vary significantly from state to state and typically apply to only part of the health care system. Many states have adopted laws that protect the health information relating to certain health conditions such as mental illness, communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions. An examination of state health privacy laws and regulations,


however, found that ‘‘state laws, with a few notable exceptions, do not extend comprehensive protections to people’s medical records.’’ Many state rules fail to provide such basic protections as ensuring a patient’s legal right to see a copy of his or her medical record. See Health Privacy Project, ‘‘The State of Health Privacy: An Uneven Terrain,’’ Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org) (the ‘‘Georgetown Study’’).

Until now, virtually no federal rules existed to protect the privacy of health information and guarantee patient access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

Privacy is a fundamental right. As such, it must be viewed differently than any ordinary economic good. The costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options. At the same time, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin’s Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

Throughout our nation’s history, we have placed the rights of the individual at the forefront of our democracy. In the Declaration of Independence, we asserted the ‘‘unalienable right’’ to ‘‘life, liberty and the pursuit of happiness.’’ Many of the most basic protections in the Constitution of the United States are imbued with an attempt to protect individual privacy while balancing it against the larger social purposes of the nation.

To take but one example, the Fourth Amendment to the United States Constitution guarantees that ‘‘the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.’’ By referring to the need for security of ‘‘persons’’ as well as ‘‘papers and effects’’ the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of ‘‘persons’’ is consistent with obtaining patient consent before performing invasive medical procedures. The need for security in ‘‘papers and effects’’ underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an ‘‘unreasonable’’ search of the papers and effects.

The United States Supreme Court has upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected ‘‘zone of privacy.’’ ‘‘One is the individual interest in avoiding disclosure of personal matters,’’ such as this regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning ‘‘the interest in independence in making certain kinds of important decisions.’’

Individuals’ right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves. Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person’s body. Similar concerns apply to intrusions on information about the person.

Moving beyond these facts of physical treatment, there is also significant intrusion when records reveal details about a person’s mental state, such as during treatment for mental health. If, in Justice Brandeis’ words, the ‘‘right to be let alone’’ means anything, then it likely applies to having outsiders have access to one’s intimate thoughts, words, and emotions. In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it ‘‘serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance.’’

Many writers have urged a philosophical or common-sense right to privacy in one’s personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the ‘‘personal life,’’ or the ability to develop one’s own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people’s privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240–241.

In 1890, Louis D. Brandeis and Samuel D. Warren defined the right to privacy as ‘‘the right to be let alone.’’ See L. Brandeis, S. Warren, ‘‘The Right


To Privacy,’’ 4 Harv.L.Rev. 193. More than a century later, privacy continues to play an important role in Americans’ lives. In their book, The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman and Caroline Kennedy describe the importance of privacy in this way:

Privacy covers many things. It protects the solitude necessary for creative thought. It allows us the independence that is part of raising a family. It protects our right to be secure in our own homes and possessions, assured that the government cannot come barging in. Privacy also encompasses our right to self-determination and to define who we are. Although we live in a world of noisy self-confession, privacy allows us to keep certain facts to ourselves if we so choose. The right to privacy, it seems, is what makes us civilized.

Or, as Cavoukian and Tapscott observed, the right of privacy is: ‘‘the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated.’’ See A. Cavoukian, D. Tapscott, ‘‘Who Knows: Safeguarding Your Privacy in a Networked World,’’ Random House (1995).

Increasing Public Concern About Loss of Privacy

Today, it is virtually impossible for any person to be truly ‘‘let alone.’’ The average American is inundated with requests for information from potential employers, retail shops, telephone marketing firms, electronic marketers, banks, insurance companies, hospitals, physicians, health plans, and others. In a 1998 national survey, 88 percent of consumers said they were ‘‘concerned’’ by the amount of information being requested, including 55 percent who said they were ‘‘very concerned.’’ See Privacy and American Business, 1998 Privacy Concerns & Consumer Choice Survey (http://www.pandab.org). These worries are not just theoretical. Consumers who use the Internet to make purchases or request ‘‘free’’ information often are asked for personal and financial information. Companies making such requests routinely promise to protect the confidentiality of that information. Yet several firms have tried to sell this information to other companies even after promising not to do so.

Americans’ concern about the privacy of their health information is part of a broader anxiety about their lack of privacy in an array of areas. A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had ‘‘lost all control over their personal information.’’ See Harris Equifax, Health Information Privacy Study (1993) (http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. ‘‘Loss of personal privacy’’ was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming, had scores of 23 percent or less.

This growing concern stems from several trends, including the growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual’s genetic make-up, and, in health care, the increasing complexity of the system. Each of these trends brings the potential for tremendous benefits to individuals and society generally. At the same time, each also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other health care professionals and institutions. In some ways, this imperfect system of record keeping created a false sense of privacy among patients, providers, and others. Patients’ health information has never remained completely confidential. Until recently, however, a breach of confidentiality involved a physical exchange of paper records or a verbal exchange of information. Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information. In 1996, the health care industry invested an estimated $10 billion to $15 billion on information technology. See National Research Council, Computer Science and Telecommunications Board, ‘‘For the Record: Protecting Electronic Health Information,’’ (1997). The electronic information revolution is transforming the recording of health information so that the disclosure of information may require only a push of a button. In a matter of seconds, a person’s most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time. While the majority of medical records still are in paper form, information from those records is often copied and transmitted through electronic means.

This ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology affords many benefits to individuals and to the health care industry. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S. The National Research Council recently reported that ‘‘the Internet has great potential to improve Americans’ health by enhancing communications and improving access to information for care providers, patients, health plan administrators, public health officials, biomedical researchers, and other health professionals.’’ See ‘‘Networking Health: Prescriptions for the Internet,’’ National Academy of Sciences (2000).

At the same time, these advances have reduced or eliminated many of the financial and logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. And they have made our information available to many more people. The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, thus strengthens the arguments for giving legal protection to the right to privacy in health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, when technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person’s physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. The comments to the proposed privacy rule indicate that many persons believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing


privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

The growing level of trepidation about privacy in general, noted above, has tracked the rise in electronic information technology. Americans have embraced the use of the Internet and other forms of electronic information as a way to provide greater access to information, save time, and save money. For example, 60 percent of Americans surveyed in 1999 reported that they have a computer in their home; 82 percent reported that they have used a computer; 64 percent say they have used the Internet; and 58 percent have sent an e-mail. Among those who are under the age of 60, these percentages are even higher. See the ‘‘National Survey of Adults on Technology,’’ Henry J. Kaiser Family Foundation (February, 2000). But 59 percent of Americans reported that they worry that an unauthorized person will gain access to their information. A recent survey suggests that 75 percent of consumers seeking health information on the Internet are concerned or very concerned about the health sites they visit sharing their personal health information with a third party without their permission. Ethics Survey of Consumer Attitudes about Health Web Sites, California Health Care Foundation, at 3 (January, 2000).

Unless public fears are allayed, we will be unable to obtain the full benefits of electronic technologies. The absence of national standards for the confidentiality of health information has made the health care industry and the population in general uncomfortable about this primarily financially-driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. States have, to varying degrees, attempted to enhance confidentiality by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. These laws fail to provide a consistent or comprehensive legal foundation of health information privacy. For example, there is considerable variation among the states in the type of information protected and the scope of the protections provided. See Georgetown Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini, Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization, Report to Centers for Disease Control, Council of State and Territorial Epidemiologists, and Task Force for Child Survival and Development, Carter Presidential Center (1996) (Gostin Study).

Moreover, electronic health data is becoming increasingly ‘‘national’’; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently comprehensive and rigorous legal structure to allay public concerns, protect the right to privacy, and correct the market failures caused by the absence of privacy protections (see discussion below of market failure under section V.C). Hence, a national policy with consistent rules is necessary to encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

Advances in Genetic Sciences

Recently, scientists completed nearly a decade of work unlocking the mysteries of the human genome, creating tremendous new opportunities to identify and prevent many of the leading causes of death and disability in this country and around the world. Yet the absence of privacy protections for health information endangers these efforts by creating a barrier of distrust and suspicion among consumers. A 1995 national poll found that more than 85 percent of those surveyed were either ‘‘very concerned’’ or ‘‘somewhat concerned’’ that insurers and employers might gain access to and use genetic information. See Harris Poll, 1995 #34. Sixty-three percent of the 1,000 participants in a 1997 national survey said they would not take genetic tests if insurers and employers could gain access to the results. See ‘‘Genetic Information and the Workplace,’’ Department of Labor, Department of Health and Human Services, Equal Employment Opportunity Commission, January 20, 1998. ‘‘In genetic testing studies at the National Institutes of Health, thirty-two percent of eligible people who were offered a test for breast cancer risk declined to take it, citing concerns about loss of privacy and the potential for discrimination in health insurance.’’ Sen. Leahy’s comments for March 10, 1999 Introduction of the Medical Information Privacy and Security Act.

The Changing Health Care System

The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems.

The health care industry has been transformed from one that relied primarily on one-on-one interactions between patients and clinicians to a system of integrated health care delivery networks and managed care providers. Such a system requires the processing and collection of information about patients and plan enrollees (for example, in claims files or enrollment records), resulting in the creation of databases that can be easily transmitted. This dramatic change in the practice of medicine brings with it important prospects for the improvement of the quality of care and reducing the cost of that care. It also, however, means that increasing numbers of people have access to health information. And, as health plan functions are increasingly outsourced, a growing number of organizations not affiliated with our physicians or health plans also have access to health information.

According to the American Health Information Management Association (AHIMA), an average of 150 people ‘‘from nursing staff to x-ray technicians, to billing clerks’’ have access to a patient’s medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient’s records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it. According to the National Research Council, individually identifiable health information frequently is shared with:
• Consulting physicians;
• Managed care organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy benefit managers;
• Clinical laboratories;
• Accrediting organizations;
• State and Federal statistical agencies; and
• Medical information bureaus.
Much of this sharing of information is done without the knowledge of the patient involved. While many of these functions are important for smooth functioning of the health care system, there are no rules governing how that


information is used by secondary and tertiary users. For example, a pharmacy benefit manager could receive information to determine whether an insurance plan or HMO should cover a prescription, but then use the information to market other products to the same patient. Similarly, many of us obtain health insurance coverage through our employer and, in some instances, the employer itself acts as the insurer. In these cases, the employer will obtain identifiable health information about its employees as part of the legitimate health insurance functions such as claims processing, quality improvement, and fraud detection activities. At the same time, there is no comprehensive protection prohibiting the employer from using that information to make decisions about promotions or job retention.

Public concerns reflect these developments. A 1993 Lou Harris poll found that 75 percent of those surveyed worry that medical information from a computerized national health information system will be used for many non-health reasons, and 38 percent are very concerned. This poll, taken during the health reform efforts of 1993, showed that 85 percent of respondents believed that protecting the confidentiality of medical records is ‘‘absolutely essential’’ or ‘‘very essential’’ in health care reform. An ACLU Poll in 1994 also found that 75 percent of those surveyed are concerned a ‘‘great deal’’ or a ‘‘fair amount’’ about insurance companies putting medical information about them into a computer information bank to which others have access. Harris Equifax, Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of Fortune 500 companies look at people’s medical records before making hiring and promotion decisions. Starr, Paul. ‘‘Health and the Right to Privacy,’’ American Journal of Law and Medicine, 1999. Vol 25, pp. 193–201.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples of recent privacy breaches include:
• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital’s employees (The Boston Globe, August 1, 2000).
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman’s uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).
No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.

Privacy Is Necessary To Secure Effective, High Quality Health Care

While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations. The market failures caused by the lack of effective privacy protections for health information are discussed below (see section V.C below). Here, we discuss how privacy is a necessary foundation for delivery of high quality health care. In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.

The need for privacy of health information, in particular, has long been recognized as critical to the delivery of needed medical care. More than anything else, the relationship between a patient and a clinician is based on trust. The clinician must trust the patient to give full and truthful information about their health, symptoms, and medical history. The patient must trust the clinician to use that information to improve his or her health and to respect the need to keep such information private. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. The provision of health information assists in the diagnosis of an illness or condition, in the development of a treatment plan, and in the evaluation of the effectiveness of that treatment. In the absence of full and accurate information, there is a serious risk that the treatment plan will be inappropriate to the patient’s situation.

Patients also benefit from the disclosure of such information to the health plans that pay for and can help them gain access to needed care. Health plans and health care clearinghouses rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient’s ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Accurate medical records assist communities in identifying troubling public health trends and in evaluating the effectiveness of various public health efforts. Accurate information helps public and private payers make correct payments for care received and lower costs by identifying fraud. Accurate information provides scientists with data they need to conduct research. We cannot improve the quality of health care without information about which treatments work, and which do not.

Individuals cannot be expected to share the most intimate details of their lives unless they have confidence that such information will not be used or


shared inappropriately. Privacy violations reduce consumers’ trust in the health care system and institutions that serve them. Such a loss of faith can impede the quality of the health care they receive, and can harm the financial health of health care institutions.

Patients who are worried about the possible misuse of their information often take steps to protect their privacy. Recent studies show that a person who does not believe his privacy will be protected is much less likely to participate fully in the diagnosis and treatment of his medical condition. A national survey conducted in January 1999 found that one in five Americans believe their health information is being used inappropriately. See California HealthCare Foundation, ‘‘National Survey: Confidentiality of Medical Records’’ (January, 1999) (http://www.chcf.org). More troubling is the fact that one in six Americans reported that they have taken some sort of evasive action to avoid the inappropriate use of their information by providing inaccurate information to a health care provider, changing physicians, or avoiding care altogether. Similarly, in its comments on our proposed rule, the Association of American Physicians and Surgeons reported that 78 percent of its members reported withholding information from a patient’s record due to privacy concerns and another 87 percent reported having had a patient request to withhold information from their records. For an example of this phenomenon in a particular demographic group, see Drs. Bearman, Ford, and Moody, ‘‘Foregone Health Care among Adolescents,’’ JAMA, vol. 282, no. 23 (999); Cheng, T.L., et al., ‘‘Confidentiality in Health Care: A Survey of Knowledge, Perceptions, and Attitudes among High School Students,’’ JAMA, vol. 269, no. 11 (1993), at 1404–1407.

The absence of strong national standards for medical privacy has widespread consequences. Health care professionals who lose the trust of their patients cannot deliver high-quality care. In 1999, a coalition of organizations representing various stakeholders including health plans, physicians, nurses, employers, disability and mental health advocates, accreditation organizations as well as experts in public health, medical ethics, information systems, and health policy adopted a set of ‘‘best principles’’ for health care privacy that are consistent with the standards we lay out here. (See the Health Privacy Working Group, ‘‘Best Principles for Health Privacy’’ (July, 1999) (Best Principles Study). The Best Principles Study states that—

To protect their privacy and avoid embarrassment, stigma, and discrimination, some people withhold information from their health care providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and—in some cases—avoid care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, numerous organizations representing health plans, health providers, employers, and others acknowledged the value of a set of national privacy standards to the efficient operation of their practices and businesses.

Breaches of Health Privacy Harm More Than Our Health Status

A breach of a person’s health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:
• A banker who also sat on a county health board gained access to patients’ records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994.
• A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597.
• A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.
• A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998) Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. ‘‘Who’s reading your Medical Records,’’ Consumer Reports, October 1994, at 628, paraphrasing Sweeny, Latanya, ‘‘Weaving Technology and Policy Together to Maintain Confidentiality,’’ The Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, Numbers 2,3.
The answer to these concerns is not for consumers to withdraw from society and the health care system, but for society to establish a clear national legal framework for privacy. By spelling out what is and what is not an allowable use of a person’s identifiable health information, such standards can help to restore and preserve trust in the health care system and the individuals and institutions that comprise that system. As medical historian Paul Starr wrote: ‘‘Patients have a strong interest in preserving the privacy of their personal health information but they also have an interest in medical research and other efforts by health care organizations to improve the medical care they receive. As members of the wider community, they have an interest in public health measures that require the collection of personal data.’’ (P. Starr, ‘‘Health and the Right to Privacy,’’ American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193–201). The task of society and its government is to create a balance in which the individual’s needs and rights are balanced against the needs and rights of society as a whole.

National standards for medical privacy must recognize the sometimes competing goals of improving individual and public health, advancing scientific knowledge, enforcing the laws of the land, and processing and paying claims for health care services. This need for balance has been recognized by many of the experts in this field. Cavoukian and Tapscott described it this way: ‘‘An individual’s right to privacy may conflict with the collective rights of the public * * *. We do not suggest that privacy is an absolute right that reigns supreme over all other rights. It does not. However, the case for privacy will depend on a number of factors that can influence the balance—the level of harm to the individual involved versus the needs of the public.’’

The Federal Response

There have been numerous federal initiatives aimed at protecting the privacy of especially sensitive personal information over the past several years—and several decades. While the rules below are likely the largest single federal initiative to protect privacy, they are by no means alone in the field. Rather, the rules arrive in the context of recent legislative activity to grapple with advances in technology, in addition to an already established body of law granting federal protections for personal privacy.

In 1965, the House of Representatives created a Special Subcommittee on Invasion of Privacy. In 1973, this Department’s predecessor agency, the Department of Health, Education and Welfare issued The Code of Fair Information Practice Principles establishing an important baseline for


information privacy in the U.S. These principles formed the basis for the federal Privacy Act of 1974, which regulates the government’s use of personal information by limiting the disclosure of personally-identifiable information, allows consumers access to information about them, requires federal agencies to specify the purposes for collecting personal information, and provides civil and criminal penalties for misuse of information.

In the last several years, with the rapid expansion in electronic technology—and accompanying concerns about individual privacy—laws, regulations, and legislative proposals have been developed in areas ranging from financial privacy to genetic privacy to the safeguarding of children on-line. For example, the Children’s Online Privacy Protection Act was enacted in 1998, providing protection for children when interacting at web-sites. In February, 2000, President Clinton signed Executive Order 13145, banning the use of genetic information in federal hiring and promotion decisions. The landmark financial modernization bill, signed by the President in November, 1999, likewise contained financial privacy protections for consumers. There also has been recent legislative activity on establishing legal safeguards for the privacy of individuals’ Social Security numbers, and calls for regulation of on-line privacy in general.

These most recent laws, regulations, and legislative proposals come against the backdrop of decades of privacy-enhancing statutes passed at the federal level to enact safeguards in fields ranging from government data files to video rental records. In the 1970s, individual privacy was paramount in the passage of the Fair Credit Reporting Act (1970), the Privacy Act (1974), the Family Educational Rights and Privacy Act (1974), and the Right to Financial Privacy Act (1978). These key laws were followed in the next decade by another series of statutes, including the Privacy Protection Act (1980), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), and the Employee Polygraph Protection Act (1988). In the last ten years, Congress and the President have passed additional legal privacy protection through, among others, the Telephone Consumer Protection Act (1991), the Driver’s Privacy Protection Act (1994), the Telecommunications Act (1996), the Children’s Online Privacy Protection Act (1998), the Identity Theft and Assumption Deterrence Act (1998), and Title V of the Gramm-Leach-Bliley Act (1999) governing financial privacy.

In 1997, a Presidential advisory commission, the Advisory Commission on Consumer Protection and Quality in the Health Care Industry, recognized the need for patient privacy protection in its recommendations for a Consumer Bill of Rights and Responsibilities (November 1997). In 1997, Congress enacted the Balanced Budget Act (Public Law 105–34), which added language to the Social Security Act (18 U.S.C. 1852) to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information. Similarly, the Veterans Benefits section of the U.S. Code provides for confidentiality of medical records in cases involving drug abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332).

As described in more detail in the next section, Congress recognized the importance of protecting the privacy of health information by enacting the Health Insurance Portability and Accountability Act of 1996. The Act called on Congress to enact a medical privacy statute and asked the Secretary of Health and Human Services to provide Congress with recommendations for protecting the confidentiality of health care information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.

Finally, it also is important for the U.S. to join the rest of the developed world in establishing basic medical privacy protections. In 1995, the European Union (EU) adopted a Data Privacy Directive requiring its 15 member states to adopt consistent privacy laws by October 1998. The EU urged all other nations to do the same or face the potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification Provisions

The Congress addressed the opportunities and challenges presented by the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions are found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the ‘‘Act’’ and we refer to all other laws cited in this document by their names).

In section 262, Congress primarily sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions.

At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in health information systems technology and communications. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of health information.

Congress has long recognized the need for protection of health information privacy generally, as well as the privacy implications of electronic data interchange and the increased ease of transmitting and sharing individually identifiable health information. Congress has been working on broad health privacy legislation for many years and, as evidenced by the self-imposed three year deadline included in the HIPAA, discussed below, believes it can and should enact such legislation. A significant portion of the first Administrative Simplification section debated on the floor of the Senate in 1994 (as part of the Health Security Act) consisted of privacy provisions. In the version of the HIPAA passed by the House of Representatives in 1996, the requirement for the issuance of privacy standards was located in the same section of the bill (section 1173) as the requirements for issuance of the other HIPAA Administrative Simplification standards. In conference, the requirement for privacy standards was moved to a separate section in the same part of HIPAA, section 264, so that Congress could link the Privacy standards to Congressional action.

Section 264(b) requires the Secretary of HHS to develop and submit to the Congress recommendations for:
• The rights that an individual who is a subject of individually identifiable health information should have.


• The procedures that should be established for the exercise of such rights.
• The uses and disclosures of such information that should be authorized or required.
The Secretary’s Recommendations were submitted to the Congress on September 11, 1997. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published proposed rules setting forth such standards on November 3, 1999, 64 FR 59918, and is now publishing the mandated final regulation.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

The Administrative Simplification Provisions, and Regulatory Actions to Date

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions

procedural requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized in subsection F and section VI, below.

Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions to be promulgated, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: Unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information, and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity’s officers and employees.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. The statutory deadline for the claims attachment standard is February 21, 1999.

As noted above, a proposed rule for most of the transactions was published on May 7, 1998, and the final

more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of the change.

Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.

Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is ‘‘under false pretenses,’’ a fine of not more than $100,000 and/or imprisonment of not
electronically. Transactions Rule was promulgated on more than 5 years; and (3) if the offense
The first section, section 1171 of the August 17, 2000. The delay was caused is with intent to sell, transfer, or use
Act, establishes definitions for purposes by the deliberate consensus building individually identifiable health
of part C of title XI for the following process, working with industry, and the information for commercial advantage,
terms: code set, health care large number of comments received personal gain, or malicious harm, a fine
clearinghouse, health care provider, (about 17,000). In addition, in a series of not more than $250,000 and/or
health information, health plan, of Notices of Proposed Rulemakings, imprisonment of not more than 10
individually identifiable health HHS published other proposed years.
information, standard, and standard standards, as described above. Each of Under section 1178 of the Act, the
setting organization. these steps was taken in concert with requirements of part C, as well as any
Section 1172 of the Act makes the the affected professions and industries, standards or implementation
standard adopted under part C to ensure rapid adoption and specifications adopted thereunder,
applicable to: (1) Health plans, (2) compliance. preempt contrary state law. There are
health care clearinghouses, and (3) Generally, after a standard is three exceptions to this general rule of
health care providers who transmit established, it may not be changed preemption: State laws that the
health information in electronic form in during the first year after adoption Secretary determines are necessary for
connection with transactions referred to except for changes that are necessary to certain purposes set forth in the statute;
in section 1173(a)(1) of the Act permit compliance with the standard. state laws that the Secretary determines
(hereinafter referred to as the ‘‘covered Modifications to any of these standards address controlled substances; and state
entities’’). Section 1172 also contains may be made after the first year, but not laws relating to the privacy of

individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of state law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

Section 1179 of the Act makes the above provisions inapplicable to financial institutions (as defined by section 1101 of the Right to Financial Privacy Act of 1978) or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.”

Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information. Section 264 also contains a preemption provision that provides that contrary provisions of state laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

A number of facts informed our approach to this regulation. Determining the best approach to protecting privacy depends on where we start, both with respect to existing legal expectations and also with respect to the expectations of individuals, health care providers, payers and other stakeholders. From the comments we received on the proposed rule, and from the extensive fact finding in which we engaged, a confused picture developed. We learned that stakeholders in the system have very different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information. This leads us to seek to balance the views of the different stakeholders, weighing the varying interests on each particular issue with a view to creating balance in the regulation as a whole.

For example, we received hundreds of comments explaining the legitimacy of various uses and disclosures of health information. We agree that many uses and disclosures of health information are “legitimate,” but that is not the end of the inquiry. Neither privacy, nor the important social goals described by the commenters, are absolutes. In this regulation, we are asking health providers and institutions to add privacy into the balance, and we are asking individuals to add social goals into the balance.

The vast difference among regulated entities also informed our approach in significant ways. This regulation applies to solo practitioners and multi-national health plans. It applies to pharmacies and information clearinghouses. These entities differ not only in the nature and scope of their businesses, but also in the degree of sophistication of their information systems and information needs. We therefore designed the core requirements of this regulation to be flexible and “scalable.” This is reflected throughout the rule, particularly in the implementation specifications for making the minimum necessary uses and disclosures, and in the administrative policies and procedures requirements.

We also are informed by the rapid evolution in industry organization and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution. For example, we received many comments asking us to assign a status under this regulation based on a label or title. For example, many commenters asked whether “disease management” is a “health care operation,” or whether a “pharmacy benefits manager” is a covered entity. From the comments and our fact-finding, however, we learned that these terms do not have consistent meanings today; rather, they encompass diverse activities and information practices. Further, the statutory definitions of key terms such as health care provider and health care clearinghouse describe functions, not specific types of persons or entities. To respect both the Congressional approach and industry evolution, we design the rule to follow activities and functions, not titles and labels.

Similarly, many comments asked whether a particular person would be a “business associate” under the rule, based on the nature of the person’s business. Whether a business associate arrangement must exist under the rule, however, depends on the relationship between the entities and the services being performed, not on the type of persons or companies involved.

Our approach is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity. Again, this led us to look to the balance between the burden on covered entities and the need to protect privacy in determining our approach to such disclosures. In some instances, we approach this dilemma by requiring covered entities to obtain a representation or documentation of purpose from the person requesting information. While there would be advantages to legislation regulating such third persons directly, we cannot justify abandoning any effort to enhance privacy.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals’ views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician. While most commenters support the concept of health privacy in general, many go on to describe activities that depend on the disclosure of health information and urge us to protect those information flows. Section III, in which we respond to the comments, describes our approach to balancing these conflicting expectations.

Finally, we note that many commenters were concerned that this regulation would lessen current privacy protections. It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of “best practices.” Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. The protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive—the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. We expect covered entities to rely on their professional ethics and use their own best judgements in deciding which of these permissions they will use.

Combining Workability With New Protections

This rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed
settings. The standards address the many varied uses and disclosures of individually identifiable health information by health plans, certain health care providers and health care clearinghouses. The complexity of the standards reflects the complexity of the health care marketplace to which they apply and the variety of subjects that must be addressed. The rule applies not only to the core health care functions relating to treating patients and reimbursing health care providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a health care provider may release protected health information about a patient for law enforcement purposes. The number of discrete provisions, and the number of commenters requesting that the rule recognize particular activities, is evidence of the significant role that individually identifiable health information plays in many vital public and private concerns.

At the same time, the large number of comments from individuals and groups representing individuals demonstrates the deep public concern about the need to protect the privacy of individually identifiable health information. The discussion above is rich with evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.

The need to balance these competing interests—the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes—in a way that is also workable for the varied stakeholders causes much of the complexity in the rule. Achieving workability without sacrificing protection means some level of complexity, because the rule must track current practices and current practices are complex. We believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Although the rule taken as a whole is complicated, we believe that the standards are much less complex as they apply to particular actors. What a health plan or covered health care provider must do to comply with the rule is clear, and the two-year delayed implementation provides a substantial period for trade and professional associations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them. For individuals, the system may look substantially more complicated because, for the first time, we are ensuring that individuals will receive detailed information about how their individually identifiable health information may be used and disclosed. We also provide individuals with additional tools to exercise some control over those uses and disclosures. The additional complexity for individuals is the price of expanding their understanding and their rights.

The Department will work actively with members of the health care industry, representatives of individuals and others during the implementation of this rule. As stated elsewhere, our focus is to develop broader understanding of how the standards work and to facilitate compliance. We intend to provide guidance and check lists as appropriate, particularly to small businesses affected by the rule. We also will work with trade and professional associations to develop guidance and provide technical assistance so that they can help their members understand and comply with these new standards. If this effort is to succeed, the various public and private participants inside and outside of the health care system will need to work together to assure that the competing interests described above remain in balance and that an ethic that recognizes their importance is established.

Enforcement

The Secretary has decided to delegate her responsibility under this regulation to the Department’s Office for Civil Rights (OCR). OCR will be responsible for enforcement of this regulation. Enforcement activities will include working with covered entities to secure voluntary compliance through the provision of technical assistance and other means; responding to questions regarding the regulation and providing interpretations and guidance; responding to state requests for exception determinations; investigating complaints and conducting compliance reviews; and, where voluntary compliance cannot be achieved, seeking civil monetary penalties and making referrals for criminal prosecution.

Consent

Current Law and Practice

The issue that drew the most comments overall is the question of when individuals’ permission should be obtained prior to use or disclosure of their health information. We learned that individuals’ views and the legal view of “consent” for use and disclosure of health information are different and in many ways incompatible. Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information. Many believe that they “own” the health records about them. However, current law and practice do not support this view.

Current privacy protection practices are determined in part by the standards and practices that the professional associations have adopted for their members. Professional codes of conduct for ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, American Nurses’ Association, the American Hospital Association, the American Psychiatric Association, and the American Dental Association. These are generally issued through an organization’s governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

Our review of professional codes of ethics revealed partial, but loose, support for individuals’ expectations of privacy. For example, the American Medical Association’s Code of Ethics recognizes both the right to privacy and the need to balance it against societal needs. It reads in part: “conflicts between a patient’s right to privacy and a third party’s need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others.” AMA Policy No 140.989. See also, Mass. Med. Society, Patient Privacy and Confidentiality (1996), at 14:

Patients enter treatment with the expectation that the information they share will be used exclusively for their clinical care. Protection of our patients’ confidences is an integral part of our ethical training.

These codes, however, do not apply to many who obtain information from providers. For example, the National Association of Insurance Commissioners model code, “Health Information Privacy Model Act” (1998), applies to insurers but has not been widely adopted. Codes of ethics are also often written in general terms that do not provide guidance to providers and plans confronted with specific questions about protecting health information.

State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and
others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. § 2–3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public’s strong expectations regarding consent for use and disclosure of health information. Only about half of the states have a general law that prohibits disclosure of health information without patient authorization and some of these are limited to hospital medical records. Even when a state has a law limiting disclosure of health information, the law typically exempts many types of disclosure from the authorization requirement. Georgetown Study, Key Findings; Lisa Dahm, “50-State Survey on Patient Health Care Record Confidentiality,” American Health Lawyers Association (1999). One of the most common exemptions from a consent requirement is disclosure of health information for treatment and related purposes. See, e.g., Wis. Stat. § 164.82; Cal. Civ. Code 56:10; National Conference of Commissioners on Uniform State Laws, Uniform Health-Care Information Act, Minneapolis, MN, August 9, 1985. Some states include utilization review and similar activities in the exemption. See, e.g., Ariz. Rev. Stat. § 12–2294. Another common exemption from consent is disclosure of health information for purposes of obtaining payment. See, e.g., Fla. Stat. Ann. § 455.667; Tex. Rev. Civ. Stat. Art. 4495, § 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions include disclosures for emergency care, and for disclosures to government authorities (such as a department of public health). See Gostin Study, at 1–2; 48–51. Some states also exempt disclosure to law enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 2000), coroners (Wis. Stat. § 146.82), and for such purposes as business operations, oversight, research, and for directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. When states require specific, written authorization for disclosure of health information, the authorizations are usually only required for certain types of disclosures or certain types of information, and one authorization can suffice for multiple disclosures over time.

The states that do not have laws prohibiting disclosure of health information impose no specific requirements for consent or authorization prior to release of health information. There may, however, be other controls on release of health information. For instance, most health care professional licensure laws include general prohibitions against “breaches of confidentiality.” In some states, patients can hold providers accountable for some unauthorized disclosures of health information about them under various tort theories, such as invasion of privacy and breach of a confidential relationship. While these controls may affect certain disclosure practices, they do not amount to a requirement that a provider obtain authorization for each and every disclosure of health information.

Further, patients are typically not given a choice; they must sign the “consent” in order to receive care. As the Georgetown Study points out, “In effect, the authorization may function more as a waiver of consent—the patient may not have an opportunity to object to any disclosures.” Georgetown Study, Key Findings.

In the many cases where neither state law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and procedures that the health care entity adopts. Corporate privacy policies are often proprietary. While several professional associations attached their privacy principles to their comments, health care entities did not. One study we found indicates that these policies are not adequate to provide appropriate privacy protections and alleviate public concern. The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made multiple findings highlighting the need for heightened privacy and security, including:

Finding 5: The greatest concerns regarding the privacy of health information derives from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information.

For the Record: Protecting Electronic Health Information, National Academy Press, Washington DC, 1997.

Consent Under This Rule

In the NPRM, we expressed concern about the coercive nature of consents currently obtained by providers and plans relating to the use and disclosure of health information. We also expressed concern about the lack of information available to the patient during the process, and the fact that patients often were not even presented with a copy of the consent that they have signed. These and other concerns led us to propose that covered entities be permitted to use and disclose protected health information for treatment, payment and health care operations without the express consent of the subject individual.

In the final rule, we alter our proposed approach and require, in most instances, that health care providers who have a direct treatment relationship with their patients obtain the consent of their patients to use and disclose protected health information for treatment, payment and health care operations. While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.

Providing and obtaining consent clearly has meaning for patients and practitioners. Patient advocates argued that the act of signing focuses the patient’s attention on the substance of the transaction and provides an opportunity for the patient to ask questions about or seek modifications in the provider’s practices. Many health care practitioners and their representatives argued that seeking a patient’s consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship. Both practitioners and patients argued that the approach proposed in the NPRM actually reduced patient protections by eliminating the opportunity for patients to agree to how their confidential information would be used and disclosed.

While we believe that the provisions in the NPRM that provided for detailed notice to the patient and the right to request restrictions would have provided an opportunity for patients and providers to discuss and negotiate over information practices, it is clear from the comments that many practitioners and patients believe the approach proposed in the NPRM is not an acceptable replacement for the patient providing consent.

To encourage a more informed interaction between the patient and the provider during the consent process, the final rule requires that the consent form that is presented to the patient be accompanied by a notice that contains a detailed discussion of the provider’s health information practices. The consent form must reference the notice and also must inform the patient that he
or she has the right to ask the health care provider to request certain restrictions as to how the information of the patient will be used or disclosed. Our goal is to provide an opportunity for and to encourage more informed discussions between patients and providers about how protected health information will be used and disclosed within the health care system.

We considered and rejected other approaches to consent, including those that involved individuals providing a global consent to uses and disclosures when they sign up for insurance. While such approaches do require the patient to provide consent, it is not really an informed one or a voluntary one. It is also unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information in the first instance. The ability to negotiate restrictions or otherwise have a meaningful discussion with the front-line provider would be independent of, and potentially in conflict with, the consent obtained at the enrollment stage. In addition, employers today are moving toward simplified enrollment forms, using check-off boxes and similar devices. The opportunity for any meaningful consideration or interaction at that point is slight. For these and other reasons, we decided that, to the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider.

The comments and fact-finding indicate that our approach will not significantly change the administrative aspect of consent as it exists today. Most direct treatment providers today obtain some type of consent for some uses and disclosures of health information. Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussion, should they so desire.

Administrative Costs

Section 1172(b) of the Act provides that “[a]ny standard adopted under this part [part C of title XI of the Act] shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.” The privacy and security standards are the platform on which the remaining standards rest; indeed, the design of part C of title XI makes clear that the various ...

... suite of administrative simplification regulations as a whole, and the cost savings realized should likewise be calculated on an aggregated basis, as is done below. Because the privacy standards are an integral and necessary part of the suite of Administrative Simplification standards, and because that suite of standards will result in substantial administrative cost savings, the privacy standards are “consistent with the objective of reducing the administrative costs of providing and paying for health care.”

As more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that these privacy standards will entail substantial initial and ongoing administrative costs for entities subject to the rules. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. The Congress recognized that adequate protection of security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution, by enacting the security and privacy provisions of the law. Thus, as a matter of policy as well as law, the administrative standards should be viewed as a whole in determining whether they are “consistent with” the objective of reducing administrative costs.

Consultations

The Congress required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under the section. Section 1172(b)(3) of the Act, which was enacted by section 262, requires that, in developing a standard under section 1172 for which no standard setting organization has already developed a standard, the Secretary must, before adopting the standard, consult with the ...

... Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Section 1172(f) also requires the Secretary to rely on the recommendations of the NCVHS and consult with other appropriate federal and state agencies and private organizations.

We engaged in the required consultations including the Attorney General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in developing the Recommendations, upon which this proposed rule is based. We continued to consult with this committee by requesting the committee to review the proposed rule and provide comments prior to its publication, and by reviewing transcripts of its public meeting on privacy and related topics. We consulted with representatives of the National Congress of American Indians, the National Indian Health Board, and the self governance tribes. We also met with representatives of the National Governors’ Association, the National Conference of State Legislatures, the National Association of Public Health Statistics and Information Systems, and a number of other state organizations to discuss the framework for the proposed rule, issues of special interest to the states, and the process for providing comments on the proposed rule.

Many of these groups submitted comments to the proposed rule, and those were taken into account in developing the final regulation.

In addition to the required consultations, we met with numerous individuals, entities, and agencies regarding the regulation, with the goal of making these standards as compatible as possible with current business practices, while still enhancing privacy protection. During the open comment period, we met with dozens of groups.

Relevant federal agencies participated in the interagency working groups that developed the NPRM and the final regulation, with additional representatives from all operating divisions and many staff offices of HHS. The following federal agencies and offices were represented on the interagency working groups: the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the
standards are intended to function National Uniform Billing Committee Office of Personnel Management, and
together. Thus, the costs of privacy and (NUBC), the National Uniform Claim the Office of Management and Budget.
security are properly attributable to the Committee (NUCC), the Workgroup for
II. Section-by-Section Description of Rule Provisions

Part 160—Subpart A—General Provisions

Part 160 applies to all the administrative simplification regulations. We include the entire regulation text in this rule, not just those provisions relevant to this Privacy regulation. For example, the term ‘‘trading partner’’ is defined here, for use in the Health Insurance Reform: Standards for Electronic Transactions regulation, published at 65 FR 50312, August 17, 2000 (the ‘‘Transactions Rule’’). It does not appear in the remainder of this Privacy rule.

Sections 160.101 and 160.104 of Subpart A of part 160 were promulgated in the Transactions Rule, and we do not change them here. We do, however, make changes and additions to § 160.103, the definitions section of Subpart A. The definitions that were promulgated in the Transactions Rule and that remain unchanged here are: Act, ANSI, covered entity, compliance date, group health plan, HCFA, HHS, health care provider, health information, health insurance issuer, health maintenance organization, modify or modification, Secretary, small health plan, standard setting organization, and trading partner agreement. Of these terms, we discuss further in this preamble only covered entity and health care provider.

Section 160.102—Applicability

The proposed rule stated that the subchapter (Parts 160, 162, and 164) applies to the entities set out at section 1172(a) of the Act: Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the subchapter. The final rule adds a provision (§ 160.102(b)) clarifying that to the extent required under section 201(a)(5) of HIPAA, nothing in the subchapter is to be construed to diminish the authority of any Inspector General. This was done in response to comment, to clarify that the administrative simplification rules, including the rules below, do not conflict with the cited provision of HIPAA.

Section 160.103—Definitions

Business Associate

We proposed to define the term ‘‘business partner’’ to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. ‘‘Business partner’’ would have included contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. ‘‘Business partner’’ would have excluded persons who are within the covered entity’s workforce, as defined in this section. This rule reflects the change in the name from ‘‘business partner’’ to ‘‘business associate,’’ included in the Transactions Rule.

In the final rule, we change the definition of ‘‘business associate’’ to clarify the circumstances in which a person is acting as a business associate of a covered entity. The changes clarify that the business association occurs when the right to use or disclose the protected health information belongs to the covered entity, and another person is using or disclosing the protected health information (or creating, obtaining and using the protected health information) to perform a function or activity on behalf of the covered entity. We also clarify that providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of protected health information to the service provider. In the proposed rule, we had included a list of persons that were considered to be business partners of the covered entity. However, it is not always clear whether the provision of certain services to a covered entity is ‘‘for’’ the covered entity or whether the service provider is acting ‘‘on behalf of’’ the covered entity. For example, a person providing management consulting services may need protected health information to perform those services, but may not be acting ‘‘on behalf of’’ the covered entity. This we believe led to some general confusion among the commenters as to whether certain arrangements fell within the definition of a business partner under the proposed rule. The construction of the final rule clarifies that the provision of the specified services gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate. The specified services are legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, and financial services. The list is intended to include the types of services commonly provided to covered entities where the disclosure of protected health information is routine to the performance of the service, but when the person providing the service may not always be acting ‘‘on behalf of’’ the covered entity.

In the final rule, we reorganize the list of examples of the functions or activities that may be conducted by business associates. We place a part of the proposed list in the portion of the definition that addresses when a person is providing functions or activities for or on behalf of a covered entity. We place other parts of the list in the portion of the definition that specifies the services that give rise to a business associate relationship, as discussed above. We also have expanded the examples to provide additional guidance and in response to questions from commenters. We have added data aggregation to the list of services that give rise to a business associate relationship. Data aggregation, as discussed below, is where a business associate in its capacity as the business associate of one covered entity combines the protected health information of such covered entity with protected health information received by the business associate in its capacity as a business associate of another covered entity in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Adding this service to the business associate definition clarifies the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. For example, a state hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency and other patient care issues. As discussed below, however, the business associate contracts of each of the hospitals would have to permit the activity, and the protected health information of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the rule.

The definition also states that a business associate may be a covered entity, and that business associate excludes a person who is part of the covered entity’s workforce.

We also clarify in the final rule that a business association arises with
respect to a covered entity when a person performs functions or activities on behalf of, or provides the specified services to or for, an organized health care arrangement in which the covered entity participates. This change recognizes that where covered entities participate in certain joint arrangements for the financing or delivery of health care, they often contract with persons to perform functions or to provide services for the joint arrangement. This change is consistent with changes made in the final rule to the definition of health care operations, which permits covered entities to use or disclose protected health information not only for their own health care operations, but also for the operations of an organized health care arrangement in which the covered entity participates. By making these changes, we avoid the confusion that could arise in trying to determine whether a function or activity is being provided on behalf of (or if a specified service is being provided to or for) a covered entity or on behalf of or for a joint enterprise involving the covered entity. The change clarifies that in either instance the person performing the function or activity (or providing the specified service) is a business associate.

We also add language to the final rule that clarifies that the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity. The fact that the entities participate in joint health care operations or other joint activities, or pursue common goals through a joint activity, does not mean that one party is performing a function or activity on behalf of the other party (or is providing a specified service to or for the other party).

In general under this provision, actions relating to the protected health information of an individual undertaken by a business associate are considered, for the purposes of this rule, to be actions of the covered entity, although the covered entity is subject to sanctions under this rule only if it has knowledge of the wrongful activity and fails to take the required actions to address the wrongdoing. For example, if a business associate maintains the medical records or manages the claims system of a covered entity, the covered entity is considered to have protected health information and the covered entity must ensure that individuals who are the subject of the information can have access to it pursuant to § 164.524.

The business associate relationship does not describe all relationships between covered entities and other persons or organizations. While we permit uses or disclosures of protected health information for a variety of purposes, business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity, when the other person will be creating or obtaining protected health information on behalf of the covered entity, or when the business associate is providing the specified services to the covered entity and the provision of those services involves the disclosure of protected health information by the covered entity to the business associate. For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established. While the covered provider may have an agreement to accept discounted fees as reimbursement for services provided to health plan members, neither entity is acting on behalf of or providing a service to the other.

Similarly, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians with staff privileges, a business associate relationship may arise with respect to those services. Likewise, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities or services. We also note that covered entities are permitted to disclose protected health information to oversight agencies that act to provide oversight of federal programs and the health care system. These oversight agencies are not performing services for or on behalf of the covered entities and so are not business associates of the covered entities. Therefore HCFA, the federal agency that administers Medicare, is not required to enter into a business associate contract in order to disclose protected health information to the Department’s Office of Inspector General.

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.

Covered Entity

We provided this definition in the NPRM for convenience of reference and proposed it to mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred
to in section 1173(a)(1) of the Act (a ‘‘standard transaction’’).

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider. See the definition of ‘‘business associate.’’

Where a public agency is required or authorized by law to administer a health plan jointly with another entity, we consider each agency to be a covered entity with respect to the health plan functions it performs. Unlike private sector health plans, public plans are often required by or expressly authorized by law to jointly administer health programs that meet the definition of ‘‘health plan’’ under this regulation. In some instances the public entity is required or authorized to administer the program with another public agency. In other instances, the public entity is required or authorized to administer the program with a private entity. In either circumstance, we note that joint administration does not meet the definition of ‘‘business associate’’ in § 164.501. Examples of joint administration include state and federal administration of the Medicaid and SCHIP program, or joint administration of a Medicare+Choice plan by the Health Care Financing Administration and the issuer offering the plan.

Health Care

We proposed to define ‘‘health care’’ to mean the provision of care, services, or supplies to a patient and to include any: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

The final rule revises both the NPRM definition and the definition as provided in the Transactions Rule, to now mean ‘‘care, services, or supplies related to the health of an individual. Health care includes the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

We delete the term ‘‘providing’’ from the definition to delineate more clearly the relationship between ‘‘treatment,’’ as the term is defined in § 164.501, and ‘‘health care.’’ Other key revisions include adding the term ‘‘assessment’’ in subparagraph (1) and deleting proposed subparagraph (3) from the rule. Therefore the procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions. As described in § 164.512(h), covered entities are permitted to disclose protected health information without individual authorization, consent, or agreement (see below for explanation of authorizations, consents, and agreements) as necessary to facilitate cadaveric donation.

Health Care Clearinghouse

In the NPRM, we defined ‘‘health care clearinghouse’’ as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payor or payors, and forwards the processed transaction to appropriate payors and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and ‘‘value-added’’ networks and switches would have been considered to be health care clearinghouses for purposes of this part, if they perform the functions of health care clearinghouses as described in the preceding sentences.

In the final regulation, we modify the definition of health care clearinghouse to reflect changes in the definition published in the Transactions Rule. The definition in the final rule is:

Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and ‘‘value-added’’ networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

We note here that the term health care clearinghouse may have other meanings and connotations in other contexts, but the regulation defines it specifically, and an entity is considered a health care clearinghouse only to the extent that it meets the criteria in this definition. Telecommunications entities that provide connectivity or mechanisms to convey information, such as telephone companies and Internet Service Providers, are not health care clearinghouses as defined in the rule unless they actually carry out the functions outlined in our definition. Value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition. We continue to consider the examples of entities in our proposed definition, as well as any other entities that meet that definition, to be health care clearinghouses to the extent that they perform the functions in the definition.

In order to fall within this definition of clearinghouse, the covered entity must perform the clearinghouse function on health information received from some other entity. A department or component of a health plan or health care provider that transforms nonstandard information into standard data elements or standard transactions (or vice versa) is not a clearinghouse for purposes of this rule, unless it also performs these functions for another entity. As described in more detail in § 164.504(d), we allow affiliates to perform clearinghouse functions for each other without triggering the definition of ‘‘clearinghouse’’ if the conditions in § 164.504(d) are met.

Health Care Provider

We proposed to define health care provider to mean a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business.
In the final rule, we delete the term ‘‘services and supplies,’’ in order to eliminate redundancy within the definition. The definition also reflects the addition of the applicable U.S.C. citations (42 U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the referenced provisions of the Act that were promulgated in the Transactions Rule.

To assist the reader, we also provide here excerpts from the relevant sections of the Act. (Refer to the U.S.C. sections cited above for complete definitions in sections 1861(u) and 1861(s).) Section 1861(u) of the Act defines a ‘‘provider of services,’’ to include, for example,

a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1814(g) (42 U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.’’ Section 1861(s) of the Act defines the term, ‘‘medical and other health services,’’ and includes a list of covered items or services, as illustrated by the following excerpt:

(s) Medical and other health services. The term ‘‘medical and other health services’’ means any of the following items or services:
(1) Physicians’ services;
(2) (A) services and supplies * * * furnished as an incident to a physician’s professional service, or kinds which are commonly furnished in physicians’ offices and are commonly either rendered without charge or included in the physicians’ bills;
(B) hospital services * * * incident to physicians’ services rendered to outpatients and partial hospitalization services incident to such services;
(C) diagnostic services which are—
(i) furnished to an individual as an outpatient by a hospital or by others under arrangements with them made by a hospital, and
(ii) ordinarily furnished by such hospital (or by others under such arrangements) to its outpatients for the purpose of diagnostic study;
(D) outpatient physical therapy services and outpatient occupational therapy services;
(E) rural health clinic services and federally qualified health center services;
(F) home dialysis supplies and equipment, self-care home dialysis support services, and institutional dialysis services and supplies;
(G) antigens * * * prepared by a physician * * * for a particular patient, including antigens so prepared which are forwarded to another qualified person * * * for administration to such patient, * * * by or under the supervision of another such physician;
(H)(i) services furnished pursuant to a contract under section 1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a physician assistant or by a nurse practitioner * * * and such services and supplies furnished as an incident to his service to such a member * * * and
(ii) services furnished pursuant to a risk-sharing contract under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an eligible organization by a clinical psychologist * * * or by a clinical social worker * * * (and) furnished as an incident to such clinical psychologist’s services or clinical social worker’s services * * *;
(I) blood clotting factors, for hemophilia patients * * *;
(J) prescription drugs used in immunosuppressive therapy furnished, to an individual who receives an organ transplant for which payment is made under this title (42 U.S.C. 1395 et seq.), but only in the case of (certain) drugs furnished * * *
(K)(i) services which would be physicians’ services if furnished by a physician * * * and which are performed by a physician assistant * * *; and
(ii) services which would be physicians’ services if furnished by a physician * * * and which are performed by a nurse * * *;
(L) certified nurse-midwife services;
(M) qualified psychologist services;
(N) clinical social worker services * * *;
(O) erythropoietin for dialysis patients * * *;
(P) prostate cancer screening tests * * *;
(Q) an oral drug (which is approved by the Federal Food and Drug Administration) prescribed for use as an anti-cancer chemotherapeutic agent for a given indication, and containing an active ingredient (or ingredients) * * *;
(R) colorectal cancer screening tests * * *;
(S) diabetes outpatient self-management training services * * *; and
(T) an oral drug (which is approved by the federal Food and Drug Administration) prescribed for use as an acute anti-emetic used as part of an anti-cancer chemotherapeutic regimen * * *
(3) diagnostic X-ray tests * * * furnished in a place of residence used as the patient’s home * * * ;
(4) X-ray, radium, and radioactive isotope therapy, including materials and services of technicians;
(5) surgical dressings, and splints, casts, and other devices used for reduction of fractures and dislocations;
(6) durable medical equipment;
(7) ambulance service where the use of other methods of transportation is contraindicated by the individual’s condition * * *;
(8) prosthetic devices (other than dental) which replace all or part of an internal body organ (including colostomy bags and supplies directly related to colostomy care), * * * and including one pair of conventional eyeglasses or contact lenses furnished subsequent to each cataract surgery * * * [;]
(9) leg, arm, back, and neck braces, and artificial legs, arms, and eyes, including replacements if required * * * ;
(10) (A) pneumococcal vaccine and its administration * * *; and
(B) hepatitis B vaccine and its administration * * *, and
(11) services of a certified registered nurse anesthetist * * *;
(12) * * * extra-depth shoes with inserts or custom molded shoes with inserts for an individual with diabetes, if * * *;
(13) screening mammography * * *;
(14) screening pap smear and screening pelvic exam; and
(15) bone mass measurement * * *. (etc.)

Health Plan

We proposed to define ‘‘health plan’’ essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg–91, as added by Public Law 104–191.

As defined in section 1171(5), a ‘‘health plan’’ is an individual plan or group health plan that provides, or pays the cost of, medical care. We proposed that this definition include, but not be limited to the 15 types of plans (e.g., group health plan, health insurance issuer, health maintenance organization) listed in the statute, as well as any combination of them. Such term would have included, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans would have been included to the extent that they fall into one or more of the listed categories.

In the proposed rule, ‘‘health plan’’ included the following, singly or in combination:

(1) A group health plan, defined as an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg–91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance or otherwise, that:
(i) Has 50 or more participants; or
(ii) Is administered by an entity other than the employer that established and maintains the plan.

(2) A health insurance issuer, defined as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a state and is subject to state or other law that regulates insurance.

(3) A health maintenance organization, defined as a federally qualified health maintenance organization, an organization recognized as a health maintenance organization under state law, or a similar organization regulated for solvency under state law in the same manner and to the same extent as such a health maintenance organization.

(4) Part A or Part B of the Medicare program under title XVIII of the Act.

(5) The Medicaid program under title XIX of the Act.

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss).
(7) A long-term care policy, including a nursing home fixed-indemnity policy.
(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(9) The health care program for active military personnel under title 10 of the United States Code.
(10) The veterans health care program under 38 U.S.C. chapter 17.
(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
(12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.).
(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.
(14) An approved state child health plan for child health assistance that meets the requirements of section 2103 of the Act.
(15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

In addition to the 15 specific categories, we proposed that the list include any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. The Secretary would determine which plans that meet these criteria would be considered health plans for the purposes of this rule.

Consistent with the other titles of HIPAA, our proposed definition did not include certain types of insurance entities, such as workers' compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services.

In the final rule, we add two provisions to clarify the types of policies or programs that we do not consider to be a health plan. First, the rule excepts any policy, plan or program to the extent that it provides, or pays for the cost of, excepted benefits, as defined in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg–91(c)(1). We note that, while coverage for on-site medical clinics is excluded from the definition of "health plans," such clinics may meet the definition of "health care provider" and persons who work in the clinic may also meet the definition of health care provider. Second, many commenters were confused by the statutory inclusion as a health plan of any "other individual or group plan that provides or pays the cost of medical care;" they questioned how the provision applied to many government programs. We therefore clarify that while many government programs (other than the programs specified in the statute) provide or pay the cost of medical care, we do not consider them to be individual or group plans and therefore, do not consider them to be health plans. Government funded programs that do not have as their principal purpose the provision of, or payment for, the cost of health care but which do incidentally provide such services are not health plans (for example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) and the Food Stamp Program, which provide or pay for nutritional services, are not considered to be health plans). Government funded programs that have as their principal purpose the provision of health care, either directly or by grant, are also not considered to be health plans. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act, government funded health centers and immunization programs. We note that some of these may meet the rule's definition of health care provider.

We note that in certain instances eligibility for or enrollment in a health plan that is a government program providing public benefits, such as Medicaid or SCHIP, is determined by an agency other than the agency that administers the program, or individually identifiable health information used to determine enrollment or eligibility in such a health plan is collected by an agency other than the agency that administers the health plan. In these cases, we do not consider an agency that is not otherwise a covered entity, such as a local welfare agency, to be a covered entity because it determines eligibility or enrollment or collects enrollment information as authorized by law. We also do not consider the agency to be a business associate when conducting these functions, as we describe further in the business associate discussion above.

The definition in the final rule also reflects the following changes promulgated in the Transactions Rule:
(1) Exclusion of nursing home fixed-indemnity policies;
(2) Addition of the word "issuer" to Medicare supplemental policy, and long-term care policy;
(3) Addition or revision of the relevant statutory cites where appropriate;
(4) Deletion of the term "or assisted" when referring to government programs;
(5) Replacement of the word "organization" with "program" when referring to Medicare + Choice;
(6) Deletion of the term "health" when referring to a group plan in subparagraph (xvi);
(7) Extraction of the definitions of "group health plan," "health insurance issuer," and "health maintenance organization" into Part 160 as distinct definitions;
(8) In the definition of "group health plan," deletion of the term "currently" from the reference to the statutory cite of ERISA, addition of the relevant statutory cite for the term "participant," and addition of the term "reimbursement;"
(9) In the definition of "health insurance issuer," addition of the relevant statutory cite, deletion of the term "or other law" after "state law," addition of health maintenance organizations for consistency with the statute, and clarification that the term does not include a group health plan; and
(10) In the definition of "health maintenance organization," addition of the relevant statutory cite.

Finally, we add to this definition a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals. High risk pools are designed mainly to provide health insurance coverage for individuals who, due to health status or pre-existing conditions, cannot obtain insurance through the individual market or who can do so only at very high premiums. Some states use their high risk pool as an alternative mechanism under section 2744 of HIPAA. We do not reference the definition of "qualified high risk pool" in HIPAA because that definition includes the requirements for a state to use its risk pool as its alternative mechanism under HIPAA. Some states may have high risk pools, but do not use them as their alternative mechanism and therefore may not meet the definition in HIPAA. We want to make clear that state high risk pools are covered entities under this rule whether or not they meet the definition of a qualified high risk pool under section 2744. High risk pools, as described in this rule, do not include any program established under state law solely to provide excepted benefits. For example, a state program established to provide workers' compensation coverage is not
considered to be a high risk pool under the rule.

Implementation Specification

This definition was adopted in the Transactions Rule and is minimally revised here. We add the words "requirements or" before the word "instructions." The word "instructions" is appropriate in the context of the implementation specifications adopted in the Transactions Rule, which are generally a series of instructions as to how to use particular electronic forms. However, that word is not apropos in the context of the rules below. In the rules below, the implementation specifications are specific requirements for how to comply with a given standard. The change to this definition thus ties in to this regulatory framework.

Standard

This definition was adopted in the Transactions Rule and we have modified it to make it clearer. We also add language reflecting section 264 of the statute, to clarify that the standards adopted by this rule meet this definition.

State

We modify the definition of state as adopted in the Transactions Rule to clarify that this term refers to any of the several states.

Transaction

We change the term "exchange" to the term "transmission" in the definition of Transaction to clarify that these transactions may be one-way communications.

Workforce

We proposed in the NPRM to define workforce to mean employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.

The definition in the final rule reflects one revision established in the Transactions Rule, which replaces the term "including persons providing labor on an unpaid basis" with the term "whether or not they are paid by the covered entity." In addition, we clarify that if the assigned work station of persons under contract is on the covered entity's premises and such persons perform a substantial proportion of their activities at that location, the covered entity may choose to treat them either as business associates or as part of the workforce, as explained in the discussion of the definition of business associate. If there is no business associate contract, we assume the person is a member of the covered entity's workforce. We note that independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists.

Part 160—Subpart B—Preemption of State Laws

Statutory Background

Section 1178 of the Act establishes a "general rule" that state law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) In section 1178(a)(2)(A)(i), for state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery, and other purposes; (2) in section 1178(a)(2)(A)(ii), for state laws that address controlled substances; and (3) in section 1178(a)(2)(B), for state laws relating to the privacy of individually identifiable health information that as provided for by the related provision of section 264(c)(2) of HIPAA, are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of state authority that are not limited or invalidated by the provisions of part C of title XI: these areas relate to public health and state regulation of health plans.

The NPRM proposed a new Subpart B of the proposed part 160. The new Subpart B, which would apply to all standards, implementation specifications, and requirements adopted under HIPAA, would consist of four sections. Proposed § 160.201 provided that the provisions of Subpart B applied to exception determinations and advisory opinions issued by the Secretary under section 1178. Proposed § 160.202 set out proposed definitions for four terms: (1) "Contrary," (2) "more stringent," (3) "relates to the privacy of individually identifiable health information," and (4) "state law." The definition of "contrary" was drawn from case law concerning preemption. A seven-part set of specific criteria, drawn from fair information principles, was proposed for the definition of "more stringent." The definition of "relates to the privacy of individually identifiable health information" was also based on case law. The definition of "state law" was drawn from the statutory definition of this term elsewhere in HIPAA. We note that state action having the force and effect of law may include common law. We eliminate the term "decision" from the proposed rule because it is redundant.

Proposed § 160.203 proposed a general rule reflecting the statutory general rule and exceptions that generally mirrored the statutory language of the exceptions. The one substantive addition to the statutory exception language was with respect to the statutory exception, "for other purposes." The following language was added: "for other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system."

Proposed § 160.204 proposed two processes, one for the making of exception determinations, relating to determinations under section 1178(a)(2)(A) of the Act, the other for the rendering of advisory opinions, with respect to section 1178(a)(2)(B) of the Act. The processes proposed were similar in the following respects: (1) Only the state could request an exception determination or advisory opinion, as applicable; (2) both required the request to contain the same information, except that a request for an exception determination also had to set out the length of time the requested exception would be in effect, if less than three years; (3) both sets of requirements provided that requests had to be submitted to the Secretary as required by the Secretary, and until the Secretary's determination was made, the federal standard, requirement or implementation specification remained in effect; (4) both sets of requirements provided that the Secretary's decision would be effective intrastate only; (5) both sets of requirements provided that any change to either the federal or state basis for the Secretary's decision would require a new request, and the federal standard, implementation specification, or requirement would remain in effect until the Secretary acted favorably on the new request; (6) both sets of requirements provided that the Secretary could seek changes to the federal rules or urge states or other organizations to seek changes; and (7) both sets of requirements provided for annual publication of Secretarial decisions. In addition, the process for exception determinations provided for a maximum effective period of three years for such determinations.

The following changes have been made to subpart B in the final rules. First, § 160.201 now expressly
implements section 1178. Second, the definition of "more stringent" has been changed by eliminating the criterion relating to penalties and by framing the criterion under paragraph (1) more generally. Also, we have clarified that the term "individual" means the person who is the subject of the individually identifiable health information, since the term "individual" is defined this way only in subpart E of part 164, not in part 160. Third, the definition of "state law" has been changed by substituting the words "statute, constitutional provision" for the word "law," the words "common law" for the word "decision," and adding the words "force and" before the word "effect" in the proposed definition. Fourth, in § 160.203, several criteria relating to the statutory grounds for exception determinations have been further spelled out: (1) The words "related to the provision of or payment for health care" have been added to the exception for fraud and abuse; (2) the words "to the extent expressly authorized by statute or regulation" have been added to the exception for state regulation of health plans; (3) the words "of serving a compelling need related to public health, safety, or welfare, and, where a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, where the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served" have been added to the general exception "for other purposes"; and (4) the statutory provision regarding controlled substances has been elaborated on as follows: "Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance, as defined at 21 U.S.C. 802, or which is deemed a controlled substance by state law."

The most extensive changes have been made to proposed § 160.204. The provision for advisory opinions has been eliminated. Section 160.204 now sets out only a process for requesting exception determinations. In most respects, this process is the same as proposed. However, the proposed restriction of the effect of exception determinations to wholly intrastate transactions has been eliminated. Section 160.204(a) has been modified to allow any person, not just a state, to submit a request for an exception determination, and clarifies that requests from states may be made by the state's chief elected official or his or her designee. Proposed § 160.204(a)(3) stated that if it is determined that the federal standard, requirement, or implementation specification in question meets the exception criteria as well as or better than the state law for which the exception is requested, the request will be denied; this language has been deleted. Thus, the criterion for granting or denying an exception request is whether the applicable exception criterion or criteria are met.

A new § 160.205 is also adopted, replacing part of what was proposed at proposed § 160.204. The new § 160.205 sets out the rules relating to the effectiveness of exception determinations. Exception determinations are effective until either the underlying federal or state laws change or the exception is revoked, by the Secretary, based on a determination that the grounds supporting the exception no longer exist. The proposed maximum of three years has been eliminated.

Relationship to Other Federal Laws

Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations. And, health care providers in schools, colleges, and universities may come within the purview of the Family Educational Rights and Privacy Act. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other federal laws.

Many commenters raised questions about how different federal statutes and regulations intersect with the privacy regulation. While we address specific concerns in the response to comments later in the preamble, in this section, we explore some of the general interaction issues. These summaries do not identify all possible conflicts or overlaps of the privacy regulation and other federal laws, but should provide general guidance for complying with both the privacy regulation and other federal laws. The summaries also provide examples of how covered entities can analyze other federal laws when specific questions arise. HHS may consult with other agencies concerning the interpretation of other federal laws as necessary.

Implied Repeal Analysis

When faced with the need to determine how different federal laws interact with one another, we turn to the judiciary's approach. Courts apply the implied repeal analysis to resolve tensions that appear to exist between two or more statutes. While the implication of a regulation-on-regulation conflict is unclear, courts agree that administrative rules and regulations that do not conflict with express statutory provisions have the force and effect of law. Thus, we believe courts would apply the standard rules of interpretation that apply to statutes to address questions of interpretation with regard to regulatory conflicts.

When faced with two potentially conflicting statutes, courts attempt to construe them so that both are given effect. If this construction is not possible, courts will look for express language in the later statute, or an intent in its legislative history, indicating that Congress intended the later statute to repeal the earlier one. If there is no expressed intent to repeal the earlier statute, courts will characterize the statutes as either general or specific. Ordinarily, later, general statutes will not repeal the special provisions of an earlier, specific statute. In some cases, when a later, general statute creates an irreconcilable conflict or is manifestly inconsistent with the earlier, specific statute in a manner that indicates a clear and manifest Congressional intent to repeal the earlier statute, courts will find that the later statute repeals the earlier statute by implication. In these cases, the latest legislative action may prevail and repeal the prior law, but only to the extent of the conflict.

There should be few instances in which conflicts exist between a statute or regulation and the rules below. For example, if a statute permits a covered entity to disclose protected health information and the rules below permit such a disclosure, no conflict arises; the covered entity could comply with both and choose whether or not to disclose the information. In instances in which a potential conflict appears, we would attempt to resolve it so that both laws applied. For example, if a statute or regulation permits dissemination of protected health information, but the rules below prohibit the use or disclosure without an authorization, we believe a covered entity would be able to comply with both because it could obtain an authorization under § 164.508 before disseminating the information under the other law.

Many apparent conflicts will not be true conflicts. For example, if a conflict
appears to exist because a previous statute or regulation requires a specific use or disclosure of protected health information that the rules below appear to prohibit, the use or disclosure pursuant to that statute or regulation would not be a violation of the privacy regulation because § 164.512(a) permits covered entities to use or disclose protected health information as required by law.

If a statute or regulation prohibits dissemination of protected health information, but the privacy regulation requires that an individual have access to that information, the earlier, more specific statute would apply. The interaction between the Clinical Laboratory Improvement Amendments regulation is an example of this type of conflict. From our review of several federal laws, it appears that Congress did not intend for the privacy regulation to overrule existing statutory requirements in these instances.

Examples of Interaction

We have summarized how certain federal laws interact with the privacy regulation to provide specific guidance in areas deserving special attention and to serve as examples of the analysis involved. In the Response to Comment section, we have provided our responses to specific questions raised during the comment period.

The Privacy Act

The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a "routine use" and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.

Some federal agencies and contractors of federal agencies that are covered entities under the privacy rules are subject to the Privacy Act. These entities must comply with all applicable federal statutes and regulations. For example, if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation. This means not making the particular disclosure.

The Freedom of Information Act

FOIA, 5 U.S.C. 552, provides for public disclosure, upon the request of any person, of many types of information in the possession of the federal government, subject to nine exemptions and three exclusions. For example, Exemption 6 permits federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. 552(b)(6).

Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.

We offer the following analysis for federal agencies and federal contractors who operate Privacy Act systems of records on behalf of federal agencies and must comply with FOIA and the privacy regulation. If presented with a FOIA request that would result in the disclosure of protected health information, a federal agency must first determine if FOIA requires the disclosure or if an exemption or exclusion would be appropriate. We believe that generally a disclosure of protected health information, when requested under FOIA, would come within FOIA Exemption 6. We recognize, however, that the application of this exemption to information about deceased individuals requires a different analysis than that applicable to living individuals because, as a general rule, under the Privacy Act, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interests of a decedent's survivors under Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: Privacy Considerations. Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.

Federal Substance Abuse Confidentiality Requirements

The federal confidentiality of substance abuse patient records statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, and its implementing regulation, 42 CFR part 2, establish confidentiality requirements for patient records that are maintained in connection with the performance of any federally-assisted specialized alcohol or drug abuse program. Substance abuse programs are generally programs or personnel that provide alcohol or drug abuse treatment, diagnosis, or referral for treatment. The term "federally-assisted" is broadly defined and includes federally conducted or funded programs, federally licensed or certified programs, and programs that are tax exempt. Certain exceptions apply to information held by the Veterans Administration and the Armed Forces.

There are a number of health care providers that are subject to both these rules and the substance abuse statute and regulations. In most cases, a conflict will not exist between these rules. These privacy rules permit a health care provider to disclose information in a number of situations that are not permitted under the substance abuse regulation. For example, disclosures allowed, without patient authorization, under the privacy rule for law enforcement, judicial and administrative proceedings, public health, health oversight, directory assistance, and as required by other laws would generally be prohibited under the substance abuse statute and regulation. However, because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the privacy rules for failing to make these disclosures.

Similarly, provisions in the substance abuse regulation provide for permissive disclosures in case of medical emergencies, to the FDA, for research activities, for audit and evaluation activities, and in response to certain court orders. Because these are permissive disclosures, programs subject to both the privacy rules and the substance abuse rule are able to comply with both rules even if the privacy rules restrict these types of disclosures. In addition, the privacy rules generally require that an individual be given access to his or her own health information. Under the substance abuse
regulation, programs may provide such access, so there is no conflict.

The substance abuse regulation requires notice to patients of the substance abuse confidentiality requirements and provides for written consent for disclosure. While the privacy rules have requirements that are somewhat different, the program may use notice and authorization forms that include all the elements required by both regulations. The substance abuse rule provides a sample notice and a sample authorization form and states that the use of these forms would be sufficient. While these forms do not satisfy all of the requirements of the privacy regulation, there is no conflict because the substance abuse regulation does not mandate the use of these forms.

statutes together is that the effect of section 264(c)(2) is only to leave in place state privacy protections that would otherwise apply and that are more stringent than the federal privacy protections.

Many health plans covered by the privacy regulation are also subject to ERISA requirements. Our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules.

The Family Educational Rights and Privacy Act

FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by

providing access to the individual student who is the subject of the information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.

These exclusions are not applicable to all schools, however. If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA. Therefore, its records that contain individually identifiable health information are not education records. These records may be protected health information. The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.
federally funded educational agencies or While we strongly believe every
Employee Retirement Income Security institutions or persons acting for these individual should have the same level
Act of 1974 agencies or institutions. We have of privacy protection for his/her
ERISA was enacted in 1974 to excluded education records covered by individually identifiable health
regulate pension and welfare employee FERPA, including those education information, Congress did not provide
benefit plans established by private records designated as education records us with authority to disturb the scheme
sector employers, unions, or both, to under Parts B, C, and D of the it had devised for records maintained by
provide benefits to their workers and Individuals with Disabilities Education educational institutions and agencies
dependents. Under ERISA, plans that Act Amendments of 1997, from the under FERPA. We do not believe
provide ‘‘through the purchase of definition of protected health Congress intended to amend or preempt
insurance or otherwise * * * medical, information. For example, individually FERPA when it enacted HIPAA.
surgical, or hospital care or benefits, or identifiable health information of With regard to the records described
benefits in the event of sickness, students under the age of 18 created by at 20 U.S.C. 1232g(a)(4)(b)(iv), we
accident, disability, [or] death’’ are a nurse in a primary or secondary considered requiring health care
defined as employee welfare benefit school that receives federal funds and providers engaged in HIPAA
plans. 29 U.S.C. 1002(1). In 1996, that is subject to FERPA is an education transactions to comply with the privacy
HIPAA amended ERISA to require record, but not protected health regulation up to the point these records
portability, nondiscrimination, and information. Therefore, the privacy were used or disclosed for purposes
renewability of health benefits provided regulation does not apply. We followed other than treatment. At that point, the
by group health plans and group health this course because Congress records would be converted from
insurance issuers. Numerous, although specifically addressed how information protected health information into
not all, ERISA plans are covered under in education records should be education records. This conversion
the rules proposed below as ‘‘health protected in FERPA. would occur any time a student sought
plans.’’ We have also excluded certain to exercise his/her access rights. The
Section 514(a) of ERISA, 29 U.S.C. records, those described at 20 U.S.C. provider, then, would need to treat the
1144(a), preempts all state laws that 1232g(a)(4)(B)(iv), from the definition of record in accordance with FERPA’s
‘‘relate to’’ any employee benefit plan. protected health information because requirements and be relieved from its
However, section 514(b) of ERISA, 29 FERPA also provided a specific obligations under the privacy
U.S.C. 1144(b)(2)(A), expressly saves structure for the maintenance of these regulation. We chose not to adopt this
from preemption state laws that regulate records. These are records (1) of approach because it would be unduly
insurance. Section 514(b)(2)(B) of students who are 18 years or older or are burdensome to require providers to
ERISA, 29 U.S.C. 1144(b)(2)(B), provides attending post-secondary educational comply with two different, yet similar,
that an ERISA plan is deemed not to be institutions, (2) maintained by a sets of regulations and inconsistent with
an insurer for the purpose of regulating physician, psychiatrist, psychologist, or the policy in FERPA that these records
the plan under the state insurance laws. recognized professional or be exempt from regulation to the extent
Thus, under the deemer clause, states paraprofessional acting or assisting in the records were used only to treat the
may not treat ERISA plans as insurers that capacity, (3) that are made, student.
subject to direct regulation by state law. maintained, or used only in connection
Finally, section 514(d) of ERISA, 29 with the provision of treatment to the Gramm-Leach-Bliley
U.S.C. 1144(d), provides that ERISA student, and (4) that are not available to In 1999, Congress passed Gramm-
does not ‘‘alter, amend, modify, anyone, except a physician or Leach-Bliley (GLB), Pub. L. 106–102,
invalidate, impair, or supersede any law appropriate professional reviewing the which included provisions, section 501
of the United States.’’ record as designated by the student. et seq., that limit the ability of financial
We considered whether the Because FERPA excludes these records institutions to disclose ‘‘nonpublic
preemption provision of section from its protections only to the extent personal information’’ about consumers
264(c)(2) of HIPAA would give effect to they are not available to anyone other to non-affiliated third parties and
state laws that would otherwise be than persons providing treatment to require financial institutions to provide
preempted by section 514(a) of ERISA. students, any use or disclosure of the customers with their privacy policies
As discussed above, our reading of the record for other purposes, including and practices with respect to nonpublic

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82484 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

personal information. In addition, various federal laws (such as Medicare, funded under section 1943(b) of the
Congress required seven agencies with Medicaid, and ERISA). Public Health Service Act require
jurisdiction over financial institutions to Congress explicitly included some of compliance with 42 CFR part 2, and,
promulgate regulations as necessary to these programs in HIPAA, subjecting thus, raise the issues identified above in
implement these provisions. GLB and them directly to the privacy regulation. the substance abuse confidentiality
its accompanying regulations define Section 1171 of the Act defines the term regulations discussion. There are a
‘‘financial institutions’’ as including ‘‘health plan’’ to include the following number of federal programs which,
institutions engaged in the financial federally conducted, regulated, or either by statute or by regulation,
activities of bank holding companies, funded programs: Group plans under restrict the disclosure of patient
which may include the business of ERISA that either have 50 or more information to, with minor exceptions,
insuring. See 15 U.S.C. 6809(3); 12 participants or are administered by an disclosures ‘‘required by law.’’ See, for
U.S.C. 1843(k). However, Congress did entity other than the employer who example, the program of projects for
not provide the designated federal established and maintains the plan; prevention and control of sexually
agencies with the authority to regulate federally qualified health maintenance transmitted diseases funded under
health insurers. Instead, it provided organizations; Medicare; Medicaid; section 318(e)(5) of the Public Health
states with an incentive to adopt and Medicare supplemental policies; the Service Act (42 CFR 51b.404); the
have their state insurance authorities health care program for active military regulations implementing the
enforce these rules. See 15 U.S.C. 6805. personnel; the health care program for community health center program
If a state were to adopt laws consistent veterans; the Civilian Health and funded under section 330 of the Public
with GLB, health insurers would have to Medical Program of the Uniformed Health Service Act (42 CFR 51c.110);
determine how to comply with both sets Services (CHAMPUS); the Indian health the regulations implementing the
of rules. service program under the Indian Health program of grants for family planning
Thus, GLB has caused concern and Care Improvement Act, 25 U.S.C. 1601, services under title X of the Public
confusion among health plans that are et seq.; and the Federal Employees Health Service Act (42 CFR 59.15); the
subject to our privacy regulation. Health Benefits Program. There also are regulations implementing the program
Although Congress remained silent as to many other federally conducted, of grants for black lung clinics funded
its understanding of the interaction of regulated, or funded programs in which under 30 U.S.C. 437(a) (42 CFR
GLB and HIPAA’s privacy provisions, individually identifiable health 55a.104); the regulations implementing
the Federal Trade Commission and information is created or maintained, the program of maternal and child
other agencies implementing the GLB but which do not come within the health projects funded under section
privacy provisions noted in the statutory definition of ‘‘health plan.’’ 501 of the Act (42 CFR 51a.6); the
preamble to their GLB regulations that While these latter types of federally regulations implementing the program
they ‘‘would consult with HHS to avoid conducted, regulated, or assisted of medical examinations of coal miners
the imposition of duplicative or programs are not explicitly covered by (42 CFR 37.80(a)). These legal
inconsistent requirements.’’ 65 Fed. Reg. part C of title XI in the same way that requirements would restrict the grantees
33646, 33648 (2000). Additionally, the the programs listed in the statutory or other entities providing services
FTC also noted that ‘‘persons engaged in definition of ‘‘health plan’’ are covered, under the programs involved from
providing insurance’’ would be within the statute may nonetheless apply to making many of the disclosures that
the enforcement jurisdiction of state transactions and other activities §§ 164.510 or 164.512 would permit. In
insurance authorities and not within the conducted under such programs. This is some cases, permissive disclosures for
jurisdiction of the FTC. Id. likely to be the case when the federal treatment, payment, or health care
Because the FTC has clearly stated entity or federally regulated or funded operations would also be limited.
that it will not enforce the GLB privacy entity provides health services; the Because §§ 164.510 and 164.512 are
provisions against persons engaged in requirements of part C may apply to merely permissive, there would not be
providing insurance, health plans will such an entity as a ‘‘health care a conflict between the program
not be subject to dual federal agency provider.’’ Thus, the issue of how requirements, because it would be
jurisdiction for information that is both different federal requirements apply is possible to comply with both. However,
nonpublic personal information and likely to arise in numerous contexts. entities subject to both sets of
protected health information. If states There are a number of authorities requirements would not have the total
choose to adopt GLB-like laws or under the Public Health Service Act and range of discretion that they would have
regulations, which may or may not track other legislation that contain explicit if they were subject only to this
the federal rules completely, health confidentiality requirements, either in regulation.
plans would need to evaluate these laws the enabling legislation or in the
under the preemption analysis implementing regulations. Many of Food, Drug, and Cosmetic Act
described in subpart B of Part 160. these are so general that there would The Food, Drug, and Cosmetic Act, 21
appear to be no problem of U.S.C. 301, et seq., and its
Federally Funded Health Programs accompanying regulations outline the
inconsistency, in that nothing in those
These rules will affect various federal laws or regulations would appear to responsibilities of the Food and Drug
programs, some of which may have restrict the provider’s ability to comply Administration with regard to
requirements that are, or appear to be, with the privacy regulation’s monitoring the safety and effectiveness
inconsistent with the requirements of requirements. of drugs and devices. Part of the
these regulations. These programs There may, however, be authorities agency’s responsibility is to obtain
include those operated directly by the under which either the requirements of reports about adverse events, track
federal government (such as health the enabling legislation or of the medical devices, and engage in other
programs for military personnel and program regulations would impose types of post marketing surveillance.
veterans) as well as programs in which requirements that differ from these Because many of these reports contain
health services or benefits are provided rules. protected health information, the
by the private sector or by state or local For example, regulations applicable to information within them may come
governments, but which are governed by the substance abuse block grant program within the purview of the privacy rules.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82485

Although some of these reports are defined to include the individual, the disclose protected health information
required by the Food, Drug, and clinical laboratory would have to for specific purposes.
Cosmetic Act or its accompanying provide the individual with these rights. When a covered entity is faced with
regulations, other types of reporting are Similarly, if the individual was the a question as to whether the privacy
voluntary. We believe that these reports, person who ordered the test and an regulation would prohibit the disclosure
while not mandated, play a critical role authorized person included such a of protected health information that it
in ensuring that individuals receive safe person, the laboratory would be seeks to disclose pursuant to a federal
and effective drugs and devices. required to provide the individual with law, the covered entity should
Therefore, in § 164.512(b)(1)(iii), we these rights. determine if the disclosure is required
have provided that covered entities may Additionally, CLIA regulations by that law. In other words, it must
disclose protected health information to exempt the components or functions of determine if the disclosure is mandatory
a person subject to the jurisdiction of ‘‘research laboratories that test human rather than merely permissible. If it is
the Food and Drug Administration for specimens but do not report patient mandatory, a covered entity may
specified purposes, such as reporting specific results for the diagnosis, disclose the protected health
adverse events, tracking medical prevention or treatment of any disease information pursuant to § 164.512(a),
devices, or engaging in other post or impairment of, or the assessment of which permits covered entities to
marketing surveillance. We describe the the health of individual patients’’ from disclose protected health information
scope and conditions of such the CLIA regulatory scheme. 42 CFR without an authorization when the
disclosures in more detail in 493.3(a)(2). If subject to the access disclosure is required by law. If the
§ 164.512(b). requirements of this regulation, such disclosure is not required (but only
entities would be forced to meet the permitted) by the federal law, the
Clinical Laboratory Improvement covered entity must determine if the
Amendments requirements of CLIA from which they
are currently exempt. To eliminate this disclosure comes within one of the
CLIA, 42 U.S.C. 263a, and the other permissible disclosures. If the
additional regulatory burden, we have
accompanying regulations, 42 CFR part disclosure does not come within one of
also excluded covered entities that are
493, require clinical laboratories to the provisions for permissible
exempt from CLIA under that rule from
comply with standards regarding the disclosures, the covered entity must
the access requirement of this
testing of human specimens. This law obtain an authorization from the
regulation.
requires clinical laboratories to disclose individual who is the subject of the
test results or reports only to authorized Although we are concerned about the information or de-identify the
persons, as defined by state law. If a lack of immediate access by the information before disclosing it.
state does not define the term, the individual, we believe that, in most If another federal law prohibits a
federal law defines it as the person who cases, individuals who receive clinical covered entity from using or disclosing
orders the test. tests will be able to receive their test information that is also protected health
We realize that the person ordering results or reports through the health information, but the privacy regulation
the test is most likely a health care care provider who ordered the test for permits the use or disclosure, a covered
provider and not the individual who is them. The provider will receive the entity will need to comply with the
the subject of the protected health information from the clinical laboratory. other federal law and not use or disclose
information included within the result Assuming that the provider is a covered the information.
or report. Under this requirement, entity, the individual will have the right
therefore, a clinical laboratory may be of access and right to inspect and copy Federal Disability Nondiscrimination
prohibited by law from providing the this protected health information Laws
individual who is the subject of the test through his or her provider. The federal laws barring
result or report with access to this Other Mandatory Federal or State Laws discrimination on the basis of disability
information. protect the confidentiality of certain
Although we believe individuals Many federal laws require covered medical information. The information
should be able to have access to their entities to provide specific information protected by these laws falls within the
individually identifiable health to specific entities in specific larger definition of ‘‘health information’’
information, we recognize that in the circumstances. If a federal law requires under this privacy regulation. The two
specific area of clinical laboratory a covered entity to disclose a specific primary disability nondiscrimination
testing and reporting, the Health Care type of information, the covered entity laws are the Americans with Disabilities
Financing Administration, through would not need an authorization under Act (ADA), 42 U.S.C. 12101 et seq., and
regulation, has provided that access may § 164.508 to make the disclosure the Rehabilitation Act of 1973, as
be more limited. To accommodate this because the final rule permits covered amended, 29 U.S.C. 701 et seq.,
requirement, we have provided at entities to make disclosures that are although other laws barring
§ 164.524(1)(iii) that covered entities required by law under § 164.512(a). discrimination on the basis of disability
maintaining protected health Other laws, such as the Social Security (such as the nondiscrimination
information that is subject to the CLIA Act (including its Medicare and provisions of the Workforce Investment
requirements do not have to provide Medicaid provisions), the Family and Act of 1988, 29 U.S.C. 2938) may also
individuals with a right of access to or Medical Leave Act, the Public Health apply. Federal disability
a right to inspect and obtain a copy of Service Act, Department of nondiscrimination laws cover two
this information if the disclosure of the Transportation regulations, the general categories of entities relevant to
information to the individual would be Environmental Protection Act and its this discussion: employers and entities
prohibited by CLIA. accompanying regulations, the National that receive federal financial assistance.
Not all clinical laboratories, however, Labor Relations Act, the Federal Employers are not covered entities
will be exempted from providing Aviation Administration, and the under the privacy regulation. Many
individuals with these rights. If a Federal Highway Administration rules, employers, however, are subject to the
clinical laboratory operates in a state in may also contain provisions that require federal disability nondiscrimination
which the term ‘‘authorized person’’ is covered entities or others to use or laws and, therefore, must protect the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82486 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

confidentiality of all medical Association of New England, Inc., 37 health, and disability-related
information concerning their applicants F.3d 12 (1st Cir. 1994)(setting forth three information. See, e.g., section 188 of the
and employees. bases for ADA Title I jurisdiction over Workforce Investment Act of 1988 (29
The employment provisions of the an employer-provided medical U.S.C. 2938) and 29 CFR 37.3(b). Thus,
ADA, 42 U.S.C. 12111 et seq., expressly reimbursement plan, in a discrimination covered entities that are subject to this
cover employers of 15 or more challenge to the plan’s HIV/AIDS cap). privacy regulation, may also be subject
employees, employment agencies, labor Transmission of applicant or employee to the restrictions in these laws as well.
organizations, and joint labor- health information by the employer’s
management committees. Since 1992, U.S. Safe Harbor Privacy Principles
management to the group health plan
employment discrimination complaints (European Union Directive on Data
may be permitted under the ADA
arising under sections 501, 503, and 504 Protection)
standards as the use of medical
of the Rehabilitation Act also have been information for insurance purposes. The E.U. Directive became effective in
subject to the ADA’s employment Similarly, disclosure of such medical October 1998 and prohibits European
nondiscrimination standards. See information by the group health plan, Union Countries from permitting the
‘‘Rehabilitation Act Amendments,’’ Pub. under the limited circumstances transfer of personal data to another
L. No. 102–569, 106 Stat. 4344. permitted by this privacy regulation, country without ensuring that an
Employers subject to ADA may involve use of the information for ‘‘adequate level of protection,’’ as
nondiscrimination standards have insurance purposes as broadly described determined by the European
confidentiality obligations regarding in the ADA discussion above. Commission, exists in the other country
applicant and employee medical Entities that receive federal financial or pursuant to one of the Directive’s
information. Employers must treat such assistance, which may also be covered derogations of this rule, such as
medical information, including medical entities under the privacy regulation, pursuant to unambiguous consent or to
information from voluntary health or are subject to section 504 of the fulfill a contract with the individual. In
wellness programs and any medical Rehabilitation Act (29 U.S.C. 794) and July 2000, the European Commission
information that is voluntarily disclosed its implementing regulations. Each concluded that the U.S. Safe Harbor
as a confidential medical record, subject federal agency has promulgated such Privacy Principles 1 constituted
to limited exceptions. regulations that apply to entities that ‘‘adequate protection.’’ Adherence to the
Transmission of health information by receive financial assistance from that Principles is voluntary. Organizations
an employer to a covered entity, such as agency (‘‘recipients’’). These regulations wishing to engage in the exchange of
a group health plan, is governed by the may limit the disclosure of medical personal data with E.U. countries may
ADA confidentiality restrictions. The information about persons who apply to assert compliance with the Principles as
ADA, however, has been interpreted to or participate in a federal financially one means of obtaining data from E.U.
permit an employer to use medical assisted program or activity. For countries.
information for insurance purposes. See example, the Department of Labor’s The Department of Commerce, which
29 CFR part 1630 App. at § 1630.14(b) section 504 regulation (found at 29 CFR negotiated these Principles with the
(describing such use with reference to part 32), consistent with the ADA European Commission, has provided
29 CFR 1630.16(f), which in turn standards, requires recipients that guidance for U.S. organizations seeking
explains that the ADA regulation ‘‘is not conduct employment-related programs, to adhere to the guidelines and comply
intended to disrupt the current including employment training with U.S. law. We believe this guidance
regulatory structure for self-insured programs, to maintain confidentiality addresses the concerns covered entities
employers * * * or current industry regarding any information about the seeking to transfer personal data from
practices in sales, underwriting, pricing, medical condition or history of E.U. countries may have. When ‘‘U.S.
administrative and other services, applicants to or participants in the law imposes a conflicting obligation,
claims and similar insurance related program or activity. Such information U.S. organizations whether in the safe
activities based on classification of risks must be kept separate from other harbor or not must comply with the
as regulated by the states’’). See also, information about the applicant or law.’’ An organization does not need to
‘‘Enforcement Guidance on Disability- participant and may be provided to comply with the Principles if a
Related Inquiries and Medical certain specified individuals and conflicting U.S. law ‘‘explicitly
Examinations of Employees under the entities, but only under certain limited authorizes’’ the particular conduct. The
Americans with Disabilities Act,’’ 4, circumstances described in the organization’s non-compliance is
n.10 (July 26, 2000), ll FEP Manual regulation. See 29 CFR 32.15(d). Apart ‘‘limited to the extent necessary to meet
(BNA) ll (‘‘Enforcement Guidance on from those circumstances, the the overriding legitimate interests
Employees’’). See generally, ‘‘ADA information must be afforded the same further[ed] by such authorization.’’
Enforcement Guidance on confidential treatment as medical However, if only a difference exists such
Preemployment Disability-Related records, id. Also, recipients of federal that an ‘‘option is allowable under the
Questions and Medical Examinations’’ financial assistance from the Principles and/or U.S. law,
(October 10, 1995), 8 FEP Manual (BNA) Department of Health and Human organizations are expected to opt for the
405:7191 (1995) (also available at http:/ Services, such as hospitals, are subject higher protection where possible.’’
/www.eeoc.gov). Thus, use of medical to the ADA’s employment Questions regarding compliance and
information for insurance purposes may nondiscrimination standards. They interpretation will be decided based on
include transmission of health must, accordingly, maintain U.S. law. See Department of Commerce,
information to a covered entity. confidentiality regarding the medical Memorandum on Damages for Breaches
If an employer-sponsored group condition or history of applicants for
health plan is closely linked to an employment and employees. 1 The Principles are: (1) Notice; (2) Choice (i.e.,

employer, the group health plan may be The statutes and implementing consent); (3) Onward Transfer (i.e., subsequent
subject to ADA confidentiality regulations under which the federal disclosures); (4) Security; (5) Data Integrity; (6)
Access; and (7) Enforcement. Department of
restrictions, as well as this privacy financial assistance is provided may Commerce, Safe Harbor Principles, July 21, 2000
regulation. See Carparts Distribution contain additional provisions regulating (‘‘Principles’’). They do not apply to manually
Center, Inc. v. Automotive Wholesaler’s collection and disclosure of medical, processed data.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82487

of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000, 65 FR 45666 (2000). The Principles and our privacy regulation are based on common principles of fair information practices. We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles. If a true conflict arises between the privacy regulation and the Principles, the Department of Commerce’s guidance provides that an entity must comply with the U.S. law.

Part 160—Subpart C—Compliance and Enforcement

Proposed § 164.522 included five paragraphs addressing activities related to the Secretary’s enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.

Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.

We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, “Compliance and Enforcement.” Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to “this subpart” to violations of “the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.” Third, the final rule at § 160.306(a) provides that any person, not just an “individual” (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. Seventh, § 160.310(c)(1) provides that the Secretary must be provided access to a covered entity’s facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160.312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.

Part 164—Subpart A—General Provisions

Section 164.102—Statutory Basis

In the NPRM, we provided that the provisions of this part are adopted pursuant to the Secretary’s authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104–191. The final rule adopts this language.

Section 164.104—Applicability

In the NPRM, we provided that except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act. The final rule adopts this language.


Section 164.106—Relationship to Other Parts

The final rule adds a new provision stating that in complying with the requirements of this part, covered entities are required to comply with the applicable provisions of parts 160 and 162 of this subchapter. This language references Subchapter C in this regulation, Administrative Data Standards and Related Requirements; Part 160, General Administrative Requirements; and Part 162, Administrative Requirements. Part 160 includes requirements such as keeping records and submitting compliance reports to the Secretary and cooperating with the Secretary’s complaint investigations and compliance reviews. Part 162 includes requirements such as requiring a covered entity that conducts an electronic transaction, adopted under this part, with another covered entity to conduct the transaction as a standard transaction as adopted by the Secretary.

Part 164—Subpart B–D—Reserved

Part 164—Subpart E—Privacy

Section 164.500—Applicability

The discussion below describes the entities and the information that are subject to the final regulation.

Many of the provisions of the regulation are presented as “standards.” Generally, the standards indicate what must be accomplished under the regulation and implementation specifications describe how the standards must be achieved.

Covered Entities

We proposed in the NPRM to apply the standards in the regulation to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The proposal referred to these entities as “covered entities.”

We have revised § 164.500 to clarify the applicability of the rule to health care clearinghouses. As we stated in the preamble to the NPRM, we believe that in most instances health care clearinghouses will receive protected health information as a business associate to another covered entity. This understanding was confirmed by the comments and by our fact finding. Clearinghouses rarely have direct contact with individuals, and usually will not be in a position to create protected health information or to receive it directly from them. Unlike health plans and providers, clearinghouses usually convey and repackage information and do not add materially to the substance of protected health information of an individual.

The revised language provides that clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. As revised, a clearinghouse acting as a business associate is subject only to the provisions of this section, to the definitions, to the general rules for uses and disclosures of protected health information (subject to limitations), to the provision relating to health care components, to the provisions relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required (subject to limitations), to the transition requirements and to the compliance date. With respect to the uses and disclosures authorized under § 164.502 or § 164.512, a clearinghouse acting as a business associate is not authorized by the rule to make any use or disclosure not permitted by its business associate contract. Clearinghouses acting as business associates are not subject to the other requirements of this rule, which include the provisions relating to procedural requirements, requirements for obtaining consent, individual authorization or agreement, provision of a notice, individual rights to request privacy protection, access and amend information and receive an accounting of disclosures and the administrative requirements.

We note that, even as business associates, clearinghouses remain covered entities. Clearinghouses, like other covered entities, are responsible under this regulation for abiding by the terms of business associate contracts. For example, while the provisions regarding individuals’ access to and right to request corrections to protected health information about them apply only to health plans and covered health care providers, clearinghouses may have some responsibility for providing such access under their business associate contracts. A clearinghouse (or any other covered entity) that violates the terms of a business associate contract also is in direct violation of this rule and, as a covered entity, is subject to compliance and enforcement action.

We clarify that a covered entity is only subject to these rules to the extent that they possess protected health information. Moreover, these rules only apply with regard to protected health information. For example, if a covered entity does not disclose or receive from its business associate any protected health information and no protected health information is created or received by its business associate on behalf of the covered entity, then the business associate requirements of this rule do not apply.

We clarify that the Department of Defense or any other federal agency and any non-governmental organization acting on its behalf, is not subject to this rule when it provides health care in another country to foreign national beneficiaries. The Secretary believes that this exemption is warranted because application of the rule could have the unintended effect of impeding or frustrating the conduct of such activities, such as interfering with the ability of military command authorities to obtain protected health information on prisoners of war, refugees, or detainees for whom they are responsible under international law. See the preamble to the definition of “individual” for further discussion.

Covered Information

We proposed in the NPRM to apply the requirements of the rule to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity. The provisions would have applied to the information itself, referred to as protected health information in the rule, and not to the particular records in which the information is contained. We proposed that once information was maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists while held by a covered entity. The proposal would not have applied to information that was never electronically maintained or transmitted by a covered entity.

In the final rule, we extend the scope of protections to all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See § 164.501, definition of “protected health information,” for further discussion.)

Section 164.501—Definitions

Correctional Institution

The proposed rule did not define the term correctional institution. The final rule defines correctional institution as any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States,


a state, a territory, a political subdivision of a state or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. This language was necessary to explain the privacy rights and protections of inmates in this regulation.

Covered Functions

We add a new term, “covered functions,” as a shorthand way of expressing and referring to the functions that the entities covered by section 1172(a) of the Act perform. Section 1171 defines the terms “health plan”, “health care provider”, and “health care clearinghouse” in functional terms. Thus, a “health plan” is an individual or group plan “that provides, or pays the cost of, medical care * * *”, a “health care provider” “furnish[es] health care services or supplies,” and a “health care clearinghouse” is an entity “that processes or facilitates the processing of * * * data elements of health information * * *”. Covered functions, therefore, are the activities that any such entity engages in that are directly related to operating as a health plan, health care provider, or health care clearinghouse; that is, they are the functions that make it a health plan, health care provider, or health care clearinghouse.

The term “covered functions” is not intended to include various support functions, such as computer support, payroll and other office support, and similar support functions, although we recognize that these support functions must occur in order for the entity to carry out its health care functions. Because such support functions are often also performed for parts of an organization that are not doing functions directly related to the health care functions and may involve access to and/or use of protected health information, the rules below describe requirements for ensuring that workforce members who perform these support functions do not impermissibly use or disclose protected health information. See § 164.504.

Data Aggregation

The NPRM did not include a definition of data aggregation. In the final rule, data aggregation is defined, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, as the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. The definition is included in the final rule to help describe how business associates can assist covered entities to perform health care operations that involve comparative analysis of protected health information from otherwise unaffiliated covered entities. Data aggregation is a service that gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate.

Designated Record Set

In the proposed rule, we defined designated record set as “a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual.” We defined a “record” as “any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.”

In the final rule, we modify the definition of designated record set to specify certain records maintained by or for a covered entity that are always part of a covered entity’s designated record sets and to include other records that are used to make decisions about individuals. We do not use the means of retrieval of a record as a defining criteria.

For health plans, designated record sets include, at a minimum, the enrollment, payment, claims adjudication, and case or medical management record systems of the plan. For covered health care providers, designated record sets include, at a minimum, the medical record and billing record about individuals maintained by or for the provider. In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. We note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity’s designated record sets. Although we do not specify particular types of records that are always included in the designated record sets of clearinghouses when they are not acting as business associates, this definition includes a group of records that such a clearinghouse uses, in whole or in part, to make decisions about individuals.

For the most part we retain, with slight modifications, the definition of “record,” defining it as any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated.

Direct Treatment Relationship

This term was not included in the proposed rule. Direct treatment relationship means a relationship between a health care provider and an individual that is not an indirect treatment relationship (see definition of indirect treatment relationship, below). For example, outpatient pharmacists and Web-based providers generally have direct treatment relationships with patients. Outpatient pharmacists fill prescriptions written by other providers, but they furnish the prescription and advice about the prescription directly to the patient, not through another treating provider. Web-based providers generally deliver health care independently, without the orders of another provider. A provider may have direct treatment relationships with some patients and indirect treatment relationships with others. In some provisions of the final rule, providers with indirect treatment relationships are excepted from requirements that apply to other providers. See § 164.506 regarding consent for uses and disclosures of protected health information for treatment, payment, and health care operations, and § 164.520 regarding notice of information practices. These exceptions apply only with respect to the individuals with whom the provider has an indirect treatment relationship.

Disclosure

We proposed to define “disclosure” to mean the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. The final rule is unchanged. We note that the transfer of protected health information from a covered entity to a business associate is a disclosure for purposes of this regulation.

Health Care Operations

The preamble to the proposed rule explained that in order for treatment and payment to occur, protected health


information must be used within entities and shared with business partners. In the proposed rule we provided a definition for “health care operations” to clarify the activities we considered to be “compatible with and directly related to” treatment and payment and for which protected health information could be used or disclosed without individual authorization. These activities included conducting quality assessment and improvement activities, reviewing the competence or qualifications and accrediting/licensing of health care professionals and plans, evaluating health care professional and health plan performance, training future health care professionals, insurance activities relating to the renewal of a contract for insurance, conducting or arranging for medical review and auditing services, and compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding. Recognizing the dynamic nature of the health care industry, we acknowledged that the specified categories may need to be modified as the industry evolves.

The preamble discussion of the proposed general rules listed certain activities that would not be considered health care operations because they were sufficiently unrelated to treatment and payment to warrant requiring an individual to authorize such use or disclosure. Those activities included: marketing of health and non-health items and services; disclosure of protected health information for sale, rent or barter; use of protected health information by a non-health related division of an entity; disclosure of protected health information for eligibility, enrollment, underwriting, or risk rating determinations prior to an individuals’ enrollment in a health plan; disclosure to an employer for employment determinations; and fundraising.

In the final rule, we do not change the general approach of defining health care operations: health care operations are the listed activities undertaken by the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the operations of a second covered entity); a covered entity may use any protected health information it maintains for its operations (e.g., a plan may use protected health information about former enrollees as well as current enrollees); we expand the proposed list to reflect many changes requested by commenters.

We modify the proposal that health care operations represent activities “in support of” treatment and payment functions. Instead, in the final rule, health care operations are the enumerated activities to the extent that the activities are related to the covered entity’s functions as a health care provider, health plan or health care clearinghouse, i.e., the entity’s “covered functions.” We make this change to clarify that health care operations includes general administrative and business functions necessary for the covered entity to remain a viable business. While it is possible to draw a connection between all the enumerated activities and “treatment and payment,” for some general business activities (e.g., audits for financial disclosure statements) that connection may be tenuous. The proposed concept also did not include the operations of those health care clearinghouses that may be covered by this rule outside their status as business associate to a covered entity. We expand the definition to include disclosures for the enumerated activities of organized health care arrangements in which the covered entity participates. See also the definition of organized health care arrangements, below.

In addition, we make the following changes and additions to the enumerated subparagraphs:

(1) We add language to clarify that the primary purpose of the studies encompassed by “quality assessment and improvement activities” must not be to obtain generalizable knowledge. A study with such a purpose would meet the rule’s definition of research, and use or disclosure of protected health information would have to meet the requirements of §§ 164.508 or 164.512(i). Thus, studies may be conducted as a health care operation if development of generalizable knowledge is not the primary goal. However, if the study changes and the covered entity intends the results to be generalizable, the change should be documented by the covered entity as proof that, when initiated, the primary purpose was health care operations.

We add population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not entail direct patient care. Many commenters recommended adding the term “disease management” to health care operations. We were unable, however, to find a generally accepted definition of the term. Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment. This topic is discussed further in the comment responses below.

(2) We have deleted “undergraduate and graduate” as a qualifier for “students,” to make the term more general and inclusive. We add the term “practitioners.” We expand the purposes encompassed to include situations in which health care providers are working to improve their skills. The rule also adds the training of non-health care professionals.

(3) The rule expands the range of insurance related activities to include those related to the creation, renewal or replacement of a contract for health insurance or health benefits, as well as ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss and excess of loss insurance). For these activities, we also eliminate the proposed requirement that these uses and disclosures apply only to protected health information about individuals already enrolled in a health plan. Under this provision, a group health plan that wants to replace its insurance carrier may disclose certain protected health information to insurance issuers in order to obtain bids on new coverage, and an insurance carrier interested in bidding on new business may use protected health information obtained from the potential new client to develop the product and pricing it will offer. For circumstances in which no new contract is issued, we add a provision in § 164.514(g) restricting the recipient health plan from using or disclosing protected health information obtained for this purpose, other than as required by law. Uses and disclosures in these cases come within the definition of “health care operations,” provided that the requirements of § 164.514(g) are met, if applicable. See § 164.504(f) for requirements for such disclosures by group health plans, as well as specific restrictions on the information that may be disclosed to plan sponsors for such purposes. We note that a covered health care provider must obtain an authorization under § 164.508 in order to disclose protected health information about an individual for purposes of pre-enrollment underwriting; the underwriting is not an “operation” of the provider and that disclosure is not otherwise permitted by a provision of this rule.

(4) We delete reference to the “compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding” and replace it with a broader reference to


conducting or arranging for “legal services.”

We add two new categories of activities:

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.

(6) Business management activities and general administrative functions, such as management activities relating to implementation of and compliance with the requirements of this subchapter, fundraising for the benefit of the covered entity to the extent permitted without authorization under § 164.514(f), and marketing of certain services to individuals served by the covered entity, to the extent permitted without authorization under § 164.514(e) (see discussion in the preamble to that section, below). For example, under this category we permit uses or disclosures of protected health information to determine from whom an authorization should be obtained, for example to generate a mailing list of individuals who would receive an authorization request.

We add to the definition of health care operations disclosure of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity’s business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the transfer or sale is completed. Other types of sales of

representatives are not providing services to or for the covered entity, and, therefore, no business associate contract is required. Also included are resolution of disputes from patients or enrollees regarding the quality of care and similar matters.

We also add use for customer service, including the provision of data and statistical analyses for policyholders, plan sponsors, or other customers, as long as the protected health information is not disclosed to such persons. We recognize that part of the general management of a covered entity is customer service. We clarify that customer service may include the use of protected health information to provide data and statistical analyses. For example, a plan sponsor may want to understand why its costs are rising faster than average, or why utilization in one plant location is different than in another location. An association that sponsors an insurance plan for its members may want information on the relative costs of its plan in different areas. Some plan sponsors may want more detailed analyses that attempt to identify health problems in a work site. We note that when a plan sponsor has several different group health plans, or when such plans provide insurance or coverage through more than one health insurance issuer or HMO, the covered entities may jointly engage in this type of analysis as a health care operation of the organized health care arrangement. This activity qualifies as a health care operation only if it does not result in the disclosure of protected health information to the customer. The results of the analyses must be presented in a way that does not disclose protected health information. A disclosure of protected health information to the customer as a health care operation under this provision violates this rule. This provision is not intended to permit

associated entities, that hold themselves out as an organized arrangement to share protected health information under § 164.506. In these cases, the sharing of protected health information will be either for the operations of the disclosing entity or for the organized health care arrangement in which the entity is participating.

Whether a disclosure is allowable for health care operations under this provision is determined separately from whether a business associate contract is required. These provisions of the rule operate independently. Disclosures for health care operations may be made to an entity that is neither a covered entity nor a business associate of the covered entity. For example, a covered academic medical center may disclose certain protected health information to community health care providers who participate in one of its continuing medical education programs, whether or not such providers are covered health care providers under this rule. A provider attending a continuing education program is not thereby performing services for the covered entity sponsoring the program and, thus, is not a business associate for that purpose. Similarly, health plans may disclose for due diligence purposes to another entity that may or may not be a covered entity or a business associate.

Health Oversight Agency

The proposed rule would have defined “health oversight agency” as “an agency, person, or entity, including the employees or agents thereof, (1) That is: (i) A public agency; or (ii) A person or entity acting under grant of authority from or contract with a public agency; and (2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for
assets, or disclosures to organizations covered entities to circumvent other appropriate oversight of the health care
that are not and would not become provisions in this rule, including system, of government benefit programs
covered entities, are not included in the requirements relating to disclosures of for which health information is relevant
definition of health care operations and protected health information to plan to beneficiary eligibility, or of
could only occur if the covered entity sponsors or the requirements relating to government regulatory programs for
obtained valid authorization for such research. See § 164.504(f) and which health information is necessary
disclosure in accordance with § 164.508, § 164.512(i). for determining compliance with
or if the disclosure is otherwise We use the term customer to provide program standards.’’ The proposed rule
permitted under this rule. flexibility to covered entities. We do not also described the functions of health
We also add to health care operations intend the term to apply to persons with oversight agencies in the proposed
disclosure of protected health whom the covered entity has no other health oversight section (§ 164.510(c))
information for resolution of internal business; this provision is intended to by repeating much of this definition.
grievances. These uses and disclosures permit covered entities to provide In the final rule, we modify the
include disclosure to an employee and/ service to their existing customer base. definition of health oversight agency by
or employee representative, for example We note that this definition, either eliminating from the definition the
when the employee needs protected alone or in conjunction with the language in proposed § 164.510(c) (now
health information to demonstrate that definition of ‘‘organized health care § 164.512(d)). In addition, the final rule
the employer’s allegations of improper arrangement,’’ allows an entity such as clarifies this definition by specifying
conduct are untrue. We note that such an integrated staff model HMO, whether that a ‘‘health oversight agency’’ is an
employees and employee legally integrated or whether a group of agency or authority of the United States,
a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or grantees, that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

The preamble to the proposed rule listed the following as examples of health oversight agencies that conduct oversight activities relating to the health care system: state insurance commissions, state health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, state Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. The proposed rule listed the Social Security Administration and the Department of Education as examples of health oversight agencies that conduct oversight of government benefit programs for which health information is relevant to beneficiary eligibility. The proposed rule listed the Occupational Health and Safety Administration and the Environmental Protection Agency as examples of oversight agencies that conduct oversight of government regulatory programs for which health information is necessary for determining compliance with program standards.

In the final rule, we include the following as additional examples of health oversight activities: (1) The U.S. Department of Justice’s civil rights enforcement activities, and in particular, enforcement of the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997–1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), as well as the EEOC’s civil rights enforcement activities under titles I and V of the ADA; (2) the FDA’s oversight of food, drugs, biologics, devices, and other products pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act (42 U.S.C. 201 et seq.); and (3) data analysis—performed by a public agency or by a person or entity acting under grant of authority from or under contract with a public agency—to detect health care fraud.

“Overseeing the health care system,” which is included in the definition of health oversight, encompasses activities such as: oversight of health care plans; oversight of health benefit plans; oversight of health care providers; oversight of health care and health care delivery; oversight activities that involve resolution of consumer complaints; oversight of pharmaceuticals, medical products and devices, and dietary supplements; and a health oversight agency’s analysis of trends in health care costs, quality, health care delivery, access to care, and health insurance coverage for health oversight purposes.

We recognize that health oversight agencies, such as the U.S. Department of Labor’s Pension and Welfare Benefits Administration, may perform more than one type of health oversight. For example, agencies may sometimes perform audits and investigations and at other times conduct general oversight of health benefit plans. Such entities are considered health oversight agencies under the rule for any and all of the health oversight functions that they perform.

The definition of health oversight agency does not include private organizations, such as private-sector accrediting groups. Accreditation organizations are performing health care operations functions on behalf of health plans and covered health care providers. Accordingly, in order to obtain protected health information without individuals’ authorizations, accrediting groups must enter into business associate agreements with health plans and covered health care providers for these purposes. Similarly, private entities, such as coding committees, that help government agencies that are health plans make coding and payment decisions are performing health care payment functions on behalf of the government agencies and, therefore, must enter into business associate agreements in order to receive protected health information from the covered entity (absent individuals’ authorization for such disclosure).

Indirect Treatment Relationship

This term was not included in the proposed rule. An “indirect treatment relationship” is a relationship between a health care provider and an individual in which the provider delivers health care to the individual based on the orders of another health care provider and the health care services, products, diagnoses, or results are typically furnished to the patient through another provider, rather than directly. For example, radiologists and pathologists generally have indirect treatment relationships with patients because they deliver diagnostic services based on the orders of other providers and the results of those services are furnished to the patient through the direct treating provider. This definition is necessary to clarify the relationships between providers and individuals in the regulation. For example, see the consent discussion at § 164.506.

Individual

We proposed to define “individual” to mean the person who is the subject of the protected health information. We proposed that the term include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), the following types of legal representatives:

(1) With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person’s rights in such contexts.

(2) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual with respect to the protected health information relating to such care.

(3) With respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent’s estate.

In addition, we proposed to exclude from the definition:

(1) Foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the Department of Defense or other federal agency or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute.

(2) Overseas foreign national beneficiaries of health care provided by the Department of Defense or other federal agency or by a non-governmental organization acting on its behalf.

In the final rule, we eliminate from the definition of “individual” the provisions designating a legal representative as the “individual” for purposes of exercising certain rights with regard to protected health information. Instead, we include in the final rule a separate standard for “personal representatives.” A covered entity must treat a personal representative of an individual as the individual except under specified circumstances. See discussion in
§ 164.502(g) regarding personal representatives.

In addition, we eliminate from the definition of “individual” the above exclusions for foreign military and diplomatic personnel and overseas foreign national beneficiaries. We address the special circumstances for use and disclosure of protected health information about individuals who are foreign military personnel in § 164.512(k). We address overseas foreign national beneficiaries in § 164.500, “Applicability.” The protected health information of individuals who are foreign diplomatic personnel and their dependents is not subject to special treatment under the final rule.

Individually identifiable health information about one individual may exist in the health records of another individual; health information about one individual may include health information about a second person. For example, a patient’s medical record may contain information about the medical conditions of the patient’s parents, children, and spouse, as well as their names and contact information. For the purpose of this rule, if information about a second person is included within the protected health information of an individual, the second person is not the person who is the subject of the protected health information. The second person is not the “individual” with regard to that protected health information, and under this rule thus does not have the individual’s rights (e.g., access and amendment) with regard to that information.

Individually Identifiable Health Information

We proposed to define “individually identifiable health information” to mean information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

In the final rule, we change “created by or received from a health care provider * * *” to “created or received by a health care provider * * *” in order to conform to the statute. We otherwise retain the definition of “individually identifiable health information” without change in the final rule.

Inmate

The proposed rule did not define the term inmate. In the final rule, it is defined as a person incarcerated in or otherwise confined to a correctional institution. The addition of this definition is necessary to explain the privacy rights and protections of inmates in this regulation.

Law Enforcement Official

The proposed rule would have defined a “law enforcement official” as “an official of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to conduct: (1) An investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or (2) a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.”

The final rule modifies this definition slightly. The definition in the final rule recognizes that law enforcement officials are empowered to prosecute cases as well as to conduct investigations and civil, criminal, or administrative proceedings. In addition, the definition in the final rule reflects the fact that when investigations begin, often it is not clear that law has been violated. Thus, the final rule describes law enforcement investigations and official proceedings as inquiring into a potential violation of law. In addition, it describes law enforcement-related civil, criminal, or administrative proceedings as arising from alleged violation of law.

Marketing

The proposed rule did not include a definition of “marketing.” The proposed rule generally required that a covered entity would need an authorization from an individual to use or disclose protected health information for marketing.

In the final rule we define marketing as a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service. The definition does not limit the type or means of communication that are considered marketing.

The definition of marketing contains three exceptions. If a covered entity

receives direct or indirect remuneration from a third party for making a written communication otherwise described in an exception, then the communication is not excluded from the definition of marketing. The activities we except from the definition of marketing are encompassed by the definitions of treatment, payment, and health care operations. Covered entities may therefore use and disclose protected health information for these excepted activities without authorization under § 164.508 and pursuant to any applicable consent obtained under § 164.506.

The first exception applies to communications made by a covered entity for the purpose of describing the entities participating in a provider network or health plan network. It also applies to communications made by a covered entity for the purpose of describing if and the extent to which a product or service, or payment for a product or service, is provided by the covered entity or included in a benefit plan. This exception permits covered entities to use or disclose protected health information when discussing topics such as the benefits and services available under a health plan, the payment that may be made for a product or service, which providers offer a particular product or service, and whether a provider is part of a network or whether (and what amount of) payment will be provided with respect to the services of particular providers. This exception expresses our intent not to interfere with communications made to individuals about their health benefits.

The second exception applies to communications tailored to the circumstances of a particular individual, made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual. This exception leaves health care providers free to use or disclose protected health information as part of a discussion of its products and services, or the products and services of others, and to prescribe, recommend, or sell such products or services, as part of the treatment of an individual. This exception includes activities such as referrals, prescriptions, recommendations, and other communications that address how a product or service may relate to the individual’s health. This exception expresses our intent not to interfere with communications made to individuals about their treatment.

The third exception applies to communications tailored to the
circumstances of a particular individual and made by a health care provider or health plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, providers, or settings of care. As with the previous exception, this exception permits covered entities to discuss freely their products and services and the products and services of third parties, in the course of managing an individual’s care or providing or discussing treatment alternatives with an individual, even when such activities involve the use or disclosure of protected health information.

Section 164.514 contains provisions governing use or disclosure of protected health information in marketing communications, including a description of certain marketing communications that may use or include protected health information but that may be made by a covered entity without individual authorization. The definition of health care operations includes those marketing communications that may be made without an authorization pursuant to § 164.514. Covered entities may therefore use and disclose protected health information for these activities pursuant to any applicable consent obtained under § 164.506, or, if they are not required to obtain a consent under § 164.506, without one.

Organized Health Care Arrangement

This term was not used in the proposed rule. We define the term in order to describe certain arrangements in which participants need to share protected health information about their patients to manage and benefit the common enterprise. To allow uses and disclosures of protected health information for these arrangements, we also add language to the definition of “health care operations.” See discussion of that term above.

We include five arrangements within the definition of organized health care arrangement. The arrangements involve clinical or operational integration among legally separate covered entities in which it is often necessary to share protected health information for the joint management and operations of the arrangement. They may range in legal structure, but a key component of these arrangements is that individuals who obtain services from them have an expectation that these arrangements are integrated and that they jointly manage their operations. We include within the definition a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. Perhaps the most common example of this type of organized health care arrangement is the hospital setting, where a hospital and a physician with staff privileges at the hospital together provide treatment to the individual. Participants in such clinically integrated settings need to be able to share health information freely not only for treatment purposes, but also to improve their joint operations. For example, any physician with staff privileges at a hospital must be able to participate in the hospital’s morbidity and mortality reviews, even when the particular physician’s patients are not being discussed. Nurses and other hospital personnel must also be able to participate. These activities benefit the common enterprise, even when the benefits to a particular participant are not evident. While protected health information may be freely shared among providers for treatment purposes under other provisions of this rule, some of these joint activities also support the health care operations of one or more participants in the joint arrangement. Thus, special rules are needed to ensure that this rule does not interfere with legitimate information sharing among the participants in these arrangements.

We also include within the definition an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and in which the joint activities of the participating covered entities include at least one of the following: utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf; quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or payment activities, if the financial risk for delivering health care is shared in whole or in part by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk. A common example of this type of organized health care arrangement is an independent practice association formed by a large number of physicians. They may advertise themselves as a common enterprise (e.g., Acme IPA), whether or not they are under common ownership or control, whether or not they practice together in an integrated clinical setting, and whether or not they share financial risk.

If such a group engages jointly in one or more of the listed activities, the participating covered entities will need to share protected health information to undertake such activities and to improve their joint operations. In this example, the physician participants in the IPA may share financial risk through common withhold pools with health plans or similar arrangements. The IPA participants who manage the financial arrangements need protected health information about all the participants’ patients in order to manage the arrangement. (The participants may also hire a third party to manage their financial arrangements.) If the participants in the IPA engage in joint quality assurance or utilization review activities, they will need to share protected health information about their patients much as participants in an integrated clinical setting would. Many joint activities that require the sharing of protected health information benefit the common enterprise, even when the benefits to a particular participant are not evident.

We include three relationships related to group health plans as organized health care arrangements. First, we include a group health plan and an issuer or HMO with respect to the group health plan within the definition, but only with respect to the protected health information of the issuer or HMO that relates to individuals who are or have been participants or beneficiaries in the group health plan. We recognize that many group health plans are funded partially or fully through insurance, and that in some cases the group health plan and issuer or HMO need to coordinate operations to properly serve the enrollees. Second, we include a group health plan and one or more other group health plans each of which are maintained by the same plan sponsor. We recognize that in some instances plan sponsors provide health benefits through a combination of group health plans, and that they may need to coordinate the operations of such plans to better serve the participants and beneficiaries of the plans. Third, we include a combination of group health plans maintained by the same plan sponsor and the health insurance issuers and HMOs with respect to such plans, but again only with respect to the protected health information of such issuers and HMOs that relates to
individuals who are or have been enrolled in such group health plans. We recognize that in some instances a plan sponsor may provide benefits through more than one group health plan, and that such plans may fund the benefits through one or more issuers or HMOs. Again, coordinating health care operations among these entities may be necessary to serve the participants and beneficiaries in the group health plans. We note that the necessary coordination may necessarily involve the business associates of the covered entities and may involve the participation of the plan sponsor to the extent that it is providing plan administration functions and subject to the limits in § 164.504.

Payment

We proposed the term payment to mean:

(1) The activities undertaken by or on behalf of a covered entity that is:

(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or

(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.

(2) Activities that constitute payment include:

(i) Determinations of coverage, adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, and medical data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(v) Utilization review activities, including precertification and preauthorization of services.

In the final rule, we maintain the general approach of defining payment: payment activities are described generally in the first clause of the definition, and specific examples are given in the second clause. Payment activities relate to the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the payment activities of

provider may disclose protected health information only about the patient to whom care was rendered in order to obtain payment for that care, or only the protected health information about persons enrolled in the particular health plan that seeks to audit the provider’s records). We expand the proposed list to reflect many changes requested by commenters.

We add eligibility determinations as an activity included in the definition of payment. We expand coverage determinations to include the coordination of benefits and the determination of a specific individual’s cost sharing amounts. The rule deletes activities related to the improvement of methods of paying or coverage policies from this definition and instead includes them in the definition of health care operations. We add to the definition “collection activities.” We replace “medical data processing” activities with health care data processing related to billing, claims management, and collection activities. We add activities for the purpose of obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance). Utilization review activities now include concurrent and retrospective review of services.

In addition, we modify this definition to clarify that the activities described in section 1179 of the Act are included in the definition of “payment.” We add new subclause (vi) allowing covered entities to disclose to consumer reporting agencies an individual’s name, address, date of birth, social security number and payment history, account number, as well as the name and address of the individual’s health care provider and/or health plan, as appropriate. Covered entities may make disclosure of this protected health information to consumer reporting agencies for purposes related to collection of premiums or reimbursement. This allows reporting not just of missed payments and overdue debt but also of subsequent positive payment experience (e.g., to expunge the debt). We consider such positive payment experience to be “related to” collection of premiums or reimbursement.

The remaining activities described in section 1179 are included in other language in this definition. For example, “authorizing, processing, clearing, settling, billing, transferring, reconciling

information for “billing, claims management, collection activities and related health care data processing.” “Claims management” also includes auditing payments, investigating and resolving payment disputes and responding to customer inquiries regarding payments. Disclosure of protected health information for compliance with civil or criminal subpoenas, or with other applicable laws, is covered under § 164.512 of this regulation. (See discussion above regarding the interaction between 1179 and this regulation.)

We modify the proposed regulation text to clarify that payment includes activities undertaken to reimburse health care providers for treatment provided to individuals.

Covered entities may disclose protected health information for payment purposes to any other entity, regardless of whether it is a covered entity. For example, a health care provider may disclose protected health information to a financial institution in order to cash a check or to a health care clearinghouse to initiate electronic transactions. However, if a covered entity engages another entity, such as a billing service or a financial institution, to conduct payment activities on its behalf, the other entity may meet the definition of “business associate” under this rule. For example, an entity is acting as a business associate when it is operating the accounts receivable system on behalf of a health care provider.

Similarly, payment includes disclosure of protected health information by a health care provider to an insurer that is not a “health plan” as defined in this rule, to obtain payment. For example, protected health information may be disclosed to obtain reimbursement from a disability insurance carrier. We do not interpret the definition of “payment” to include activities that involve the disclosure of protected health information by a covered entity, including a covered health care provider, to a plan sponsor for the purpose of obtaining payment under a group health plan maintained by such plan sponsor, or for the purpose of obtaining payment from a health insurance issuer or HMO with respect to a group health plan maintained by such plan sponsor, unless the plan sponsor is performing plan administration pursuant to § 164.504(f).

The Transactions Rule adopts
a second covered entity). A covered or collecting, a payment for, or related standards for electronic health care
entity may use or disclose only the to, health plan premiums or health transactions, including two for
protected health information about the care’’ are covered by paragraph (2)(iii) of processing payments. We adopted the
individual to whom care was rendered, the definition, which allows use and ASC X12N 835 transaction standard for
for its payment activities (e.g., a disclosure of protected health ‘‘Health Care Payment and Remittance

Advice’’ transactions between health plans and health care providers, and the ASC X12N 820 standard for ‘‘Health Plan Premium Payments’’ transactions between entities that arrange for the provision of health care or provide health care coverage payments and health plans. Under these two transactions, information to effect funds transfer is transmitted in a part of the transaction separable from the part containing any individually identifiable health information.

We note that a covered entity may conduct the electronic funds transfer portion of the two payment standard transactions with a financial institution without restriction, because it contains no protected health information. The protected health information contained in the electronic remittance advice or the premium payment enrollee data portions of the transactions is not necessary either to conduct the funds transfer or to forward the transactions. Therefore, a covered entity may not disclose the protected health information to a financial institution for these purposes. A covered entity may transmit the portions of the transactions containing protected health information through a financial institution if the protected health information is encrypted so it can be read only by the intended recipient. In such cases no protected health information is disclosed and the financial institution is acting solely as a conduit for the individually identifiable data.

Plan Sponsor

In the final rule we add a definition of ‘‘plan sponsor.’’ We define plan sponsor by referencing the definition of the term provided in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA). The plan sponsor is the employer or employee organization, or both, that establishes and maintains an employee benefit plan. In the case of a plan established by two or more employers, it is the association, committee, joint board of trustees, or other similar group or representative of the parties that establish and maintain the employee benefit plan. This term includes church health plans and government health plans. Group health plans may disclose protected health information to plan sponsors who conduct payment and health care operations activities on behalf of the group health plan if the requirements for group health plans in § 164.504 are met.

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.

Protected Health Information

We proposed to define ‘‘protected health information’’ to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For purposes of this definition, we proposed to define ‘‘electronically transmitted’’ as including information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and ‘‘faxback’’ systems. We proposed that this definition not include ‘‘paper-to-paper’’ faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail.

Further, ‘‘electronically maintained’’ was proposed to mean information stored by a computer or on any electronic medium from which the information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

The proposal’s definition explicitly excluded:
(1) Individually identifiable health information that is part of an ‘‘education record’’ governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g.
(2) Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

In this final rule we expand the definition of protected health information to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. Specifically, we delete the conditions for individually identifiable health information to be ‘‘electronically maintained’’ or ‘‘electronically transmitted’’ and the corresponding definitions of those terms. Instead, the final rule defines protected health information to be individually identifiable health information that is:
(1) Transmitted by electronic media;
(2) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
(3) Transmitted or maintained in any other form or medium.

We refer to electronic media, as defined in § 162.103, which means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

The definition of protected health information is set out in this form to emphasize the severability of this provision. As discussed below, we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. We have structured the definition this way so that, if a court were to disagree with our view of our authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information.

Other provisions of the rules below may also be severable, depending on their scope and operation. For example, if the rule itself provides a fallback, as it does with respect to the various discretionary uses and disclosures permitted under § 164.512, the provisions would be severable under case law.

The definition in the final rule retains the exception relating to individually identifiable health information in ‘‘education records’’ governed by FERPA. We also exclude the records described in 20 U.S.C. 1232g(a)(4)(B)(iv). These are records of students held by post-secondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student’s request. (See discussion of FERPA above.)

We have removed the exception for individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. Individually identifiable health information about inmates is protected health information under the final rule, and special rules for use and disclosure of the protected health

information about inmates and their ability to exercise the rights granted in this rule are described below.

Psychotherapy Notes

Section 164.508(a)(3)(iv)(A) of the proposed rule defined psychotherapy notes as notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. The proposed definition excluded medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis and progress. Furthermore, we stated in the preamble of the proposed rule that psychotherapy notes would have to be maintained separately from the medical record.

In this final rule, we retain the definition of psychotherapy notes that we had proposed, but add to the regulation text the requirement that, to meet the definition of psychotherapy notes, the information must be separated from the rest of the individual’s medical record.

Public Health Authority

The proposed rule would have defined ‘‘public health authority’’ as ‘‘an agency or authority of the United States, a state, a territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.’’

The final rule changes this definition slightly to clarify that a ‘‘public health authority’’ also includes a person or entity acting under a grant of authority from or contract with a public health agency. Therefore, the final rule defines this term as an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Required By Law

In the preamble to the NPRM, we did not include a definition of ‘‘required by law.’’ We discussed what it meant for an action to be considered to be ‘‘required’’ or ‘‘mandated’’ by law and included several examples of activities that would be considered as required by law for the purposes of the proposed rule, including a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.

In the final rule we include a new definition, move the preamble clarifications to the regulatory text and add several items to the illustrative list. For purposes of this regulation, ‘‘required by law’’ means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Among the examples listed in definition are Medicare conditions of participation with respect to health care providers participating in that program, court-ordered warrants, and subpoenas issued by a court. We note that disclosures ‘‘required by law’’ include disclosures of protected health information required by this regulation in § 164.502(a)(2). It does not include contracts between private parties or similar voluntary arrangements. This list is illustrative only and is not intended in any way to limit the scope of this paragraph or other paragraphs in § 164.512 that permit uses or disclosures to the extent required by other laws. We note that nothing in this rule compels a covered entity to make a use or disclosure required by the legal demands or prescriptions listed in this clarification or by any other law or legal process, and a covered entity remains free to challenge the validity of such laws and processes.

Research

We proposed to define ‘‘research’’ as it is defined in the Federal Policy for the Protection of Human Subjects, at 45 CFR part 46, subpart A (referred to elsewhere in this rule as ‘‘Common Rule’’), and in addition, elaborated on the meaning of the term ‘‘generalizable knowledge.’’ In § 164.504 of the proposed rule we defined research as ‘‘* * * a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. ‘Generalizable knowledge’ is knowledge related to health that can be applied to populations outside of the population served by the covered entity.’’

The final rule eliminates the further elaboration of ‘‘generalizable knowledge.’’ Therefore, the rule defines ‘‘research’’ as the term is defined in the Common Rule: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

Research Information Unrelated to Treatment

We delete this definition and the associated requirements from the final rule. Refer to § 164.508(f) for new requirements regarding authorizations for research that includes treatment of the individual.

Treatment

The proposed rule defined ‘‘treatment’’ as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. The preamble noted that the definition was intended to relate only to services provided to an individual and not to an entire enrolled population.

In the final rule, we do not change the general approach to defining treatment: treatment means the listed activities undertaken by any health care provider, not just a covered health care provider. A plan can disclose protected health information to any health care provider to assist the provider’s treatment activities; and a health care provider may use protected health information about an individual to treat another individual. A health care provider may use any protected health information it maintains for treatment purposes (e.g., a provider may use protected health information about former patients as well as current patients). We modify the proposed list of treatment activities to reflect changes requested by commenters.

Specifically, we modify the proposed definition of ‘‘treatment’’ to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. ‘‘Treatment’’ includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider. Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered

by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan.

We delete specific reference to risk assessment, case management, and disease management. Activities often referred to as risk assessment, disease and case management are treatment activities only to the extent that they are services provided to a particular patient by a health care provider; population based analyses or records review for the purposes of treatment protocol development or modification are health care operations, not treatment activities. If a covered entity is licensed as both a health plan and a health care provider, a single activity could be considered to be both treatment and health care operations; for compliance purposes we would consider the purpose of the activity. Given the integration of the health care system we believe that further classification of activities into either treatment or health care operations would not be helpful. See the definition of health care operations for additional discussion.

Use

We proposed to define ‘‘use’’ to mean the employment, application, utilization, examination, or analysis of information within an entity that holds the information. In the final rule, we clarify that use refers to the use of individually identifiable health information. We replace the term ‘‘holds’’ with the term ‘‘maintains.’’ These changes are for clarity only, and are not intended to effect any substantive change.

Section 164.502—General Rules for Uses and Disclosures of Protected Health Information

Section 164.502(a)—Use and Disclosure for Treatment, Payment and Health Care Operations

As a general rule, we proposed in the NPRM to prohibit covered entities from using or disclosing protected health information except as authorized by the individual who is the subject of such information or as explicitly permitted by the rule. The proposed rule explicitly would have permitted covered entities to use or disclose an individual’s protected health information without authorization for treatment, payment, and health care operations. The proposal would not have restricted to whom disclosures could be made for the purposes of treatment, payment, or operations. The proposal would have allowed disclosure of the protected health information of one individual for the treatment or payment of another, as appropriate. We also proposed to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment, and health care operations unless required by state or other applicable law.

We proposed two exceptions to this general rule which prohibited covered entities from using or disclosing research information unrelated to treatment or psychotherapy notes for treatment, payment, or health care operations purposes unless a specific authorization was obtained from the subject of the information. In addition, we proposed that a covered entity be prohibited from conditioning treatment, enrollment in a health plan or payment decisions on a requirement that the individual provide a specific authorization for the disclosure of these two types of information (see proposed § 164.508(a)(3)(iii)).

We also proposed to permit covered entities to use or disclose an individual’s protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. In addition, the proposal would have permitted covered entities to use and disclose protected health information when required to do so by other law or pursuant to an authorization from the individual allowing them to use or disclose the information for purposes other than treatment, payment or health care operations.

We proposed to require covered entities to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about themselves and for enforcement of the rule.

We proposed not to require covered entities to vary the level of protection accorded to protected health information based on the sensitivity of such information. In addition, we proposed to require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements.

In the final rule, the general standard remains that covered entities may use or disclose protected health information only as permitted or required by this rule. However, we make significant changes to the conditions under which uses and disclosures are permitted.

We revise the application of the general standard to require covered health care providers who have a direct treatment relationship with an individual to obtain a general ‘‘consent’’ from the individual in order to use or disclose protected health information about the individual for treatment, payment and health care operations (for details on who must obtain such consents and the requirements they must meet, see § 164.506). These consents are intended to accommodate both the covered provider’s need to use or disclose protected health information for treatment, payment, and health care operations, and also the individual’s interest in understanding and acquiescing to such uses and disclosures. In general, other covered entities are permitted to use and disclose protected health information to carry out treatment, payment, or health care operations (as defined in this rule) without obtaining such consent, as in the proposed rule. Covered entities must, as under the proposed rule, obtain the individual’s ‘‘authorization’’ in order to use or disclose psychotherapy notes for most purposes: see § 164.508(a)(2) for exceptions to this rule. We delete the proposed special treatment of ‘‘research information unrelated to treatment.’’

We revise the application of the general standard to require all covered entities to obtain the individual’s verbal ‘‘agreement’’ before using or disclosing protected health information for facility directories, to persons assisting in the individual’s care, and for other purposes described in § 164.510. Unlike ‘‘consent’’ and ‘‘authorization,’’ verbal agreement may be informal and implied from the circumstances (for details on who must obtain such agreements and the requirements they must meet, see § 164.510). Verbal agreements are intended to accommodate situations where it is neither appropriate to remove from the individual the ability to control the protected health information nor appropriate to require formal, written permission to share such information. For the most part, these provisions reflect current practices.

As under the proposed rule, we permit covered entities to use or disclose protected health information without the individual’s consent, authorization or agreement for specified

public policy purposes, in compliance with the requirements in § 164.512.

We permit covered entities to disclose protected health information to the individual who is the subject of that information without any condition. We note that this may include disclosures to ‘‘personal representatives’’ of individuals as provided by § 164.502(g).

We permit a covered entity to use or disclose protected health information for other lawful purposes if the entity obtains a written ‘‘authorization’’ from the individual, consistent with the provisions of § 164.508. Unlike ‘‘consents,’’ these ‘‘authorizations’’ are specific and detailed. (For details on who must obtain such authorizations and the requirements they must meet, see § 164.508.) They are intended to provide the individuals with concrete information about, and control over, the uses and disclosures of protected health information about themselves.

The final rule retains the provision that requires a covered entity to disclose protected health information only in two instances: When individuals request access to information about themselves, and when disclosures are compelled by the Secretary for compliance and enforcement purposes.

Finally, § 164.502(a)(1) also requires covered entities to use or disclose protected health information in compliance with the other provisions of § 164.502, for example, consistent with the minimum necessary standard, to create de-identified information, or to a personal representative of an individual. These provisions are described below.

We note that a covered entity may use or disclose protected health information as permitted by and in accordance with a provision of this rule, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under another provision of this rule.

Section 164.502(b)—Minimum Necessary Uses and Disclosures

The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)). This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. In the final rule, § 164.502(b) contains the basic standard and § 164.514 describes the requirements for implementing the standard. Therefore we discuss all aspects of the minimum necessary standard and specific requirements below in the discussion of § 164.514(d).

Section 164.502(c)—Uses and Disclosures Under a Restriction Agreement

The proposed rule would have required that covered health care providers permit individuals to request restrictions of uses and disclosures of protected health information and would have prohibited covered providers from using or disclosing protected health information in violation of any agreed-to restriction.

The final rule retains an individual’s right to request restrictions on uses or disclosures for treatment, payment or health care operations and prohibits a covered entity from using or disclosing protected health information in a way that is inconsistent with an agreed upon restriction between the covered entity and the individual, but makes some changes to this right. Most significantly, under the final rule individuals have the right to request restrictions of all covered entities. This standard is set forth in § 164.522. Details about the changes to the standard are explained in the preamble discussion to § 164.522.

Section 164.502(d)—Creation of De-identified Information

In proposed § 164.506(d) of the NPRM, we proposed to permit use of protected health information for the purpose of creating de-identified information and we provided detailed mechanisms for doing so.

In § 164.502(d) of the final rule, we permit a covered entity to use protected health information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. We clarify that de-identified information created in accordance with our procedures (which have been moved to § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of protected health information. See the preamble to § 164.514(a) for further discussion.

Section 164.502(e)—Business Associates

In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner.

We proposed to define the term ‘‘business partner’’ to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.

In the final rule, we change the term ‘‘business partner’’ to ‘‘business associate’’ and in the definition clarify the full range of circumstances in which a person is acting as a business associate of a covered entity. (See definition of ‘‘business associate’’ in § 160.103.) These changes mean that § 164.502(e) requires a business associate contract (or other arrangement, as applicable) not only when the covered entity discloses protected health information to a business associate, but also when the business associate creates or receives protected health information on behalf of the covered entity.

In the final rule, we modify the proposed standard and implementation specifications for business associates in a number of significant ways. These modifications are explained in the preamble discussion of § 164.504(e).

Section 164.502(f)—Deceased Individuals

We proposed to extend privacy protections to the protected health information of a deceased individual for two years following the date of death. During the two-year time frame, we proposed in the definition of ‘‘individual’’ that the right to control the deceased individual’s protected health information would be held by an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent’s estate. The only proposed exception to this standard allowed for uses and disclosures of a decedent’s protected health information for research purposes without the authorization of a legal representative and without the Institutional Review Board (IRB) or privacy board approval required (in proposed § 164.510(j)) for most other uses and disclosures for research.

In the final rule (§ 164.502(f)), we modify the standard to extend protection of protected health information about deceased individuals for as long as the covered entity maintains the information. We retain the exception for uses and disclosures for research purposes, now part of § 164.512(i), but also require that the

82500 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

covered entity take certain verification measures prior to release of the decedent’s protected health information for such purposes (see §§ 164.514(h) and 164.512(i)(1)(iii)).

We remove from the definition of “individual” the provision related to deceased persons. Instead, we create a standard for “personal representatives” (§ 164.502(g), see discussion below) that requires a covered entity to treat a personal representative of an individual as the individual in certain circumstances, i.e., allows the representative to exercise the rights of the individual. With respect to deceased individuals, the final rule describes when a covered entity must allow a person who otherwise is permitted under applicable law to act with respect to the interest of the decedent or on behalf of the decedent’s estate, to make decisions regarding the decedent’s protected health information.

The final rule also adds a provision to § 164.512(g), that permits covered entities to disclose protected health information to a funeral director, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are permitted both after death and in reasonable anticipation of death.

Section 164.502(g)—Personal Representatives

In the proposed rule we defined “individual” to include certain persons who were authorized to act on behalf of the person who is the subject of the protected health information. For adults and emancipated minors, the NPRM provided that “individual” includes a legal representative to the extent to which applicable law permits such legal representative to exercise the individual’s rights in such contexts. With respect to unemancipated minors, we proposed that the definition of “individual” include a parent, guardian, or person acting in loco parentis, (hereinafter referred to as “parent”) except when an unemancipated minor obtained health care services without the consent of, or notification to, a parent. Under the proposed rule, if a minor obtained health care services under these conditions, the minor would have had the exclusive rights of an individual with respect to the protected health information related to such health care services.

In the final rule, the definition of “individual” is limited to the subject of the protected health information, which includes unemancipated minors and other individuals who may lack capacity to act on their own behalf. We remove from the definition of “individual” the provisions regarding legal representatives. The circumstances in which a representative must be treated as an individual for purposes of this rule are addressed in a separate standard titled “personal representatives.” (§ 164.502(g)). The standard regarding personal representatives incorporates some changes to the proposed provisions regarding legal representatives. In general, under the final regulation, the “personal representatives” provisions are directed at the more formal representatives, while § 164.510(b) addresses situations in which persons are informally acting on behalf of an individual.

With respect to adults or emancipated minors, we clarify that a covered entity must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian and a person with a power of attorney, as set forth in the NPRM, but may also include other persons. The authority of a personal representative under this rule is limited: the representative must be treated as the individual only to the extent that protected health information is relevant to the matters on which the personal representative is authorized to represent the individual. For example, if a person’s authority to make health care decisions for an individual is limited to decisions regarding treatment for cancer, such person is a personal representative and must be treated as the individual with respect to protected health information related to the cancer treatment of the individual. Such a person is not the personal representative of the individual with respect to all protected health information about the individual, and therefore, a covered entity may not disclose protected health information that is not relevant to the cancer treatment to the person, unless otherwise permitted under the rule. We intend this provision to apply to persons empowered under state or other law to make health related decisions for an individual, whether or not the instrument or law granting such authority specifically addresses health information.

In addition, we clarify that with respect to an unemancipated minor, if under applicable law a parent may act on behalf of an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this rule with respect to protected health information relevant to such personal representation, with three exceptions. Under the general rule, in most circumstances the minor would not have the capacity to act as the individual, and the parent would be able to exercise rights and authorities on behalf of the minor. Under the exceptions to the rule on personal representatives of unemancipated minors, the minor, and not the parent, would be treated as the individual and able to exercise the rights and authorities of an individual under the rule. These exceptions occur if: (1) The minor consents to a health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative; (2) the minor may lawfully obtain such health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such health care service; or (3) a parent assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. We note that the definition of health care includes services, but we use “health care service” in this provision to clarify that the scope of the rights of minors under this rule is limited to the protected health information related to a particular service.

Under this provision, we do not provide a minor with the authority to act under the rule unless the state has given them the ability to obtain health care without consent of a parent, or the parent has assented. In addition, we defer to state law where the state authorizes or prohibits disclosure of protected health information to a parent. See part 160, subpart B, Preemption of State Law. This rule does not affect parental notification laws that permit or require disclosure of protected health information to a parent. However, the rights of a minor under this rule are not otherwise affected by such notification.

In the final rule, the provision regarding personal representatives of deceased individuals has been changed to clarify the provision. The policy has not changed substantively from the NPRM.

Finally, we added a provision in the final rule to permit covered entities to elect not to treat a person as a personal representative in abusive situations. Under this provision, a covered entity need not treat a person as a personal representative of an individual if the covered entity, in the exercise of professional judgment, decides that it is


not in the best interest of the individual to treat the person as the individual’s personal representative and the covered entity has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual.

Section 164.502(g) requires a covered entity to treat a person that meets the requirements of a personal representative as the individual (with the exceptions described above). We note that disclosure of protected health information to a personal representative is mandatory under this rule only if disclosure to the individual is mandatory. Disclosure to the individual is mandatory only under §§ 164.524 and 164.528. Further, as noted above, the personal representative’s rights are limited by the scope of its authority under other law. Thus, this provision does not constitute a general grant of authority to personal representatives.

We make disclosure to personal representatives mandatory to ensure that an individual’s rights under §§ 164.524 and 164.528 are preserved even when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other individuals. If the covered entity were to have the discretion to recognize a personal representative as the individual, there could be situations in which no one could invoke an individual’s rights under these sections.

We continue to allow covered entities to use their discretion to disclose certain protected health information to family members, relatives, close friends, and other persons assisting in the care of an individual, in accordance with § 164.510(b). We recognize that many health care decisions take place on an informal basis, and we permit disclosures in certain circumstances to permit this practice to continue. Health care providers may continue to use their discretion to address these informal situations.

Section 164.502(h)—Confidential Communications

In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. The NPRM did provide individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health operations, but providers were not required to agree to such a restriction.

In the final rule, we require covered providers to accommodate reasonable requests by patients about how the covered provider communicates with the individual. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual at his or her place of employment, or to send communications to a designated address. Covered providers must accommodate the request unless it is unreasonable. Similarly, the final rule permits individuals to request that health plans communicate with them by alternative means, and the health plan must accommodate such a request if it is reasonable and the individual states that disclosure of the information could endanger the individual. The specific provisions relating to confidential communications are in § 164.522.

Section 164.502(i)—Uses and Disclosures Consistent with Notice

We proposed to prohibit covered entities from using or disclosing protected health information in a manner inconsistent with their notice of information practices. We retain this provision in the final rule. See § 164.520 regarding notice content and distribution requirements.

Section 164.502(j)—Disclosures by Whistleblowers and Workforce Member Crime Victims

Disclosures by Whistleblowers

In § 164.518(c)(4) of the NPRM we addressed the issue of whistleblowers by proposing that a covered entity not be held in violation of this rule because a member of its workforce or a person associated with a business associate of the covered entity used or disclosed protected health information that such person believed was evidence of a civil or criminal violation, and any disclosure was: (1) Made to relevant oversight agencies or law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law had occurred or to assess the remedies or actions at law that may be available to the person disclosing the information. We included an extensive discussion on how whistleblower actions can further the public interest, including reference to the need in some circumstances to utilize protected health information for this purpose as well as reference to the qui tam provisions of the Federal False Claims Act.

In the final rule we retitle the provision and include it in § 164.502 to reflect the fact that these disclosures are not made by the covered entity and therefore this material does not belong in the section on safeguarding information against disclosure.

We retain the basic concept in the NPRM of providing protection to a covered entity for the good faith whistleblower action of a member of its workforce or a business associate. We clarify that a whistleblower disclosure by an employee, subcontractor, or other person associated with a business associate is considered a whistleblower disclosure of the business associate under this provision. However, in the final rule, we modify the scope of circumstances under which a covered entity is protected in whistleblower situations. A covered entity is not in violation of the requirements of this rule when a member of its workforce or a business associate of the covered entity discloses protected health information to: (i) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity; (ii) an appropriate health care accreditation organization; or (iii) an attorney, for the purpose of determining his or her legal options with respect to whistleblowing. We delete disclosures to a law enforcement official.

We expand the scope of this section to cover disclosures of protected health information to an oversight or accreditation organization for the purpose of reporting breaches of professional standards or problems with quality of care. The covered entity will not be in violation of this rule, provided that the disclosing individual believes in good faith that the covered entity has engaged in conduct which is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by the covered entity potentially endanger one or more patients, workers or the public. Since these provisions only relate to whistleblower actions in relation to the covered entity, disclosure of protected health information to expose malfeasant conduct by another person, such as knowledge gained during the course of treatment about an individual’s illicit drug use, would not be protected activity.

We clarify that this section only applies to protection of a covered entity, based on the whistleblower action of a member of its workforce or business associates. Since the HIPAA legislation only applies to covered entities, not their workforces, it is beyond the scope of this rule to directly regulate the


whistleblower actions of members of a covered entity’s workforce.

In the NPRM, we had proposed to require covered entities to apply sanctions to members of its workforce who improperly disclose protected health information. In this final rule, we retain this requirement in § 164.530(e)(1) but modify the proposed provision on sanctions to clarify that the sanctions required under this rule do not apply to workforce members of a covered entity for whistleblower disclosures.

Disclosures by Workforce Members Who Are Crime Victims

The proposed rule did not address disclosures by workforce members who are victims of a crime. In the final rule, we clarify that a covered entity is not in violation of the rule when a workforce member of a covered entity who is the victim of a crime discloses protected health information to law enforcement officials about the suspected perpetrator of the crime. We limit the amount of protected health information that may be disclosed to the limited information for identification and location described in § 164.512(f)(2).

We note that this provision is similar to the provision in § 164.512(f)(5), which permits a covered entity to disclose protected health information to law enforcement that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. This provision differs in that it permits the disclosure even if the crime occurred somewhere other than on the premises of the covered entity. For example, if a hospital employee is the victim of an attack outside of the hospital, but spots the perpetrator sometime later when the perpetrator seeks medical care at the hospital, the workforce member who was attacked may notify law enforcement of the perpetrator’s location and other identifying information. We do not permit, however, the disclosure of protected health information other than that described in § 164.512(f)(2).

Section 164.504—Uses and Disclosures—Organizational Requirements—Component Entities, Affiliated Entities, Business Associates and Group Health Plans

Section 164.504(a)–(c)—Health Care Component (Component Entities)

In the preamble to the proposed rule we introduced the concept of a “component entity” to differentiate the health care unit of a larger organization from the larger organization. In the proposal we noted that some organizations that are primarily involved in non-health care activities do provide health care services or operate health plans or health care clearinghouses. Examples included a school with an on-site health clinic and an employer that self-administers a sponsored health plan. In such cases, the proposal said that the health care component of the entity would be considered the covered entity, and any release of information from that component to another office or person in the organization would be a regulated disclosure. We would have required such entities to create barriers to prevent protected health information from being used or disclosed for activities not authorized or permitted under the proposal.

We discuss group health plans and their relationships with plan sponsors below under “Requirements for Group Health Plans.”

In the final rule we address the issue of differentiating health plan, covered health care provider and health care clearinghouse activities from other functions carried out by a single legal entity in paragraphs (a)–(c) of § 164.504. We have created a new term, “hybrid entity”, to describe the situation where a health plan, health care provider, or health care clearinghouse is part of a larger legal entity; under the definition, a “hybrid entity” is “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” The term “covered functions” is discussed above under § 164.501. By “single legal entity” we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.

The health care component rules are designed for the situation in which the health care functions of the legal entity are not its dominant mission. Because some part of the legal entity meets the definition of a health plan or other covered entity, the legal entity as a whole could be required to comply with the rules below. However, in such a situation, it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities may have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions. On the other hand, where most of what the covered entity does consists of covered functions, it makes sense to require the entity as a whole to comply with the rules. The provisions at §§ 164.504(a)–(c) provide that for a hybrid entity, the rules apply only to the part of the entity that is the health care component. At the same time, the lack of corporate boundaries increases the risk that protected health information will be used in a manner that would not otherwise be permitted by these rules. Thus, we require that the covered entity erect firewalls to protect against the improper use or disclosure within or by the organization. See § 164.504(c)(2).

The term “primary functions” in the definition of “hybrid entity” is not meant to operate with mathematical precision. Rather, we intend that a more common sense evaluation take place: Is most of what the covered entity does related to its health care functions? If so, then the whole entity should be covered. Entities with different insurance lines, if not separately incorporated, present a particular issue with respect to this analysis. Because the definition of “health plan” excludes many types of insurance products (in the exclusion under paragraph (2)(i) of the definition), we would consider an entity that has one or more of these lines of insurance in addition to its health insurance lines to come within the definition of “hybrid entity,” because the other lines of business constitute substantial parts of the total business operation and are required to be separate from the health plan(s) part of the business.

An issue that arises in the hybrid entity situation is what records are covered in the case of an office of the hybrid entity that performs support functions for both the health care component of the entity and for the rest of the entity. For example, this situation could arise in the context of a company with an onsite clinic (which we will assume is a covered health care provider), where the company’s business office maintains both clinic records and the company’s personnel records. Under the definition of the term “health care component,” the business office is part of the health care component (in this hypothetical, the clinic) “to the extent that” it is performing covered functions on behalf of the clinic involving the use or disclosure of protected health information that it receives from, creates or maintains for the clinic. Part of the business office, therefore, is part of the


health care component, and part of the business office is outside the health care component. This means that the non-health care component part of the business office is not covered by the rules below. Under our hypothetical, then, the business office would not be required to handle its personnel records in accordance with the rules below. The hybrid entity would be required to establish firewalls with respect to these record systems, to ensure that the clinic records were handled in accordance with the rules.

With respect to excepted benefits, the rules below operate as follows. (Excepted benefits include accident, disability income, liability, workers’ compensation and automobile medical payment insurance.) Excepted benefit programs are excluded from the health care component (or components) through the definition of “health plan.” If a particular organizational unit performs both excepted benefits functions and covered functions, the activities associated with the excepted benefits program may not be part of the health care component. For example, an accountant who works for a covered entity with both a health plan and a life insurer would have his or her accounting functions performed for the health plan as part of the component, but not the life insurance accounting function. See § 164.504(c)(2)(iii). We require this segregation of excepted benefits because HIPAA does not cover such programs, policies and plans, and we do not permit any use or disclosure of protected health information for the purposes of operating or performing the functions of the excepted benefits without authorization from the individual, except as otherwise permitted in this rule.

In § 164.504(c)(2) we require covered entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by its other organizational units that would not be otherwise permitted by this rule. We note that section 1173(d)(1)(B) of HIPAA requires policies and procedures to isolate the activities of a health care clearinghouse from a “larger organization” to prevent unauthorized access by the larger organization. This safeguard provision is consistent with the statutory requirement and extends to any covered entity that performs “non-covered entity functions” or operates or conducts functions of more than one type of covered entity.

Because, as noted, the covered entity in the hybrid entity situation is the legal entity itself, we state explicitly what is implicitly the case, that the covered entity (legal entity) remains responsible for compliance vis-a-vis subpart C of part 160. See § 164.504(c)(3)(i). We do this simply to make these responsibilities clear and to avoid confusion on this point. Also, in the hybrid entity situation the covered entity/legal entity has control over the entire workforce, not just the workforce of the health care component. Thus, the covered entity is in a position to implement policies and procedures to ensure that the part of its workforce that is doing mixed or non-covered functions does not impermissibly use or disclose protected health information. Its responsibility to do so is clarified in § 164.504(c)(3)(ii).

Section 164.504(d)—Affiliated Entities

Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity. Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.

Section 164.504(e)—Business Associates

In the NPRM, we proposed to require a contract between a covered entity and a business associate, except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for the purposes of consultation or referral. A covered entity would have been in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business associate and it failed to take reasonable steps to cure the breach or terminate the contract. We proposed in the preamble that when a covered entity acted as a business associate to another covered entity, the covered entity that was acting as business associate also would have been responsible for any violations of the regulation.

We also proposed that covered health care providers receiving protected health information for consultation or referral purposes would still have been subject to this rule, and could not have used or disclosed such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we noted that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider had agreed to impose (e.g., the disclosing provider had provided notice to its patients that it would not make disclosures for research).

We proposed that business associates would not have been permitted to use or disclose protected health information in ways that would not have been permitted of the covered entity itself under these rules, and covered entities would have been required to take reasonable steps to ensure that protected health information disclosed to a business associate remained protected.

In the NPRM (proposed § 164.506(e)(2)) we would have required that the contractual agreement between a covered entity and a business associate be in writing and contain provisions that would:

• Prohibit the business associate from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract.

• Prohibit the business associate from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity.

• Require the business associate to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract.

• Require the business associate to report to the covered entity any use or disclosure of the protected health information of which the business


associate becomes aware that is not provided for in the contract.

• Require the business associate to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business associate with respect to such information.

• Require the business associate to provide access to non-duplicative protected health information to the subject of that information, in accordance with proposed § 164.514(a).

• Require the business associate to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to the Secretary for the purposes of enforcing the provisions of this rule.

the protected health information to combine or aggregate the information. A covered entity would not have been permitted to obtain protected health information through a business associate that it could not otherwise obtain itself.

In the final rule we retain the overall approach proposed: covered entities may disclose protected health information to persons that meet the rule’s definition of business associate, or hire such persons to obtain or create protected health information for them, only if covered entities obtain specified satisfactory assurances from the business associate that it will appropriately handle the information; the regulation specifies the elements of such satisfactory assurances; covered entities have responsibilities when such specified satisfactory assurances are

definition of business associate; we make special provisions for government agencies that by law cannot enter into contracts with one another or that operate under other legal requirements incompatible with some aspects of the required contractual satisfactory assurances; we provide a new mechanism for covered entities to hire a third party to aggregate data.

The final rule provides several exceptions to the business associate requirements, where a business associate relationship would otherwise exist. We substantially expand the exception for disclosure of protected health information for treatment. Rather than allowing disclosures without business associate assurances only for the purpose of consultation or referral, in the final rule we allow covered entities to make any disclosure of
• Require the business associate, at violated by the business associate. We protected health information for
termination of the contract, to return or retain the requirement that specified treatment purposes to a health care
destroy all protected health information satisfactory assurances must be obtained provider without a business associate
received from the covered entity that the if a covered entity’s business associate arrangement. This provision includes all
business associate still maintains in any is also a covered entity. We note that a activities that fall under the definition
form to the covered entity and prohibit master business associate contract or of treatment.
the business associate from retaining MOU that otherwise meets the We do not require a business associate
such protected health information in requirements regarding specified contract for a group health plan to make
any form. satisfactory assurances meets the disclosures to the plan sponsor, to the
• Require the business associate to requirements with respect to all the extent that the health plan meets the
incorporate any amendments or signatories. applicable requirements of § 164.504(f).
corrections to protected health A covered entity may disclose We also include an exception for
information when notified by the protected health information to a certain jointly administered government
covered entity that the information is business associate, consistent with the programs providing public benefits.
inaccurate or incomplete. other requirements of the final rule, as Where a health plan that is a
• State that individuals who are the necessary to permit the business government program provides public
subject of the protected health associate to perform functions and benefits, such as SCHIP and Medicaid,
information disclosed are intended to be activities for or on behalf of the covered and where eligibility for, or enrollment
third party beneficiaries of the contract. entity, or to provide the services in, the health plan is determined by an
• Authorize the covered entity to specified in the business associate agency other than the agency
terminate the contract, if the covered definition to or for the covered entity. administering the health plan, or where
entity determines that the business As discussed below, a business the protected health information used to
associate has violated a material term of associate may only use the protected determine enrollment or eligibility in
the contract. health information it receives in its the health plan is collected by an agency
We also stated in the preamble to the capacity as a business associate to a other than the agency administering the
NPRM that the contract could have covered entity as permitted by its health plan, and the joint activities are
included any additional arrangements contract or agreement with the covered authorized by law, no business associate
that did not violate the provisions of entity. contract is required with respect to the
this regulation. We do not attempt to directly regulate collection and sharing of individually
We explained in the preamble to the business associates, but pursuant to our identifiable health information for the
NPRM that a business associate authority to regulate covered entities we performance of the authorized functions
(including business associates that are place restrictions on the flow of by the health plan and the agency other
covered entities) that had contracts with information from covered entities to than the agency administering the
more than one covered entity would non-covered entities. We add a health plan. We note that the phrase
have had no authority to combine, provision to clarify that a violation of a ‘‘government programs providing public
aggregate or otherwise use for a single business associate agreement by a benefits’’ refers to programs offering
purpose protected health information covered entity that is a business benefits to specified members of the
obtained from more than one covered associate of another covered entity public and not to programs that offer
entity unless doing so would have been constitutes a violation of this rule. benefits only to employees or retirees of
a lawful use or disclosure for each of the In the final rule, we make significant government agencies.
covered entities that supplied the changes to the requirements regarding We note that we do not consider a
protected health information that is business associates. As explained below financial institution to be acting on
being combined, aggregated or used. In in more detail: we make significant behalf of a covered entity, and therefore
addition, the business associate would changes to the content of the required no business associate contract is
have had to have been authorized contractual satisfactory assurances; we required, when it processes consumer-
through the contract or arrangement include exceptions for arrangements conducted financial transactions by
with each covered entity that supplied that would otherwise meet the debit, credit or other payment card,

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00044 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82505

clears checks, initiates or processes the contract if steps to cure such a associate to use and disclose protected
electronic funds transfers, or conducts material breach fail. The rule now health information it receives in its
any other activity that directly facilitates stipulates, however, that if the covered capacity as a business associate for its
or effects the transfer of funds for entity is unable to cure a material proper management and administration
compensation for health care. A typical breach of the business associate’s and to carry out its legal
consumer-conducted payment obligation under the contract, it is responsibilities. The contract must limit
transaction is when a consumer pays for expected to terminate the contract, further disclosures of the protected
health care or health insurance when feasible. This qualification has health information for these purposes to
premiums using a check or credit card. been added to accommodate those that are required by law and to
In these cases, the identity of the circumstances where terminating the those for which the business associate
consumer is always included and some contract would be unreasonably obtains reasonable assurances that the
health information (e.g., diagnosis or burdensome on the covered entity, such protected health information will be
procedure) may be implied through the as when there are no viable alternatives held confidentially and that it will be
name of the health care provider or to continuing a contract with that notified by the person to whom it
health plan being paid. Covered entities particular business associate. It does not discloses the protected health
that initiate such payment activities mean, for instance, that the covered information of any breaches of
must meet the minimum necessary entity can choose to continue the confidentiality.
disclosure requirements described in contract with a non-compliant business Second, we permit a covered entity to
the preamble to § 164.514. associate merely because it is more authorize the business associate to
In the final rule, we reduce the extent convenient or less costly than contracts provide data aggregation services to the
to which a covered entity must monitor with other potential business associates. covered entity. As discussed above in
the actions of its business associate and We also require that if a covered entity § 164.501, data aggregation, with respect
we make it easier for covered entities to determines that it is not feasible to to protected health information received
identify the circumstances that will terminate a non-compliant business by a business associate in its capacity as
require them to take actions to correct associate, the covered entity must notify the business associate of a covered
a business associate’s material violation the Secretary. entity, is the combining of such
of the contract, in the following ways. We retain all of the requirements for
protected health information by the
We delete the proposed language a business associate contract that were
business associate with protected health
requiring covered entities to ‘‘take listed in proposed § 164.506(e)(2), with
reasonable steps to ensure’’ that each some modifications. See § 164.504(e)(2). information received by the business
business associate complies with the We retain the requirement that the associate in its capacity as a business
rule’s requirements. Additionally, we business associate contract must associate of another covered entity, to
now require covered entities to take provide that the business associate will permit the creation of data for analyses
reasonable steps to cure a breach or not use or further disclose the that relate to the health care operations
terminate the contract for business information other than as permitted or of the respective covered entities. We
associate behaviors only if they know of required by the contract or as required added this service to the business
a material violation by a business by law. We do not mean by this associate definition to clarify the ability
associate. In implementing this requirement that the business associate of covered entities to contract with
standard, we will view a covered entity contract must specify each and every business associates to undertake quality
that has substantial and credible use and disclosure of protected health assurance and comparative analyses that
evidence of a violation as knowing of information permitted to the business involve the protected health information
such violation. While this standard associate. Rather, the contract must state of more than one contracting covered
relieves the covered entity of the need the purposes for which the business entity. We except data aggregation from
to actively monitor its business associate may use and disclose the general requirement that a business
associates, a covered entity nonetheless protected health information, and must associate contract may not authorize a
is expected to investigate when they indicate generally the reasons and types business associate to use or further
receive complaints or other information of persons to whom the business disclose protected health information in
that contain substantial and credible associate may make further disclosures. a manner that would violate the
evidence of violations by a business For example, attorneys often need to requirements of this subpart if done by
associate, and it must act upon any provide information to potential the covered entity in order to permit the
knowledge of such violation that it witnesses, opposing counsel, and others combining or aggregation of protected
possesses. We note that a in the course of their representation of health information received in its
whistleblowing disclosure by a business a client. The business associate contract capacity as a business associate of
associate of a covered entity that meets pursuant to which protected health different covered entities when it is
the requirements of § 164.502(j)(1) does information is provided to its attorney performing this service. In many cases,
not put the covered entity in violation may include a general statement the combining of this information for
of this rule, and the covered entity has permitting the attorney to disclose the respective health care operations of
no duty to correct or cure, or to protected health information to these the covered entities is not something
terminate the relationship. types of people, within the scope of its that the covered entities could do—a
We also qualify the requirement for representation of the covered entity. covered entity cannot generally disclose
terminating contracts with non- We retain the requirement that a protected health information to another
compliant business associates. The final business associate contract may not covered entity for the disclosing covered
rule still requires that the business authorize a business associate to use or entity’s health care operations.
associate contract authorize the covered further disclose protected health However, we permit covered entities
entity to terminate the contract, if the information in a manner that would that enter into business associate
covered entity determines that the violate the requirements of this subpart contracts with a business associate for
business associate has violated a if done by the covered entity, but we data aggregation to permit the business
material term of the contract, and it add two exceptions. First, we permit a associate to combine or aggregate the
requires the covered entity to terminate covered entity to authorize a business protected health information they

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82506 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

disclose to the business associate for includes subcontractors, and we note contract that will satisfy the
their respective health care operations. that a business associate contract must requirement for satisfactory assurances
We note that there may be other make the business associate responsible under this section. First, when a
instances in which a business associate for ensuring that any person to whom it government agency is a business
may combine or aggregate protected delegates a function, activity or service associate of another government agency
health information received in its which is within its business associate that is a covered entity, we permit
capacity as a business associate of contract with the covered entity agrees memorandum of understanding between
different covered entities, such as when to abide by the restrictions and the agencies to constitute satisfactory
it is performing health care operations conditions that apply to the business assurance for the purposes of this rule,
on behalf of covered entities that associate under the contract. We note if the memorandum accomplishes each
participate in an organized health care that a business associate will need to of the objectives of the business
arrangement. A business associate that consider the purpose for which associate contract. We recognize that the
is performing payment functions on protected health information is being relationships of government agencies
behalf of different covered entities also disclosed in determining whether the are often organized as a matter of law,
may combine protected health recipient must be bound to the and that it is not always feasible for one
information when it is necessary, such restrictions and conditions of the agency to contract with another for all
as when the covered entities share business associate contract. When the of the purposes provided for in this
financial risk or otherwise jointly bill disclosure is a delegation of a function, section. We also recognize that it may be
for services. activity or service that the business incorrect to view one government
In the final rule we clarify that the associate has agreed to perform for a agency as ‘‘acting on behalf of’’ the other
business associate contract must require covered entity, the recipient who government agency; under law, each
the business associate to make available undertakes such a function steps into agency may be acting to fulfill a
protected health information for the shoes of the business associate and statutory mission. We note that in some
amendment and to incorporate such must be bound to the restrictions and instances, it may not be possible for the
amendments. The business associate conditions. When the disclosure is to a agencies to include the right to
contract must also require the business third party who is not performing terminate the arrangement because the
associate to make available the business associate functions, activities relationship may be established under
information required to provide an or services for on behalf of the covered law. In such instances, the covered
accounting of disclosures. We provide entity, but is the type of disclosure that entity government agency would need
more flexibility to the requirement that the covered entity itself could make to fulfill the requirement to report
all protected health information be without giving rise to a business known violations of the memorandum
returned by the business associate upon associate relationship, the business to the Secretary.
termination of the contract. The rule associate is not required to ensure that Where the covered entity is a
now stipulates that if feasible, the the restrictions or conditions of the government agency, we consider the
protected health information should be business associate contract are satisfactory assurances requirement to
destroyed or returned at the end of a maintained. be satisfied if other law contains
contract. Accordingly, a contract with a For example, if a business associate requirements applicable to the business
business associate must state that if acts as the billing agent of a health care associate that accomplish each of the
there are reasons that the return or provider, and discloses protected health objectives of the business associate
destruction of the information is not information on behalf of the hospital to contract. We recognize that in some
feasible and the information must be health plans, the business associate has cases, covered entities that are
retained for specific reasons and uses, no responsibility with respect to further government agencies may be able to
such as for future audits, privacy uses or disclosures by the health plan. impose the requirements of this section
protections must continue after the In the example above, where a covered directly on the persons acting as their
contract ends, for as long as the business entity has a business associate contract business associates. We also recognize
associate retains the information. The with a lawyer, and the lawyer discloses that often one government agency is
contract also must state that the uses of protected health information to an acting as a business associate of another
information after termination of the expert witness in preparation for government agency, and either party
contract must be limited to the specific litigation, the lawyer again would have may have the legal authority to establish
set of uses or disclosures that make it no responsibility under this subpart the requirements of this section by
necessary for the business associate to with respect to uses or disclosures by regulation. We believe that imposing
retain the information. the expert witness, because such these requirements directly on business
We also remove the requirement that witness is not undertaking the associates provides greater protection
business associate contracts contain a functions, activities or services that the than we can otherwise provide under
provision stating that individuals whose business associate lawyer has agreed to this section, and so we recognize such
protected health information is perform. However, if a covered entity other laws as sufficient to substitute for
disclosed under the contract are contracts with a third party a business associate contract.
intended third-party beneficiaries of the administrator to provide claims We also recognize that there may be
contract. Third party beneficiary or management, and the administrator some circumstances where the
similar responsibilities may arise under delegates management of the pharmacy relationship between covered entities
these business associate arrangements benefits to a third party, the business and business associates is otherwise
by operation of state law; we do not associate third party administrator must mandated by law. In the final rule, we
intend in this rule to affect the operation ensure that the pharmacy manager provide that where a business associate
of such state laws. abides by the restrictions and conditions is required by law to act as a business
We modify the requirement that a in the business associate contract associate to a covered entity, the
business associate contract require the between the covered entity and the third covered entity may disclose protected
business associate to ensure that agents party administrator. health information to the business
abide by the provisions of the business We provide in § 164.504(c)(3) several associate to the extent necessary to
associate contract. We clarify that agents methods other than a business associate comply with the legal mandate without

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82507

meeting the requirement to have a information obtained from covered Specifically included in the definition
business associate contract (or, in the entities participating in the arrangement of ‘‘health plan’’ are group health plans
case of government agencies, a to the extent necessary to carry out the (as defined in section 2791(a) of the
memorandum of understanding or law authorized activity and in conformance Public Health Service Act) with 50 or
pertaining to the business associate) if it with its business associate contracts. As more participants or those of any size
makes a good faith attempt the obtain described above, a business associate that are administered by an entity other
satisfactory assurances required by this providing data aggregation services to than the employer who established and
section and, if unable to do so, different covered entities also could maintains the plan. These group health
documents the attempt and the reasons combine and use the protected health plans may be fully insured or self-
that such assurances cannot be information of the covered entities to insured. Neither employers nor other
obtained. This provision addresses assist with their respective health care group health plan sponsors are defined
situations where law requires one party operations. A covered entity that is as covered entities. However, employers
to act as the business associate of undertaking payment activities on and other plan sponsors—particularly
another party. The fact that the parties behalf of different covered entities also those sponsors with self-insured group
have contractual obligations that may be may use or disclose protected health health plans—may perform certain
enforceable is not sufficient to meet the information obtained as a business functions that are integrally related to or
required by law test in this provision. associate of one covered entity when similar to the functions of group health
This provision recognizes that in undertaking such activities as a business plans and, in carrying out these
some instances the law requires that a associate of another covered entity functions, often require access to
government agency act as a business where the covered entities have individual health information held by
associate of a covered entity. For authorized the activities and where they the group health plan.
example, the United States Department are necessary to secure payment for the Most group health plans are also
of Justice is required by law to defend entities. For example, when a group of regulated under the Employee
tort suits brought against certain providers share financial risk and Retirement Income Security Act of 1974
covered entities; in such circumstances, contract with a business associate to (ERISA). Under ERISA, a group health
however, the United States, and not the conduct payment activities on their plan must be a separate legal entity from
individual covered entity, is the client behalf, the business associate may use its plan sponsor. ERISA-covered group
and is potentially liable. In such the protected health information health plans usually do not have a
situations, covered entities must be able received from the covered entities to corporate presence, in other words, they
to disclose protected health information assist them in managing their shared may not have their own employees and
needed to carry out the representation, risk arrangement. sometimes do not have their own assets
but the particular requirements that Finally, we note that the requirements (i.e., they may be fully insured or the
would otherwise apply to a business imposed by this provision are intended benefits may be funded through the
associate relationship may not be to extend privacy protection to general assets of the plan sponsor, rather
possible to obtain. Subsection (iii) situations in which a covered entity than through a trust). Often, the only
makes clear that, where the relationship discloses substantial amounts of tangible evidence of the existence of a
is required by law, the covered entity protected health information to other group health plan is the contractual
complies with the rule if it attempts, in persons so that those persons can agreement that describes the rights and
good faith, to obtain satisfactory perform functions or activities on its responsibilities of covered participants,
assurances as are required by this behalf or deliver specified services to it. including the benefits that are offered
paragraph and, if such attempt fails, A business associate contract basically and the eligible recipients.
documents the attempts and the reasons requires the business associate to ERISA requires the group health plan
that such assurances cannot be maintain the confidentiality of the to identify a ‘‘named fiduciary,’’ a
obtained. protected health information that it person responsible for ensuring that the
The operation of the final rule receives and generally to use and plan is operated and administered
maintains the construction discussed in disclose such information for the properly and with ultimate legal
the preamble to the NPRM that a purposes for which it was provided. responsibility for the plan. If the plan
business associate (including a business This requirement does not interfere with documents under which the group
associate that is a covered entity) that the relationship between a covered health plan was established and is
has business associate contracts with entity and business associate, or require maintained permit, the named fiduciary
more than one covered entity generally the business associate to subordinate its may delegate certain responsibilities to
may not use or disclose the protected professional judgment to that of a trustees and may hire advisors to assist
health information that it creates or covered entity. Covered entities may it in carrying out its functions. While
receives in its capacity as a business rely on the professional judgment of generally the named fiduciary is an
associate of one covered entity for the their business associates as to the type individual, it may be another entity. The
purposes of carrying out its and amount of protected health plan sponsor or employees of the plan
responsibilities as a business associate information that is necessary to carry sponsor are often the named fiduciaries.
of another covered entity, unless doing out a permitted activity. The These structural and operational
so would be a lawful use or disclosure requirements of this provision are aimed relationships present a problem in our
for each of the covered entities and the at securing the continued ability to protect health information
business associate’s contract with each confidentiality of protected health from being used inappropriately in
of the covered entities permits the information disclosed to third parties employment-related decisions. On the
business associate to undertake the that are serving the covered entity’s one hand, the group health plan, and
activity. For example, a business interests. any health insurance issuer or HMO
associate performing a function under providing health insurance or health
health care operations on behalf of an Section 164.504(f)—Group Health Plans coverage to the group health plan, are
organized health care arrangement Covered entities under HIPAA covered entities under the regulation
would be permitted to combine or include health care clearinghouses, and may only disclose protected health
aggregate the protected health health care providers and health plans. information as authorized under the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82508 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

regulation or with individual consent. On the other hand, plan sponsors may need access to protected health information to carry out administration functions on behalf of the plan, but under circumstances in which securing individual consent is impractical. We note that we sometimes refer in the rule and preamble to health insurance issuers and HMOs that provide health insurance or health coverage to a group health plan as health insurance issuers or HMOs with respect to a group health plan.

The proposed rule used the health care component approach for employers and other plan sponsors. Under this approach, only the component of an employer or other plan sponsor would be treated as a covered entity. The component of the plan sponsor would have been able to use protected health information for treatment, payment, and health care operations, but not for other purposes, such as discipline, hiring and firing, placement and promotions. We have modified the final rule in a number of ways.

In the final rule, we recognize plan sponsors’ legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate employers or other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities.

The final rule permits group health plans, and allows them to authorize health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to plan sponsors if the plan sponsors voluntarily agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan which are specified in plan documents. The group health plan is not required to have a business associate contract with the plan sponsor to disclose the protected health information or allow the plan sponsor to create protected health information on its behalf, if the conditions of § 164.504(e) are met.

In order for the group health plan to disclose protected health information to a plan sponsor, the plan documents under which the plan was established and is maintained must be amended to: (1) Describe the permitted uses and disclosures of protected health information; (2) specify that disclosure is permitted only upon receipt of a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use and disclosure of protected health information; and (3) provide adequate firewalls to: identify the employees or classes of employees who will have access to protected health information; restrict access solely to the employees identified and only for the functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance.

Any employee of the plan sponsor who receives protected health information for payment, health care operations or other matters related to the group health plan must be identified in the plan documents either by name or function. We assume that since individuals employed by the plan sponsor may change frequently, the group health plan would likely describe such individuals in a general manner. Any disclosure to employees or classes of employees not identified in the plan documents is not a permissible disclosure. To the extent a group health plan does have its own employees separate from the plan sponsor’s employees, as the workforce of a covered entity (i.e., the group health plan), they also are bound by the permitted uses and disclosures of this rule.

The certification that must be given to the group health plan must state that the plan sponsor agrees to: (1) Not use or further disclose protected health information other than as permitted or required by the plan documents or as required by law; (2) ensure that any subcontractors or agents to whom the plan sponsor provides protected health information agree to the same restrictions; (3) not use or disclose the protected health information for employment-related actions; (4) report to the group health plan any use or disclosure that is inconsistent with the plan documents or this regulation; (5) make the protected health information accessible to individuals; (6) allow individuals to amend their information; (7) provide an accounting of its disclosures; (8) make its practices available to the Secretary for determining compliance; (9) return and destroy all protected health information when no longer needed, if feasible; and (10) ensure that the firewalls have been established.

We have included this certification requirement in part, as a way to reduce the burden on health insurance issuers and HMOs. Without a certification, health insurance issuers and HMOs would need to review the plan documents in order to ensure that the amendments have been made before they could disclose protected health information to plan sponsors. The certification, however, is a simple statement that the amendments have been made and that the plan sponsor has agreed to certain restrictions on the use and disclosure of protected health information. The receipt of the certification, therefore, is sufficient basis for the health insurance issuer or HMO to disclose protected health information to the plan sponsor.

Many activities included in the definitions of health care operations and payment are commonly referred to as plan administration functions in the ERISA group health plan context. For purposes of this rule, plan administration activities are limited to activities that would meet the definition of payment or health care operations, but do not include functions to modify, amend, or terminate the plan or solicit bids from prospective issuers. Plan administration functions include quality assurance, claims processing, auditing, monitoring, and management of carve-out plans, such as vision and dental. Under the final rule, “plan administration” does not include any employment-related functions or functions in connection with any other benefits or benefit plans, and group health plans may not disclose information for such purposes absent an authorization from the individual. For purposes of this rule, enrollment functions performed by the plan sponsor on behalf of its employees are not considered plan administration functions.

Plan sponsors have access to protected health information only to the extent group health plans have access to protected health information, and plan sponsors are permitted to use or disclose protected health information only as would be permitted by group health plans. That is, a group health plan may permit a plan sponsor to have access to or to use protected health information only for purposes allowed by the regulation.

As explained above, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance or coverage by the health insurance issuer or HMO to the group health plan does not make the health insurance issuer or HMO a business associate. In such a case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group
health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services. In addition, group health plans that provide health benefits only through an insurance contract and do not create, maintain, or receive protected health information (except for summary information described below or information that merely states whether an individual is enrolled in or has been disenrolled from the plan) do not have to meet the notice requirements of § 164.520 or the administrative requirements of § 164.530, except for the documentation requirement in § 164.530(j), because these requirements are satisfied by the issuer or HMO that is providing benefits under the group health plan. A group health plan, however, may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor unless the notice required in § 164.520 indicates that such disclosure may occur.

The final rule also permits a health plan that is providing insurance to a group health plan to provide summary information to the plan sponsor to permit the plan sponsor to solicit premium bids from other health plans or for the purpose of modifying, amending, or terminating the plan. The rule provides that summary information is information that summarizes claims history, claims expenses, or types of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan, provided that specified identifiers are not included. Summary information may be disclosed under this provision even if it does not meet the definition of de-identified information. As part of the notice requirements in § 164.520, health plans must inform individuals that they may disclose protected health information to plan sponsors. The provision to allow summaries of claims experience to be disclosed to plan sponsors that purchase insurance will allow them to shop for replacement coverage, and get meaningful bids from prospective issuers. It also permits a plan sponsor to get summary information as part of its consideration of whether or not to change the benefits that are offered to employees or whether or not to terminate a group health plan. We note that a plan sponsor may perform enrollment functions on behalf of its employees without meeting the conditions above and without using the standard transactions described in the Transactions Rule.

Section 164.504(g)—Multiple Covered Function Entities

Although not addressed in the proposed rule, this final rule also recognizes that a covered entity may, as a single legal entity, affiliated entity, or other arrangement, combine the functions or operations of health care providers, health plans and health care clearinghouses (for example, integrated health plans and health care delivery systems may function as both health plans and health care providers). The rule permits such covered entities to use or disclose the protected health information of their patients or members for all covered entity functions, consistent with the other requirements of this rule. The health care component must meet the requirements of this rule that apply to a particular type of covered entity when it is functioning as that entity; e.g., when a health care component is operating as a health care provider it must meet the requirements of this rule applicable to a health care provider. However, such covered entities may not use or disclose the protected health information of an individual who is not involved in a particular covered entity function for that function, and such information must be segregated from any joint information systems. For example, an HMO may integrate data about health plan members and clinic services to members, but a health care system may not share information about a patient in its hospital with its health plan if the patient is not a member of the health plan.

Section 164.506—Uses and Disclosures for Treatment, Payment, and Health Care Operations

Introduction: “Consent” versus “Authorization”

In the proposed rule, we used the term “authorization” to describe the individual’s written permission for a covered entity to use and disclose protected health information, regardless of the purpose of the use or disclosure. Authorization would have been required for all uses and disclosures that were not otherwise permitted or required under the NPRM.

We proposed to permit covered entities, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment, to use and disclose protected health information to carry out treatment, payment, and health care operations without authorization. See proposed § 164.506(a)(1).

We also proposed to prohibit covered entities from requiring individuals to sign authorizations for uses and disclosures of protected health information for treatment, payment, and health care operations, unless required by other applicable law. See proposed § 164.508(a)(iv). We instead proposed requiring covered entities to produce a notice describing their information practices, including practices with respect to uses and disclosures to carry out treatment, payment, and health care operations.

In the final rule, we retain the requirement for covered entities to obtain the individual’s written permission (an “authorization”) for uses and disclosures of protected health information that are not otherwise permitted or required under the rule. However, under the final rule, we add a second type of written permission for use or disclosure of protected health information: a “consent” for uses and disclosures to carry out treatment, payment, and health care operations. In the final rule, we permit, and in some cases require, covered entities to obtain the individual’s written permission for the covered entity to use or disclose protected health information other than psychotherapy notes to carry out treatment, payment, and health care operations. We refer to this written permission as a “consent.”

The “consent” and the “authorization” do not overlap. The requirement to obtain a “consent” applies in different circumstances than the requirement to obtain an authorization. In content, a consent and an authorization differ substantially from one another.

As described in detail below, a “consent” allows use and disclosure of protected health information only for treatment, payment, and health care operations. It is written in general terms and refers the individual to the covered entity’s notice for further information about the covered entity’s privacy practices. It allows use and disclosure of protected health information by the covered entity seeking the consent, not by other persons. Most persons who obtain a consent will be health care providers; health plans and health care clearinghouses may also seek a consent. The consent requirements appear in § 164.506 and are described in this section of the preamble.

With a few exceptions, an “authorization” allows use and disclosure of protected health information for purposes other than treatment, payment, and health care
operations. In order to make uses and disclosures that are not covered by the consent requirements and not otherwise permitted or required under the final rule, covered entities must obtain the individual’s “authorization.” An “authorization” must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. In some instances, a covered entity may not refuse to treat or cover individuals based on the fact that they refuse to sign an authorization. See § 164.508 and the corresponding preamble discussion regarding authorization requirements.

Section 164.506(a)—Consent Requirements

We make significant changes in the final rule with respect to uses and disclosures of protected health information to carry out treatment, payment, and health care operations. We do not prohibit covered entities from seeking an individual’s written permission for use or disclosure of protected health information to carry out treatment, payment, or health care operations.

Except as described below, we instead require covered health care providers to obtain the individual’s consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. If the covered provider does not obtain the individual’s consent, the provider is prohibited from using or disclosing protected health information about the individual for purposes of treating the individual, obtaining payment for health care delivered to the individual, or for the provider’s health care operations. See § 164.506(a)(1).

We except two types of health care providers from this consent requirement. First, covered health care providers that have an indirect treatment relationship with an individual are not required to obtain the individual’s consent prior to using or disclosing protected health information about the individual to carry out treatment, payment, and health care operations. An “indirect treatment relationship” is defined in § 164.501 and described in the corresponding preamble. These providers may use and disclose protected health information as otherwise permitted under the rule and consistent with their notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice). For example, a covered provider that provides consultation services to another provider without seeing the patient would have an indirect treatment relationship with that patient and would not be required to obtain the patient’s consent to use protected health information about the patient for the consultation. These covered providers are, however, permitted to obtain consent, as described below.

Second, covered health care providers that create or receive protected health information in the course of providing health care to inmates of a correctional institution are not required to obtain the inmate’s consent prior to using or disclosing protected health information about the inmate to carry out treatment, payment, and health care operations. See § 164.501 and the corresponding preamble discussion regarding the definitions of “correctional institution” and “inmate.” These providers may use and disclose protected health information as otherwise permitted under the rule. These providers are permitted, however, to obtain consent, as described below.

In addition, we permit covered health care providers to use and disclose protected health information, without consent, to carry out treatment, payment, and health care operations, if the protected health information was created or received in certain treatment situations. In the treatment situations described in § 164.506(a)(3) and immediately below, the covered health care provider must attempt to obtain the individual’s consent. If the covered provider is unable to obtain consent, but documents the attempt and the reason consent was not obtained, the covered provider may, without consent, use and disclose the protected health information resulting from the treatment as otherwise permitted under the rule. All other protected health information about that individual that the covered health care provider creates or receives, however, is subject to the consent requirements.

This exception to the consent requirement applies to protected health information created or received in any of three treatment situations. First, the exception applies to protected health information created or received in emergency treatment situations. In these situations, covered providers must attempt to obtain the consent as soon as reasonably practicable after the delivery of the emergency treatment. Second, the exception applies to protected health information created or received in situations where the covered health care provider is required by law to treat the individual (for example, certain publicly funded providers) and the covered health care provider attempts to obtain such consent. Third, the exception applies to protected health information created or received in treatment situations where there are substantial barriers to communicating with the individual and, in the exercise of professional judgment, the covered provider clearly infers from the circumstances the individual’s consent to receive treatment. For example, there may be situations in which a mentally incapacitated individual seeks treatment from a health care provider but is unable to provide informed consent to undergo such treatment and does not have a personal representative available to provide such consent on the individual’s behalf. If the covered provider, in her professional judgment, believes she can legally provide treatment to that individual, we also permit the provider to use and disclose protected health information resulting from the treatment without the individual’s consent. We intend covered health care providers that legally provide treatment without the individual’s consent to that treatment to be able to use and disclose protected health information resulting from that treatment to carry out treatment, payment, or health care operations without obtaining the individual’s consent for such use or disclosure. We do not intend to impose unreasonable barriers to individuals’ ability to receive, and health care providers’ ability to provide, health care.

Under § 164.506(a)(4), covered health care providers that have an indirect treatment relationship with an individual, as well as health plans and health care clearinghouses, may elect to seek consent for their own uses and disclosures to carry out treatment, payment, and health care operations. If such a covered entity seeks consent for these purposes, the consent must meet the minimum requirements described below.

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does not seek consent, the covered entity may use or disclose protected health information to carry out treatment, payment, and health care operations as otherwise permitted under the rule and consistent with its notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice).

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does ask an individual to sign a consent, and the individual does not do so, the covered entity is
prohibited under § 164.502(a)(1) from using or disclosing protected health information for the purpose(s) included in the consent. A covered entity that seeks a consent must adhere to the individual’s decision.

In § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information, unless the consent is a joint consent. See § 164.506(f) and the corresponding preamble discussion below regarding joint consents. A consent provides the individual’s permission only for the covered entity that obtains the consent to use or disclose protected health information for treatment, payment, and health care operations. A consent under this section does not operate to authorize another covered entity to use or disclose protected health information, except where the other covered entity is operating as a business associate. We note that, where a covered entity is acting as a business associate of another covered entity, the business associate covered entity is acting for or on behalf of the principal covered entity, and its actions for or on behalf of the principal covered entity are authorized by the consent obtained by the principal covered entity. Thus, under this section, a health plan can obtain a consent that permits the health plan and its business associates to use and disclose protected health information that the health plan and its business associates create or receive. That consent cannot, however, permit another covered entity (that is not a business associate) to disclose protected health information to the health plan or to any other person.

If a covered entity wants to obtain the individual’s permission for another covered entity to disclose protected health information to it for treatment, payment, or health care operations purposes, it must seek an authorization in accordance with § 164.508(e). For example, when a covered provider asks the individual for written permission to obtain the individual’s medical record from another provider for treatment purposes, it must do so with an authorization, not a consent. Since the permission is for disclosure of protected health information by another person, a consent may not be used.

Section 164.506(b)—Consent General Requirements

In the final rule, we permit a covered health care provider to condition the provision of treatment on the receipt of the individual’s consent for the covered provider to use and disclose protected health information to carry out treatment, payment, and health care operations. Covered providers may refuse to treat individuals who do not consent to uses and disclosures for these purposes. See § 164.506(b)(1). We note that there are exceptions to the consent requirements for covered health care providers that are required by law to treat individuals. See § 164.506(a)(3), described above.

Similarly, in the final rule, we permit health plans to condition an individual’s enrollment in the health plan on the receipt of the individual’s consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations, if the consent is sought in conjunction with the enrollment process. If the health plan seeks the individual’s consent outside of the enrollment process, the health plan may not condition any services on obtaining such consent.

Under § 164.506(b)(4), consents for uses and disclosures of protected health information to carry out treatment, payment, and health care operations may be combined in a single document covering all three types of activities and may be combined with other types of legal permission from the individual. For example, a consent to use or disclose protected health information under this rule may be combined with an informed consent to receive treatment, a consent to assign payment of benefits to a provider, or narrowly tailored consents required under state law for the use or disclosure of specific types of protected health information (e.g., state laws requiring specific consent for any sharing of information related to HIV/AIDS). Within a single consent document, the consent for use and disclosure of protected health information required or permitted under this rule must be visually and organizationally separate from the other consents or authorizations and must be separately signed by the individual and dated.

Where research includes treatment of the individual, a consent under this rule may be combined with the authorization for the use or disclosure of protected health information created for the research, in accordance with § 164.508(f). (This is the only case in which an authorization under § 164.508 of this rule may be combined with a consent under § 164.506 of this rule. See § 164.508(b)(3).) The covered entity that is creating protected health information for the research may elect to combine the consent required under this section with the research-related authorization required under § 164.508(f). For example, a covered health care provider that provides health care to an individual for research purposes and for non-research purposes must obtain a consent under this section for all of the protected health information it maintains. In addition, it must obtain an authorization in accordance with § 164.508(f) which describes how it will use and disclose the protected health information it creates for the research for purposes of treatment, payment, and health care operations. Section 164.506(b)(4) permits the covered entity to satisfy these two requirements with a single document. See § 164.508(f) and the corresponding preamble discussion for a more detailed description of research authorization requirements.

Under § 164.520, covered entities must produce a notice of privacy practices. A consent may not be combined in a single document with the notice of privacy practices. See § 164.506(b)(3).

Under § 164.506(b)(5), individuals may revoke a consent in writing at any time, except to the extent that the covered entity has taken action in reliance on the consent. Upon receipt of the written revocation, the covered entity must stop processing the information for use or disclosure, except to the extent that it has taken action in reliance on the consent. A covered health care provider may refuse, under this rule, to continue to treat an individual that revokes his or her consent. A health plan may disenroll an individual that revokes a consent that was sought in conjunction with the individual’s enrollment in the health plan.

Covered entities must document and retain any signed consent as required by § 164.530(j).

Section 164.506(c)—Consent Content Requirements

Under § 164.506(c), the consent must be written in plain language. See the preamble discussion regarding notice of privacy practices for a description of plain language requirements. We do not provide a model consent in this rule. We will provide further guidance on drafting consent documents prior to the compliance date.

Under § 164.506(c)(1), the consent must inform the individual that protected health information may be used and disclosed by the covered entity to carry out treatment, payment, or health care operations. The covered entity must determine which of these elements (use and/or disclosure; treatment, payment, and/or health care operations) to include in the consent
document, as appropriate for the covered entity’s practices.

For covered health care providers that are required to obtain consent, the requirement applies only to the extent the covered provider uses or discloses protected health information. For example, if all of a covered provider’s health care operations are conducted by members of the covered provider’s own workforce, the covered provider may choose to obtain consent only for uses, not disclosures, of protected health information to carry out health care operations. If an individual pays out of pocket for all services received from the covered provider and the provider will not disclose any information about the patient to a third party payor, the provider may choose not to obtain the individual’s consent to disclose information for payment purposes. In order for a covered provider to be able to use and disclose information for all three purposes, however, all three purposes must be included in the consent.

Under §§ 164.506(c)(2) and (3), the consent must refer the individual to the covered entity’s notice for additional information about the uses and disclosures of information described in the consent. The consent must also indicate that the individual has the right to review the notice prior to signing the consent. If the covered entity has reserved the right to change its privacy practices in accordance with § 164.520(b)(1)(v)(C), the consent must

administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require any verification of the individual’s identity or authentication of the individual’s signature. We expect covered health care providers that are required to obtain consent to employ the same level of scrutiny to these signatures as they do to the signature obtained on a document regarding the individual’s consent to undergo treatment by the provider.

Section 164.506(d)—Defective Consents

Under § 164.506(d), there is no “consent” within the meaning of the rule if the completed document lacks a required element or if the individual has revoked the consent in accordance with § 164.506(b)(5).

Section 164.506(e)—Resolving Conflicting Consents and Authorizations

Situations may arise where a covered entity that has obtained the individual’s consent for the covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations is asked to disclose protected health information pursuant to another written legal permission from the individual, such as an authorization, that was obtained by another person. Under § 164.506(e), when the terms of a covered entity’s consent conflict with the terms of another written legal

by the nursing home grants permission for the physician to disclose particular types of information, such as genetic information, but the consent obtained by the physician excludes such information or the physician has agreed to a restriction on that type of information, the physician may not disclose that information. The physician must adhere to the more restrictive written legal permission from the individual.

When a conflict between a consent and another written legal permission from the individual exists, as described above, the covered entity may attempt to resolve the conflict with the individual by either obtaining a new consent from the individual or by having a discussion or otherwise communicating with the individual to determine the individual’s preference regarding the use or disclosure. If the individual’s preference is communicated orally, the covered entity must document the individual’s preference and act in accordance with that preference. In the example described above, the primary care physician could ask the patient to sign a new consent that would permit the disclosure of the genetic information. Alternatively, the physician could ask the patient whether the patient intended for the genetic information to be disclosed to the nursing home. If the patient confirms that he or she intended for the genetic information to be shared, the physician can document that fact (e.g., by making a notation in the
indicate that the terms of the notice may permission from the individual to use or medical record) and disclose the
change and must describe how the disclose protected health information information to the nursing home.
individual may obtain a revised notice. (such as a consent obtained under state We believe covered entities will rarely
See § 164.520 and the corresponding law by another covered entity or an be faced with conflicts between
preamble discussion regarding notice authorization), the covered entity must consents and other written legal
requirements. adhere to the more restrictive document. permission from the individual for uses
Under § 164.506(c)(4), the consent By conflict, we mean that the consent and disclosures to carry out treatment,
must inform individuals that they have and authorization contain payment, and health care operations.
the right to request restrictions on uses inconsistencies. In implementing this Under § 164.506(a)(5), we specify that a
and disclosures of protected health section, we note that the consent under consent only permits the covered entity
information for treatment, payment, and this section references the notice that obtains the consent to use or
health care operations purposes. It must provided to the individual and the disclose protected health information. A
also state that the covered entity is not individual’s right to request restrictions. consent obtained by one covered entity
required to agree to an individual’s In determining whether the covered is not effective to permit another
request, but that if the covered entity entity’s consent conflicts with another different covered entity to use or
does agree to the request, the restriction written legal permission provided by disclose protected health information.
is binding on the covered entity. See the individual, the covered entity must Conflicting consents obtained by
§ 164.522(a) regarding the right to consider any limitations on its uses or covered entities, therefore, are not
request restrictions. disclosures resulting from the notice possible. We expect authorizations that
Under § 164.506(c)(5), the consent provided to the individual or from permit another covered entity to use and
must indicate that the individual has restrictions to which it has agreed. For disclose protected health information
the right to revoke the consent in example, a covered nursing home may for treatment, payment, and health care
writing, except to the extent that the elect to ask the patient to sign an operations purposes will rarely be
covered entity has taken action in authorization for the patient’s covered necessary, because we expect covered
reliance on the consent. primary care physician to forward the entities that maintain protected health
Under § 164.506(c)(6), the consent patient’s medical records to the nursing information to obtain consents that
must include the individual’s signature home. The physician may have permit them to make anticipated uses
and the date of signature. Once we previously obtained the individual’s and disclosures for these purposes.
adopt the standards for electronic consent for disclosure for treatment Nevertheless, covered entities are
signature, another of the required purposes. If the authorization obtained permitted under § 164.508(e) to obtain

authorization for another covered entity to use or disclose protected health information to carry out treatment, payment, and health care operations. We recognize these authorizations may be useful to demonstrate an individual’s intent and relationship to the intended recipient of the information. For example, these authorizations may be useful in situations where a health plan wants to obtain information from one provider in order to determine payment of a claim for services provided by a different provider (e.g., information from a primary care physician that is necessary to determine payment of services provided by a specialist) or where an individual’s new physician wants to obtain the individual’s medical records from prior physicians. Other persons not covered by this rule may also seek authorizations and state law may require written permission for specific types of information, such as information related to HIV/AIDS or to mental health. Because an individual may sign conflicting documents over time, we clarify that the covered entity maintaining the protected health information to be used or disclosed must adhere to the more restrictive permission the individual has granted, unless the covered entity resolves the conflict with the individual.

Section 164.506(f)—Joint Consents

Covered entities that participate in an organized health care arrangement and that develop a joint notice under § 164.520(d) may develop a joint consent in which the individual consents to the uses and disclosures of protected health information by each of the covered entities in the arrangement to carry out treatment, payment, and/or health care operations. The joint consent must identify with reasonable specificity the covered entities, or class of covered entities, to which the joint consent applies and must otherwise meet the consent requirements. If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

If any one of the covered entities included in the joint consent obtains the individual’s consent, as required above, the consent requirement is met for all of the other covered entities to which the consent applies. For example, a covered hospital and the clinical laboratory and emergency departments with which it participates in an organized health care arrangement may produce a joint notice and obtain a joint consent. If the covered hospital obtains the individual’s joint consent upon admission, and some time later the individual is readmitted through the associated emergency department, the emergency department’s consent requirement will already have been met. These joint consents are the only type of consent by which one covered entity can obtain the individual’s permission for another covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations.

Effect of Consent

These consents, as well as the authorizations described in § 164.508, should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local law or procedure. Consents obtained under this regulation are not appropriate for the disposition of more technical and legal proceedings and may not comport with procedures and standards of federal, state, or local judicial practice. For example, state courts and other decision-making bodies may choose to examine more closely the circumstances and propriety of such consent and may adopt more protective standards for application in their proceedings. In the judicial setting, as in the legislative and executive settings, states may provide for greater protection of privacy. Additionally, both the Congress and the Secretary have established a general approach to protecting from explicit preemption state laws that are more protective of privacy than the protections set forth in this regulation.

Section 164.508—Uses and Disclosures for Which an Authorization Is Required

Section 164.508(a)—Standard

We proposed to require covered entities to obtain the individual’s authorization for all uses and disclosures of protected health information not otherwise permitted or required under the proposed rule. Uses and disclosures that would have been permitted without individual authorization included uses and disclosures for national priority purposes such as public health, law enforcement, and research (see proposed § 164.510) and uses and disclosures of protected health information, other than psychotherapy notes and research information unrelated to treatment, for purposes of treatment, payment, and health care operations (see proposed § 164.506). We also proposed to require covered entities to disclose protected health information to the individual for inspection and copying (see proposed § 164.514) and to the Secretary as required for enforcement of the rule (see proposed § 164.522). Individual authorization would not have been required for these uses and disclosures.

We proposed to require covered entities to obtain the individual’s authorization for all other uses and disclosures of protected health information. Under proposed § 164.508(a), uses and disclosures that would have required individual authorization included, but were not limited to, the following:
• Use for marketing of health and non-health items and services by the covered entity;
• Disclosure by sale, rental, or barter;
• Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;
• Disclosure, prior to an individual’s enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;
• Disclosure to an employer for use in employment determinations; and
• Use or disclosure for fundraising.

In the preamble to the proposed rule, we stated that covered entities would be bound by the terms of authorizations. Uses or disclosures by the covered entity for purposes inconsistent with the statements made in the authorization would have constituted a violation of the rule.

In the final rule, under § 164.508(a), as in the proposed rule, covered entities must have authorization from individuals before using or disclosing protected health information for any purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes (see below), covered entities are not required to obtain the individual’s authorization to use or disclose protected health information to carry out treatment, payment, and health care operations. (Covered entities may, however, be required to obtain the individual’s consent for these uses and disclosures. See the preamble regarding § 164.506 for a discussion of "consent" versus "authorization".) We also do not require covered entities to obtain the individual’s authorization for uses and disclosures of protected health information permitted under §§ 164.510 or 164.512, for disclosures to the individual, or for required disclosures to the Secretary under subpart C of part 160 of this subchapter for enforcement of this rule.

In the final rule, we clarify that covered entities are bound by the

statements provided on the authorization; use or disclosure by the covered entity for purposes inconsistent with the statements made in the authorization constitutes a violation of this rule.

Unlike the proposed rule, we do not include in the regulation examples of the types of uses and disclosures that require individual authorization. We eliminated two examples from the proposed list due to potential confusion as to our intent: disclosure by sale, rental, or barter and use and disclosure to non-health related divisions of the covered entity. We recognize that covered entities sometimes make these types of uses and disclosures for purposes that are permitted under the rule without authorization. For example, a covered health care provider may sell its accounts receivable to a collection agency for payment purposes and a health plan may disclose protected health information to its life insurance component for payment purposes. We do not intend to require authorization for uses and disclosures made by sale, rental, or barter or for disclosures made to non-health related divisions of the covered entity, if those uses or disclosures could otherwise be made without authorization under this rule. As with any other use or disclosure, however, uses and disclosures of protected health information for these purposes do require authorization if they are not otherwise permitted under the rule.

We also eliminated the remaining proposed examples from the final rule due to concern that these examples might be misinterpreted as an exhaustive list of all of the uses and disclosures that require individual authorization. We discuss the examples here, however, to clarify the interaction of the authorization requirements and the provisions of the rule that permit uses and disclosures without authorization and/or with consent. Uses and disclosures for which covered entities must have the individual’s authorization include, but are not limited to, the following activities.

Marketing

As in the proposed rule, covered entities must obtain the individual’s authorization before using or disclosing protected health information for marketing purposes. In the final rule, we add a new definition of marketing (see § 164.501). For more detail on what activities constitute marketing, see § 164.501, definition of "marketing," and § 164.514(e).

Pre-Enrollment Underwriting

As in the proposed rule, covered entities must obtain the individual’s authorization to use or disclose protected health information for the purpose of making eligibility or enrollment determinations relating to an individual or for underwriting or risk rating determinations, prior to the individual’s enrollment in a health plan (that is, for purposes of pre-enrollment underwriting). For example, if an individual applies for new coverage with a health plan in the non-group market and the health plan wants to review protected health information from the individual’s covered health care providers before extending an offer of coverage, the individual first must authorize the covered providers to share the information with the health plan. If the individual applies for renewal of existing coverage, however, the health plan would not need to obtain an authorization to review its existing claims records about that individual, because this activity would come within the definition of health care operations and be permissible. We also note that under § 164.504(f), a group health plan and a health insurance issuer that provides benefits with respect to a group health plan are permitted in certain circumstances to disclose summary health information to the plan sponsor for the purpose of obtaining premium bids. Because these disclosures fall within the definition of health care operations, they do not require authorization.

Employment Determinations

As in the proposed rule, covered entities must obtain the individual’s authorization to use or disclose protected health information for employment determinations. For example, a covered health care provider must obtain the individual’s authorization to disclose the results of a pre-employment physical to the individual’s employer. The final rule provides that a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the information to the third party.

Fundraising

Under the proposed regulation, we would have required authorization before a covered entity could have used or disclosed protected health information for fundraising. In the final rule, we narrow the circumstances under which covered entities must obtain the individual’s authorization to use or disclose protected health information for fundraising purposes. As provided in § 164.514(f) and described in detail in the corresponding preamble, authorization is not required when a covered entity uses or discloses demographic information and information about the dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity.

Any use or disclosure for fundraising purposes that does not meet the requirements of § 164.514(f) and does not fall within the definition of health care operations (see § 164.501), requires authorization. Specifically, covered entities must obtain the individual’s authorization to use or disclose protected health information to raise funds for any entity other than the covered entity. For example, a covered entity must have the individual’s authorization to use protected health information about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

In the NPRM, we proposed different rules with respect to psychotherapy notes than we proposed with respect to all other protected health information. The proposed rule would have required covered entities to obtain an authorization for any use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations, unless the use was by the person who created the psychotherapy notes. With respect to all other protected health information, we proposed to prohibit covered entities from requiring authorization for uses and disclosures for these purposes.

We significantly revise our approach to psychotherapy notes in the final rule. With a few exceptions, covered entities must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations. A covered entity must obtain the individual’s consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to

practice or improve their skills in group, joint, family, or individual counseling. A covered entity may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to a consent, without a specific authorization. We note that, while this provision allows disclosure of these records to the covered entity’s attorney to defend against the action or proceeding, disclosure to others in the course of a judicial or administrative proceeding is governed by § 164.512(e). This special provision is necessary because disclosure of protected health information for purposes of legal representatives may be made under the general consent as part of "health care operations." Because we require an authorization for disclosure of psychotherapy notes for "health care operations," an exception is needed to allow covered entities to use protected health information about an individual to defend themselves against an action threatened or brought by that individual without asking that individual for authorization to do so. Otherwise, a consent under § 164.506 is not sufficient for the use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations. Authorization is required. We anticipate these authorizations will rarely be necessary, since psychotherapy notes do not include information that covered entities typically need for treatment, payment, or other types of health care operations.

In the NPRM, we proposed to permit covered entities to use and disclose psychotherapy notes for all other purposes permitted or required under the rule without authorization. In the final rule, we specify a more limited set of uses and disclosures of psychotherapy notes that covered entities are permitted to make without authorization. An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes, in accordance with subpart C of part 160 of this subchapter; when mandated by law, in accordance with § 164.512(a); when needed for oversight of the health care provider who created the psychotherapy notes, in accordance with § 164.512(d); when needed by a coroner or medical examiner, in accordance with § 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with § 164.512(j)(1)(i). We also provide transition provisions in § 164.532 regarding the effect of express legal permission obtained from an individual prior to the compliance date of this rule.

Section 164.508(b)—Implementation Specifications for Authorizations

Valid and Defective Authorizations

We proposed to require a minimum set of elements for authorizations requested by the individual and an additional set of elements for authorizations requested by a covered entity. We would have permitted covered entities to use and disclose protected health information pursuant to authorizations containing the applicable required elements. We would have prohibited covered entities from acting on an authorization if the submitted document had any of the following defects:
• The expiration date had passed;
• The form had not been filled out completely;
• The covered entity knew the authorization had been revoked;
• The completed form lacked a required element; or
• The covered entity knew the information on the form was false.

In § 164.508(b)(1) of the final rule, we specify that an authorization containing the applicable required elements (as described below) is a valid authorization. We clarify that a valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. Covered entities are not required to use or disclose protected health information pursuant to a valid authorization. Our intent is to clarify that a covered entity that uses or discloses protected health information pursuant to an authorization meeting the applicable requirements will be in compliance with this rule.

We retain the provision prohibiting covered entities from acting on an authorization if the submitted document had any of the listed defects, with a few changes. First, in § 164.508(c)(1)(iv) we specify that an authorization may expire upon a certain event or on a specific date. For example, a valid authorization may state that it expires upon acceptance or rejection of an application for insurance or upon the termination of employment (for example, in an authorization for disclosure of protected health information for fitness-for-duty purposes) or similar event. The expiration event must, however, be related to the individual or the purpose of the use or disclosure. An authorization that purported to expire on the date when the stock market reached a specified level would not be valid. Under § 164.508(b)(2)(i), if the expiration event is known by the covered entity to have occurred, the authorization is defective. Second, we clarify that certain compound authorizations, as described below, are defective. We also clarify that authorizations that are not completely filled out with respect to the required elements are defective. Finally, we clarify that an authorization with information that the covered entity knows to be false is defective only if the information is material.

As under the proposed regulation, an authorization that the covered entity knows has been revoked is not a valid authorization. We note that, although an authorization must be revoked in writing, the covered entity may not always "know" that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the "knowledge" required for a covered entity to consider an authorization defective. Conversely, a copy of the written revocation is not required before a provider "knows" that an authorization has been revoked.

Many authorizations will be obtained by persons other than the covered entity. If the individual revokes an authorization by writing to that other person, and neither the individual nor the other person informs the covered entity of the revocation, the covered entity will not "know" that the authorization has been revoked. For example, a government agency may obtain an individual’s authorization for "all providers who have seen the individual in the past year" to disclose protected health information to the agency for purposes of determining eligibility for benefits. The individual may revoke the authorization by writing to the government agency requesting such revocation. We cannot require the agency to inform all covered entities to whom it has presented the authorization that the authorization has been revoked. If a covered entity does not know of the revocation, the covered entity will not violate this rule by acting pursuant to the authorization. At the same time, if the individual does inform the covered entity of the revocation, even orally, the covered entity "knows" that the authorization has been revoked and can no longer treat the authorization as valid under this rule. Thus, in this example, if the individual tells a covered entity that the individual has revoked the authorization, the covered entity "knows" of the revocation and must consider the authorization defective under § 164.508(b)(2).

Compound Authorizations

Except for authorizations requested in connection with a clinical trial, we proposed to prohibit covered entities from combining an authorization for use or disclosure of protected health information for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits).

We clarify the prohibition on compound authorizations in the final rule. Other than as described below, § 164.508(b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual. For example, an authorization under this rule may not be combined with a consent for use or disclosure of protected health information under § 164.506, with the notice of privacy practices under § 164.520, with any other form of written legal permission for the use or disclosure of protected health information, with an informed consent to participate in research, or with any other form of consent or authorization for treatment or payment.

There are three exceptions to this prohibition. First, under § 164.508(f) (described in more detail, below), an authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined with a consent for the use or disclosure of that protected health information to carry out treatment, payment, or health care operations under § 164.506 and with other documents as provided in § 164.508(f). Second, authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other protected health information. Third, authorizations for the use or disclosure of protected health

authorization for the disclosure of information created for clinical research combined with a consent for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations, and the informed consent to participate in the clinical research; an authorization for disclosure of psychotherapy notes for both treatment and research purposes; and an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes. Examples of invalid compound authorizations include: an authorization for the disclosure of protected health information for treatment, for research, and for determining payment of a claim for benefits, when the covered entity will refuse to pay the claim if the individual does not sign the authorization; or an authorization for the disclosure of psychotherapy notes combined with an authorization to disclose any other protected health information.

Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

We proposed to prohibit covered entities from conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, we proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.

We retain this basic approach but refine its application in the final rule. In addition to the general prohibition on conditioning treatment and payment, covered entities are also prohibited (with certain exceptions described below) from conditioning eligibility for benefits or enrollment in a health plan on obtaining an authorization. This prohibition extends to all

We clarify the proposed research exception to this prohibition. Covered entities seeking authorization in accordance with § 164.508(f) to use or disclose protected health information created for the purpose of research that includes treatment of the individual, including clinical trials, may condition the research-related treatment on the individual’s authorization. Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition research-related treatment on the individual’s willingness to authorize the use or disclosure of his or her protected health information for research associated with the trial.

In addition, we permit health plans to condition eligibility for benefits and enrollment in the health plan on the individual’s authorization for the use or disclosure of protected health information for purposes of eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations. We also permit health plans to condition payment of a claim for specified benefits on the individual’s authorization for the disclosure of information maintained by another covered entity to the health plan, if the disclosure is necessary to determine payment of the claim. These exceptions do not apply, however, to authorization for the use or disclosure of psychotherapy notes. Health plans may not condition payment, eligibility, or enrollment on the receipt of an authorization for the use or disclosure of psychotherapy notes, even if the health plan intends to use the information for underwriting or payment purposes.

Finally, when a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose protected health information related to that treatment. For example, a covered health care provider may have a contract with an employer to provide
information other than psychotherapy authorizations, not just authorizations fitness-for-duty exams to the employer’s
notes may be combined, provided that for use or disclosure of psychotherapy employees. The provider may refuse to
the covered entity has not conditioned notes. This prohibition is intended to conduct the exam if an individual
the provision of treatment, payment, prevent covered entities from coercing refuses to authorize the provider to
enrollment, or eligibility on obtaining individuals into signing an disclose the results of the exam to the
the authorization. If a covered entity authorization for a use or disclosure that employer. Similarly, a covered health
conditions any of these services on is not necessary to carry out the primary care provider may have a contract with
obtaining an authorization from the services that the covered entity provides a life insurer to provide pre-enrollment
individual, as permitted in to the individual. For example, a health physicals to applicants for life insurance
§ 164.508(b)(4) and described below, the care provider could not refuse to treat coverage. The provider may refuse to
covered entity must not combine the an individual because the individual conduct the physical if an individual
authorization with any other document. refused to authorize a disclosure to a refuses to authorize the provider to
The following are examples of valid pharmaceutical manufacturer for the disclose the results of the physical to
compound authorizations: an purpose of marketing a new product. the life insurer.
Revocation of Authorizations

We proposed to allow individuals to revoke an authorization at any time, except to the extent that the covered entity had taken action in reliance on the authorization.

We retain this provision, but specify that the individual must revoke the authorization in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization. (See above for discussion of how written revocation of an authorization and knowledge of that revocation may differ.)

We also include an additional exception. Under § 164.508(b)(5), individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. We intend this exception to permit insurers to obtain necessary protected health information during contestability periods under state law. For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual’s policy is still subject to the contestability period.

Documentation

In the final rule, we clarify that a covered entity must document and retain any signed authorization as required by § 164.530(j) (see below).

Section 164.508(c)—Core Elements and Requirements

We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual’s signature and date of signature; if signed by a representative, a description of the representative’s authority or relationship to the individual; a statement regarding the individual’s right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.

We modify the proposed approach by eliminating the distinction between authorizations requested by individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.

The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual’s attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual’s behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual’s behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.

First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of “laboratory results from July 1998” or “all laboratory results” or “results of MRI performed in July 1998.” The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.

There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify “all health information” or the equivalent.

In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual’s authorization.

Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for “all physicians” to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.

Third, the authorization must include the name or other specific identification of the person(s) or class of persons to
whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.

Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual’s enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners’ Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months. In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.

Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.

Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.

Seventh, the authorization must include the individual’s signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual’s identity or authentication of the individual’s signature.

Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.

As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (§ 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.

Section 164.508(d)—Authorizations Requested by a Covered Entity for Its Own Uses and Disclosures

We proposed to require covered entities to include additional elements in authorizations initiated by the covered entity. Before a covered entity could use or disclose protected health information of an individual pursuant to a request the covered entity made, we proposed to require the entity to obtain an authorization containing the minimum elements described above and the following additional elements: except for authorizations requested for clinical trials, a statement that the entity will not condition treatment or payment on the individual’s authorization; a description of the purpose of the requested use or disclosure; a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and, if the use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result. We additionally proposed to require covered entities, when requesting an individual’s authorization, to request only the minimum amount of information necessary to accomplish the purpose for which the request was made. We also proposed to require covered entities to provide the individual with a copy of the executed authorization.

We retain the proposed approach, but apply these additional requirements when the covered entity requests the individual’s authorization for the entity’s own use or disclosure of protected health information maintained by the covered entity itself. For example, a health plan may ask individuals to authorize the plan to disclose protected health information to a subsidiary to market life insurance to the individual. A pharmaceutical company may also ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity. When covered entities initiate the authorization by asking individuals to authorize the entity to use or disclose protected health information that the entity maintains, the authorization must include all of the elements required above as well as several additional elements.

Authorizations requested by covered entities for the covered entity’s own use or disclosure of protected health information must state, as applicable under § 164.508(b)(4), that the covered entity will not condition treatment, payment, enrollment, or eligibility on the individual’s authorization for the use or disclosure. For example, if a health plan asks an individual to sign an authorization for the health plan to disclose protected health information to a non-profit advocacy group for the advocacy group’s fundraising purposes, the authorization must contain a statement that the health plan will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual providing the authorization.

Authorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes. Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.
Authorizations requested by covered entities for their own uses and disclosures must also advise individuals of certain rights available to them under this rule. The authorization must state that the individual may inspect or copy the information to be used or disclosed as provided in § 164.524 regarding access for inspection and copying and that the individual may refuse to sign the authorization.

We alter the proposed requirements with respect to authorizations for which the covered entity will receive financial gain. When the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration from a third party (rather than financial gain, as proposed) in exchange for using or disclosing the protected health information, the authorization must include a statement that such remuneration will result. For example, a health plan may wish to sell or rent its enrollee mailing list or a pharmaceutical company may offer a covered provider a discount on its products if the provider obtains authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. In each case, the covered entity must obtain the individual’s authorization, and the authorization must include a statement that the covered entity will receive remuneration.

In § 164.508(d)(2), we continue to require a covered entity that requests an authorization for its own use or disclosure of protected health information to provide the individual with a copy of the signed authorization. While we eliminate from this section the provision requiring covered entities to obtain authorization for use or disclosure of the minimum necessary protected health information, § 164.514(d)(4) requires covered entities to request only the minimum necessary protected health information to accomplish the purpose for which the request is made. This requirement applies to these authorizations, as well as other requests.

Section 164.508(e)—Authorizations Requested by a Covered Entity for Disclosures by Others

In the proposed rule, we would have prohibited all covered entities from requiring the individual’s written legal permission (as proposed, an “authorization”) for the use or disclosure of protected health information to carry out treatment, payment, or health care operations. We generally eliminate this prohibition in the final rule, except to specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. See § 164.506(a)(5) and the corresponding preamble discussion.

In the final rule, if a covered entity seeks the individual’s written legal permission to obtain protected health information about the individual from another covered entity for any purpose, it must obtain the individual’s authorization for the covered entity that maintains the protected health information to make the disclosure. If the authorization is for the purpose of obtaining protected health information for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements required by § 164.508(c) and described above.

If the authorization, however, is for the purpose of obtaining protected health information to carry out treatment, payment, or health care operations, the authorization must meet the requirements of § 164.508(e). We expect such authorizations will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. An authorization obtained by another covered entity that authorizes the covered entity maintaining the protected health information to make a disclosure for the same purpose, therefore, would be unnecessary.

We recognize, however, that these authorizations may be useful to demonstrate an individual’s intent and relationship to the intended recipient of the information when the intent or relationship is not already clear. For example, a long term care insurer may need information from an individual’s health care providers about the individual’s ability to perform activities of daily living in order to determine payment of a long term care claim. The providers that hold the information may not be providing the long term care and may not, therefore, be aware of the individual’s coverage under the policy or that the individual is receiving long term care services. An authorization obtained by the long term care insurer will help to demonstrate these facts to the providers holding the information, which will make them more confident that the individual intends for the information to be shared. Similarly, an insurer with subrogation obligations may need health information from the enrollee’s providers to assess or prosecute the claim. A patient’s new physician may also need medical records from the patient’s prior providers in order to treat the patient. Without an authorization that demonstrates the patient’s intent for the information to be shared, the covered entity that maintains the protected health information may be reluctant to provide the information, even if that covered entity’s consent permits such disclosure to occur.

These authorizations may also be useful to accomplish clinical coordination and integration among covered entities that do not meet the definitions of affiliated covered entities or organized health care arrangements. For example, safety-net providers that participate in the Community Access Program (CAP) may not qualify as organized health care arrangements but may want to share protected health information with each other in order to develop and expand integrated systems of care for uninsured people. An authorization under this section would permit such providers to receive protected health information from other CAP participants to engage in such activities.

Because of such concerns, we permit a covered entity to request the individual’s authorization to obtain protected health information from another covered entity to carry out treatment, payment, and health care operations. In these situations, the authorization must contain the core elements described above and must also describe each purpose of the requested disclosure.

With one exception, the authorization must also indicate that the authorization is voluntary. It must state that the individual may refuse to sign the authorization and that the covered entity requesting the authorization will not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on obtaining the individual’s authorization. If the authorization is for a disclosure of information that is necessary to determine payment of a claim for specified benefits, however, the health plan requesting the authorization may condition the payment of the claim on obtaining the authorization from the individual. See § 164.508(b)(4)(iii). In this case, the authorization does not have to state that the health plan will not condition payment on obtaining the authorization.

The covered entity requesting the authorization must provide the individual with a copy of the signed authorization. We note that the covered entity requesting the authorization is also subject to the requirements in
§ 164.514 to request only the minimum necessary information needed for the purpose of the authorization.

We additionally note that, when the covered entity that maintains the protected health information has already obtained a consent for disclosure of protected health information to carry out treatment, payment, and/or health care operations under § 164.506, and that consent conflicts with an authorization obtained by another covered entity under § 164.508(e), the covered entity maintaining the protected health information is bound by the more restrictive document. See § 164.506(e) and the corresponding preamble discussion for further explanation.

Section 164.508(f)—Authorizations for Uses and Disclosures of Protected Health Information Created for Research that Includes Treatment of Individuals

In the proposed rule, we would have required individual authorization for any use or disclosure of research information unrelated to treatment. In the final rule, we eliminate the special rules for this category of information and, instead, require covered entities to obtain an authorization for the use or disclosure of protected health information the covered entity creates for the purpose of research that includes treatment of individuals, except as otherwise permitted by § 164.512(i).

The intent of this provision is to permit covered entities that conduct research involving treatment to bind themselves to a more limited scope of uses and disclosures of research information than they would otherwise be permitted to make with non-research information. Rather than creating a single definition of “research information,” we allow covered entities the flexibility to define that subset of protected health information they create during clinical research that is not necessary for treatment, payment, or health care operations and that the covered entity will use or disclose under more limited circumstances than it uses or discloses other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals’ privacy concerns on their willingness to participate in research.

Covered entities seeking authorization to use or disclose protected health information they create for the purpose of research that includes treatment of [...] required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual’s health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity’s general consent and notice of privacy practices. To the extent the covered entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the covered entity’s consent and notice, the covered entity is bound by the statements made in the research-related authorization. In these circumstances, the authorization must indicate that the authorization, not the general consent and notice, controls.

If the covered entity’s primary interaction with the individual is through the research, the covered entity may combine the general consent for treatment, payment, and health care operations required under § 164.506 with this research authorization and need not obtain an additional consent under § 164.506. If the entity has already obtained, or intends to obtain, a separate consent as required under § 164.506, the research authorization must refer to that consent and state that the practices described in the research-related authorization are binding on the covered entity as to the information covered by the research-related authorization. The research-related authorization may also be combined in the same document as the informed consent for participation in the research. This is an exception to the general rule in § 164.508(b)(3) that an authorization under this section may not be combined with any other document (see above).

The covered entity must also include in the authorization a description of the extent to which it will not use or disclose the protected health information it obtains in connection with the research protocol for purposes that are permitted without individual authorization under this rule (under §§ 164.510 and 164.512). To the extent that the entity limits itself to a subset of [...] the statements made in the research authorization. In these circumstances, the authorization must indicate that the authorization, not the notice, controls. The covered entity may not, however, purport to preclude itself from making uses or disclosures that are required by law or that are necessary to avert a serious and imminent threat to health or safety.

In some instances, the covered entity may wish to make a use or disclosure of the research information that it did not include in its general consent or notice or for which authorization is required under this rule. To the extent the entity includes uses or disclosures in the research authorization that are otherwise not permissible under the rule and the entity’s consent and notice of information practices, the entity must include all of the elements required by §§ 164.508(c) and (d) in the research-related authorization. The covered entity is bound by these statements.

Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. We note that under § 164.508(b)(3)(iii), the covered entity may combine the research-related authorization required under § 164.508(f) with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that the covered entity does not condition the provision of treatment on the individual signing the authorization. For example, a covered health care provider that had a treatment relationship with an individual prior to the individual’s enrollment in a clinical trial, but that is now providing research-related treatment to the individual, may elect to request a compound authorization from the individual: an authorization under § 164.508(d) for the provider to use the protected health information it created prior to the initiation of the research that involves treatment, combined with an authorization under § 164.508(f) regarding use and disclosure of protected health information the covered provider will create for the purpose of the clinical trial. This compound authorization would be valid, provided the covered provider did not condition the research-related treatment on obtaining the authorization required under § 164.508(f), as permitted in § 164.508(b)(4)(i). However, we anticipate that covered entities will almost always, if not always, condition the provision of
individuals, including clinical trials, uses or disclosures that are otherwise research-related treatment on the
must include in the authorization (in permissible under the rule and the individual signing the authorization
addition to the applicable elements entity’s notice, the entity is bound by under § 164.508(f) for the covered

entity’s use or disclosure of protected health information created for the research. Therefore, we expect that the vast majority of covered providers who wish to use or disclose protected health information about an individual that will be created for research that includes treatment and wish to use existing protected health information about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual (as required under § 164.508(f)), and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual (as required under § 164.508(d)).

Effect of Authorization

As noted in the discussion about consents in the preamble to § 164.506, authorizations under this rule should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Introduction

Section 164.510 of the NPRM proposed the uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, or health care operations and for which an individual authorization would not have been required. These allowable uses and disclosures were designed to permit and promote key national health care priorities, and to promote the smooth operation of the health care system. In each of these areas, the proposal permitted, but would not have required, covered entities to use or disclose protected health information.

We proposed to require covered entities to obtain the individual’s oral agreement before making a disclosure to a health care facility’s directory or to the individual’s next-of-kin or to another person involved in the individual’s health care. Because there is an expectation in these two areas that individuals will have some input into a covered entity’s decision to use or disclose protected health information, we decided to place disclosures to health facility directories and to persons involved in an individual’s care in a separate section. In the final rule, requirements regarding disclosure of protected health information for facility directories and to others involved in an individual’s care are included in § 164.510(a) and § 164.510(b), respectively. In the final rule, we include in § 164.510(b) provisions to address a type of disclosure not addressed in the NPRM: disclosures to entities providing relief and assistance in disasters such as floods, fires, and terrorist attacks. Requirements for most of the remaining categories of disclosures addressed in proposed § 164.510 of the NPRM are included in a new § 164.512 of the final rule, as discussed below.

Section 164.510 of the final rule addresses situations in which the interaction between the covered entity and the individual is relatively informal and agreements are made orally, without written authorizations for use or disclosure. In general, under the final rule, to disclose or use protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In exceptional circumstances, where even this informal discussion cannot practicably take place, covered entities are permitted to make decisions regarding disclosure or use based on the exercise of professional judgment of what is in the individual’s best interest.

Section 164.510(a)—Use and Disclosure for Facility Directories

The NPRM proposed to allow covered health care providers to disclose through an inpatient facility’s directory a patient’s name, location in the facility, and general health condition, provided that the individual had agreed to the disclosure. The NPRM would have allowed this agreement to be oral.

Pursuant to the NPRM, when making decisions about incapacitated individuals, a covered health care provider could have disclosed such information at the entity’s discretion and consistent with good medical practice and any prior expressions of patient preference of which the covered entity was aware.

The preamble to the NPRM listed several factors that we encouraged covered entities to take into account when making decisions about whether to include an incapacitated patient’s information in the directory. These factors included: (1) Whether disclosing that an individual is in the facility could reasonably cause harm or danger to the individual (e.g., if it appeared that an unconscious patient had been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse); (2) whether disclosing a patient’s location within a facility implicitly would give information about the patient’s condition (e.g., whether a patient’s room number revealed that he or she was in a psychiatric ward); (3) whether it was necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and (4) whether an individual had, prior to becoming incapacitated, expressed a preference not to be included in the directory. The preamble stated that if a covered entity learned of such a preference, it would be required to act in accordance with the preference.

The preamble to the NPRM said that when individuals entered a facility in an incapacitated state and subsequently gained the ability to make their own decisions, health facilities should ask them within a reasonable time period for permission to include their information in the facility’s directory.

In the final rule, we change the NPRM’s opt-in authorization requirement to an opt-out approach for inclusion of patient information in a health care facility’s directory. The final rule allows covered health care providers—which in this case are health care facilities—to include patient information in their directory only if: (1) They inform incoming patients of their policies regarding the directory; (2) they give patients a meaningful opportunity to opt out of the directory listing or to restrict some or all of the uses and disclosures that can be included in the directory; and (3) the patient does not object to being included in the directory. A patient must be allowed, for example, to have his or her name and condition included in the directory while not having his or her religious affiliation included. The facility’s notice and the individual’s opt-out or restriction may be oral.

Under the final rule, subject to the individual’s right to object, or known prior expressed preferences, a covered health care provider may disclose the following information to persons who inquire about the individual by name: (1) The individual’s general condition in terms that do not communicate specific medical information about the individual (e.g., fair, critical, stable, etc.); and (2) location in the facility.

This approach represents a slight change to the NPRM, which did not require members of the general public to ask for a patient by name in order to obtain directory information and which,
in fact, would have allowed covered entities to disclose the individual’s name as part of directory information.

Under the final rule, we also establish provisions for disclosure of directory information to clergy that are slightly different from those which apply for disclosure to the general public. Subject to the individual’s right to object or restrict the disclosure, the final rule permits a covered entity to disclose to a member of the clergy: (1) The individual’s name; (2) the individual’s general condition in terms that do not communicate specific medical information about the individual; (3) the individual’s location in the facility; and (4) the individual’s religious affiliation. A disclosure of directory information may be made to members of the clergy even if they do not inquire about an individual by name. We note that the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories.

We believe that allowing clergy to access patient information pursuant to this section does not violate the Establishment Clause of the First Amendment, which prohibits laws “respecting an establishment of religion.” Courts traditionally turn to the Lemon test when evaluating laws that might raise Establishment Clause concerns. A law does not violate the Clause if it has a secular purpose, is not primarily to advance religion, and does not cause excessive government entanglement with religion. The privacy regulation passes this test because its purpose is to protect the privacy of individuals—regardless of their religious affiliation—and it does not cause excessive government entanglement.

More specifically, although this section provides a special rule for members of the clergy, it does so as an accommodation to patients who seek to engage in religious conduct. For example, restricting the disclosure of an individual’s religious affiliation, room number, and health status to a priest could cause significant delay that would inhibit the ability of a Catholic patient to obtain sacraments provided during the last rites. We believe this accommodation does not violate the Establishment Clause, because it avoids a government-imposed restriction on the disclosure of information that could disproportionately affect the practice of religion. In that way, it is no different from accommodations upheld by the U.S. Supreme Court, such as exceptions to laws banning the use of alcohol in religious ceremonies.

The final rule expands the circumstances under which health care facilities can disclose specified health information to the patient directory without the patient’s agreement. Besides allowing such disclosures when patients are incapacitated, as the NPRM would have allowed, the final rule allows such disclosures in emergency treatment circumstances. For example, when a patient is conscious and capable of making a decision, but is so seriously injured that asking permission to include his or her information in the directory would delay treatment such that the patient’s health would be jeopardized, health facilities can make decisions about including the patient’s information in the directory according to the same rules that apply when the patient is incapacitated. The final rule modifies the NPRM requirements for cases in which an incapacitated patient is admitted to a health care facility. Whereas the NPRM would have allowed health care providers to disclose an incapacitated patient’s information to the facility’s directory “at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity [was] aware,” the final rule states that in these situations (and in other emergency treatment circumstances), covered health care providers must make the decision on whether to include the patient’s information in the facility’s directory in accordance with professional judgment as to the patient’s best interest. In addition, when making decisions involving incapacitated patients and patients in emergency situations, covered health care providers may decide to include some portions of the patient’s information (such as name) but not other information (such as location in the facility) in order to protect patient interests.

As in the preamble to the NPRM, we encourage covered health care providers to take into account the four factors listed above when making decisions about whether to include patient information in a health care facility’s directory when patients are incapacitated or are in an emergency treatment circumstance. In addition, we retain the requirement stated in the preamble of the NPRM that if a covered health care provider learns of an incapacitated patient’s prior expression of preference not to be included in a facility’s directory, the facility must not include the patient’s information in the directory. For cases involving patients admitted to a health care facility in an incapacitated or emergency treatment circumstance who during the course of their stay become capable of decisionmaking, the final rule takes an approach similar to that described in the NPRM. The final rule states that when an individual who was incapacitated or in an emergency treatment circumstance upon admission to an inpatient facility and whose condition stabilizes such that he or she is capable of decisionmaking, a covered health care provider must, when it becomes practicable, inform the individual about its policies regarding the facility’s directory and provide the opportunity to object to the use or disclosure of protected health information about themselves for the directory.

Section 164.510(b)—Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes

In cases involving an individual with the capacity to make health care decisions, the NPRM would have allowed covered entities to disclose protected health information about the individual to a next-of-kin, to other family members, or to close personal friends of the individual if the individual had agreed orally to such disclosure. If such agreement could not practicably or reasonably be obtained (e.g., when the individual was incapacitated), the NPRM would have allowed disclosure of protected health information that was directly relevant to the person’s involvement in the individual’s health care, consistent with good health professional practices and ethics. The NPRM defined next-of-kin as defined under state law.

Under the final rule, we specify that covered entities may disclose to a person involved in the current health care of the individual (such as a family member, other relative, close personal friend, or any other person identified by the individual) protected health information directly related to the person’s involvement in the current health care of an individual or payment related to the individual’s health care. Such persons involved in care and other contact persons might include, for example: blood relatives; spouses; roommates; boyfriends and girlfriends; domestic partners; neighbors; and colleagues. Inclusion of this list is intended to be illustrative only, and it is not intended to change current practices with respect to: (1) Involvement of other persons in individuals’ treatment decisions; (2) informal information-sharing among individuals involved in a person’s care; or (3) sharing of protected health
information to contact persons during a disaster. The final rule also includes new language stating that covered entities may use or disclose protected health information to notify or assist in notification of family members, personal representatives, or other persons responsible for an individual’s care with respect to an individual’s location, condition, or death. These provisions allow, for example, covered entities to notify a patient’s adult child that his father has suffered a stroke and to tell the person that the father is in the hospital’s intensive care unit.

The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual’s agreement to disclose to the third parties involved in their care; (2) provides the individual with an opportunity to object to such disclosure and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. Situations in which covered providers may infer an individual’s agreement to disclose protected health information pursuant to option (3) include, for example, when a patient brings a spouse into the doctor’s office when treatment is being discussed, and when a colleague or friend has brought the individual to the emergency room for treatment.

We proposed that when a covered entity could not practicably obtain oral agreement to disclose protected health information to next-of-kin, relatives, or those with a close personal relationship to the individual, the covered entity could make such disclosures consistent with good health professional practice and ethics. In such instances, we proposed that covered entities could disclose only the minimum information necessary for the friend or relative to provide the assistance he or she was providing. For example, health care providers could not disclose to a friend or relative simply driving a patient home from the hospital extensive information about the patient’s surgery or past medical history when the friend or relative had no need for this information.

The final rule takes a similar approach. Under the final rule, when an individual is not present (for example, when a friend of a patient seeks to pick up the patient’s prescription at a pharmacy) or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual’s incapacity or an emergency circumstance, covered entities may, in the exercise of professional judgment, determine whether the disclosure is in the individual’s best interests and if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. For example, this provision allows covered entities to inform relatives or others involved in a patient’s care, such as the person who accompanied the individual to the emergency room, that a patient has suffered a heart attack and to provide updates on the patient’s progress and prognosis when the patient is incapacitated and unable to make decisions about such disclosures. In addition, this section allows covered entities to disclose functional information to individuals assisting in a patient’s care; for example, it allows hospital staff to give information about a person’s mobility limitations to a friend driving the patient home from the hospital. It also allows covered entities to use professional judgment and experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on an individual’s behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Thus, under this provision, pharmacists may release a prescription to a patient’s friend who is picking up the prescription for him or her. Section 164.510(b) is not intended to disrupt most covered entities’ current practices or state law with respect to these types of disclosures.

This provision is intended to allow disclosures directly related to a patient’s current condition and should not be construed to allow, for example, disclosure of extensive information about the patient’s medical history that is not relevant to the patient’s current condition and that could prove embarrassing to the patient. In addition, if a covered entity suspects that an incapacitated patient is a victim of domestic violence and that a person seeking information about the patient may have abused the patient, covered entities should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient serious harm. In all of these situations regarding possible disclosures of protected health information about a patient who is not present or is unable to agree to such disclosures due to incapacity or other emergency circumstance, disclosures should be in accordance with the exercise of professional judgment as to the patient’s best interest.

This section is not intended to provide a loophole for avoiding the rule’s other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity’s health status. Rather, it should be construed narrowly, to allow disclosures to those with the closest relationships with the patient, such as family members, in circumstances when a patient is unable to agree to disclosure of his or her protected health information. Furthermore, when a covered entity cannot practicably obtain an individual’s agreement before disclosing protected health information to a relative or to a person involved in the individual’s care and is making decisions about such disclosures consistent with the exercise of professional judgment regarding the individual’s best interest, covered entities must take into account whether such a disclosure is likely to put the individual at risk of serious harm.

Like the NPRM, the final rule does not require covered entities to verify the identity of relatives or other individuals involved in the individual’s care. Rather, the individual’s act of involving the other persons in his or her care suffices as verification of their identity. For example, the fact that a person brings a family member into the doctor’s office when treatment information will be discussed constitutes verification of the involved person’s identity for purposes of this rule. Likewise, the fact that a friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that the friend is involved in the individual’s care, and the rule allows the pharmacist to give the filled prescription to the friend.

We also clarify that the final rule does not allow covered entities to assume that an individual’s agreement at one point in time to disclose protected health information to a relative or to another person assisting in the individual’s care implies agreement to disclose protected health information indefinitely in the future. We encourage the exercise of professional judgment in determining the scope of the person’s involvement in the individual’s care and the time period for which the individual is agreeing to the other person’s involvement. For example, if a friend simply picks up a patient from the hospital but has played no other role
in the individual’s care, hospital staff Section 164.512—Uses and Disclosures information by covered entities that
should not call the friend to disclose lab for Which Consent, an Authorization, were also public health agencies, health
test results a month after the initial or Opportunity To Agree or Object Is oversight agencies, government entities
encounter with the friend. However, if Not Required conducting judicial or administrative
a patient routinely brings a spouse into proceedings, or government heath data
Introduction
the doctor’s office when treatment is systems. Such covered entities could
discussed, a physician can infer that the The final rule’s requirements use protected health information in all
spouse is playing a long-term role in the regarding disclosures for directory instances for which they could disclose
patient’s care, and the rule allows information and to family members or the information for these purposes. In
disclosure of protected health others involved in an individual’s care the final rule, as discussed below, we
information to the spouse consistent are in a section separate from that retain this language in the paragraphs
with his or her role in the patient’s care, covering disclosures allowed for other on public health activities and health
for example, discussion of treatment national priority purposes. In the final oversight. However, we eliminate this
options. rule, we place most of the other clause with respect to uses of protected
The NPRM did not specifically disclosures for national priority health information for judicial and
address situations in which disaster purposes in a new § 164.512. administrative proceedings, because we
As in the NPRM, in § 164.512 of the no longer believe that there would be
relief organizations may seek to obtain
final rule, we allow covered entities to any situations in which a covered entity
protected health information from
make these national priority uses and would also be a judicial or
covered entities to help coordinate the
disclosures without individual administrative tribunal. Proposed
individual’s care, or to notify family or
authorization. As in the NPRM, these § 164.510(e) of the NPRM, regarding
friends of an individual’s location or
uses and disclosures are discretionary. disclosure of protected health
general condition in a disaster situation.
Covered entities are free to decide information to coroners, did not include
In the final rule, we account for disaster
whether or not to use or disclose such a provision. In the final rule we
situations in this paragraph.
protected health information for any or have added it because we believe there
Specifically, we allow covered entities
all of the permitted categories. However, are situations in which a covered entity,
to use or disclose protected health
as in the NPRM, nothing in the final for example, a public hospital
information without individual
rule provides authority for a covered conducting post-mortem investigations,
agreement to federal, state, or local
entity to restrict or refuse to make a use may need to use protected health
government agencies engaged in disaster
or disclosure mandated by other law. information for the same purposes for
relief activities, as well as to private The new § 164.512 includes
disaster relief or disaster assistance which it would have disclosed the
paragraphs on: Uses and disclosures information to a coroner.
organizations (such as the Red Cross) required by law; uses and disclosures
authorized by law or by their charters to While the right to request restrictions
for public health activities; disclosures under § 164.522 and the consents
assist in disaster relief efforts, to allow about victims of abuse, neglect, or
these organizations to carry out their required under § 164.506 do not apply
domestic violence; uses and disclosures to the use and disclosure of protected
responsibilities in a specific disaster for health oversight activities;
situation. Covered entities may make these disclosures to disaster relief organizations, for example, so that these organizations can help family members, friends, or others involved in the individual’s care to locate individuals affected by a disaster and to inform them of the individual’s general health condition. This provision also allows disclosure of information to disaster relief or disaster assistance organizations so that these organizations can help individuals obtain needed medical care for injuries or other health conditions caused by a disaster.

We encourage disaster relief organizations to protect the privacy of individual health information to the extent practicable in a disaster situation. However, we recognize that the nature of disaster situations often makes it impossible or impracticable for disaster relief organizations and covered entities to seek individual agreement or authorization before disclosing protected health information necessary for providing disaster relief. Thus, we note that we do not intend to impede disaster relief organizations in their critical mission to save lives and reunite loved ones and friends in disaster situations.

disclosures for judicial and administrative proceedings; disclosures for law enforcement purposes; uses and disclosures about decedents; uses and disclosures for cadaveric donation of organs, eyes, or tissues; uses and disclosures for research purposes; uses and disclosures to avert a serious threat to health or safety (which we had called “emergency circumstances” in the NPRM); uses and disclosures for specialized government functions (referred to as “specialized classes” in the NPRM); and disclosures to comply with workers’ compensation laws.

Section 164.512(c) in the final rule, which addresses uses and disclosures regarding adult victims of abuse, neglect and domestic violence, is new, although it incorporates some provisions from proposed § 164.510 of the NPRM. In the final rule we also eliminate proposed § 164.510(g) on government health data systems and proposed § 164.510(i) on banking and payment processes. These changes are discussed below.

Approach to Use of Protected Health Information

Proposed § 164.510 of the NPRM included specific subparagraphs addressing uses of protected health

health information under § 164.512, we do not intend to preempt any state or other restrictions, or any right to enforce such agreements or consents under other law.

We note that a covered entity may use or disclose protected health information as permitted by and in accordance with one of the paragraphs of § 164.512, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under a different paragraph in § 164.512 or elsewhere in the rule.

Verification for Disclosures Under § 164.512

In § 164.510(a) of the NPRM, we proposed that covered entities verify the identity and authority of persons to whom they made disclosure under the section. In the final rule, we generally have retained the proposed requirements. Verification requirements are discussed in § 164.514 of the final rule.

Section 164.512(a)—Uses and Disclosures Required by Law

In the NPRM we would have allowed covered entities to use or disclose protected health information without individual authorization where such use
or disclosure was required by other law, as long as the use or disclosure met all relevant requirements of such law. However, a legally mandated use or disclosure which fell into one or more of the national priority purposes expressly identified in proposed § 164.510 of the NPRM would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. Thus, a disclosure required by law would have been allowed only to the extent it was not otherwise prohibited or restricted by another provision in proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM, on uses and disclosures for law enforcement purposes. As explained in the NPRM, this provision was not intended to obstruct access to information deemed important enough by federal, state or other government authorities to require it by law.

In § 164.512(a) of the final rule, we retain the proposed approach, and we permit covered entities to comply with laws requiring the use or disclosure of protected health information, provided the use or disclosure meets and is limited to the relevant requirements of such other laws. To more clearly address where the substantive and procedural requirements of other provisions in this section apply, we have deleted the general sentence from the NPRM which stated that the provision “does not apply to uses or disclosures that are covered by paragraphs (b) through (m)” of proposed § 164.510. Instead, in § 164.512(a)(2) we list the specific paragraphs that have additional requirements with which covered entities must comply. They are disclosures about victims of abuse, neglect or domestic violence (§ 164.512(c)), for judicial and administrative proceedings (§ 164.512(e)), and for law enforcement purposes (§ 164.512(f)). We include a new definition of “required by law.” See § 164.501. We clarify that the requirements provided for in § 164.514(h) relating to verification apply to disclosures under this paragraph. Those provisions require covered entities to verify the identity and authority of persons to whom they make disclosures. We note that the minimum necessary requirements of § 164.514(d) do not apply to disclosures made under this paragraph.

We note that this rule does not affect what is required by other law, nor does it compel a covered entity to make a use or disclosure of protected health information required by the legal demands or reporting requirements listed in the definition of “required by law.” Covered entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements. However, nothing in this rule affects, either by expanding or contracting, a covered entity’s right to challenge such process or reporting requirements under other laws. The only disclosures of protected health information compelled by this rule are disclosures to an individual (or the personal representative of an individual) or to the Secretary for the purposes of enforcing this rule.

Uses and disclosures permitted under this paragraph must be limited to the protected health information necessary to meet the requirements of the law that compels the use or disclosure. For example, disclosures pursuant to an administrative subpoena are limited to the protected health information authorized to be disclosed on the face of the subpoena.

Section 164.512(b)—Uses and Disclosures for Public Health Activities

The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) A public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.

In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above. We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease.

We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA’s jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.

The terms included in § 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For example, “post-marketing surveillance” is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, “post-marketing surveillance” can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term “track” includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food.

In § 164.512(b)(iii), the term “required” refers to requirements in statute, regulation, order, or other
legally binding authority exercised by the FDA. The term “directed,” as used in this section, includes other official agency communications such as guidance documents.

We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private data base or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, for post-marketing surveillance to comply with FDA requirements or direction).

To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of § 164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as § 154.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company’s registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule.

The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM.

The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM’s provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation.

In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority—for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department—may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above.

The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority.

As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information. For example, OSHA regulations in 29 CFR part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees’ exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing.

OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under similar state laws, to keep records on or act on such information.

We require health care providers who make disclosures to employers under this provision to provide notice to individuals that they disclose protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries. The notice required under this provision is separate from the notice required under § 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time it provides the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided.

This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to
individuals or to their relationship with health care providers that they select.

Section 164.512(c)—Disclosures About Victims of Abuse, Neglect or Domestic Violence

The NPRM included two provisions related to disclosures about persons who are victims of abuse. In the NPRM, we would have allowed covered entities to report child abuse to a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect. In addition, under proposed § 164.510(f)(3) of the NPRM, we would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official under certain circumstances. The NPRM recognized that most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities. Moreover, HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference. The NPRM further acknowledged that most, but not all, states had laws mandating the reporting of abuse, neglect or exploitation of the elderly or other vulnerable adults. We did not intend to impede reporting in compliance with these laws.

The final rule includes a new paragraph, § 164.512(c), which allows covered entities to report protected health information to specified authorities in abuse situations other than those involving child abuse and neglect. In the final rule, disclosures of protected health information related to child abuse continue to be addressed in the paragraph allowing disclosure for public health activities (§ 164.512(b)), as described above. Because HIPAA addresses child abuse specifically in connection with a state’s public health activities, we believe it would not be appropriate to include child abuse-related disclosures in this separate paragraph on abuse. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity’s ability to comply with these laws.

In the final rule, we address disclosures about other victims of abuse, neglect and domestic violence in § 164.512(c) rather than in the law enforcement paragraph. Section 164.512(c) establishes conditions for disclosure of protected health information in cases involving domestic violence other than child abuse (e.g., spousal abuse), as well as those involving abuse or neglect (e.g., abuse of nursing home residents or residents of facilities for the mentally retarded). This paragraph addresses reports to law enforcement as well as to other authorized public officials. The provisions of this paragraph supersede the provisions of § 164.512(a) and § 164.512(f)(1)(i) to the extent that those provisions address the subject matter of this paragraph.

Under the circumstances described below, the final rule allows covered entities to disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. In this paragraph, references to “individual” should be construed to mean the individual believed to be the victim. The rule allows such disclosure to any governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence. These entities may include, for example, adult protective or social services agencies, state survey and certification agencies, ombudsmen for the aging or those in long-term care facilities, and law enforcement or oversight.

The final rule specifies three circumstances in which disclosures of protected health information are allowed in order to report abuse, neglect or domestic violence. First, this paragraph allows disclosure of protected health information related to abuse if required by law and the disclosure complies with and is limited to the relevant requirements of such law. As discussed below, the final rule requires covered entities that make such disclosures pursuant to a state’s mandatory reporting law to inform the individual of the report.

Second, this paragraph allows covered entities to disclose protected health information related to abuse if the individual has agreed to such disclosure. When considering the possibility of disclosing protected health information in an abuse situation pursuant to this section, we encourage covered entities to seek the individual’s agreement whenever possible.

Third, this paragraph allows covered entities to disclose protected health information about an individual without the individual’s agreement if the disclosure is expressly authorized by statute or regulation and either: (1) The covered entity, in the exercise of its professional judgment, believes that the disclosure is necessary to prevent serious harm to the individual or to other potential victims; or (2) if the individual is unable to agree due to incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual, and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

We emphasize that disclosure under this third part of the paragraph also may be made only if it is expressly authorized by statute or regulation. We use this formulation, rather than the broader “required by law,” because of the heightened privacy and safety concerns in these situations. We believe it appropriate to defer to other public determinations regarding reporting of this information only where a legislative or executive body has determined the reporting to be of sufficient importance to warrant enactment of a law or promulgation of a regulation. Law and regulations reflect a clear decision to authorize the particular disclosure of protected health information, and reflect greater public accountability (e.g., through the required public comment process or because enacted by elected representatives).

For example, a Wisconsin law (Wis. Stat § 46.90(4)) states that any person may report to a county agency or state official that he or she believes that abuse or neglect has occurred. Pursuant to § 164.512(c)(1)(iii), a covered entity may make a report only if the specific type or subject matter of the report (e.g., abuse or neglect of the elderly) is included in the law authorizing the report, and such a disclosure may only be made to a public authority specifically identified in the law authorizing the report. Furthermore, we note that disclosures under this part of the paragraph are further limited to two circumstances. In the first case, a covered entity, in the exercise of professional judgment, must believe that the disclosure is necessary to prevent serious harm to the individual or to other potential victims. The second case addresses situations in which an individual who is a victim of abuse, neglect or domestic violence is unable to agree due to incapacity and a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. We note that, in this second case, a covered entity may exercise discretion, consistent with professional judgment as to the patient’s
best interest, in deciding whether to make the requested disclosure.

The rules governing disclosure in this third set of circumstances are different from those governing disclosures pursuant to § 164.512(f)(3) regarding disclosure to law enforcement about victims of crime and other harm. We believe that in abuse situations—to a greater extent than in situations involving crime victims in general—there is clear potential for abusers to cause further serious harm to the victim or to others, such as other family members in a household or other residents of a nursing home. The provisions allowing reporting of abuse when authorized by state law, as described above, are consistent with principles articulated by the AMA’s Council on Ethical and Judicial Affairs, which state that when reporting abuse is voluntary under state law, it is justified when necessary to prevent serious harm to a patient. Through the provisions of § 164.512(c), we recognize the unique circumstances surrounding abuse and domestic violence, and we seek to provide an appropriate balance between individual privacy interests and important societal interests such as preventing serious harm to other individuals. We note that here we are relying on covered entities, in the exercise of professional judgment, to determine what is in the best interests of the patient.

Finally, we require covered entities to inform the individual in all of the situations described above that the covered entity has disclosed protected health information to report abuse, neglect, or domestic violence. We allow covered entities to provide this information orally. We do not require written notification, nor do we encourage it, due to the sensitivity of abuse situations and the potential for the abuser to cause further harm to the individual if, for example, a covered entity sends written notification to the home of the individual and the abuser. Whenever possible, covered entities should inform the individual at the same time that they determine abuse has occurred and decide that the abuse should be reported. In cases involving patient incapacity, we encourage covered entities to inform the individual of such disclosures as soon as it is practicable to do so.

The rule provides two exceptions to the requirement to inform the victim about a report to a government authority, one based on concern for future harm and one based on past harm. First, a covered entity need not inform the victim if the covered entity, in the exercise of professional judgment, believes that informing the individual would place the individual at risk of serious harm. We believe that this exception is necessary to address the potential for future harm, either physical or emotional, that the individual may face from knowing that the report has been made. Second, a covered entity may choose not to meet the requirement for informing the victim, if the covered entity actually would be informing a personal representative (such as a parent of a minor) and the covered entity reasonably believes that such person is responsible for the abuse, neglect, or other injury that has already occurred and that informing that person would not be in the individual’s best interests.

Section 164.512(d)—Uses and Disclosures for Health Oversight Activities

Under § 164.510(c) of the NPRM, we proposed to permit covered entities to disclose protected health information to health oversight agencies for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of: (i) the health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; or (iii) government regulatory programs for which health information is necessary for determining compliance with program standards.

In § 164.512(d) of the final rule, we modify the proposed language to include civil and criminal investigations. In describing “other activities necessary for oversight” of particular entities, we add the phrase “entities subject to civil rights laws for which health information is necessary for determining compliance.” In addition, in the final rule, we add “licensure or disciplinary actions” to the list of oversight activities authorized by law for which covered entities may disclose protected health information to health oversight agencies. The NPRM’s definition of “health oversight agency” (in proposed § 164.504) included this phrase, but it was inadvertently excluded from the regulation text at proposed § 164.510(c). We make this change in the regulation text of the final rule to conform to the NPRM’s definition of health oversight agency and to reflect the full range of activities for which we intend to allow covered entities to disclose protected health information to health oversight agencies.

The NPRM would have allowed, but would not have required, covered entities to disclose protected health information to public oversight agencies and to private entities acting under grant of authority from or under contract with oversight agencies for oversight purposes without individual authorization for health oversight activities authorized by law. When a covered entity was also an oversight agency, it also would have been permitted to use protected health information in all cases in which it would have been allowed to disclose such information for health oversight purposes. The NPRM would not have established any new administrative or judicial process prior to disclosure for health oversight, nor would it have permitted disclosures forbidden by other law. The proposed rule also would not have created any new right of access to health records by oversight agencies, and it could not have been used as authority to obtain records not otherwise legally available to the oversight agency.

The final rule retains this approach to health oversight. As in the NPRM, the final rule provides that when a covered entity is also an oversight agency, it is allowed to use protected health information in all cases in which it is allowed to disclose such information for health oversight purposes. For example, if a state insurance department is acting as a health plan in operating the state’s Medicaid managed care program, the final rule allows the insurance department to use protected health information in all cases for which the plan can disclose the protected health information for health oversight purposes. For example, the state insurance department in its capacity as the state Medicaid managed care plan can use protected health information in the process of investigating and disciplining a state Medicaid provider for attempting to defraud the Medicaid system. As in the NPRM, the final rule does not establish any new administrative or judicial process prior to disclosure for health oversight, nor does it prohibit covered entities from making any disclosures for health oversight that are otherwise required by law. Like the NPRM, it does not create any new right of access to health records by oversight agencies and it cannot be used as authority to obtain records not otherwise legally available to the oversight agency.

Overlap Between Law Enforcement and Oversight

Under the NPRM, the proposed definitions of law enforcement and oversight, and the rules governing disclosures for these purposes

overlapped. Specifically, this overlap occurred because: (1) The NPRM preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities; and (2) the NPRM addressed some disclosures for investigations of health care fraud in the law enforcement paragraph (proposed § 164.510(f)(5)(i)), while health care fraud investigations are central to the purpose of health care oversight agencies (covered under proposed § 164.510(c)). In the final rule, we make substantial changes to these provisions, in an attempt to prevent confusion.

In § 164.512(d)(2), we include explicit decision rules indicating when an investigation is considered law enforcement and when an investigation is considered oversight under this regulation. An investigation or activity is not considered health oversight for purposes of this rule if: (1) The individual is the subject of the investigation or activity; and (2) The investigation or activity does not arise out of and is not directly related to: (a) The receipt of health care; (b) a claim for public benefits related to health; or (c) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply. For the purposes of this rule, we intend for investigations regarding issues (a) through (c) above to mean investigations of health care fraud.

Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to the subject matter in (a) through (c) of the preceding sentence, a covered entity may make a disclosure pursuant to § 164.512(d)(1). For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the plan, the health plan may disclose protected health information to the PWBA under the health oversight rules. These rules and distinctions are discussed in greater detail in our responses to comments.

To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health care fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).

In the final rule, we add new language (§ 164.512(d)(3)) to address situations in which health oversight activities are conducted in conjunction with an investigation regarding a claim for public benefits not related to health (e.g., claims for Food Stamps). In such situations, for example, when a state Medicaid agency is working with the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps, covered entities may disclose protected health information to the entities conducting the joint investigation under the health oversight provisions of the rule.

In the proposed rule, the definitions of "law enforcement proceeding" and "oversight activity" both included the phrase "criminal, civil, or administrative proceeding." For reasons explained below, the final rule retains this phrase in both definitions. The final rule does not attempt to distinguish between these activities based on the agency undertaking them or the applicable enforcement procedures. Rather, as described above, the final rule carves out certain activities which must always be considered law enforcement for purposes of disclosure of protected health information under this rule.

Additional Considerations

We note that covered entities are permitted to initiate disclosures that are permitted under this paragraph. For example, a covered entity could disclose protected health information in the course of reporting suspected health care fraud to a health oversight agency.

We delete language in the NPRM that would have allowed disclosure under this section only to law enforcement officials conducting or supervising an investigation, official inquiry, or a criminal, civil or administrative proceeding authorized by law. In some instances, a disclosure by a covered entity under this section will initiate such an investigation or proceeding, but it will not already be ongoing at the time the disclosure is made.

Section 164.512(e)—Disclosures and Uses for Judicial and Administrative Proceedings

Section 164.512(e) addresses when a covered entity is permitted to disclose protected health information in response to requests for protected health information that are made in the course of judicial and administrative proceedings—for example, when a non-party health care provider receives a subpoena (under Federal Rule of Civil Procedure Rule 45 or similar provision) for medical records from a party to a lawsuit. In the NPRM we would have allowed covered entities to disclose protected health information in the course of any judicial or administrative proceeding: (1) In response to an order of a court or administrative tribunal; or (2) where an individual was a party to the proceeding and his or her medical condition or history was at issue and the disclosure was pursuant to lawful process or otherwise authorized by law.

Under the NPRM, if the request for disclosure of protected health information was accompanied by a court order, a covered entity could have disclosed that protected health information which the court order authorized to be disclosed. If the request for disclosure of protected health information were not accompanied by a court order, covered entities could not have disclosed the information requested unless a request authorized by law had been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerned a litigant to the proceeding and that the health condition of the litigant was at issue at the proceeding.

In § 164.512(e) of the final rule, we permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order from a court or administrative tribunal or in response to a subpoena or discovery request from, or other lawful process by a party to the proceeding. When a request is made pursuant to an order from a court or administrative tribunal, a covered entity may disclose the information requested without additional process. For example, a subpoena issued by a court constitutes a disclosure which is required by law as defined in this rule, and nothing in this rule is intended to interfere with the ability of the covered entity to comply with such subpoena.
However, absent an order of, or a subpoena issued by, a court or administrative tribunal, a covered entity may respond to a subpoena or discovery request from, or other lawful process by, a party to the proceeding only if the covered entity obtains either: (1) Satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a protective order that will guard the confidentiality of the information. In meeting the first test, a covered entity is considered to have received satisfactory assurances from the party seeking the information if that party demonstrates that it has made a good faith effort (such as by sending a notice to the individual's last known address) to provide written notice to the individual whose information is the subject of the request, that the written notice included sufficient information about the proceeding to permit the individual to raise an objection, and that the time for the individual to raise objections to the court or administrative tribunal has elapsed and no objections were filed or any objections filed by the individual have been resolved.

Unless required to do so by other law, the covered entity is not required to explain the procedures (if any) available for the individual to object to the disclosure. Under the rule, the individual exercises the right to object before the court or other body having jurisdiction over the proceeding, and not to the covered entity. The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.

As described above, in this paragraph we also permit a covered entity to disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives satisfactory assurances that the party seeking the information has made reasonable efforts to seek a qualified protective order that would protect the privacy of the information. A "qualified protective order" means an order of a court or of an administrative tribunal or a stipulation that: (1) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the records are requested; and (2) requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. Satisfactory assurances of reasonable efforts to secure a qualified protective order are a statement and documentation that the parties to the dispute have agreed to a protective order and that it has been submitted to the court or administrative tribunal with jurisdiction, or that the party seeking the protected health information has requested a qualified protective order from such court or tribunal. We encourage the development of "model" protective orders that will facilitate adherence with this subpart.

In the final rule we also permit the covered entity itself to satisfy the requirement to make reasonable efforts to notify the individual whose information has been requested or to seek a qualified protective order. We intend this to be a permissible activity for covered entities: we do not require covered entities to undertake these efforts in response to a subpoena, discovery request, or similar process (other than an order from a court or administrative tribunal). If a covered entity receives such a request without receiving the satisfactory assurances described above from the party requesting the information, the covered entity is free to object to the disclosure and is not required to undertake the reasonable efforts itself.

We clarify that the provisions of this paragraph do not supersede or otherwise invalidate other provisions of this rule that permit uses and disclosures of protected health information. For example, the fact that protected health information is the subject of a matter before a court or tribunal does not prevent its disclosure under another provision of the rule, such as §§ 164.512(b), 164.512(d), or 164.512(f), even if a public agency's method of requesting the information is pursuant to an administrative proceeding. For example, where a public agency commences a disciplinary action against a health professional, and requests protected health information as part of its investigation, the disclosure may be made to the agency under paragraph (d) of this section (relating to health oversight) even if the method of making the request is through the proceeding. As with any request for disclosure under this section, the covered entity will need to verify the authority under which the request is being made, and we expect that public agencies will identify their authority when making such requests. We note that covered entities may reasonably rely on assertions of authority made by government agencies.

Additional Considerations

Where a disclosure made pursuant to this paragraph is required by law, such as in the case of an order from a court or administrative tribunal, the minimum necessary requirements in § 164.514(d) do not apply to disclosures made under this paragraph. A covered entity making a disclosure under this paragraph, however, may of course disclose only that protected health information that is within the scope of the permitted disclosure. For instance, in response to an order of a court or administrative tribunal, the covered entity may disclose only the protected health information that is expressly authorized by such an order. Where a disclosure is not considered under this rule to be required by law, the minimum necessary requirements apply, and the covered entity must make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request. A covered entity is not required to second guess the scope or purpose of the request, or take action to resist the request because they believe that it is over broad. In complying with the request, however, the covered entity must make reasonable efforts not to disclose more information than is requested. For example, a covered entity may not provide a party free access to its medical records under the theory that the party can identify the information necessary for the request. In some instances, it may be appropriate for a covered entity, presented with a relatively broad discovery request, to permit access to a relatively large amount of information in order for a party to identify the relevant information. This is permissible as long as the covered entity makes reasonable efforts to circumscribe the access as appropriate.

The NPRM indicated that when a covered entity was itself a government agency, the covered entity could use protected health information in all cases in which it would have been allowed to disclose such information in the course of any judicial or administrative proceeding. As explained above, the final rule does not include this provision.

Section 164.512(f)—Disclosure for Law Enforcement Purposes

Disclosures Pursuant to Process and as Otherwise Required by Law

In the NPRM we would have allowed covered entities to disclose protected health information without individual authorization as required by other law. However, as explained above, if a legally mandated use or disclosure fell into one or more of the national priority purposes expressly identified in other paragraphs of proposed § 164.510, the disclosure would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM. Proposed § 164.510(f) did not explicitly recognize disclosures required by other laws, and it would not have permitted covered entities to comply with some state and other mandatory reporting laws that require covered entities to disclose protected health information to law enforcement officials, such as the reporting of gun shot wounds, stab wounds, and/or burn injuries.

We did not intend to preempt generally state and other mandatory reporting laws, and in § 164.512(f)(1)(i) of the final rule, we explicitly permit covered entities to disclose protected health information for law enforcement purposes as required by other law. This provision permits covered entities to comply with these state and other laws. Under this provision, to the extent that a mandatory reporting law falls under the provisions of § 164.512(c)(1)(i) regarding reporting of abuse, neglect, or domestic violence, the requirements of those provisions supersede.

In the final rule, we specify that covered entities may disclose protected health information pursuant to this provision in compliance with and as limited by the relevant requirements of legal process or other law. In the NPRM, for the purposes of this portion of the law enforcement paragraph, we proposed to define "law enforcement inquiry or proceeding" as an investigation or official proceeding inquiring into a violation of or failure to comply with law; or a criminal, civil or administrative proceeding arising from a violation of or failure to comply with law. In the final rule, we do not include this definition in § 164.512(f), because it is redundant with the definition of "law enforcement official" in § 164.501.

Proposed § 164.510(f)(1) of the NPRM would have authorized disclosure of protected health information to a law enforcement official conducting or supervising a law enforcement inquiry or proceeding authorized by law pursuant to process, under three circumstances.

First, we proposed to permit such disclosures pursuant to a warrant, subpoena, or other order issued by a judicial officer that documented a finding by the officer. The NPRM did not specify requirements for the nature of the finding. In the final rule, we eliminate the requirement for a "finding," and we make changes to the list of orders in response to which covered entities may disclose under this provision. Under the final rule, covered entities may disclose protected health information in compliance with and as limited by relevant requirements of: a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer. We made this change to the list to conform to the definition of "required by law" in § 164.501.

Second, we proposed to permit such disclosures pursuant to a state or federal grand jury subpoena. In the final rule, we leave this provision of the NPRM unchanged.

Third, we proposed to permit such disclosures pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process, under somewhat stricter standards than exist today for such disclosures. We proposed to permit a covered entity to disclose protected health information pursuant to an administrative request only if the request met three conditions, as follows: (i) The information sought was relevant and material to a legitimate law enforcement inquiry; (ii) the request was as specific and narrowly drawn as reasonably practicable; and (iii) de-identified information could not reasonably have been used to meet the purpose of the request.

The final rule generally adopts this provision of the NPRM. In the final rule, we modify the list of orders in response to which covered entities may disclose protected health information, to include administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law. We made this change to the list to conform with the definition of "required by law" in § 164.501. In addition, we slightly modify the second of the three conditions under which covered entities may respond to such requests, to allow disclosure if the request is specific and is limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

Limited Information for Identification and Location Purposes

The NPRM would have allowed covered entities to disclose "limited identifying information" for purposes of identifying a suspect, fugitive, material witness, or missing person, in response to a law enforcement request. We proposed to define "limited identifying information" as (i) name; (ii) address; (iii) Social Security number; (iv) date of birth; (v) place of birth; (vi) type of injury or other distinguishing characteristic; and (vii) date and time of treatment.

The final rule generally adopts this provision of the NPRM with a few modifications. In the final rule, we expand the circumstances under which limited information about suspects, fugitives, material witnesses, and missing persons may be disclosed, to include not only cases in which law enforcement officials are seeking to identify such individuals, but also cases in which law enforcement officials are seeking to locate such individuals. In addition, the final rule modifies the list of data elements that may be disclosed under this provision, in several ways. We expand the list of elements that may be disclosed under these circumstances, to include ABO blood type and Rh factor, as well as date and time of death, if applicable. We remove "other distinguishing characteristic" from the list of items that may be disclosed for the location and identification purposes described in this paragraph, and instead allow covered entities to disclose only a description of distinguishing physical characteristics, such as scars and tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. In addition, in the final rule, protected health information associated with the following cannot be disclosed pursuant to § 164.512(f)(2): DNA data and analyses; dental records; or typing, samples or analyses of tissues or bodily fluids other than blood (e.g., saliva). If a covered entity discloses additional information under this provision, the covered entity will be out of compliance and subject to sanction.

We clarify our intent not to allow covered entities to initiate disclosures of limited identifying information to law enforcement in the absence of a law enforcement request; a covered entity may disclose protected health information under this provision only in response to a request from law enforcement. We allow a "law enforcement official's request" to be
made orally or in writing, and we intend for it to include requests by a person acting on behalf of law enforcement, for example, requests by a media organization making a television or radio announcement seeking the public's assistance in identifying a suspect. Such a request also may include a "Wanted" poster and similar postings.

Disclosure About a Victim of Crime

The NPRM would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official, if the law enforcement official represented that: (i) The information was needed to determine whether a violation of law by a person other than the victim had occurred; and (ii) immediate law enforcement activity that depended on obtaining the information may have been necessary.

The final rule modifies the conditions under which covered entities can disclose protected health information about victims. In addition, as discussed above, the final rule includes a new § 164.512(c), which establishes conditions for disclosure of protected health information about victims of abuse, neglect or domestic violence. In addition, as discussed above, we have added § 164.512(f)(1)(i) to this paragraph to explicitly recognize that in some cases, covered entities' disclosure of protected health information is mandated by state or other law. The rule's requirements for disclosure in situations not covered under mandatory reporting laws are different from the rule's provisions regarding disclosure pursuant to a mandatory reporting law.

The final rule requires covered entities to obtain individual agreement as a condition of disclosing the protected health information about victims to law enforcement, unless the disclosure is permitted under § 164.512(b) or (c) or § 164.512(f)(1) above. The required agreement may be obtained orally, and does not need to meet the requirements of § 164.508 of this rule (regarding authorizations). The rule waives the requirement for individual agreement if the victim is unable to agree due to incapacity or other emergency circumstance and: (1) The law enforcement official represents that the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on such disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the individual's best interests. We intend that assessing the individual's best interests includes taking into account any further risk of harm to the individual. This provision does not allow covered entities to initiate disclosures of protected health information to law enforcement; the disclosure must be in response to a request from law enforcement.

We do not intend to create a new legal duty on the part of covered entities with respect to the safety of their patients. Rather, we intend to ensure that covered entities can continue to exercise their professional judgment in these circumstances, on a case-by-case basis, as they do today.

In some cases, a victim may also be a fugitive or suspect. For example, an individual may receive a gunshot wound during a robbery and seek treatment in a hospital emergency room. In such cases, when law enforcement officials are requesting protected health information because the individual is a suspect (and thus the information may be used against the individual), covered entities may disclose the protected health information pursuant to § 164.512(f)(2) regarding suspects and not pursuant to § 164.512(f)(3) regarding victims. Thus, in these situations, covered entities may disclose only the limited identifying information listed in § 164.512(f)(2)—not all of the protected health information that may be disclosed under § 164.512(f)(3).

The proposed rule did not address whether a covered entity could disclose protected health information to a law enforcement official to alert the official of the individual's death.

Disclosures About Decedents

In the final rule, we add a new provision § 164.512(f)(4) in which we permit covered entities to disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. In such circumstances consent of the individual is not available and it may be difficult to determine the identity of a personal representative and gain consent for disclosure of protected health information. Permitting disclosures in this circumstance will permit law enforcement officials to begin their investigation into the death more rapidly, increasing the likelihood of success.

Intelligence and National Security Activities

Section 164.510(f)(4) of the NPRM would have allowed covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. In the final rule, we move provisions regarding disclosures of protected health information for intelligence and protective services activities to § 164.512(k) regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

The NPRM would have allowed covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believed in good faith constituted evidence of criminal conduct that arose out of and was directly related to: (A) The receipt of health care or payment for health care, including a fraudulent claim for health care; (B) qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual; that occurred on the covered entity's premises or was witnessed by a member of the covered entity's workforce.

In the final rule, we modify this provision substantially, by eliminating language allowing disclosures already permitted in other sections of the regulation. The proposed provision overlapped with other sections of the NPRM, in particular proposed § 164.510(c) regarding disclosure for health oversight activities. In the final regulation, we clarify that this provision applies only to disclosures to law enforcement officials of protected health information that the covered entity believes in good faith constitutes evidence of a crime committed on the premises. We eliminate proposed § 164.510(f)(5)(i) regarding health care fraud from the law enforcement section, because all disclosures that would have been allowed under that provision are allowed under § 164.512(d) of the final rule (health oversight). Similarly, in the final rule, we eliminate proposed
§ 164.510(f)(5)(iii) on disclosure of protected health information to law enforcement officials regarding criminal activity witnessed by a member of a health plan workforce. All disclosures that would have been permitted by that provision are included in § 164.512(f)(5), which allows disclosure of information to report a crime committed on the covered entity's premises, and by § 164.502, which provides that a covered entity is not in violation of the rule when a member of its workforce or person working for a business associate uses or discloses protected health information while acting as a "whistle blower." Thus, § 164.512(f)(5) allows covered entities to disclose health information only on the good faith belief that it constitutes evidence of a crime on their premises.

The preamble to the NPRM said that if the covered entity disclosed protected health information in good faith but was wrong in its belief that the information was evidence of a violation of law, the covered entity would not be subject to sanction under this regulation. The final

individual in need of emergency health care. In such cases, disclosures to law enforcement would be governed by paragraph (c) of this section.

This added provision recognizes the special role of emergency medical technicians and other providers who respond to medical emergencies. In emergencies, emergency medical personnel often arrive on the scene before or at the same time as police officers, firefighters, and other emergency response personnel. In these cases, providers may be in the best position, and sometimes be the only ones in the position, to alert law enforcement about criminal activity. For instance, providers may be the first persons aware that an individual has been the victim of a battery or an attempted murder. They may also be in the position to report in real time, through use of radio or other mechanism, information that may immediately contribute to the apprehension of a perpetrator of a crime.

We note that disclosure under this

additional provisions permitting covered entities to disclose protected health information to law enforcement officials, see § 164.512(j)(1)(i) and (ii).

Under the NPRM and under the final rule, to obtain protected health information, law enforcement officials must comply with whatever other law is applicable. In certain circumstances, while this provision could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes or rules that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See §§ 160.201 through 160.205. For example, if state law permits disclosure only after compulsory process with court review, a provider or payor is not allowed to disclose information to state law enforcement officials unless the officials have complied with that requirement. Similarly, disclosure of
rule retains this approach. provision is at the discretion of the substance abuse patient records subject
health care provider. Disclosures in to, 42 U.S.C. 290dd–2, and the
Reporting Crime in Emergencies some instances may be governed more implementing regulations, 42 CFR part
The proposed rule did not address strictly, such as by applicable ethical 2, continue to be governed by those
disclosures by emergency medical standards and state and local laws. provisions.
personnel to a law enforcement official Finally, the NPRM also included a In some instances, disclosure of
intended to alert law enforcement about proposed § 164.510(f)(5), which protected health information to law
the commission of a crime. Because the duplicated proposed § 164.510(f)(3). The enforcement officials will be compelled
provisions of proposed rule were final rule does not include this by other law, for example, by
limited to individually identifiable duplicate provision. compulsory judicial process or
health information that was reduced to compulsory reporting laws (such as
Additional Considerations
electronic form, many communications laws requiring reporting of wounds from
that occur between emergency medical As stated in the NPRM, this paragraph violent crimes, suspected child abuse,
personnel and law enforcement officials is not intended to limit or preclude a or suspected theft of controlled
at the scene of a crime would not have covered entity from asserting any lawful substances). As discussed above,
been covered by the proposed defense or otherwise contesting the disclosure of protected health
provisions. nature or scope of the process when the information under such other
In the final rule we include a new procedural rules governing the mandatory law is permitted under
provision § 164.512(f)(6) that addresses proceeding so allow. At the same time, § 164.512(a).
‘‘911’’ calls for emergency medical it is not intended to create a basis for In the responses to comments we
technicians as well as other emergency appealing to federal court concerning a clarify that items such as cells and
health care in response to a medical request by state law enforcement tissues are not protected health
emergency. The final rule permits a officials. Each covered entity will information, but that analyses of them
covered health care provider providing continue to have available legal is. The same treatment would be given
emergency health care in response to a procedures applicable in the other physical items, such as clothing,
medical emergency, other than such appropriate jurisdiction to contest such weapons, or a bloody knife. We note,
emergency on the premises of the requests where warranted. however, that while these items are not
covered health care provider, to disclose As was the case with the NPRM, this protected health information and may
protected health information to a law rule does not create any new affirmative be disclosed, some communications that
enforcement official if such disclosure requirement for disclosure of protected could accompany the disclosure will be
appears necessary to alert law health information. Similarly, this protected health information under the
enforcement to (1) the commission and section is not intended to limit a rule. For example, if a person provides
nature of a crime, (2) the location of covered entity from disclosing protected cells to a researcher, and tells the
such crime or of the victim(s) of such health information to law enforcement researcher that these are an identified
crime, and (3) the identity, description, officials where other sections of the rule individual’s cancer cells, that
and location of the perpetrator of such permit such disclosure, e.g., as accompanying statement is protected
crime. A disclosure is not permitted permitted by § 164.512(j) to avert an health information about that
under this section if health care imminent threat to health or safety, for individual. Similarly, if a person
provider believes that the medical health oversight activities, to coroners provides a bullet to law enforcement,
emergency is the result of abuse, or medical examiners, and in other and tells law enforcement that the bullet
neglect, or domestic violence of the circumstances permitted by the rule. For was extracted from an identified

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00073 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82534 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

individual, the person has disclosed the Section 164.512(g) allows covered organizations or other entities engaged
fact that the individual was treated for entities to disclose protected health in the procurement, banking, or
a wound, and the additional statement information to funeral directors, transplantation of cadaveric organs,
is a disclosure of protected health consistent with applicable law, as eyes, or tissue for donation and
information. necessary to carry out their duties with transplantation. This provision is
To be able to make the additional respect to a decedent. For example, the intended to address situations in which
statement accompanying the provision rule allows hospitals to disclose to an individual has not previously
of the bullet, a covered entity must look funeral directors the fact that an indicated whether he or she seeks to
to the rule to find a provision under individual has donated an organ or donate organs, eyes, or tissues (and
which a disclosure may be made to law tissue, because this information has therefore authorized release of protected
enforcement. Section 164.512(f) of the implications for funeral home staff health information for this purpose). In
rule addresses disclosures for law duties associated with embalming. such situations, this provision is
enforcement purposes. Under When necessary for funeral directors to intended to allow covered entities to
§ 164.512(f)(1), the additional statement carry out their duties, covered entities initiate contact with organ and tissue
may be disclosed to a law enforcement may disclose protected health donation and transplantation
official if required by law or with information prior to and in reasonable organizations to facilitate
appropriate process. Under anticipation of the individual’s death. transplantation of cadaveric organs,
§ 164.512(f)(2), we permit covered Whereas the NPRM did not address eyes, and tissues.
entities to disclose limited identifying the issue of disclosure of psychotherapy
notes without individual authorization Disclosures and Uses for Government
information without legal process in Health Data Systems
response to a request from a law to coroners and medical examiners, the
final rule allows such disclosures. In the NPRM we proposed to permit
enforcement official for the purpose of
The NPRM did not include in covered entities to disclose protected
identifying or locating a suspect,
proposed § 164.510(e) language stating health information to a government
fugitive, material witness, or missing
that where a covered entity was itself a agency, or to a private entity acting on
person. Thus, in the case of bullet
coroner or medical examiner, it could behalf of a government agency, for
described above, the covered entity
use protected health information for the inclusion in a government health data
may, in response to a law enforcement
purposes of engaging in a coroner’s or system collecting health data for
request, provide the extracted bullet and
a medical examiner’s activities. The analysis in support of policy, planning,
such additional limited identifying
final rule includes such language to regulatory, or management functions
information as is permitted under
address situations such as where a authorized by law. The NPRM stated
§ 164.512(f)(2). public hospital performs medical that when a covered entity was itself a
Section 164.512(g)—Uses and examiner functions. In such cases, the government agency collecting health
Disclosures About Decedents hospital’s on-staff coroners can use data for these functions, it could use
protected health information while protected health information in all cases
In the NPRM we proposed to allow conducting post-mortem investigations, for which it was permitted to disclose
covered entities to disclose protected and other hospital staff can analyze any such information to government health
health information without individual information associated with these data systems.
authorization to coroners and medical investigations, for example, as part of In the final rule, we eliminate the
examiners, consistent with applicable the process of determining the cause of provision that would have allowed
law, for identification of a deceased the individual’s death. covered entities to disclose protected
person or to determine cause of death. health information to government health
In § 164.512(g) of the final rule, we Section 164.512(h)—Uses and
data systems without authorization.
permit covered entities to disclose Disclosures for Cadaveric Donation of
Thus, under the final rule, covered
protected health information to Organs, Eyes, or Tissues
entities cannot disclose protected health
coroners, medical examiners, and In the NPRM we proposed to include information without authorization to
funeral directors as part of a new the procurement or banking of blood, government health data systems—or to
paragraph on disclosures related to sperm, organs, or any other tissue for private health data systems—unless the
death. The final rule retains the NPRM administration to patients in the disclosure is permissible under another
approach regarding disclosure of definition of ‘‘health care’’ (described in provision of the rule.
protected health information to coroners proposed § 160.103). The NPRM’s
and medical examiners, and it allows proposed approach did not differentiate Disclosures for Payment Processes
the information disclosed to coroners between situations in which the donor In the NPRM we proposed to permit
and medical examiners to include was competent to consent to the covered entities to disclose, in
identifying information about other donation—for example, when an connection with routine banking
persons that may be included in the individual is donating blood, sperm, a activities or payment by debit, credit, or
individual’s medical record. Redaction kidney, or a liver or lung lobe—and other payment card, or other payment
of such names is not required prior to situations in which the donor was means, the minimum amount of
disclosing the individual’s record to deceased, for example, when cadaveric protected health information necessary
coroners or medical examiners. Since organs and tissues were being donated. to complete a banking or payment
covered entities may also perform duties We also proposed to allow use and activity to financial institutions or to
of a coroner or medical examiner, where disclosure of protected health entities acting on behalf of financial
a covered entity is itself a coroner or information for treatment without institutions to authorize, process, clear,
medical examiner, the final rule permits consent. settle, bill, transfer, reconcile, or collect
the covered entity to use protected In the final rule, we take a different payments for financial institutions.
health information in all cases in which approach. In § 164.512(h), we permit The preamble to the NPRM clarified
it is permitted to disclose such covered entities to disclose protected the proposed rule’s intent regarding
information for its duties as a coroner or health information without individual disclosure of diagnostic and treatment
medical examiner. authorization to organ procurement information along with payment

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00074 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82535

information to financial institutions. (i) The use or disclosure of protected met, the NPRM would have required
The preamble to the proposed rule said health information involves no more individuals’ authorization for the use or
that diagnostic and treatment than minimal risk to the subjects; disclosure of protected health
information never was necessary to (ii) The waiver will not adversely information for research, pursuant to the
process a payment transaction. The affect the rights and welfare of the authorization requirements in proposed
preamble said we believed that in most subjects; § 164.508. For research conducted with
cases, the permitted disclosure would (iii) The research could not patient authorization, documentation of
include only: (1) The name and address practicably be conducted without the IRB or privacy board approval would
of the account holder; (2) the name and waiver; not have been required.
address of the payor or provider; (3) the (iv) Whenever appropriate, the The final rule retains the NPRM’s
amount of the charge for health services; subjects will be provided with proposed framework for permitting uses
(4) the date on which health services additional pertinent information after and disclosures of protected health
were rendered; (5) the expiration date participation; information for research purposes,
for the payment mechanism, if (v) The research could not practicably although we are making several
applicable; and (6) the individual’s be conducted without access to and use important changes for the final rule.
signature. The preamble noted that the of the protected health information; These changes are discussed below:
proposed regulation text did not include (vi) The research is of sufficient
importance so as to outweigh the Documentation Requirements of IRB or
an exclusive list of information that Privacy Board Approval of Waiver
could lawfully be disclosed to process intrusion of the privacy of the
payments, and it solicited comments on individual whose information is subject The final rule retains these
whether more elements would be to the disclosure; documentation requirements, but
(vii) There is an adequate plan to modifies some of them and includes two
needed for banking and payment
protect the identifiers from improper additional documentation requirements.
transactions and on whether including a
use and disclosure; and The final rule’s modifications to the
specific list of protected health
(viii) There is an adequate plan to NPRM’s proposed documentation
information that could be disclosed was
destroy the identifiers at the earliest requirements are described first,
an appropriate approach.
opportunity consistent with the conduct followed by a description of the three
The preamble also noted that under of the research, unless there is a health documentation requirements added in
section 1179 of HIPAA, certain activities or research justification for retaining the the final rule.
of financial institutions were exempt identifiers; and The final rule makes the following
from this rule, to the extent that these (4) The written documentation was modifications to the NPRM’s proposed
activities constituted authorizing, signed by the chair of, as applicable, the documentation requirements for the
processing, clearing, settling, billing, IRB or the privacy board. waiver of individual authorization:
transferring, reconciling, or collecting The NPRM also proposed that IRBs 1. IRB and privacy board
payments for health care or health plan and privacy boards be permitted to membership. The NPRM stipulated that
premiums. adopt procedures for ‘‘expedited to meet the requirements of proposed
In the final rule, we eliminate the review’’ similar to those provided in the § 164.510(j), the documentation would
NPRM’s provision on ‘‘banking and Common Rule (Common Rule need to indicate that the IRB had been
payment processes.’’ All disclosures § ll.110) for records research that composed as required by the Common
that would have been allowed pursuant involved no more than minimal risk. Rule (§ ll.107), and the privacy board
to proposed § 164.510(i) are allowed However, this provision for expedited had been composed as follows: ‘‘(A) Has
under § 164.502(a) of the final rule, review was not included in the members with varying backgrounds and
regarding disclosure for payment proposed regulation text. appropriate professional competency as
purposes. The board that would determine necessary to review the research
whether the research protocol met the protocol; (B) Includes at least one
Section 164.512(i)—Uses and eight specified criteria for waiving the member who is not affiliated with the
Disclosures for Research Purposes patient authorization requirements entity conducting the research, or
The NPRM would have permitted (described above), could have been an related to a person who is affiliated with
covered entities to use and disclose IRB constituted as required by the such entity; and (C) Does not have any
protected health information for Common Rule, or a privacy board, member participating in a review of any
research—regardless of funding whose proposed composition is project in which the member has a
source—without individual described below. The NPRM proposed conflict of interest’’ (§ 164.510(j)(1)(ii)).
authorization, provided that the covered no requirements for the location or The final rule modifies the first of the
entity obtained documentation of the sponsorship of the IRB or privacy board. requirements for the composition of a
following: Under the NPRM, the covered entity privacy board to focus on the effect of
could have created such a board and the research protocol on the individual’s
(1) A waiver, in whole or in part, of
could have relied on it to review privacy rights and related interests.
authorization for the use or disclosure of
research proposals for uses and Therefore, under the final rule, the
protected health information was
disclosures of protected health required documentation must indicate
approved by an Institutional Review
information for research. A covered that the privacy board has members
Board (IRB) or a privacy board that was
entity also could have relied on the with varying backgrounds and
composed as stipulated in the proposed
necessary documentation from an appropriate professional competency as
rule;
outside researcher’s own university IRB necessary to review the effect of the
(2) The date of approval of the waiver, or privacy board. In addition, a covered research protocol on the individual’s
in whole or in part, of authorization by entity could have engaged the services privacy rights and related interests.
an IRB or privacy board; of an outside IRB or privacy board to In addition, the final rule further
(3) The IRB or privacy board had obtain the necessary documentation. restricts the NPRM’s proposed
determined that the waiver, in whole or Absent documentation that the requirement that the privacy board
in part satisfied the following criteria: requirements described above had been include at least one member who was

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00075 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82536 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

not affiliated with the entity conducting In addition, the final rule (1) researcher’s further use or disclosure of
the research, or related to a person who eliminates proposed waiver criterion iv, protected health information that had
is affiliated with such entity. Under the (2) modifies proposed waiver criteria ii, been received under proposed
final rule, the board must include at iii, vi, and viii, and (3) adds a waiver § 164.510(j). The final rule requires that
least one member who is not affiliated criterion. the covered entity obtain written
with the covered entity, not affiliated Proposed waiver criterion ii (waiver agreement from the person or entity
with any entity conducting or criterion § 164.512(i)(2)(ii)(B) in the receiving protected health information
sponsoring the research, and not related final rule) is revised as follows to focus under § 164.512(i) not to re-use or
to any person who is affiliated with more narrowly on the privacy interests disclose protected health information to
such entities. of individuals, and to clarify that it also any other person or entity, except: (1)
The other documentation pertains to alterations of individual As required by law, (2) for authorized
requirements for the composition of an authorization: ‘‘the alteration or waiver oversight of the research project, or (3)
IRB and privacy board remain the same. will not adversely affect the privacy for other research for which the use or
2. Waiver of authorization criteria. rights and the welfare of the disclosure of protected health
The NPRM proposed to prohibit the use individuals.’’ Under criterion information would be permitted by this
or disclosure of protected health § 164.512(i)(2)(ii)(B), the question is subpart. For instance, in assessing
information for research without whether the alteration or waiver of whether this criterion has been met, we
individual authorization as stipulated in individual authorization would encourage IRBs and privacy boards to
proposed § 164.508 unless the covered adversely affect the privacy rights and obtain adequate assurances that the
entity had documentation indicating the welfare of individuals, not whether protected health information will not be
that an IRB or privacy board had the research project itself would disclosed to an individual’s employer
determined that the following waiver adversely affect the privacy rights or the for employment decisions without the
criteria had been met: welfare of individuals. individual’s authorization.
(i) The use or disclosure of protected Proposed waiver criterion iii (waiver 3. Required signature. The rule
health information involves no more criterion § 164.512(i)(2)(ii)(C) in the broadens the types of individuals who
than minimal risk to the subjects; final rule) is revised as follows to clarify are permitted to sign the required
(ii) The waiver will not adversely that it also pertains to alterations of documentation of IRB or privacy board
affect the rights and welfare of the individual authorization: ‘‘the research approval. The final rule requires the
subjects; could not practicably be conducted documentation of the alteration or
(iii) The research could not without the alteration or waiver.’’ waiver of authorization to be signed by
practicably be conducted without the Proposed waiver criterion vi (waiver (1) the chair of, as applicable, the IRB
waiver; criterion § 164.512(i)(2)(ii)(E) in the or the privacy board, or (2) a member of
(iv) Whenever appropriate, the final rule) is revised as follows to be the IRB or privacy board, as applicable,
subjects will be provided with more consistent with one of the who is designated by the chair to sign
additional pertinent information after Common Rule’s requirements for the the documentation.
participation; approval of human subjects research Furthermore, the final rule makes the
(v) The research could not be (Common Rule, § ll.111(a)(2)): ‘‘the following three additions to the
practicably be conducted without access privacy risks to individuals whose proposed documentation requirements
to and use of the protected health protected health information is to be for the alteration or waiver of
information; used or disclosed are reasonable in authorization:
(vi) The research is of sufficient relation to anticipated benefits if any to 1. Identification of the IRB or privacy
importance so as to outweigh the individuals, and the importance of the board. The NPRM did not propose that
intrusion of the privacy of the knowledge that may reasonably be the documentation of waiver include a
individual whose information is subject expected to result from the research.’’ statement identifying the IRB or privacy
to the disclosure; Under criterion § 164.512(i)(2)(ii)(E), the board that approved the waiver of
(vii) There is an adequate plan to question is whether the risks to an authorization. In the final rule we
protect the identifiers from improper individual’s privacy from participating require that such a statement be
use and disclosure; and in the research are reasonable in relation included in the documentation of
(viii) There is an adequate plan to to the anticipated benefits from the alteration or waiver of individual
destroy the identifiers at the earliest research. This criterion is unlike waiver authorization. By this requirement we
opportunity consistent with the conduct criterion § 164.512(i)(2)(ii)(B) in that it mean that the name of the IRB or
of the research, unless there is a health focuses on the privacy risks and benefits privacy board must be included in such
or research justification for retaining the of the research project more broadly, not documentation, not the names of
identifiers. on the waiver of individual individual members of the board.
The final rule continues to permit the authorization. 2. Description of protected health
documentation of IRB or privacy board Proposed waiver criterion viii (waiver information approved for use or
approval of a waiver of an authorization criterion § 164.512(i)(2)(ii)(G) in the disclosure. The NPRM did not propose
as required by § 164.508, to indicate that final rule) is revised as follows: ‘‘there that the documentation of waiver
only some or all of the § 164.508 is an adequate plan to destroy the include a description of the protected
authorization requirements have been identifiers at the earliest opportunity health information that the IRB or
waived. In addition, the final rule consistent with the conduct of the privacy board had approved for use or
clarifies that the documentation of IRB research, unless there is a health or disclosure without individual
or privacy board approval may indicate research justification for retaining the authorization. In considering waiver of
that the authorization requirements identifiers, or such retention is authorization criterion
have been altered. Also, for all of the otherwise required by law.’’ § 164.512(i)(2)(ii)(D), we expect the IRB
proposed waiver of authorization In addition, the final rule includes or privacy board to consider the amount
criteria that used the term ‘‘subject,’’ we another waiver criterion: waiver of information that is minimally needed
replace this term with the term criterion § 164.512(i)(2)(ii)(H). The for the study. The final rule requires
‘‘individual’’ in the final rule. NPRM proposed no restriction on a that the documentation of IRB or

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00076 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82537

privacy board approval of the alteration review by a single member of the IRB or board has altered or waived individual
or waiver of authorization describe the privacy board, but continues to require authorization.
protected health information for which that the covered entity obtain
Research on Protected Health
use or access has been determined to be documentation that all of the specified
Information of the Deceased
necessary for the research by the IRB or waiver criteria have been met.
privacy board. For example, if the IRB The NPRM would have permitted the
or privacy board approves only the use Reviews Preparatory to Research use and disclosure of protected health
or disclosure of certain information Under the NPRM, if a covered entity information of deceased persons for
from patients’ medical records, and not used or disclosed protected health research without the authorization of a
patients’ entire medical record, this must be stated on the document certifying IRB or privacy board approval.

3. Review and approval procedures. The NPRM would not have required documentation of IRBs’ or privacy boards’ review and approval procedures. In the final rule, the documentation of the alteration or waiver of authorization must state that the alteration or waiver has been reviewed and approved by: (1) an IRB that has followed the voting requirements stipulated in the Common Rule (§ ll.108(b)), or the expedited review procedures as stipulated in § ll.110(b); or (2) a privacy board that has reviewed the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting, unless an expedited review procedure is used.

For documentation of IRB approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the IRB followed the expedited review requirements of the Common Rule (§ ll.110). For documentation of privacy board approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the privacy board met the expedited review requirements of the privacy rule. In the final rule, a privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which disclosure is being sought. If a privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair. Use of the expedited review mechanism permits

information for research, but the researcher did not record the protected health information in a manner that persons could be identified, such an activity would have constituted a research use or disclosure that would have been subject to either the individual authorization requirements of proposed § 164.508 or the documentation of the waiver of authorization requirements of proposed § 164.510(j).

The final rule permits the use and disclosure of protected health information for research without requiring authorization or documentation of the alteration or waiver of authorization, if the research is conducted in such a manner that only de-identified protected health information is recorded by the researchers and the protected health information is not removed from the premises of the covered entity. For such uses and disclosures of protected health information, the final rule requires that the covered entity obtain from the researcher representations that use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research, no protected health information is to be removed from the covered entity by the researcher in the course of the review, and the protected health information for which use or access is sought is necessary for the research purposes. The intent of this provision is to permit covered entities to use and disclose protected health information to assist in the development of a research hypothesis and aid in the recruitment of research participants. We understand that researchers sometimes require access to protected health information to develop a research protocol, and to determine whether a specific covered entity has protected health information of prospective research participants that would meet the eligibility criteria for enrollment into a research study. Therefore, this provision permits covered entities to use and disclose protected health information for these preliminary research activities without individual authorization and without documentation that an IRB or privacy board

legal representative, and without the requirement for written documentation of IRB or privacy board approval in proposed § 164.510(j). In the final rule, we retain the exception for uses and disclosures for research purposes but in addition require that the covered entity take certain protective measures prior to release of the decedent’s protected health information for such purposes. Specifically, the final rule requires that the covered entity obtain representation that the use or disclosure is sought solely for research on the protected health information of decedents, and representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. In addition, the final rule allows covered entities to request from the researcher documentation of the death of the individuals about whom protected health information is being sought.

Good Faith Reliance

The final rule clarifies that covered entities are allowed to rely on the IRB’s or privacy board’s representation that the research proposal meets the documentation requirements of § 164.512(i)(1)(i) and the minimum necessary requirements of § 164.514. In addition, when using or disclosing protected health information for reviews preparatory to research (§ 164.512(i)(1)(ii)) or for research solely on the protected health information of decedents (§ 164.512(i)(1)(iii)), the final rule clarifies that the covered entity may rely on the requesting researcher’s representation that the purpose of the request is for one of these two purposes, and that the request meets the minimum necessary requirements of § 164.514. Therefore, the covered entity has not violated the rule if the requesting researcher misrepresents his or her intended use of the protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

To the extent that a researcher provided treatment to persons as part of a research study, the NPRM would have covered such researchers as health care providers for purposes of that treatment, and required that the researcher comply with all of the provisions of the rule that would be applicable to health care providers. The final rule retains this requirement.

Individual Access to Research Information

Under proposed § 164.514, the NPRM would have applied the proposed provision regarding individuals’ access to records to research that includes the delivery of treatment. The NPRM proposed an exception to individuals’ right to access protected health information for clinical trials, where (1) protected health information was obtained by a covered entity in the course of a clinical trial, (2) the individual agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and (3) the trial was still in progress.

Section 164.524 of the final rule retains this exception to access for research that includes treatment. In addition, the final rule requires that participants in such research be informed that their right of access to protected health information about them will be reinstated once the research is complete.

Obtaining the Individual’s Authorization for Research

The NPRM would have required covered entities obtaining individuals’ authorization for the use or disclosure of information for research to comply with the requirements applicable to individual authorization for the release of protected health information (proposed § 164.508(a)(2)). If an individual had initiated the use or disclosure of his/her protected health information for research, or any other purpose, the covered entity would have been required to obtain a completed authorization for the use or disclosure of protected health information as proposed in § 164.508(c).

The final rule retains these requirements for research conducted with authorization, as required by § 164.508. In addition, for the use and disclosure of protected health information created by a covered entity for the purpose, in whole or in part, of research that includes treatment of the individual, the covered entity must meet the requirements of § 164.508(f).

Interaction with the Common Rule

The NPRM stated that the proposed rule would not override the Common Rule. Where both the NPRM and the Common Rule would have applied to research conducted by the covered entity—either with or without individuals’ authorization—both sets of regulations would have needed to be followed. This statement remains true in the final rule. In addition, we clarify that FDA’s human subjects regulations must also be followed if applicable.

Section 164.512(j)—Uses and Disclosures to Avert a Serious Threat to Health or Safety

In the NPRM we proposed to allow covered entities to use or disclose protected health information without individual authorization—consistent with applicable law and ethics standards—based on a reasonable belief that use or disclosure of the protected health information was necessary to prevent or lessen a serious and imminent threat to health or safety of an individual or of the public. Pursuant to the NPRM, covered entities could have used or disclosed protected health information in these emergency circumstances to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. The NPRM stated that covered entities that made disclosures in these circumstances were presumed to have acted under a reasonable belief if the disclosure was made in good faith, based on credible representation by a person with apparent knowledge or authority. The NPRM did not include verification requirements specific to this paragraph.

In § 164.512(j) of the final rule, we retain the NPRM’s approach to uses and disclosures made to prevent or lessen serious and imminent threats to health or safety, as well as its language regarding the presumption of good faith. We also clarify that: (1) Rules governing these situations, which the NPRM referred to as "emergency circumstances," are not intended to apply to emergency care treatment, such as health care delivery in a hospital emergency room; and (2) the "presumption of good faith belief" is intended to apply only to this provision and not to all disclosures permitted without individual authorization. The final rule allows covered entities to use or disclose protected health information without an authorization on their own initiative in these circumstances, when necessary to prevent or lessen a serious and imminent threat, consistent with other applicable ethical or legal standards.

The rule’s approach is consistent with the "duty to warn" third persons at risk, which has been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. Many states have adopted, through either statutory or case law, versions of the Tarasoff duty to warn. The rule is not intended to create a duty to warn or disclose. Rather, it permits disclosure to avert a serious and imminent threat to health or safety consistent with other applicable legal or ethical standards. If disclosure in these circumstances is prohibited by state law, this rule would not allow the disclosure.

As indicated above, in some situations (for example, when a person is both a fugitive and a victim and thus covered entities could disclose protected health information pursuant either to § 164.512(f)(2) regarding fugitives or to § 164.512(f)(3) establishing conditions for disclosure about victims), more than one section of this rule potentially could apply with respect to a covered entity’s potential disclosure of protected health information. Similarly, in situations involving a serious and imminent threat to public health or safety, law enforcement officials may be seeking protected health information from covered entities to locate a fugitive. In the final rule, we clarify that if a situation fits one section of the rule (for example, § 164.512(j) on serious and imminent threats to health or safety), covered entities may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., § 164.512(f), regarding disclosure to law enforcement officials).

The proposed rule did not address situations in which covered entities could make disclosures to law enforcement officials about oral statements admitting participation in violent conduct or about escapees.

In the final rule we permit, but do not require, covered entities to use or disclose protected health information, consistent with applicable law and standards of ethical conduct, in specific situations in which the covered entity, in good faith, believes the use or disclosure is necessary to permit law enforcement authorities to identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of this section, a covered entity may take such action because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim. The protected health information that is disclosed in this case is limited to the statement and to the protected health information included under the limited identifying and location information in § 164.512(f)(2), such as name, address, and type of injury. Under paragraph (j)(1)(ii)(B) of this section, a covered entity may take such action where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

A disclosure may not be made under paragraph (j)(1)(ii)(A) for a statement admitting participation in a violent crime if the covered entity learns the information in the course of counseling or therapy. Similarly, such a disclosure is not permitted if the covered entity learns the information in the course of treatment to affect the propensity to commit the violent crimes that are described in the individual’s statements. We do not intend to discourage individuals from speaking accurately in the course of counseling or therapy sessions, or to discourage other treatment that specifically seeks to reduce the likelihood that someone who has acted violently in the past will do so again in the future. This prohibition on disclosure is triggered once an individual has made a request to initiate or be referred to such treatment, therapy, or counseling.

The provision permitting use and disclosure has been added in light of the broadened definition in the final rule of protected health information. Under the NPRM, protected health information meant individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity. Under the final rule, protected health information includes information transmitted by electronic media as well as such information transmitted or maintained in any other form or medium. The new definition includes oral statements to covered entities as well as individually identifiable health information transmitted "in any other form."

The definition of protected health information, for instance, would now apply to a statement by a patient that is overheard by a hospital security guard in a waiting room. Such a statement would have been outside the scope of the proposed rule (unless it was memorialized in an electronic record), but is within the scope of the final rule. For the example with the hospital guard, the new provision permitting disclosure of a statement by an individual admitting participation in a violent crime would have the same effect as the proposed rule—the statement could be disclosed to law enforcement, so long as the other aspects of the regulation are followed. Similarly, where it appears from all the circumstances that the individual has escaped from prison, the expanded definition of protected health information should not prevent the covered entity from deciding to report this information to law enforcement.

The disclosures that covered entities may elect to make under this paragraph are entirely at their discretion. These disclosures to law enforcement are in addition to other disclosure provisions in the rule. For example, under paragraph § 164.512(f)(2) of this section, a covered entity may disclose limited categories of protected health information in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Paragraph § 164.512(f)(1) of this section permits a covered entity to make disclosures that are required by other laws, such as state mandatory reporting laws, or are required by legal process such as court orders or grand jury subpoena.

Section 164.512(k)—Uses and Disclosures for Specialized Government Functions

Application to Military Services

In the NPRM we would have permitted a covered entity providing health care to Armed Forces personnel to use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority had published by notice in the Federal Register (In the NPRM, we proposed that the Department of Defense would publish this Federal Register notice in the future.) The final rule takes a similar approach while making some modifications to the NPRM. One modification concerns the information that will be required in the Federal Register notice. The NPRM would have required a listing of (i) appropriate military command authorities; (ii) the circumstances for which use or disclosure without individual authorization would be required; and (iii) activities for which such use or disclosure would occur in order to assure proper execution of the military mission. In the final rule, we eliminate the third category and also slightly modify language in the second category to read: "the purposes for which the protected health information may be used or disclosed."

An additional modification concerns the rule’s application to foreign military and diplomatic personnel. The NPRM would have excluded foreign diplomatic and military personnel, as well as their dependents, from the proposed definition of "individual," thereby excluding any protected health information created about these personnel from the NPRM’s privacy protections. Foreign military and diplomatic personnel affected by this provision include, for example, allied military personnel who are in the United States for training. The final rule applies a more limited exemption to foreign military personnel only (Foreign diplomatic personnel will have the same protections granted to all other individuals under the rule). Under the final rule, foreign military personnel are not excluded from the definition of "individual." Covered entities will be able to use and disclose protected health information of foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for U.S. Armed Forces personnel under the notice to be published in the Federal Register. Foreign military personnel do have the same rights of access, notice, right to request privacy protection, copying, amendment, and accounting as do other individuals pursuant to §§ 164.520–164.526 (sections on access, notice, right to request privacy protection for protected health information, amendment, inspection, copying) of the rule.

The NPRM likewise would have exempted overseas foreign national beneficiaries from the proposed rule’s requirements by excluding them from the definition of "individual." Under the final rule, these beneficiaries no longer are exempt from the definition of "individual." However, the rule’s provisions do not apply to the individually identifiable health information of overseas foreign nationals who receive care provided by the Department of Defense, other federal agencies, or by non-governmental organizations incident to U.S. sponsored missions or operations.

The final rule includes a new provision to address separation or discharge from military service. The preamble to the NPRM noted that upon completion of individuals’ military service, DOD and the Department of Transportation routinely transfer entire military service records, including protected health information, to the Department of Veterans Affairs so that the file can be retrieved quickly if the individuals or their dependents apply for veterans benefits. The NPRM would have required consent for such transfers. The final rule no longer requires consent in such situations. Thus, under the final rule, a covered entity that is a component of DOD or the Department of Transportation may disclose to DVA the protected health information of an Armed Forces member upon separation or discharge from military service for the purpose of a determination by DVA of the individual’s eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.

Department of Veterans Affairs

Under the NPRM, a covered entity that is a component of the Department of Veterans Affairs could have used and disclosed protected health information to other components of the Department that determine eligibility for, or entitlement to, or that provide benefits under the laws administered by the Secretary of Veterans Affairs. In the final rule, we retain this approach.

Application to Intelligence Community

The NPRM would have provided an exemption from its proposed requirements to the intelligence community. As defined in section 4 of the National Security Act, 50 U.S.C. 401a, the intelligence community includes: the Office of the Director of Central Intelligence Agency; the Office of the Deputy Director of Central Intelligence; the National Intelligence Council and other such offices as the Director may designate; the Central Intelligence Agency; the National Security Agency; the Defense Intelligence Agency; the National Imagery and Mapping Agency; the National Reconnaissance Office; other offices within the DOD for the collection of specialized national intelligence through reconnaissance programs; the intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, and the Department of Energy; the Bureau of Intelligence and Research of the Department of State; and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community. It would have allowed a covered entity to use without individual authorization protected health information of employees of the intelligence community, and of their dependents, if such dependents were being considered for posting abroad. The final rule does not include such an exemption. Rather, the final rule does not except intelligence community employees and their dependents from the general rule requiring an authorization in order for protected health information to be used and disclosed.

National Security and Intelligence Activities

The NPRM included a provision, in § 164.510(f)—Disclosure for Law Enforcement Purposes—that would allow covered entities to disclose protected health information without consent for the conduct of lawful intelligence activities under the National Security Act, and in connection with providing protective services to the President or to foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 2709(a)(3) respectively. The final rule preserves these exemptions, with slight modifications, but moves them from proposed § 164.510(f) to § 164.512(k). It also divides this area into two paragraphs—one called "National Security and Intelligence Activities" and the second called "Protective services for the President and Others." The final rule, with modifications, allows a covered entity to disclose protected health information to an authorized federal official for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority (e.g., Executive Order 12333). The references to "counter-intelligence and other national security activities" are new to the final rule. The reference to "implementing authority (e.g. Executive Order 12333)" is also new.

The final rule also adds specificity to the provision on protective services. It states that a covered entity may disclose protected health information to authorized federal officials for the provision of protective services to the President or other persons as authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons as authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

Application to the State Department

The final rule creates a narrower exemption for Department of State for uses and disclosures of protected health information (1) for purposes of a required security clearance conducted pursuant to Executive Orders 10450 and 12698; (2) as necessary to meet the requirements of determining worldwide availability or availability for mandatory service abroad under Sections 101(a)(4) and 504 of the Foreign Service Act; and (3) for a family member to accompany a Foreign Service Officer abroad, consistent with Section 101(b)(5) and 904 of the Foreign Service Act.

Regarding security clearances, nothing prevents any employer from requiring that individuals provide authorization for the purpose of obtaining a security clearance. For the Department of State, however, the final rule provides a limited exemption that allows a component of the Department of State without an authorization to (1) use protected health information to make medical suitability determinations and (2) to disclose whether or not the individual was determined to be medically suitable to authorized officials in the Department of State for the purpose of a security clearance investigation conducted pursuant to Executive Order 10450 and 12698.

Sections 101(a)(4) and 504 of the Foreign Service Act require that Foreign Service members be available to serve in assignments throughout the world. The final rule permits disclosures to officials who need protected health information to determine availability for duty worldwide.

Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information for a family member to accompany a Foreign Service member abroad.

This exemption does not permit the disclosure of specific medical conditions, diagnoses, or other specific medical information. It permits only the disclosure of the limited information needed to determine whether the individual should be granted a security clearance or whether the Foreign Service member or his or her family members should be posted to a certain overseas assignment.

Application to Correctional Facilities

The NPRM would have excluded the individually identifiable health information of correctional facility inmates and detention facility detainees from the definition of protected health information. Thus, none of the NPRM’s proposed privacy protections would have applied to correctional facility inmates or to detention facility detainees while they were in these facilities or after they had been released.

The final rule takes a different approach. First, to clarify that we are referring to individuals who are incarcerated in correctional facilities that are part of the criminal justice system or in the lawful custody of a law enforcement official—and not to individuals who are "detained" for non-criminal reasons, for example, in psychiatric institutions—§ 164.512(k) covers disclosure of protected health information to correctional institutions or law enforcement officials having lawful custody. In addition, where a covered health care provider is also a health care component of a correctional institution, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information. We define correctional institution as defined pursuant to 42 U.S.C. 13725(b)(1), as a "prison, jail, reformatory, work farm, detention center, or halfway house, or any other similar institution designed for the confinement or rehabilitation of criminal offenders." The rules regarding disclosure and use of protected health information specified in § 164.512(k) cover individuals who are in transitional homes, and other facilities in which they are required by law to remain for correctional reasons and from which they are not allowed to leave. This section also covers individuals who are confined to psychiatric institutions for correctional reasons and who are not allowed to leave; however, it does not apply to disclosure of information about individuals in psychiatric institutions for treatment purposes only, who are not there due to a crime or under a mandate from the criminal justice system. The disclosure rules described in this section do not cover release of protected health information about individuals in pretrial release, probation, or on parole; such persons are not considered to be incarcerated in a correctional facility. As described in § 164.512(k), correctional facility inmates’ individually identifiable health information is not excluded from the definition of protected health information. When individuals are

correctional facility or in the lawful custody of a law enforcement official, covered entities (for example, the prison’s clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) The provision of health care to such individuals; (2) the health and safety of such individual or other inmates; (3) the health and safety of the officers or employees of or others at the correctional institution; (4) the health and safety of such individuals and officers or other persons responsible for the transporting of such inmates or their transfer from one institution or facility to another; (5) law enforcement on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution. This section is intended to allow, for example, a prison’s doctor to disclose to a van driver transporting a criminal that the individual is a diabetic and frequently has seizures, as well as information about the appropriate action to take if the individual has a seizure while he or she is being transported.

We permit covered entities to disclose protected health information about these individuals if the correctional institution or law enforcement official represents that the protected health information is necessary for these purposes. Under § 164.514(h), a covered entity may reasonably rely on the representation of such public officials.

Application to Public Benefits Programs Required to Share Eligibility Information

We create a new provision for covered entities that are a government program providing public benefits. This provision allows the following disclosures of protected health information.

First, where other law requires or expressly authorizes information relating to the eligibility for, or enrollment in more than one public program to be shared among such public programs and/or maintained in a single or combined data system, a public agency that is administering a health plan may maintain such a data base and may disclose information relating to such eligibility or enrollment in the health plan to the extent authorized by

interests is to allow information sharing for these limited purposes, we do not upset that determination. For example, section 1137 of the Social Security Act requires a variety of public programs, including the Social Security program, state medicaid programs, the food stamp program, certain unemployment compensation programs, and others, to participate in a joint income and eligibility verification system. Similarly, section 222 of the Social Security Act requires the Social Security Administration to provide information to certain state vocational rehabilitation programs for eligibility purposes. In some instances, it is a covered entity that first collects or creates the information that is then disclosed for these systems. We do not prohibit those disclosures.

This does not authorize these entities to share information for claims determinations or ongoing administration of these public programs. This provision is limited to the agencies and activities described above.

Second, § 164.512(k)(6) permits a covered entity that is a government agency administering a government program providing public benefits to disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs. The second provision permits covered entities that are a government program providing public benefits that serve the same or similar populations to share protected health information for the purposes of coordinating covered functions of the programs and for general management and administration relating to the covered functions of the programs. Often, similar government health programs are administered by different government agencies. For example, in some states, the Medicaid program and the State Children’s Health Insurance Program are administered by different agencies, although they serve similar populations. Many states coordinate eligibility for these two programs, and sometimes offer services through the same delivery systems and contracts. This provision would permit the covered entities administering these
released from correctional facilities, such other law. programs to share protected health
they will have the same privacy rights Where another public entity has information of program participants to
that apply to all other individuals under determined that the appropriate balance coordinate enrollment and services and
this rule. between the need for efficient to generally improve the health care
Section 164.512(k) of the final rule administration of public programs and operations of the programs. We note that
states that while individuals are in a public funds and individuals’ privacy this provision does not authorize the

agencies to use or disclose the protected health information that is shared for purposes other than as provided for in this paragraph.

Section 164.512(l)—Disclosures For Workers’ Compensation

The NPRM did not contain special provisions permitting covered entities to disclose protected health information for the purpose of complying with workers’ compensation and similar laws. Under HIPAA, workers’ compensation and certain other forms of insurance (such as automobile or disability insurance) are “excepted benefits.” Insurance carriers that provide this coverage are not covered entities even though they provide coverage for health care services. To carry out their insurance functions, these non-covered insurers typically seek individually identifiable health information from covered health care providers and group health plans. In drafting the proposed rule, the Secretary was faced with the challenge of trying to carry out the statutory mandate of safeguarding the privacy of individually identifiable health information by regulating the flow of such information from covered entities while at the same time respecting the Congressional intent to shield workers’ compensation carriers and other excepted benefit plans from regulation as covered entities.

In the proposed rule we allowed covered entities to disclose protected health information without individual consent for purposes of treatment, payment or health care operations—even when the disclosure was to a non-covered entity such as a workers’ compensation carrier. In addition, we allowed protected health information to be disclosed if required by state law for purposes of determining eligibility for coverage or fitness for duty. The proposed rule also required that whenever a covered entity disclosed protected health information to a non-covered entity, even though authorized under the rule, the individual who was the subject of the information must be informed that the protected health information was no longer subject to privacy protections.

Like other disclosures under the proposed rule, the information provided to workers’ compensation carriers for treatment, payment or health care operations was subject to the minimum necessary standard. However, to the extent that protected health information was disclosed to the carrier because it was required by law, it was not subject to the minimum necessary standard. In addition, individuals were entitled to an accounting when protected health information was disclosed for purposes other than treatment, payment or health care operations.

In the final rule, we include a new provision in this section that clarifies the ability of covered entities to disclose protected health information without authorization to comply with workers’ compensation and similar programs established by law that provide benefits for work-related illnesses or injuries without regard to fault. Although most disclosures for workers’ compensation would be permissible under other provisions of this rule, particularly the provisions that permit disclosures for payment and as required by law, we are aware of the significant variability among workers’ compensation and similar laws, and include this provision to ensure that existing workers’ compensation systems are not disrupted by this rule. We note that the minimum necessary standard applies to the disclosures under this paragraph.

Under this provision, a covered entity may disclose protected health information regarding an individual to a party responsible for payment of workers’ compensation benefits to the individual, and to an agency responsible for administering and/or adjudicating the individual’s claim for workers’ compensation benefits. For purposes of this paragraph, workers’ compensation benefits include benefits under programs such as the Black Lung Benefits Act, the federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act.

Additional Considerations

We have included a general authorization for disclosures under workers’ compensation systems to be consistent with the intent of Congress, which defined workers’ compensation carriers as excepted benefits under HIPAA. We recognize that there are significant privacy issues raised by how individually identifiable health information is used and disclosed in workers’ compensation systems, and believe that states or the federal government should enact standards that address those concerns.

Section 164.514—Other Procedural Requirements Relating To Uses and Disclosures of Protected Health Information

Section 164.514(a)–(c)—De-identification

In § 164.506(d) of the NPRM, we proposed that the privacy standards would apply to “individually identifiable health information,” and not to information that does not identify the subject individual. The statute defines individually identifiable health information as certain health information:
(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

As we pointed out in the NPRM, difficulties arise because, even after removing obvious identifiers (e.g., name, social security number, address), there is always some probability or risk that any information about an individual can be attributed to that individual.

The NPRM proposed two alternative methods for determining when sufficient identifying information has been removed from a record to render information de-identified and thus not subject to the rule. First, the NPRM proposed the establishment of a “safe harbor”: if all of a list of 19 specified items of information had been removed, and the covered entity had no reason to believe that the remaining information could be used to identify the subject of the information (alone or in combination with other information), the covered entity would have been presumed to have created de-identified information. Second, the NPRM proposed an alternative method so that covered entities with sufficient statistical experience and expertise could remove or encrypt a combination of information different from the enumerated list, using commonly accepted scientific and statistical standards for disclosure avoidance. Such covered entities would have been able to include information from the enumerated list of 19 items if they (1) believed that the probability of re-identification was very low, and (2) removed additional information if they had a reasonable basis to believe that the resulting information could be used to re-identify someone.

We proposed that covered entities and their business partners be permitted to use protected health information to create de-identified health information using either of these two methods. Covered entities would have been permitted to further use and disclose such de-identified information in any way, provided that they did not disclose the key or other mechanism that would have enabled the information to be re-identified, and provided that they reasonably believed that such use or disclosure of de-identified information would not have resulted in the use or

disclosure of protected health information.

A number of examples were provided of how valuable such de-identified information would be for various purposes. We expressed the hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the purpose, and that such practice would reduce the burden and the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes.

In §§ 164.514(a)-(c) of this final rule, we make several modifications to the provisions for de-identification. First, we explicitly adopt the statutory standard as the basic regulatory standard for whether health information is individually identifiable health information under this rule. Information is not individually identifiable under this rule if it does not identify the individual, or if the covered entity has no reasonable basis to believe it can be used to identify the individual. Second, in the implementation specifications we reformulate the two ways in which a covered entity can demonstrate that it has met the standard.

One way a covered entity may demonstrate that it has met the standard is if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. The covered entity must also document the analysis and results that justify the determination. We provide guidance regarding this standard in our responses to the comments we received on this provision.

We also include an alternate, safe harbor, method by which covered entities can demonstrate compliance with the standard. Under the safe harbor, a covered entity is considered to have met the standard if it has removed all of a list of enumerated identifiers, and if the covered entity has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. We note that in the NPRM, we had proposed that to meet the safe harbor, a covered entity must have “no reason to believe” that the information remained identifiable after the enumerated identifiers were removed. In the final rule, we have changed the standard to one of actual knowledge in order to provide greater certainty to covered entities using the safe harbor approach.

In the safe harbor, we explicitly allow age and some geographic location information to be included in the de-identified information, but all dates directly related to the subject of the information must be removed or limited to the year, and zip codes must be removed or aggregated (in the form of most 3-digit zip codes) to include at least 20,000 people. Extreme ages of 90 and over must be aggregated to a category of 90+ to avoid identification of very old individuals. Other demographic information, such as gender, race, ethnicity, and marital status are not included in the list of identifiers that must be removed.

The intent of the safe harbor is to provide a means to produce some de-identified information that could be used for many purposes with a very small risk of privacy violation. The safe harbor is intended to involve a minimum of burden and convey a maximum of certainty that the rules have been met by interpreting the statutory “reasonable basis to believe that the information can be used to identify the individual” to produce an easily followed, cook book approach.

Covered entities may use codes and similar means of marking records so that they may be linked or later re-identified, if the code does not contain information about the subject of the information (for example, the code may not be a derivative of the individual’s social security number), and if the covered entity does not use or disclose the code for any other purpose. The covered entity is also prohibited from disclosing the mechanism for re-identification, such as tables, algorithms, or other tools that could be used to link the code with the subject of the information.

Language to clarify that covered entities may contract with business associates to perform the de-identification has been added to the section on business associates.

Section 164.514(d)—Minimum Necessary

The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)).

The proposed minimum necessary standard did not apply to uses or disclosures that were made by covered entities at the request of the individual, either to allow the individual access to protected health information about him or her or pursuant to an authorization initiated by the individual. The requirement also did not apply to uses and disclosures made: pursuant to the compliance and enforcement provisions of the rule; as required by law and permitted by the regulation without individual authorization; by a covered health care provider to a health plan, when the information was requested for audit and related purposes. Finally, the standard did not apply to the HIPAA administrative simplification transactions.

The proposed implementation specifications would have required a covered entity to have procedures to: (i) Identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard; (ii) ensure that those persons make the minimum necessary determinations, when required; and (iii) within the limits of the entity’s technological capabilities, provide for the making of such determinations individually. The proposal allowed a covered entity, when making disclosures to public officials that were permitted without individual authorization but not required by other law, to reasonably rely on the representations of such officials that the information requested was the minimum necessary for the stated purpose(s).

The preamble provided further guidance. The preamble explained that covered entities could not have general policies of approving all requests (or all requests of a particular type) without carefully considering certain criteria (see “Criteria,” below) as well as other information specific to the request. The minimum necessary determination would have needed to be consistent with and directly related to the purpose of the use or disclosure. Where there was ambiguity regarding the information to be used or disclosed, the preamble directed covered entities to interpret the “minimum necessary” standard to “require” the covered entity to make some effort to limit the amount of protected health information used/disclosed.

The proposal would have required the minimum necessary determination to take into consideration the ability of a covered entity to delimit the amount of information used or disclosed. The preamble noted that these determinations would have to be made under a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use or
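The safe-harbor generalization described above under § 164.514(a)–(c) (dates limited to the year, zip codes aggregated to a 3-digit area of at least 20,000 people, ages of 90 and over collapsed to 90+, direct identifiers removed, and a linkage code that is not derived from the subject’s data) applied to a constructed record, as an added example that is not part of the rule or its preamble. The field names, the subset of direct identifiers stripped, and the 3-digit zip population table are assumptions.

```python
"""Safe-harbor style de-identification of one record (added example, not the
rule's own text). Direct identifiers are dropped, dates directly related to
the individual are reduced to the year, ages of 90 and over become "90+", and a
ZIP code survives only as its 3-digit prefix, and only where that prefix covers
at least 20,000 people. Field names, the identifier subset below and the
caller's population table are constructed assumptions, not the enumerated list.
"""
import re
import secrets
from datetime import date

# Assumed subset of direct identifiers to strip (illustrative, not the full list).
DIRECT_IDENTIFIERS = {"name", "ssn", "street_address", "phone", "email", "mrn"}
# Fields the covered entity treats as dates directly related to the individual.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

ZIP3_POPULATION_THRESHOLD = 20_000  # people a 3-digit ZIP area must hold to be kept
AGE_CAP = 90                        # ages at or above this are reported as "90+"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FULL_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
ZIP5_RE = re.compile(r"^\d{5}(-\d{4})?$")

def generalize_zip(zip_code, zip3_population):
    """Return the 3-digit prefix if its area has >= 20,000 people, else None."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    if zip3_population.get(prefix, 0) >= ZIP3_POPULATION_THRESHOLD:
        return prefix
    return None  # area too small: the ZIP code is removed entirely

def generalize_date(value):
    """Reduce a datetime.date or an ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return value.year
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    if match is None:
        raise ValueError(f"unrecognized date format: {value!r}")
    return int(match.group(1))

def generalize_age(age):
    """Collapse ages of 90 and over into the single category "90+"."""
    age = int(age)
    return "90+" if age >= AGE_CAP else age

def deidentify(record, zip3_population, make_code=None):
    """Return (de-identified record, linkage entry).

    The linkage entry maps a random record code back to the original MRN so the
    covered entity can re-identify later; it is kept apart from the data and is
    never disclosed with it. The code is random, not derived from any attribute
    of the subject (for example, it is not a hash of the SSN).
    """
    make_code = make_code or (lambda: secrets.token_hex(8))
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if field == "zip":
            prefix = generalize_zip(value, zip3_population)
            if prefix is not None:
                out["zip3"] = prefix
        elif field in DATE_FIELDS:
            out[field + "_year"] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value            # gender, race, diagnosis codes, etc. stay
    if out.get("age") == "90+":
        # Assumption: a birth year would give away the age that "90+" is meant to hide.
        out.pop("dob_year", None)
    code = make_code()
    out["record_code"] = code
    return out, {code: record.get("mrn")}

def verify_safe_harbor(record):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    for field, value in record.items():
        text = str(value)
        if field in DIRECT_IDENTIFIERS:
            problems.append(f"{field}: direct identifier still present")
        if SSN_RE.search(text):
            problems.append(f"{field}: SSN-shaped value")
        if FULL_DATE_RE.search(text):
            problems.append(f"{field}: full date, not limited to the year")
        if ZIP5_RE.match(text):
            problems.append(f"{field}: 5-digit ZIP code")
    age = record.get("age")
    if isinstance(age, int) and age >= AGE_CAP:
        problems.append("age: 90 or over not aggregated to '90+'")
    return problems
```

The population table must come from the covered entity's own census source; the check in verify_safe_harbor is a minimum self-test, not a substitute for the actual-knowledge standard the rule imposes.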

disclosure. The “reasonableness” of limiting particular uses or disclosures was to be determined based on the following factors (which were not included in the regulatory text):
a. The extent to which the use or disclosure would extend the number of persons with access to the protected health information.
b. The likelihood that further uses or disclosures of the protected health information could occur.
c. The amount of protected health information that would be used or disclosed.
d. The importance of the use or disclosure.
e. The potential to achieve substantially the same purpose with de-identified information. For disclosures, each covered entity would have been required to have policies for determining when protected health information must be stripped of identifiers.
f. The technology available to limit the amount of protected health information used/disclosed.
g. The cost of limiting the use/disclosure.
h. Any other factors that the covered entity believed were relevant to the determination.

The proposal shifted the “minimum necessary” burden off of covered providers when they were being audited by a health plan. The preamble explained that the duty would have been shifted to the payor to request the minimum necessary information for the audit purpose, although the regulatory text did not include such a requirement. Outside of the audit context, the preamble stated that a health plan would be required, when requesting a disclosure, to limit its requests to the information required to achieve the purpose of the request; the regulation text did not include this requirement. The preamble stated that disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the minimum necessary standard.

This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. For all uses and many disclosures and requests for disclosures from other covered entities, we require covered entities to implement policies and procedures for “minimum necessary” uses and disclosures. Implementation of such policies and procedures is required in lieu of making the “minimum necessary” determination for each separate use or disclosure as discussed in the proposal. Disclosures to or requests by a health care provider for treatment purposes are not subject to the standard (see § 164.502).

Specifically (and as further described below), the proposed requirement for individual review of all uses of protected health information is replaced with a requirement for covered entities to implement policies and procedures that restrict access and uses based on the specific roles of members of the covered entity’s workforce. Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures to limit the protected health information in routine disclosures to the minimum necessary to achieve the purpose of that type of disclosure. The proposed exclusion of disclosures to health plans for audit purposes is deleted and replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the use or disclosure intended. The other exclusions from the standard are unchanged from the proposed rule (e.g., for individuals’ access to information about themselves, pursuant to an authorization initiated by the individual, for enforcement of this rule, as required by law).

The language of the basic “standard” itself is largely unchanged; covered entities must make reasonable efforts to use or disclose or to request from another covered entity, only the minimum amount of protected health information required to achieve the purpose of a particular use or disclosure. We delete the word “all” from the “reasonable efforts” that covered entities must take in making a “minimum necessary” determination. The implementation specifications are significantly modified, and differ based on whether the activity is a use or disclosure.

Similarly, a “minimum necessary” disclosure for oversight purposes in accordance with § 164.512(d) could include large numbers of records to allow oversight agencies to perform statistical analyses to identify deviations in payment or billing patterns, and other data analyses.

Uses of Protected Health Information

A covered entity must implement policies and procedures to identify the persons or classes of persons in the entity’s workforce who need access to protected health information to carry out their duties, the category or categories of protected health information to which such persons or classes need access, and the conditions, as appropriate, that would apply to such access. Covered entities must also implement policies and procedures to limit access to only the identified persons, and only to the identified protected health information. The policies and procedures must be based on reasonable determinations regarding the persons or classes of persons who require protected health information, and the nature of the health information they require, consistent with their job responsibilities.

For example, a hospital could implement a policy that permitted nurses access to all protected health information of patients in their ward while they are on duty. A health plan could permit its underwriting analysts unrestricted access to aggregate claims information for rate setting purposes, but require documented approval from its department manager to obtain specific identifiable claims records of a member for the purpose of determining the cause of unexpected claims that could influence renewal premium rate setting.

The “minimum necessary” standard is intended to reflect and be consistent with, not override, professional judgment and standards. For example, we expect that covered entities will implement policies that allow persons involved in treatment to have access to the entire record, as needed.

Disclosures of Protected Health Information

For any type of disclosure that is made on a routine, recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that permit only the disclosure of the minimum protected health information reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. Instead, under § 164.514(d)(3), these policies and procedures must identify the types of protected health information to be disclosed, the types of persons who would receive the protected health information, and the conditions that would apply for such access. We recognize that specific disclosures within a type may vary, and require that the policies address what is the norm for the type of disclosure involved. For example, a covered entity may decide to participate in research studies and therefore establish a protocol to minimize the information released for such purposes, e.g., by requiring researchers requesting disclosure of data contained in paper-based records to review the paper records on-site and to
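The role-based “minimum necessary” policies described above for uses of protected health information (nurses on duty in their own ward, underwriting analysts with aggregate versus identifiable claims access, and the exemption for treatment requests by a provider) encoded as rules evaluated against a request, as an added example not drawn from the rule or its preamble. The role names, categories, request fields and conditions are assumptions.

```python
"""Role-based "minimum necessary" policy evaluation (added example, not the
rule's own text). Each rule names a workforce role, a category of protected
health information and the condition under which that role may access it, so
routine requests are decided by policy without individual review and anything
the policy does not cover is routed to individual review. Role names,
categories, request fields and conditions are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    role: str                          # workforce role of the requester
    category: str                      # class of protected health information
    purpose: str                       # e.g. "treatment", "rate_setting"
    context: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    role: str
    category: str
    condition: Callable[[Request], bool]
    description: str


def nurse_on_duty_in_own_ward(req: Request) -> bool:
    """Nurses may see records of patients in their own ward while on duty."""
    ctx = req.context
    return bool(ctx.get("on_duty")) and ctx.get("nurse_ward") == ctx.get("patient_ward")


def always(req: Request) -> bool:
    return True


def manager_approval_documented(req: Request) -> bool:
    """Identifiable claims records require documented department-manager approval."""
    return bool(req.context.get("manager_approval_ref"))


# Assumed policy encoding the hospital and health-plan examples from the preamble.
POLICY: List[Rule] = [
    Rule("nurse", "patient_record", nurse_on_duty_in_own_ward,
         "all PHI of patients in the nurse's ward while on duty"),
    Rule("underwriting_analyst", "aggregate_claims", always,
         "aggregate claims information for rate setting"),
    Rule("underwriting_analyst", "identifiable_claims", manager_approval_documented,
         "specific member claims records with documented manager approval"),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, reason); decision is "allow", "deny" or "review"."""
    # Requests by a health care provider for treatment are outside the standard.
    if req.purpose == "treatment" and req.context.get("requester_is_provider"):
        return "allow", "treatment request by a health care provider: standard does not apply"
    for rule in policy:
        if rule.role == req.role and rule.category == req.category:
            if rule.condition(req):
                return "allow", f"routine access permitted: {rule.description}"
            return "deny", f"policy condition not met: {rule.description}"
    # Non-routine request: the policy must route it to individual review.
    return "review", "no routine policy covers this role and category"
```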

abstract only the information relevant to the research. Covered entities must develop policies and procedures (which may be standard protocols) to apply to disclosures to routinely hired types of business associates. For instance, a standard protocol could describe the subset of information that may be disclosed to medical transcription services.

For non-routine disclosures, a covered entity must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure. They also must establish and implement procedures for reviewing such requests for disclosures on an individual basis in accordance with these criteria.

Disclosures to health care providers for treatment purposes are not subject to these requirements.

Covered entities’ policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, disclosure of all protected health information to an accreditation group would not necessarily violate the regulation, because the entire record may be the “minimum necessary” for its purpose; covered entities may establish policies allowing for and justifying such a disclosure. Disclosure of the entire medical record absent such documented justification is a presumptive violation of this rule.

Requests for Protected Health Information

For requests for protected health information from other covered entities made on a routine, recurring basis, the requesting covered entities’ policies and procedures may establish standard protocols describing what information is reasonably necessary for the purposes and limiting their requests to only that information, in lieu of making this determination individually for each request. For all other requests, the policies and procedures must provide for review of the requests on an individualized basis. A request by a covered entity may be made in order to obtain information that will subsequently be disclosed to a third party, for example, to obtain information that will then be disclosed to a business associate for quality assessment purposes; such requests are subject to this requirement.

Covered entities’ policies and procedures must provide that requests for an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, a health plan’s request for all protected health information from an applicant for insurance would not necessarily violate the regulation, because the entire record may be the “minimum necessary” for its purpose. Covered entities may establish policies allowing for and justifying such a request. A request for the entire medical record absent such documented justification is a presumptive violation of this rule.

Reasonable Reliance

A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose. A covered entity may also rely on the assertions of a professional (such as attorneys and accountants) who is a member of its workforce or its business associate regarding what protected health information he or she needs in order to provide professional services to the covered entity when such person represents that the information requested is the minimum necessary. As we proposed in the NPRM, covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representation of a public official that the information requested is the minimum necessary.

Uses and Disclosures for Research

In making a minimum necessary determination regarding the use or disclosure of protected health information for research purposes, a covered entity may reasonably rely on documentation from an IRB or privacy board describing the protected health information needed for research and consistent with the requirements of § 164.512(i), “Uses and Disclosures for Research Purposes.” A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents. The covered entity must ensure that the representation or documentation of IRB or privacy board approval it obtains from a researcher describes with sufficient specificity the protected health information necessary for the research. Covered entities must use or disclose such protected health information in a manner that minimizes the scope of the use or disclosure.

Standards for Electronic Transactions

We clarify that under § 164.502(b)(2)(v), covered entities are not required to apply the minimum necessary standard to the required or situational data elements specified in the implementation guides for HIPAA administrative simplification standard transactions in the Transactions Rule. The standard does apply for uses or disclosures in standard transactions that are made at the option of the covered entity.

Section 164.514(e)—Marketing

In the proposed rule, we would have required covered entities to obtain the individual’s authorization in order to use or disclose protected health information to market health and non-health items and services.

We have made a number of changes in the final rule that relate to marketing. In the final rule, we retain the general rule that covered entities must obtain the individual’s authorization before making uses or disclosures of protected health information for marketing. However, we add a new definition of “marketing” that clarifies that certain activities, such as communications made by a covered entity for the purpose of describing the products and services it provides, are not marketing. See § 164.501 and the associated preamble regarding the definition of marketing. In the final rule we also permit covered entities to use and disclose protected health information for certain marketing activities without individual authorization, subject to conditions enumerated at § 164.514(e).

First, § 164.514(e) permits a covered entity to use or disclose protected health information without individual authorization to make a marketing communication if the communication occurs in a face-to-face encounter with the individual. This provision would permit a covered entity to discuss any services and products, including those of a third-party, without restriction during a face-to-face communication. A covered entity also could give the individual sample products or other information in this setting.

Second, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications involving products or services of only nominal value. This provision ensures that covered entities do not violate the rule when they distribute calendars, pens and other merchandise that generally promotes the covered entity.

Third, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications about the health-

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00085 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82546 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

related products or services of the similar device) how the individual may its own behalf the specified protected
covered entity or of a third party if the prevent further communications about health information to a nonprofit
communication: (1) Identifies the health-related products and services. foundation established for the specific
covered entity as the party making the This provision enhances individuals’ purpose of raising funds for the hospital
communication; (2) to the extent that control over how their information is or to a foundation that has as its mission
the covered entity receives direct or being used. Finally, where a covered the support of the members of a
indirect remuneration from a third-party entity targets communications to particular hospital chain that includes
for making the communication, individuals on the basis of their health the covered hospital. The term does not
prominently states that fact; (3) except status or condition, we require that the include an organization with a general
in the case of a general communication entity make a determination that the charitable purpose, such as to support
(such as a newsletter), contains product or service being communicated research about or to provide treatment
instructions describing how the may be beneficial to the health of the for certain diseases, that may give
individual may opt-out of receiving type of individuals targeted, and that money to a covered entity, because its
future communications about health- the communication to the targeted charitable purpose is not specific to the
related products and services; and (4) individuals explain why they have been covered entity.
where protected health information is targeted and how the product or service
relates to their health. This final Section 164.514(g)—Underwriting
used to target the communication about
a product or service to individuals provision balances the advantages that As described under the definition of
based on their health status or health accrue from health care entities ‘‘health care operations’’ (§ 164.501),
condition, explains why the individual informing their patients and enrollees of protected health information may be
has been targeted and how the product new or valuable health products with used or disclosed for underwriting and
or service relates to the health of the individuals’ expectations that their other activities relating to the creation,
individual. The final rule also requires protected health information will be
renewal, or replacement of a contract of
a covered entity to make a used to promote their health.
health insurance or health benefits. This
determination, prior to using or Section 164.514(f)—Fundraising final rule includes a requirement, not
disclosing protected health information included in the NPRM, that health plans
to target a communication to We proposed in the NPRM to require
covered entities to obtain authorization receiving such information for these
individuals based on their health status purposes may not use or disclose it for
from an individual in order to use the
or condition, that the product or service any other purpose, except as may be
individual’s protected health
may be beneficial to the health of the required by law, if the insurance or
information for fundraising activities.
type or class of individual targeted to As noted in § 164.501, in the final rule benefits contract is not placed with the
receive the communication. we define fundraising on behalf of a health plan.
This third provision accommodates covered entity to be a health care Section 164.514(h)—Verification of
the needs of health care entities to be operation. In § 164.514, we permit a Identity and Authority of Persons
able to discuss their own health-related covered entity to use protected health Requesting Protected Health
products and services, or those of third information without individual Information
parties, as part of their everyday authorization for fundraising on behalf
business and as part of promoting the of itself, provided that it limits the Disclosure of Protected Health
health of their patients and enrollees. information that it uses to demographic Information
The provision is restricted to uses by information about the individual and
covered entities or disclosures to their We reorganize the provision regarding
the dates that it has provided service to
business associates pursuant to a verification of identity of individuals
the individual (see the § 164.501
contract that requires confidentiality, requesting protected health information
discussion of ‘‘health care operations’’).
ensuring that protected health In addition, we require fundraising to improve clarity, but we retain the
information is not distributed to third materials to explain how the individual substance of requirements proposed in
parties. To provide individuals with a may opt out of any further fundraising the NPRM in § 164.518(c), as follows.
better understanding of how their communications, and covered entities The covered entity must establish and
protected health information is being are required to honor such requests. We use written policies and procedures
used for marketing, the provision permit a covered entity to disclose the (which may be standard protocols) that
requires that the communication limited protected health information to are reasonably designed to verify the
identify that the covered entity is the a business associate for fundraising on identity and authority of the requestor
source of the communication; a covered its own behalf. We also permit a covered where the covered entity does not know
entity may not send out information entity to disclose the information to an the person requesting the protected
about the product of a third party institutionally related foundation. health information. The knowledge of
without disclosing to the individual By ‘‘institutionally related the person may take the form of a
where the communication originated. foundation,’’ we mean a foundation that known place of business, address,
We also require covered entities to qualifies as a nonprofit charitable phone or fax number, as well a known
disclose any direct or indirect foundation under section 501(c)(3) of human being. Where documentation,
remuneration from third parties. This the Internal Revenue Code and that has statements or representations, whether
requirement permits individuals to in its charter statement of charitable oral or written, from the person
better understand why they are purposes an explicit linkage to the requesting the protected health
receiving a communication, and to covered entity. An institutionally information is a condition of disclosure
weigh the extent to which their related foundation may, as explicitly under this rule or other law, this
information is being used to promote stated in its charter, support the covered verification must involve obtaining such
their health or to enrich the covered entity as well as other covered entities documentation statement, or
entity. Covered entities also are required or health care providers in its representation. In such a case,
to include in their communication community. For example, a covered additional verification is only required
(unless it is a general newsletter or hospital may disclose for fundraising on where this regulation (or other law)


requires additional proof of authority and identity.

The NPRM proposed that covered entities would be permitted to rely on the required documentation of IRB or privacy board approval to constitute sufficient verification that the person making the request was a researcher and that the research is authorized. The final rule retains this provision.

For most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation. Additional proof is required by other provisions of this regulation where the request is made pursuant to § 164.512 for national priority purposes. Where the person requesting the protected health information is a public official, covered entities must verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities are required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Where § 164.512 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official’s proof of identity and the official’s oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of legal authority; under these provisions, only the required written evidence will suffice.

In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor’s identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency’s authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.

In some circumstances, identity or authority will be verified as part of meeting the underlying requirements for disclosure. For example, a disclosure under § 164.512(j)(1)(i) to avert an imminent threat to safety is lawful only if made in the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations is appropriate in such situations.

Similarly, disclosures permitted under § 164.510(a) for facility directories may be made to the general public; the covered entity’s policies and procedures do not need to address verifying the identity and authority for these disclosures. In § 164.510(b) we do not require verification of identity for persons assisting in an individual’s care or for notification purposes. For disclosures when the individual is not present, such as when a friend is picking up a prescription, we allow the covered entity to use professional judgment and experience with common practice to make reasonable inferences.

Under § 164.524, a covered entity is required to give individuals access to protected health information about them (under most circumstances). Under the general verification requirements of § 164.514(h), the covered entity is required to take reasonable steps to verify the identity of the individual making the request. We do not mandate particular identification requirements (e.g., driver’s license, photo ID), but rather leave this to the discretion of the covered entity. The covered entity must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. For example, a health care provider can require a copy of a power of attorney, or can ask questions to determine that an adult acting for a young child has the requisite relationship to the child.

In Subpart C of Part 160, we require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity must verify the same information that it is required to verify for any other law enforcement or oversight request for disclosure.

Use of Protected Health Information

The proposed rule’s verification requirements applied to any person requesting protected health information, whether for a use or a disclosure. In the final regulation, the verification provisions apply only to disclosures of protected health information. The requirements in § 164.514(d), for implementation of policies and procedures for “minimum necessary” uses of protected health information, are sufficient to ensure that only appropriate persons within a covered entity will have access to protected health information.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Section 164.520(a)—Right to Notice

We proposed to establish a right for individuals to receive adequate notice of how covered health care providers and health plans use and disclose protected health information, and of the individual’s rights with respect to that information.

In the final regulation, we retain the general right for individuals to receive and the requirement for covered entities to produce a notice of privacy practices, with significant modifications to the content and distribution requirements. We also modify the requirements with respect to certain covered entities. First, in § 164.500(b)(2), we clarify that a health care clearinghouse that creates or receives protected health information other than as a business associate of a covered entity must produce a notice. If a health care clearinghouse creates or receives protected health information only as a business associate of other covered entities, it is not required to produce a notice.

Second, in § 164.520(a)(2), we clarify the notice requirements with respect to group health plans. Individuals who receive health benefits under a group health plan other than through insurance are entitled to a notice from the group health plan; self-insured group health plans must maintain a notice that meets the requirements of this section and must provide the notice in accordance with the requirements of § 164.520(c). At a minimum, the self-insured group health plan’s notice must describe the group health plan’s privacy practices with respect to the protected health information it creates or receives through its self-insured arrangements. For example, if a group health plan maintains both fully-insured and self-insured arrangements, the group health plan must, at a minimum, maintain and provide a notice that describes its


privacy practices with respect to protected health information it creates or receives through the self-insured arrangements. This notice would be distributed to all participants in the self-insured arrangements (in accordance with § 164.520(c)(1)) and would also be available on request to other persons, including participants in the fully-insured arrangements.

Individuals who receive health benefits under a group health plan through an insurance contract (i.e., a fully-insured group health plan) are entitled to a notice from the issuer or HMO through which they receive their health benefits. The health insurance issuer or HMO must maintain and provide the notice in accordance with § 164.520(c)(1). In addition, some fully-insured group health plans are required to maintain and provide a notice of the group health plan’s privacy practices. If a group health plan provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the group health plan creates or receives protected health information in addition to summary information (as defined in § 164.504(a)) and information about individuals’ enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan must maintain a notice that meets the requirements of this section and must provide the notice upon request of any person. The group health plan is not required to meet the other distribution requirements of § 164.520(c)(1). Individuals enrolled in such group health plans have the right to notice of the health insurance issuer or HMO’s privacy practices and, on request, to notice of the group health plan’s privacy practices. If the group health plan, however, provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the only protected health information the group health plan creates or receives is summary information (as defined in § 164.504(a)) and information about individuals’ enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan is not required to maintain or provide a notice under this section. In this case, the individuals enrolled in the group health plan would receive notice of the health insurance issuer or HMO’s privacy practices, but would not be entitled to notice of the group health plan’s privacy practices.

Third, in § 164.520(a)(3), we clarify that inmates do not have a right to notice under this section and a correctional institution that is a covered entity is not required to produce a notice. No person, including a current or former inmate, has the right to notice of such a covered entity’s privacy practices.

Section 164.520(b)—Content of Notice

We proposed to require the notice to be written in plain language and contain each of the following elements: a description of the uses and disclosures expected to be made without individual authorization; statements that other uses and disclosures would be made only with the individual’s authorization and that the individual could revoke such authorization; descriptions of the rights to request restrictions, inspect and copy protected health information, amend or correct protected health information, and receive an accounting of disclosures of protected health information; statements about the entity’s legal requirements to protect privacy, provide notice, and adhere to the notice; a statement about how individuals would be informed of changes to the entity’s policies and procedures; instructions on how to make complaints with the entity or Secretary; the name and telephone number of a contact person or office; and the date the notice was produced. We provided a model notice of information policies and procedures for covered health care providers.

In § 164.520(b), and immediately below in this preamble, we describe the notice content requirements for the final rule. As described in detail, below, we make substantial changes to the uses and disclosures of protected health information that must be described in the notice. Unlike the proposed rule, we do not include a model notice. We intend to develop further guidance on notice requirements prior to the compliance date of this rule. In this section of the final rule, we also refer to the covered entity’s privacy “practices,” rather than its “policies and procedures.” The purpose of this change in vocabulary is to clarify that a covered entity’s “policies and procedures” is a detailed documentation of all of the entity’s privacy practices as required under this rule, not just those described in the notice. For example, we require covered entities to have policies and procedures implementing the requirements for “minimum necessary” uses and disclosures of protected health information, but these policies and procedures need not be reflected in the entity’s notice. Similarly, we require covered entities to have policies and procedures for assuring individuals access to protected health information about them. While such policies and procedures will need to include documentation of the designated record sets subject to access, who is authorized to determine when information will be withheld from an individual, and similar details, the notice need only explain generally that individuals have the right to inspect and copy information about them, and tell individuals how to exercise that right.

A covered entity that adopts and follows the notice content and distribution requirements described below will have provided adequate notice. However, the requirements for the content of the notice are not intended to be exclusive. As with the rest of the rule, we specify minimum requirements, not best practices. Covered entities may want to include more detail. We note that all federal agencies must still comply with the Privacy Act of 1974. This means that federal agencies that are covered entities or have covered health care components must comply with the notice requirements of the Privacy Act as well as those included in this rule.

In addition, covered entities may want or be required to produce more than one notice in order to satisfy the notice content requirements under this rule. For example, a covered entity that conducts business in multiple states with different laws regarding the uses and disclosures that the covered entity is permitted to make without authorization may be required to produce a different notice for each state. A covered entity that conducts business both as part of an organized health care arrangement or affiliated covered entity and as an independent enterprise (e.g., a physician who sees patients through an on-call arrangement with a hospital and through an independent private practice) may want to adopt different privacy practices with respect to each line of business; such a covered entity would be required to produce a different notice describing the practices for each line of business. Covered entities must produce notices that accurately describe the privacy practices that are relevant to the individuals receiving the notice.

Required Elements

Plain Language

As in the proposed rule, we require the notice to be written in plain language. A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using “you” and other pronouns; use common, everyday words in sentences; and divide material into short sections.


We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size. However, the purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed. Recipients who cannot understand the covered entity’s notice will miss important information about their rights under this rule and about how the covered entity is protecting health information about them. One of the goals of this rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered entities have an incentive to make their notice statements clear and concise. We believe that the more understandable the notice is, the more confidence the public will have in the covered entity’s commitment to protecting the privacy of health information.

It is important that the content of the notice be communicated to all recipients and therefore we encourage the covered entity to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons. For covered entities not subject to Title VI, the Title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.

We also encourage covered entities to be attentive to the needs of individuals who cannot read. For example, an employee of the covered entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.

Header

Unlike the proposed rule, covered entities must include prominent and specific language in the notice that indicates the importance of the notice. This is the only specific language we require covered entities to include in the notice. The header must read, “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Uses and Disclosures

We proposed to require covered entities to describe in plain language the uses and disclosures of protected health information, and the covered entity’s policies and procedures with respect to such uses and disclosures, that the health plan or covered provider expected to make without individual authorization. The covered provider or health plan would have had to distinguish between those uses and disclosures required by law and those permitted but not required by law.

We also proposed to require covered health care providers and health plans to state in the notice that all other uses and disclosures would be made only with the individual’s authorization and that such authorization could be revoked. The notice would also have been required to state that the individual could request restrictions on certain uses and disclosures and that the covered entity would not be required to agree to such a request.

We significantly modify these requirements in the final rule. Covered entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506. If other applicable law prohibits or materially limits the covered entity’s ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.

Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.

Unlike the proposed rule, we additionally require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services that may be of interest to the individual, or soliciting funds to benefit the covered entity. If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization. See § 164.502(i).

In addition, if a group health plan, or a health insurance issuer or HMO with respect to a group health plan, wants the option to disclose protected health information to a group health plan sponsor without authorization as permitted under § 164.504(f), the group health plan, health insurance issuer or HMO must describe that practice in its notice.

As in the proposed rule, the notice must state that all other uses and disclosures will be made only with the individual’s authorization and that the individual has the right to revoke such authorization.

We anticipate this requirement will lead to significant standardization of the notice. This language could be the same for every covered entity of a particular type within a state, territory, or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered entities in preparing their notices.

Individual Rights

As in the proposed rule, covered entities must describe individuals’ rights under the rule and how individuals may exercise those rights with respect to the covered entity. Covered entities must describe each of the following rights, as provided under the rule: the right to request restrictions


on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a)); the right to receive confidential communications of protected health information (§ 164.522(b)); the right to inspect and copy protected health information (§ 164.524); the right to amend protected health information (§ 164.526); and the right to an accounting of disclosures of protected health information (§ 164.528). We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.

Covered Entity’s Duties

As in the proposed rule, covered entities must state in the notice that they are required by law to maintain the privacy of protected health information, to provide a notice of their legal duties and privacy practices, and to abide by the terms of the notice currently in effect. In the final rule, we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity’s responsibilities when it changes its privacy practices.)

Complaints

As in the proposed rule, a covered entity’s notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated. See § 164.530(d) and the corresponding preamble discussion for the requirements on covered entities for receiving complaints. The notice must also state that individuals may file complaints with the Secretary. In the final rule, we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.

Contact

As in the proposed rule, the notice must identify a point of contact where the individual can obtain additional information about any of the matters identified in the notice.

Effective Date

The notice must include the date the notice went into effect, rather than the proposed requirement to include the date the notice was produced. The effective date cannot be earlier than the date on which the notice was first printed or otherwise published. Covered entities may wish to highlight or otherwise emphasize any material modifications that they have made, in order to help the individual recognize such changes.

Optional Elements

As described above, we proposed to require covered entities to describe the uses and disclosures of protected health information that the covered entity in fact expected to make without the individual’s authorization. We did not specify any optional elements.

While the final rule requires covered entities to describe all of the types of uses and disclosures permitted or required by law (not just those that the covered entity intends to make), we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization. We anticipate that some covered entities will want to distinguish themselves on the basis of their more stringent privacy practices. For example, covered health care providers who routinely treat patients with particularly sensitive conditions may wish to assure their patients that, even though the law permits them to disclose information for a wide array of purposes, the covered health care provider will only disclose information in very specific circumstances, as required by law, and to avert a serious and imminent threat to health or safety.

A covered entity may not include statements in the notice that purport to limit the entity’s ability to make uses or disclosures that are required by law or necessary to avert a serious and imminent threat to health or safety.

As described above, if the covered entity wishes to reserve the right to change its privacy practices with respect to the more limited uses and disclosures and apply the revised practices to protected health information previously created or received, it must make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity’s responsibilities when it changes its privacy practices.)

Revisions to the Notice

We proposed to require a covered entity to adhere to the terms of its notice, and would have permitted it to change its information policies and procedures at any time. We would have required covered health care providers and health plans to update the notice to reflect material changes to the information policies and procedures described in the notice. Changes to the notice would have applied to all protected health information held by the covered entity, including information collected under prior notices. That is, we would not have required covered entities to segregate their records according to the notice in effect at the time the record was created. We proposed to prohibit covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take other action that the notice would not have permitted. In these situations, we proposed to require covered entities to document the compelling reason and, within 30 days of the use, disclosure, or other action, change its notice to permit the action.

As in the proposed rule, covered entities are required to adhere to the terms of the notice currently in effect. See § 164.502(i). When a covered entity materially changes any of the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices described in its notice, it must promptly revise its notice accordingly. See § 164.520(b)(3). (Pursuant to § 164.530(i), it must also revise its policies and procedures.) Except when required by law, a material change to any term in the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. In the final rule, however, we revise the circumstances under and extent to which the covered entity may revise the practices stated in the notice and apply the new practices to protected health information it created or received under prior notice.

Under § 164.530(i), a covered entity that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice. For example, a covered hospital that states in its notice that it will only make public health disclosures required by law, and that does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and
must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice.

If a second covered hospital states in its notice that it will only make public health disclosures required by law, but does reserve the right to change its practices, it is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If this hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, but need not segregate its records. As of the effective date of the revised notice, it may disclose any protected health information, including information created or received under the prior notice, for discretionary public health purposes.

Section 164.530(i) and the corresponding discussion in this preamble describe requirements for revision of a covered entity’s privacy policies and procedures, including the privacy practices reflected in its notice.

Section 164.520(c)—Provision of Notice

As in the proposed rule, all covered entities that are required to produce a notice must provide the notice upon request of any person. The requestor does not have to be a current patient or enrollee. We intend the notice to be a public document that people can use in choosing between covered entities.

For health plans, we proposed to require health plans to distribute the notice to individuals covered by the health plan as of the compliance date; after the compliance date, at enrollment in the health plan; after enrollment, within 60 days of a material revision to the content of the notice; and no less frequently than once every three years.

As in the proposed rule, under the final rule health plans must provide the notice to all health plan enrollees as of the compliance date. After the compliance date, health plans must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision to the notice. Of course, the term “enrollees” includes participants and beneficiaries in group health plans. Unlike the proposed rule, we do not require health plans to distribute the notice every three years. Instead, health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.

We also clarify that, in each of these circumstances, if a named insured and one or more dependents are covered by the same policy, the health plan can satisfy the distribution requirement with respect to the dependents by sending a single copy of the notice to the named insured. For example, if an employee of a firm and her three dependents are all covered under a single health plan policy, that health plan can satisfy the initial distribution requirement by sending a single copy of the notice to the employee rather than sending four copies, each addressed to a different member of the family.

We further clarify that if a health plan has more than one notice, it satisfies its distribution requirement by providing the notice that is relevant to the individual or other person requesting the notice. For example, a health insurance issuer may have contracts with two different group health plans. One contract specifies that the issuer may use and disclose protected health information about the participants in the group health plan for research purposes without authorization (subject to the requirements of this rule) and one contract specifies that the issuer must always obtain authorizations for these uses and disclosures. The issuer accordingly develops two notices reflecting these different practices and satisfies its distribution requirements by providing the relevant notice to the relevant group health plan participants.

We proposed to require covered health care providers with face-to-face contact with individuals to provide the notice to all such individuals at the first service delivery to the individual during the one year period after the compliance date. After this one year period, covered providers with face-to-face contact with individuals would have been required to distribute the notice to all new patients at the first service delivery. Covered providers without face-to-face contact with individuals would have been required to provide the notice in a reasonable period of time following first service delivery.

We proposed to require all covered providers to post the notice in a clear and prominent location where it would be reasonable to expect individuals seeking services from the covered provider to be able to read the notice. We would have required revisions to be posted promptly.

In the final rule, we vary the distribution requirements according to whether the covered health care provider has a direct treatment relationship with an individual, rather than whether the covered health care provider has face-to-face contact with an individual. See § 164.501 and the corresponding discussion in this preamble regarding the definition of indirect treatment relationship.

Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date. This requirement applies whether the first service is delivered electronically or in person. Covered providers may satisfy this requirement by sending the notice to all of their patients at once, by giving the notice to each patient as he or she comes into the provider’s office or facility or contacts the provider electronically, or by some combination of these approaches. Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. The notice must also be available on site for individuals to take on request. In the event of a revision to the notice, the covered provider must promptly post the revision and make it available on site.

Covered health care providers that have indirect treatment relationships with individuals are only required to produce the notice upon request, as described above.

The proposed rule was silent regarding electronic distribution of the notice. Under the final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site. A covered entity may satisfy the applicable distribution requirements described above by providing the notice to the individual electronically, if the individual agrees to receiving materials from the covered entity electronically and the individual has not withdrawn his or her agreement. If the covered entity knows that the electronic transmission has failed, the covered entity must provide a paper copy of the notice to the individual.

If an individual’s first service delivery from a covered provider occurs electronically, the covered provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. For example, the first time an individual requests to fill a prescription through a covered internet pharmacy, the pharmacy must automatically and contemporaneously provide the individual with the
pharmacy’s notice of privacy practices. An individual that receives a covered entity’s notice electronically retains the right to request a paper copy of the notice as described above. This right must be described in the notice.

We note that the Electronic Signatures in Global and National Commerce Act (Pub. L. 106–229) may apply to documents required under this rule to be provided in writing. We do not intend to affect the application of that law to documents required under this rule.

Section 164.520(d)—Joint Notice by Separate Covered Entities

The proposed rule was silent regarding the ability of legally separate covered entities to produce a single notice.

In the final rule, we allow covered entities that participate in an organized health care arrangement to comply with this section by producing a single notice that describes their combined privacy practices. See § 164.501 and the corresponding preamble discussion regarding the definition of organized health care arrangement. (We note that, under § 164.504(d), covered entities that are under common ownership or control may designate themselves as a single affiliated covered entity. Joint notice requirements do not apply to such entities. Single affiliated covered entities must produce a single notice, consistent with the requirements described above for any other covered entity. Covered entities under common ownership or control that elect not to designate themselves as a single affiliated covered entity, however, may elect to produce a joint notice if they meet the definition of an organized health care arrangement.)

The joint notice must meet all of the requirements described above. The covered entities must agree to abide by the terms of the notice with respect to protected health information created or received by the covered entities as part of their participation in the organized health care arrangement. In addition, the joint notice must reasonably identify the covered entities, or class of covered entities, to which the joint notice applies and the service delivery sites, or classes of service delivery sites, to which the joint notice applies. If the covered entities participating in the organized health care arrangement will share protected health information with each other as necessary to carry out treatment, payment, or health care operations relating to the arrangement, that fact must be stated in the notice.

Typical examples where this policy may be useful are health care facilities where physicians and other providers who have offices elsewhere also provide services at the facility (e.g., hospital staff privileges, physicians visiting their patients at a residential facility). In these cases, a single notice may cover both the physician and the facility, if the above conditions are met. The physician is required to have a separate notice covering the privacy practices at the physician’s office if those practices are different than the practices described in the joint notice.

If any one of the covered entities included in the joint notice distributes the notice to an individual, as required above, the distribution requirement is met for all of the covered entities included in the joint notice.

Section 164.520(e)—Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In the final rule, we specify that covered entities must retain copies of the notice(s) they issue in accordance with § 164.530(j). See § 164.530(j) and the corresponding preamble discussion for further description of the documentation requirements.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Section 164.522(a)—Right of An Individual To Request Restriction of Uses and Disclosures

We proposed that individuals have the right to request that a covered health care provider restrict the use or disclosure of protected health information for treatment, payment, or health care operations. Providers would not have been required to agree to requested restrictions. However, a covered provider that agreed to a restriction could not use or disclose protected health information inconsistent with the restriction. The requirement would not have applied to permissible uses or disclosures under proposed § 164.510, including uses and disclosures in emergency circumstances under proposed § 164.510(k); when the health care services provided were emergency services; or to required disclosures to the Secretary under proposed § 164.522. We would have required covered providers to have procedures for individuals to request restrictions, for agreed-upon restrictions to be documented, for the provider to honor such restrictions, and for notification of the existence of a restriction to others to whom such protected health information is disclosed.

In the final rule, we retain the general right of an individual to request that uses and disclosures of protected health information be restricted and the requirement for covered entities to adhere to restrictions to which they have agreed. However, we include some significant changes and clarifications.

Under the final rule, we extend the right to request restrictions to health plans and to health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity. All covered entities must permit individuals to request that uses and disclosures of protected health information to carry out treatment, payment, and health care operations be restricted and must adhere to restrictions to which they have agreed. A covered entity is not required to agree to a restriction. We note that restrictions between an individual and a covered entity for these or other purposes may be otherwise enforceable under other law.

Under § 164.522(a)(1)(i)(B), the right to request restrictions applies to disclosures to persons assisting in the individual’s care under § 164.510(b). An individual may request that a covered entity agree not to disclose protected health information to persons assisting with the individual’s care, even if such disclosure is permissible in accordance with § 164.510(b). For example, if an individual requests that a covered entity never disclose protected health information to a particular family member, and the covered entity agrees to that restriction, the covered entity is prohibited from disclosing protected health information to that family member, even if the disclosure would otherwise be permissible under § 164.510(b). We note that individuals additionally have the opportunity to agree or object to disclosures to persons assisting in the individual’s care under § 164.510(b)(2). The individual retains the right to agree or object to such disclosures under § 164.510(b)(2), in accordance with the standards of that provision, regardless of whether the individual has requested a restriction under § 164.522(a). See § 164.510(b) and the corresponding preamble discussion regarding the individual’s right to agree or object to disclosures to persons assisting in the individual’s care.

In §§ 164.522(a)(1)(iii) and (iv) we clarify the requirements with respect to emergency treatment situations. In emergency treatment situations, a covered entity that has agreed to a restriction may use, or disclose to a health care provider, restricted protected health information that is
necessary to provide the emergency treatment. If the covered entity discloses restricted protected health information to a health care provider for emergency treatment purposes, it must request that the provider not further use or disclose the information. We expect covered entities to consider the need for access to protected health information for treatment purposes when considering a request for a restriction, to discuss this need with the individual making the request for restriction, and to agree to restrictions that will not foreseeably impede the individual’s treatment. Therefore, we expect covered entities will rarely need to use or disclose restricted protected health information in emergency treatment situations. We do not intend, however, to adversely impact the delivery of health care. We therefore provide a means for the use and disclosure of restricted protected health information in emergency treatment situations, where an unexpected need for the information could arise and there is insufficient time to secure the individual’s permission to use or disclose the restricted information.

In § 164.522(a)(1)(v) we clarify that restrictions are not effective under this rule to prevent uses and disclosures required by § 164.502(a)(2)(ii) or permitted under § 164.510(a) (regarding facility directories) or § 164.512 (regarding uses and disclosures for which consent, individual authorization, or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under § 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of this rule even if the disclosure is contrary to a restriction agreed to under this paragraph.

In § 164.522(a)(2) we clarify a covered entity’s ability to terminate a restriction to which it has agreed. A covered entity may terminate a restriction with the individual’s written or oral agreement. If the individual’s agreement is obtained orally, the covered entity must document that agreement. A note in the medical record or similar notation is sufficient documentation. If the individual agrees to terminate the restriction, the covered entity may use and disclose protected health information as otherwise permitted under the rule. If the covered entity wants to terminate the restriction without the individual’s agreement, it may only terminate the restriction with respect to protected health information it creates or receives after it informs the individual of the termination. The restriction continues to apply to protected health information created or received prior to informing the individual of the termination. That is, any protected health information that had been collected before the termination may not be used or disclosed in a way that is inconsistent with the restriction, but any information that is collected after informing the individual of the termination of the restriction may be used or disclosed as otherwise permitted under the rule.

In § 164.522(a)(3), we clarify that a covered entity must document a restriction to which it has agreed. We do not require a specific form of documentation; a note in the medical record or similar notation is sufficient. The documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, in accordance with § 164.530(j).

We eliminate the requirement from the NPRM for covered entities to inform persons to whom they disclose protected health information of the existence of any restriction on that information. A restriction is only binding on the covered entity that agreed to the restriction. We encourage covered entities to inform others of the existence of a restriction when it is appropriate to do so. We note, however, that disclosure of the existence of a restriction often amounts to a de facto disclosure of the restricted information itself. If a restriction does not permit a covered entity to disclose protected health information to a particular person, the covered entity must carefully consider whether disclosing the existence of the restriction to that person would also violate the restriction.

Section 164.522(b)—Confidential Communications Requirements

In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. As described above, the NPRM would have provided individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but would not have required providers to agree to such a restriction.

In the final rule, we require covered entities to permit individuals to request that the covered entity provide confidential communications of protected health information about the individual. The requirement applies to communications from the covered entity to the individual, and also communications from the covered entity that would otherwise be sent to the named insured of an insurance policy that covers the individual as a dependent of the named insured. Individuals may request that the covered entity send such communications by alternative means or at alternative locations. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual about that treatment at the individual’s place of employment, by mail to a designated address, or by phone to a designated phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card, as an “alternative means.” Covered health care providers must accommodate all reasonable requests. Health plans must accommodate all reasonable requests, if the individual clearly states that the disclosure of all or part of the protected health information could endanger the individual. For example, if an individual requests that a health plan send explanations of benefits about particular services to the individual’s work rather than home address because the individual is concerned that a member of the individual’s household (e.g., the named insured) might read the explanation of benefits and become abusive towards the individual, the health plan must accommodate the request.

The reasonableness of a request made under this paragraph must be determined by a covered entity solely on the basis of the administrative difficulty of complying with the request and as otherwise provided in this section. A covered health care provider or health plan cannot refuse to accommodate a request based on its perception of the merits of the individual’s reason for making the request. A covered health care provider may not require the individual to provide a reason for the request as a condition of accommodating the request. As discussed above, a health plan is not required to accommodate a request unless the individual indicates that the disclosure could endanger the individual. If the individual indicates such endangerment, however, the covered entity cannot further consider the individual’s reason for making the request in determining whether it must accommodate the request.

A covered health care provider or health plan may refuse to accommodate a request, however, if the individual has
not provided information as to how payment, if applicable, will be handled, or if the individual has not specified an alternative address or method of contact.

Section 164.524—Access of Individuals to Protected Health Information

Section 164.524(a)—Right of Access

In the NPRM, we proposed to establish a right for individuals to access (i.e., inspect and obtain a copy of) protected health information about them maintained by a covered provider or health plan, or its business partners, in a designated record set.

As in the proposed rule, in the final rule we provide that individuals have a right of access to protected health information that is maintained in a designated record set. This right applies to health plans, covered health care providers, and health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity (see § 164.500(b)). In the final rule, however, we modify the definition of designated record set. For a discussion of the significant changes made to the definition of designated record set, see § 164.501 and the corresponding preamble.

Under the revised definition, individuals have a right of access to any

access any protected health information maintained in a designated record set. Though we proposed to permit covered entities to deny access in certain situations relating to the particular individual requesting access, we did not specifically exclude any protected health information from the right of access.

In the final rule, we specify three types of information to which individuals do not have a right of access, even if the information is maintained in a designated record set. They are psychotherapy notes, information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and certain protected health information maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 (CLIA). Covered entities may, but are not required to, provide access to this information.

First, unlike the proposed rule, we specify that individuals do not have a right of access to psychotherapy notes.

Second, individuals do not have a right of access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. In the NPRM, we would have permitted covered entities

is not an authorized person, this restriction effectively prohibits the clinical laboratory from providing an individual access to this information. We do not intend to preempt CLIA and, therefore, do not require covered clinical laboratories to provide an individual access to this information if CLIA prohibits them from doing so. We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.

Finally, unlike the proposed rule, individuals do not have access to protected health information held by certain research laboratories that are exempt from the CLIA regulations. The CLIA regulations specifically exempt the components or functions of “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.” 42 CFR 493.3(a)(2). If subject to the access requirements, these laboratories, or the applicable components of them, would be forced to comply with the CLIA regulations once they provided an individual with the access under this privacy rule. Therefore, to alleviate this additional regulatory burden, we have
protected health information that is to deny a request for access to protected exempted these laboratories, or the
used, in whole or in part, to make health information complied in relevant components of them, from the
decisions about individuals. This reasonable anticipation of, or for use in, access requirements of this regulation.
information includes, for example, a legal proceeding. We change the
language in the final rule to clarify that Grounds for Denial of Access
information used to make health care
decisions or information used to a legal proceeding includes civil, In the NPRM we proposed to permit
determine whether an insurance claim criminal, and administrative actions and covered health care providers and
will be paid. Covered entities often proceedings. In the final rule, we clarify health plans to deny an individual
incorporate the same protected health that an individual does not have a right access to inspect and copy protected
information into a variety of different to this information by including it in the health information about them for five
data systems, not all of which will be list of exceptions rather than stating that reasons: (1) a licensed health care
utilized to make decisions about a covered entity may deny access to this professional determined the inspection
individuals. For example, information information. Under this exception, the and copying was reasonably likely to
systems that are used for quality control covered entity may deny access to any endanger the life or physical safety of
or peer review analyses may not be used information that relates specifically to the individual or another person; (2) the
to make decisions about individuals. In legal preparations but may not deny information was about another person
that case, the information systems access to the individual’s underlying (other than a health care provider) and
would not fall within the definition of health information. We do not intend to a licensed health care professional
designated record set. We do not require require covered entities to provide determined the inspection and copying
entities to grant an individual access to access to documents protected by was reasonably likely to cause
protected health information attorney work-product privilege nor do substantial harm to that other person;
maintained in these types of we intend to alter rules of discovery. (3) the information was obtained under
information systems. Third, unlike the proposed rule, a promise of confidentiality from
individuals do not have a right of access someone other than a health care
Duration of the Right of Access to protected health information held by provider and the inspection and
As in the proposed rule, covered clinical laboratories if CLIA prohibits copying was likely to reveal the source
entities must provide access to such access. CLIA states that clinical of the information; (4) the information
individuals for as long as the protected laboratories may provide clinical was obtained by a covered provider in
health information is maintained in a laboratory test records and reports only the course of a clinical trial, the
designated record set. to ‘‘authorized persons,’’ as defined individual agreed to the denial of access
primarily by state law. The individual in consenting to participate in the trial,
Exceptions to the Right of Access who is the subject of the information is and the trial was in progress; and (5) the
In the NPRM, we proposed to not always included in this set of information was compiled in reasonable
establish a right for individuals to authorized persons. When an individual anticipation of, or for use in, a legal

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00094 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82555

proceeding. In the NPRM, covered entities would not have been permitted to use these grounds to deny individuals access to protected health information that was also subject to the Privacy Act.

In the final rule, we retain all of these grounds for denial, with some modifications. One of the proposed grounds for denial (regarding legal proceedings) is retained as an exception to the right of access. (See discussion above.) We also include additional grounds for denial and create a right for individuals to request review of certain denials.

There are five types of denials covered entities may make without providing the individual with a right to have the denial reviewed.

First, a covered entity may deny an individual access to any information that is excepted from the right of access under § 164.524(a)(1). (See discussion above.)

Second, we add a new provision that permits a covered entity that is a correctional institution or covered health care provider acting under the direction of a correctional institution to deny an inmate's request to obtain a copy of protected health information if obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or other person at the correctional institution or responsible for the transporting of the inmate. This ground for denial is restricted to an inmate's request to obtain a copy of protected health information. If an inmate requests inspection of protected health information, the request must be granted unless one of the other grounds for denial applies. The purpose for this exception, and the reason that the exception is limited to denying an inmate a copy and not to denying a right to inspect, is to give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.

Third, as in the proposed rule, a covered entity may deny an individual access to protected health information obtained by a covered provider in the course of research that includes treatment of the research participants, while such research is in progress. For this exception to apply, the individual must have agreed to the denial of access in conjunction with the individual's consent to participate in the research and the covered provider must have informed the individual that the right of access will be reinstated upon completion of the research. If either of these conditions is not met, the individual has the right to inspect and copy the information (subject to the other exceptions we provide here). In all cases, the individual has the right to inspect and copy the information after the research is complete.

As with all the grounds for denial, covered entities are not required to deny access under the research exception. We expect all researchers to maintain a high level of ethical consideration for the welfare of research participants and provide access in appropriate circumstances. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the research may be necessary to give the participant adequate information for proper treatment decisions.

Fourth, we clarify the ability of a covered entity to deny individuals access to protected health information that is also subject to the Privacy Act. In the final rule, we specify that a covered entity may deny an individual access to protected health information that is contained in records that are subject to the Privacy Act if such denial is permitted under the Privacy Act. This ground for denial exists in addition to the other grounds for denial available under this rule. If an individual requests access to protected health information that is also subject to the Privacy Act, a covered entity may deny access to that information for any of the reasons permitted under the Privacy Act and for any of the reasons permitted under this rule.

Fifth, as in the proposed rule, a covered entity may deny an individual access to protected health information if the covered entity obtained the requested information from someone other than a health care provider under a promise of confidentiality and such access would be reasonably likely to reveal the source of the information. This provision is intended to preserve a covered entity's ability to maintain an implicit or explicit promise of confidentiality. A covered entity may not, however, deny access to protected health information when the information has been obtained from a health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we provide here). Confidentiality promises to health care providers should not interfere with that access.

As in the proposed rule, a covered entity may deny access to protected health information under certain circumstances in which the access may harm the individual or others. In the final rule, we specify that a covered entity may only deny access for these reasons if the covered entity provides the individual with a right to have the denial reviewed. (See below for a discussion of the right to review.)

There are three types of denials for which covered entities must provide the individual with a right to review. A denial under these provisions requires a determination by a licensed health care professional (such as a physician, physician's assistant, or nurse) based on an assessment of the particular circumstances and current professional medical standards of harm. Therefore, when the request is made to a health plan or clearinghouse, the covered entity will need to consult with a licensed health care professional before denying access under this provision.

First, as in the proposed rule, covered entities may deny individuals access to protected health information about them if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a licensed health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of the individual's protected health information is reasonably likely to result in the individual committing suicide, murder, or other physical violence, then the health care professional may deny the individual access to that information. Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Second, as in the proposed rule, covered entities may deny an individual access to protected health information if the information requested makes reference to someone other than the individual (and other than a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause serious harm to that other person. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter's record, such as information from group therapy sessions and information about illnesses with a genetic component. This provision permits a covered entity to withhold information in such cases if
the release of such information is reasonably likely to cause substantial physical, emotional, or psychological harm.

Third, we add a new provision regarding denial of access requested by personal representatives. Under § 164.502(g), a person that is a personal representative of an individual may exercise the rights of the individual, including the right to inspect and copy protected health information about the individual that is relevant to such person's representation. The provision permits covered entities to refuse to treat a personal representative as the individual, generally, if the covered entity has a reasonable belief that the individual has been or will be subjected to domestic violence, abuse or neglect by the personal representative, or that treating the personal representative as the individual may endanger the individual and, in its professional judgment, the covered entity decides that it is not in the best interest of the individual to treat such person as the personal representative.

In addition to that provision, we add a new provision at § 164.524(a)(3)(iii) to clarify that a covered entity may deny a request to inspect or copy protected health information if the information is requested by a personal representative of the individual and a licensed health care professional has determined that, in the exercise of professional judgment, such access is reasonably likely to cause substantial harm to the individual who is the subject of the information or to another person. The health care professional need not have a reasonable belief that the personal representative has abused or neglected the individual, and the harm that is likely to result need not be limited to the individual who is the subject of the requested protected health information. Therefore, a covered entity can recognize a person as a personal representative but deny such person access to protected health information as a personal representative.

We do not intend these provisions to create a legal duty for the covered entity to review all of the relevant protected health information before releasing it. Rather, we are preserving the flexibility and judgment of covered entities to deny access under appropriate circumstances. Denials are not mandatory; covered entities may always elect to provide requested health information to the individual. For each request by an individual, the covered entity may provide all of the information requested or evaluate the requested information, consider the circumstances surrounding the individual's request, and make a determination as to whether that request should be granted or denied, in whole or in part, in accordance with one of the reasons for denial under this rule. We intend to create narrow exceptions to the right of access and we expect covered entities to employ these exceptions rarely, if at all. Covered entities may only deny access for the reasons specifically provided in the rule.

Review of a Denial of Access

In the NPRM, we proposed to require covered entities, when denying an individual's request for access, to inform the individual of how to make a complaint to the covered entity and the Secretary.

We retain in the final rule the proposed approach (see below). In addition, if the covered entity denies the request on the basis of one of the reviewable grounds for denial described above, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny access. The covered entity must provide access in accordance with the reviewing official's determination. (See below for further description of the covered entity's requirements under § 164.524(d)(4) if the individual requests a review of denial of access.)

Section 164.524(b)—Requests for Access and Timely Action

In the NPRM, we proposed to require covered health care providers and health plans to provide a means for individuals to request access to protected health information about them. We proposed to require covered health care providers and health plans to take action on a request for access as soon as possible, but not later than 30 days following the request.

As in the proposed rule, the final rule requires covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. We additionally permit covered entities to require individuals to make requests for access in writing, if the individual is informed of this requirement.

In the final rule, we eliminate the requirement for the covered entity to act on a request as soon as possible. We recognize that circumstances may arise in which an individual will request access on an expedited basis. We encourage covered entities to have procedures in place for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation.

In the final rule, covered entities must act on a request for access within 30 days of receiving the request if the information is maintained or accessible on-site. Covered entities must act on a request for access within 60 days of receiving the request if the information is not maintained or accessible on-site. If the covered entity is unable to act on a request within the applicable deadline, it may extend the deadline by no more than 30 days by providing the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. This written statement describing the extension must be provided within the standard deadline. A covered entity may only extend the deadline once per request for access. This provision permits a covered entity to take a total of up to 60 days to act on a request for access to information maintained on-site and up to 90 days to act on a request for access to information maintained off-site.

The requirements for a covered entity to comply with or deny a request for access, in whole or in part, are described below.

Section 164.524(c)—Provision of Access

In the NPRM, we proposed to require covered health care providers and health plans, upon accepting a request for access, to notify the individual of the decision and of any steps necessary to fulfill the request; to provide the information requested in the form or format requested, if readily producible in such form or format; and to facilitate the process of inspection and copying.

We generally retain the proposed approach in the final rule. If a covered entity accepts a request, in whole or in part, it must notify the individual of the decision and provide the access requested. Individuals have the right both to inspect and to copy protected health information in a designated record set. The individual may choose whether to inspect the information, to copy the information, or to do both.

In the final rule, we clarify that if the same protected health information is maintained in more than one designated record set or at more than one location, the covered entity is required to produce the information only once per request for access. We intend this provision to reduce covered entities' burden in complying with requests without reducing individuals' access to protected health information. We note that summary information and reports
are not the same as the underlying information on which the summary or report was based. Individuals have the right to obtain access both to summaries and to the underlying information. An individual retains the right of access to the underlying information even if the individual requests access to, or production of, a summary. (See below regarding requests for summaries.)

The covered entity must provide the information requested in the form or format requested if it is readily producible in such form or format. For example, if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate such request, if possible. Additionally, we specify that if the information is not available in the form or format requested, the covered entity must produce a readily readable hard copy of the information or another form or format to which the individual and covered entity can agree. If the individual agrees, including agreeing to any associated fees (see below), the covered entity may provide access to a summary of information rather than all protected health information in designated record sets. Similarly, a covered entity may provide an explanation in addition to the protected health information, if the individual agrees in advance to the explanation and any associated fees.

The covered entity must provide the access requested in a timely manner, as described above, and arrange for a mutually convenient time and place for the individual to inspect the protected health information or obtain a copy. If the individual requests that the covered entity mail a copy of the information, the covered entity must do so, and may charge certain fees for copying and mailing. For requests to inspect information that is maintained electronically, the covered entity may print a copy of the information and allow the individual to view the print-out on-site. Covered entities may discuss the request with the individual as necessary to facilitate the timely provision of access. For example, if the individual requested a copy of the information by mail, but the covered entity is able to provide the information faster by providing it electronically, the covered entity may discuss this option with the individual.

We proposed in the NPRM to permit the covered entity to charge a reasonable, cost-based fee for copying the information.

We clarify this provision in the final rule. If the individual requests a copy of protected health information, a covered entity may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying. If hard copies are made, this would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of the computer disk. Covered entities may not charge any fees for retrieving or handling the information or for processing the request. If the individual requests the information to be mailed, the fee may include the cost of postage. Fees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable. If such per page costs include the cost of retrieving or handling the information, such costs are not acceptable under this rule.

If the individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, the covered entity may charge for preparing the explanation or summary as well.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

Section 164.524(d)—Denial of Access

We proposed in the NPRM to require a covered health care provider or health plan that elects to deny a request for inspection or copying to make any other protected health information requested available to the individual to the extent possible, consistent with the denial.

In the final rule, we clarify the proposed approach. A covered entity that denies access, in whole or in part, must, to the extent possible, give the individual access to any other protected health information requested after excluding the protected health information to which the covered entity has a ground to deny access. We intend covered entities to redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and to permit inspection and copying of all remaining information, to the extent it is possible to do so.

We also proposed to require covered providers and health plans, upon denying a request for access in whole or in part, to provide the individual with a written statement in plain language of the basis for the denial and how the individual could make a complaint to the covered entity or the Secretary.

We retain the proposed approach. A covered entity that denies access, in whole or in part, must provide the individual with a written denial in plain language that explains the basis for the denial. The written denial could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone does not sufficiently explain the reason for the denial. The written denial must also describe how the individual can complain to the covered entity and the Secretary and must include the name or title and the telephone number of the covered entity's contact person or office that is responsible for receiving complaints.

In the final rule, we impose two additional requirements when the covered entity denies access, in whole or in part. First, if a covered entity denies a request on the basis of one of the reviewable grounds for denial, the written denial must describe the individual's right to a review of the denial and how the individual may exercise this right. Second, if the covered entity denies the request because it does not maintain the requested information, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.

Finally, we specify a covered entity's responsibilities when an individual requests a review of a denial. If the individual requests a review of a denial made under § 164.524(a)(3), the covered entity must designate a licensed health care professional to act as the reviewing official. This reviewing official must not have been involved in the original decision to deny access. The covered entity must promptly refer a request for review to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in § 164.524(a)(3). The covered entity must promptly provide the individual with written notice of the reviewing official's decision and otherwise carry out the decision in accordance with the requirements of this section.
Section 164.524(e)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities that are subject to this provision. In accordance with § 164.530(j), the covered entity must retain documentation of the designated record sets that are subject to access by individuals and the titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Section 164.526—Amendment of Protected Health Information

Section 164.526(a)—Right to Amend

In proposed § 164.516, we proposed to establish the individual's right to request a covered health care provider or health plan to amend or correct protected health information about the individual for as long as the covered entity maintains the information.

In § 164.526 of the final rule, we retain the general proposed approach, but establish an individual's right to have the covered entity amend, rather than amend or correct, protected health information. This right applies to protected health information and records in a designated record set for as long as the information is maintained in the designated record set. In the final rule, covered health care providers, health plans, and health care clearinghouses that create or receive protected health information other than as a business associate must comply with these requirements.

Denial of Amendment

We proposed to permit a covered health care provider or health plan to deny a request for amendment if it determined that the protected health

though the covered entity had created the information.

As in the proposed rule, a covered entity also may deny a request for amendment if the protected health information that is the subject of the request for amendment is not part of a designated record set or would not otherwise be available for inspection under § 164.524. We eliminate the ability to deny a request for amendment if the information or record that is the subject of the request would not be available for copying under the rule. Under § 164.524(a)(2)(ii), an inmate may be denied a copy of protected health information about the inmate. We intend to preserve an inmate's ability to request amendments to information, even if a copy of the information would not be available to the inmate, subject to the other exceptions provided in this section.

Finally, as in the proposed rule, a covered entity may deny a request for amendment if the covered entity determines that the information in dispute is accurate and complete. We draw this concept from the Privacy Act of 1974, governing records held by federal agencies, which permits an individual to request correction or amendment of a record "which the individual believes is not accurate, relevant, timely, or complete." (5 U.S.C. 552a(d)(2)). We adopt the standards of "accuracy" and "completeness" and draw on the clarification and analysis of these terms that have emerged in administrative and judicial interpretations of the Privacy Act during the last 25 years. We note that for federal agencies that are also covered entities, this rule does not diminish

Section 164.526(b)—Requests for Amendment and Timely Action

We proposed to require covered health care providers and health plans to provide a means for individuals to request amendment of protected health information about them. Under the NPRM, we would have required covered health care providers and health plans to take action on a request for amendment or correction within 60 days of the request.

As in the proposed rule, covered entities must permit individuals to request that the covered entity amend protected health information about them. We also permit certain specifications for the form and content of the request. If a covered entity informs individuals of such requirements in advance, a covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment. If the covered entity imposes such a requirement and informs individuals of the requirement in advance, the covered entity is not required to act on an individual's request that does not meet the requirements.

We retain the requirement for covered entities to act on a request for amendment within 60 days of receipt of the request. In the final rule, we specify the nature of the action the covered entity must take within the time frame. The covered entity must inform the individual, as described below, that the request has been either accepted or denied, in whole or in part. It must also take certain actions pursuant to its decision to accept or deny the request, as described below. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline
information that was the subject of the their present obligations under the by no more than 30 days. The covered
request was not created by the covered Privacy Act of 1974. entity must inform the individual in
provider or health plan, would not be This right is not intended to interfere writing, within the initial 60-day period,
available for inspection and copying with medical practice or to modify of the reason for the delay and the date
under proposed § 164.514, or was standard business record keeping by which the covered entity will
accurate and complete. A covered entity complete its action on the request. A
practices. Perfect records are not
would have been permitted, but not covered entity may only extend the
required. Instead, a standard of
required, to deny a request if any of deadline one time per request for
reasonable accuracy and completeness
these conditions were met. amendment.
As in the proposed rule, the final rule should be used. In addition, this right is
permits a covered entity to deny a not intended to provide a procedure for Section 164.526(c)—Accepting the
request for amendment if the covered substantive review of decisions such as Amendment
entity did not create the protected coverage determinations by payors. It is If a covered health care provider or
health information or record that is the intended only to affect the content of health plan accepted a request for
subject of the request for amendment. records, not the underlying truth or amendment, in whole or in part, we
We add one exception to this provision: correctness of materials recounted proposed to require the covered entity
if the individual provides a reasonable therein. Attempts under the Privacy Act to make the appropriate change. The
basis to believe that the originator of the of 1974 to use this mechanism as a basis covered entity would have had to
protected health information is no for collateral attack on agency identify the challenged entries as
longer available to act on the requested determinations have generally been amended or corrected and indicate the
amendment, the covered entity must rejected by the courts. The same results location of the amended or corrected
address the request for amendment as are intended here. information.

We also proposed to require the covered provider or health plan to make reasonable efforts to notify certain entities of the amendment: 1) entities the individual identified as needing to be notified and 2) entities the covered provider or health plan knew had received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual.

The covered provider or health plan would also have been required to notify the individual of the decision to amend the information.

As in the proposed rule, if a covered entity accepts an individual's request for amendment or correction, it must make the appropriate amendment. In the final rule, we clarify that, at a minimum, the covered entity must identify the records in the designated record set that are affected by the amendment and must append or otherwise provide a link to the location of the amendment. We do not require covered entities to expunge any protected health information. Covered entities may expunge information if doing so is consistent with other applicable law and the covered entity's record keeping practices.

We alter some of the required procedures for informing the individual and others of the accepted amendment. As in the proposed rule, the covered entity must inform individuals about accepted amendments. In the final rule, the covered entity must obtain the individual's agreement to have the amended information shared with certain persons. If the individual agrees, the covered entity must make reasonable efforts to provide a copy of the amendment within a reasonable time to: (1) Persons the individual identifies as having received protected health information about the individual and needing the amendment; and (2) persons, including business associates, that the covered entity knows have the unamended information and who may have relied, or could foreseeably rely, on the information to the detriment of the individual. For example, a covered entity must make reasonable efforts to inform a business associate that uses protected health information to make decisions about individuals about amendments to protected health information used for such decisions.

Section 164.526(d)—Denying the Amendment

If a covered health care provider or health plan denied a request for amendment, in whole or in part, we proposed to require the covered entity to provide the individual with a written statement in plain language of the basis for the denial, a description of how the individual could submit a written statement of disagreement with the denial, and a description of how the individual could make a complaint with the covered entity and the Secretary.

We proposed to require covered health care providers and health plans to have procedures to permit the individual to file a written statement of disagreement with the denial and to include the covered entity's statement of denial and the individual's statement of disagreement with any subsequent disclosure of the disputed information. Covered entities would have been permitted to establish a limit to the length of the individual's statement of disagreement and to summarize the statement if necessary. We also proposed to permit covered entities to provide a rebuttal to the individual's statement with future disclosures.

As in the proposed rule, if a covered entity denies a request for amendment, it must provide the individual with a statement of denial written in plain language. The written denial must include the basis for the denial, how the individual may file a written statement disagreeing with the denial, and how the individual may make a complaint to the covered entity and the Secretary. In the final rule, we additionally require the covered entity to inform individuals of their options with respect to future disclosures of the disputed information in order to ensure that an individual is aware of his or her rights. The written denial must state that if the individual chooses not to file a statement of disagreement, the individual may request that the covered entity include the individual's request for amendment and the covered entity's denial of the request with any future disclosures of the protected health information that is the subject of the requested amendment.

As in the proposed rule, the covered entity must permit the individual to submit a written statement disagreeing with the denial and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement and may prepare a written rebuttal to the individual's statement of disagreement. If the covered entity prepares a rebuttal, it must provide a copy to the individual. The covered entity must identify the record or protected health information that is the subject of the disputed amendment and append or otherwise link the following information to the designated record set: the individual's request for amendment, the covered entity's denial of the request, the individual's statement of disagreement (if any), and the covered entity's rebuttal (if any). If the individual submits a written statement of disagreement, all of the appended or linked information, or an accurate summary of it, must be included with any subsequent disclosure of the protected health information to which the disagreement relates. If the individual does not submit a written statement of disagreement, the covered entity must include the appended or linked information only if the individual requests that the covered entity do so.

In the final rule, we clarify that when a subsequent disclosure is a standard transaction adopted under the Transactions Rule that cannot accommodate the additional materials described above, the covered entity may separately disclose the additional material to the recipient of the transaction.

Section 164.526(e)—Actions on Notices of Amendment

We proposed to require any covered entity that received a notification of amendment to have procedures in place to make the amendment in any of its designated record sets and to notify its business associates, if appropriate, of amendments.

We retain the proposed approach in the final rule. If a covered entity receives a notification of amended protected health information from another covered entity as described above, the covered entity must make the necessary amendment to protected health information in designated record sets it maintains. In addition, covered entities must require their business associates who receive such notifications to incorporate any necessary amendments to designated record sets maintained on the covered entity's behalf. (See § 164.504 regarding business associate requirements.)

Section 164.526(f)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), the covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendment.

§ 164.528—Accounting of Disclosures of Protected Health Information

Right to an Accounting of Disclosures

We proposed in the NPRM to grant individuals a right to receive an accounting of all disclosures of protected health information about them by a covered entity for purposes other than treatment, payment, and health care operations. We proposed this right to exist for as long as the covered entity maintained the protected health information.

We also proposed that individuals would not have a right to an accounting of disclosures to health oversight or law enforcement agencies if the agency provided a written request for exclusion for a specified time period and the request stated that access by the individual during that time period would be reasonably likely to impede the agency's activities.

We generally retain the proposed approach in the final rule. As in the proposed rule, individuals have a right to receive an accounting of disclosures made by a covered entity, including disclosures by or to a business associate of the covered entity, for purposes other than treatment, payment, and health care operations, subject to certain exceptions as discussed below.

We revise the duration of this right under the final rule. Individuals have a right to an accounting of the applicable disclosures that have been made in the 6 year period prior to the date of a request for an accounting. We additionally clarify in § 164.528(b)(1) that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than 6 years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request.

In the final rule, we exclude several additional types of disclosures from the accounting requirement. Covered entities are not required to include in the accounting disclosures to the individual as provided in § 164.502; disclosures for facility directories, disclosures to persons involved in the individual's care, or other disclosures for notification purposes as provided in § 164.510; disclosures for national security or intelligence purposes as provided in § 164.512(k)(2); disclosures to correctional institutions or law enforcement officials as provided in § 164.512(k)(5); or any disclosures that were made by the covered entity prior to the compliance date of the rule for that covered entity.

We retain the time-limited exclusion for disclosures to health oversight and law enforcement agencies, but require rather than permit the exclusion for the specified time period. Covered entities must exclude disclosures to a health oversight agency or law enforcement official from the accounting for the time period specified by the applicable agency or official if the agency or official provides the covered entity with a statement that inclusion of the disclosure(s) in the accounting to the individual during that time period would be reasonably likely to impede the agency or official's activities. The agency or official's statement must specifically state how long the information must be excluded. At the expiration of that period, the covered entity is required to include the disclosure(s) in an accounting for the individual. If the agency or official's statement is made orally, the covered entity must document the identity of the agency or official who made the statement and must exclude the disclosure(s) for no longer than 30 days from the date of the oral statement, unless a written statement is provided during that time. If the agency or official provides a written statement, the covered entity must exclude the disclosure(s) for the time period specified in the written statement.

Content of the Accounting

We proposed in the NPRM to require the accounting to include all disclosures as described above, including disclosures authorized by the individual. The accounting would have been required to contain the date of each disclosure; the name and address of the organization or person who received the protected health information; a brief description of the information disclosed; and copies of all requests for disclosures. For disclosures other than those made at the request of the individual, the accounting would have also included the purpose for which the information was disclosed.

We generally retain the proposed approach in the final rule, but do not require covered entities to make copies of authorizations or other requests for disclosures available with the accounting. Instead, we require the accounting to contain a brief statement of the purpose of the disclosure. The statement must reasonably inform the individual of the basis for the disclosure. In lieu of the statement of purpose, a covered entity may include a copy of the individual's authorization under § 164.508 or a copy of a written request for disclosure, if any, under § 164.502(a)(2)(ii) or § 164.512. We also clarify that covered entities are only required to include the address of the recipient of the disclosed protected health information if the covered entity knows the address.

We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization under § 164.508 or for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. In this circumstance, a covered entity may limit the accounting of the series of disclosures to the following information: the information otherwise required above for the first disclosure in the series during the accounting period; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the most recent disclosure in the series. For example, if under § 164.512(b), a covered entity discloses the same protected health information to a public health authority for the same purpose every month, it can account for those disclosures by including in the accounting the date of the first disclosure, the public health authority to whom the disclosures were made and the public health authority's address, a brief description of the information disclosed, a brief description of the purpose of the disclosures, the fact that the disclosures were made every month during the accounting period, and the date of the most recent disclosure.

Provision of the Accounting

We proposed in the NPRM to require covered entities to provide individuals with an accounting of disclosures as soon as possible, but not later than 30 days following receipt of the request for the accounting.

In the final rule, we eliminate the requirement for the covered entity to act as soon as possible. We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

In the final rule, covered entities must provide a requested accounting no later than 60 days after receipt of the request. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline by no more than 30 days. The covered entity must inform the individual in writing, within the standard 60-day deadline, of the reason for the delay and the date by which the covered entity will provide the request.

A covered entity may only extend the deadline one time per request for accounting.

The NPRM did not address whether a covered entity could charge a fee for the accounting of disclosures.

In the final rule, we provide that individuals have a right to receive one free accounting per 12 month period. For each additional request by an individual within the 12 month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

Procedures and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), for disclosures that are subject to the accounting requirement, the covered entity must retain documentation of the information required to be included in the accounting. The covered entity must also retain a copy of any accounting provided and must document the titles of the persons or offices responsible for receiving and processing requests for an accounting.

Section 164.530—Administrative Requirements

Designation of a Privacy Official and Contact Person

In § 164.518(a) of the NPRM, we proposed that covered entities be required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters.

The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.

These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper "Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment." This paper notes that "accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures * * *" (p. 29)

Training

In § 164.518(b) of the NPRM we proposed to require that covered entities provide training on the entities' policies and procedures to all members of the workforce likely to have access to protected health information. Each entity would be required to provide initial training by the date on which this rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, we proposed that when a covered entity made material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change.

The NPRM would have required that, upon completion of the training, the trainee would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity's privacy policies and procedures. Entities would determine the most effective means of achieving this training requirement for their workforce. We also proposed that, at least every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity's privacy policies and procedures. The covered entity would have been required to document its policies and procedures for complying with the training requirements.

The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. We do not change the proposed time lines for training existing and new members of the workforce, or for training due to material changes in the covered entity's policies and procedures. We eliminate both the requirement for employees to sign a certification following training and the triennial re-certification requirement. Covered entities are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided.

Safeguards

In § 164.518(c) of the NPRM, we proposed to require covered entities to put in place administrative, technical, and physical safeguards to protect the privacy of protected health information. We made reference in the preamble to similar requirements proposed for certain electronic information in the Notice of Proposed Rulemaking entitled Security and Electronic Signature Standards (HCFA–0049–P). We stated that we were proposing parallel and consistent requirements for safeguarding the privacy of protected health information. In § 164.518(c)(3) of the NPRM, we required covered entities to have safeguards to ensure that information was not used in violation of the requirements of this subpart or by people who did not have proper authorization to access the information.

We do not change the basic proposed requirements that covered entities have administrative, technical and physical safeguards to protect the privacy of protected health information. We combine the proposed requirements into a single standard that requires covered entities to safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirements of this rule and to protect against the inadvertent disclosure of protected health information to persons other than the intended recipient. Limitations on access to protected health information by the covered entity's workforce will also be covered by the policies and procedures for "minimum necessary" use of protected health information, pursuant to § 164.514(d). We expect these provisions to work in tandem.

We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is "scalable.") Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass-code. We intend this to be a common sense, scalable standard. We do not require covered entities to guarantee the safety of protected health information against all assaults. Theft of protected health information may or may not signal a violation of this rule, depending on the circumstances and whether the covered entity had reasonable policies to protect against theft. Organizations such as the Association for Testing and Materials (ASTM) and the American Health Information Management Association (AHIMA) have developed a body of recommended practices for handling of protected health information that covered entities may find useful.

We note that the proposed HIPAA Security Standards would require covered entities to safeguard the privacy and integrity of health information. For electronic information, compliance with both regulations will be required.

In § 164.518(c)(2) of the NPRM we proposed requirements for verification procedures to establish identity and authority for permitted disclosures of protected health information.

In the final rule, this material has been moved to § 164.514(h).

Use or Disclosure of Protected Health Information by Whistleblowers

In § 164.518(c)(4) of the NPRM, this provision was entitled "Implementation

Complaints to the Covered Entity

In § 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan's or provider's compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that "due process" or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame.

We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any.

In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity's privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule.

Sanctions

In § 164.518(e) of the NPRM, we proposed to require all covered entities to develop, and apply when appropriate, sanctions against members of its workforce who failed to comply with privacy policies or procedures of the covered entity or with the requirements of the rule. Covered entities would be required to develop and impose sanctions appropriate to the nature of the violation. The preamble stated that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the

language also stated that covered entities would be required to apply sanctions against business associates that violated the proposed rule.

In the final rule, we retain the requirement for sanctions against members of a covered entity's workforce. We also require a covered entity to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions. These sanctions do not apply to whistleblower activities that meet the provisions of § 164.502(j) or complaints, investigations, or opposition that meet the provisions of § 164.530(g)(2). We eliminate language regarding business associates from this section. Requirements with respect to business associates are stated in § 164.504.

Duty To Mitigate

In proposed § 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity's workforce and business associates.

With respect to business associates, the NPRM preamble, but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate's performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it.

In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered
Specification: Disclosures by violation indicated a pattern or practice entity’s policies and procedures, not just
whistleblowers.’’ It is now retitled of improper use or disclosure of a violation of the requirements of the
‘‘Disclosures by whistleblowers,’’ with protected health information. Sanctions subpart. We resolve the ambiguities in
certain changes, and moved to could range from a warning to the NPRM by imposing this duty on
§ 164.502(j)(1). termination. The NPRM preamble covered entities for harm caused by
either members of their workforce or by their business associates.

We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in § 164.504.

Refraining from Intimidating or Retaliatory Acts

In § 164.522(d)(4) of the NPRM, in the Compliance and Enforcement section, we proposed that one of the responsibilities of a covered entity would be to refrain from intimidating or retaliatory acts. Specifically, the rule provided that ‘‘[a] covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.’’

In the final rule, we continue to require that entities refrain from intimidating or retaliatory acts; however, the provisions have been moved to the Administrative Requirements provisions in § 164.530. This change is not just clerical; in making this change, we apply this provision to the privacy rule alone rather than to all the HIPAA administrative simplification rules. (The compliance and enforcement provisions that were in § 164 are now in Part 160, Subpart C.)

We continue to prohibit retaliation against individuals for filing a complaint with the Secretary, but also prohibit retaliation against any other person who files such a complaint. This is the case because the term ‘‘individual’’ is generally limited to the person who is the subject of the information. The final rule prohibits retaliation against persons, not just individuals, for testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing under Part C of Title XI. The proposed regulation referenced the ‘‘Act,’’ which is defined in Part 160 as the Social Security Act. Because we only intend to protect activities such as participation in investigations and hearings under the Administrative Simplification provisions of HIPAA, the final rule references Part C of Title XI of the Social Security Act.

The proposed rule would have prohibited retaliatory actions against individuals for opposing any act or practice made unlawful by this subpart. The final rule retains this provision, but applies it to any person, only if the person ‘‘has a good faith belief that the practice opposed is unlawful, the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.’’ The final rule provides additional protections, which had been included in the preamble to the proposed rule. Specifically, we prohibit retaliatory actions against individuals who exercise any right, or participate in any process established by the privacy rule (Part 164 Subpart E), and include as an example the filing of a complaint with the covered entity.

Waiver of Rights

In the final regulation, but not in the proposed regulation, we provide that a covered entity may not require individuals to waive their rights to file a complaint with the Secretary or their other rights under this rule as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. This provision ensures that covered entities do not take away the rights that individuals have been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and Documentation Requirements

In § 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation.

In § 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In § 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices.

We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law.

In § 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that ‘‘writing’’ includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office.

We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, whichever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on ‘‘last was in effect’’ is a change from the NPRM which was worded ‘‘unless a longer period applies under this subpart.’’

This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper ‘‘Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.’’ This paper notes that ‘‘MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues.’’ (p. 29).

Standards for Certain Group Health Plans

We add a new provision (§ 164.530(k)) to clarify the administrative responsibilities of group health plans that offer benefits through issuers and HMOs. Specifically, a group health plan that provides benefits solely through an issuer or HMO, and that does not create, receive or maintain protected health
information other than summary health information or information regarding enrollment and disenrollment, is not subject to the requirements of this section regarding designation of a privacy official and contact person, workforce training, safeguards, complaints, mitigation, or policies and procedures. Such a group health plan is only subject to the requirements of this section regarding documentation with respect to its plan documents. Issuers and HMOs are covered entities under this rule, and thus have independent obligations to comply with this section with respect to the protected health information they maintain about the enrollees in such group health plans. The group health plans subject to this provision will have only limited protected health information. Therefore, imposing these requirements on the group health plan would impose burdens not outweighed by a corresponding enhancement in privacy protections.

Section 164.532—Transition Provisions

In the NPRM, we did not address the effect of the regulation on consents and authorizations covered entities obtained prior to the compliance date of the regulation.

In the final rule, we clarify that, in certain circumstances, a covered entity may continue to rely upon consents, authorizations, or other express legal permissions obtained prior to the compliance date of this regulation to use or disclose protected health information even if these consents, authorizations, or permissions do not meet the requirements set forth in §§ 164.506 or 164.508.

We realize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the compliance date of this regulation which permits the use or disclosure of individually identifiable health information for activities that come within treatment, payment, or health care operations (as defined in § 164.501), but that do not meet the requirements for consents set forth in § 164.506. In the final rule, we permit a covered entity to rely upon such consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation to carry out the treatment, payment, or health care operations as long as it meets two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain a consent that meets the requirements of § 164.506 to use or disclose this previously obtained protected health information as long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain a consent that meets the requirements of § 164.506 to the extent that it is required to obtain a consent under § 164.506 from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.

Similarly, we recognize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the applicable compliance date of this regulation that specifically permits the covered entity to use or disclose individually identifiable health information for activities other than to carry out treatment, payment, or health care operations. In the final rule, we permit a covered entity to rely upon such a consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation for the specific activities described in the consent, authorization, or permission as long as the covered entity complies with two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain an authorization that meets the requirements of § 164.508 to use or disclose this previously obtained protected health information so long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain an authorization that meets the requirements of § 164.508, to the extent that it is required to obtain an authorization under this rule, from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.

Additionally, the final rule acknowledges that covered entities may wish to rely upon consents, authorizations, or other express legal permission obtained from an individual prior to the applicable compliance date for a specific research project that includes the treatment of individuals, such as clinical trials. These consents, authorizations, or permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project. Alternatively, they may be general consents to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.

If, pursuant to this section, a covered entity relies upon a previously obtained consent, authorization, or other express legal permission and agrees to a request for a restriction by an individual under § 164.522(a), any subsequent use or disclosure under that consent, authorization, or permission must comply with the agreed upon restriction as well.

We believe it is necessary to grandfather in previously obtained consents, authorizations, or other express legal permissions in these circumstances to ensure that important functions of the health care system are not impeded. We link the effectiveness of such consents, authorizations, or permissions in these circumstances to the applicable compliance date to give covered entities sufficient notice of the requirements set forth in §§ 164.506 and 164.508.

The rule does not change the past effectiveness of consents, authorizations, or other express legal permissions that do not come within this section. This means that uses or disclosures of individually identifiable health information made prior to the compliance date of this regulation are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of this rule or were made without permission. This rule alters only the future effectiveness of the previously obtained consents, authorizations, or permissions. Covered entities are not required to rely upon these consents, authorizations, or permissions and may obtain new consents or authorizations that meet the applicable requirements of §§ 164.506 and 164.508.

When reaching this decision, we considered requiring all covered entities to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 before they would be able to use or disclose protected health information obtained
after the compliance date of these rules. We rejected this option because we recognize that covered entities may not always be able to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 from all individuals upon whose information they rely. We also refrained from impeding the rights of covered entities to exercise their interests in the records they have created. We do not require covered entities with existing records or databases to destroy or remove the protected health information for which they do not have valid consents or authorizations that meet the requirements of §§ 164.506 and 164.508. Covered entities may rely upon the consents, authorizations, or permissions they obtained from individuals prior to the applicable compliance date of this regulation consistent with the constraints of those documents and the requirements discussed above.

We note that if a covered entity obtains before the applicable compliance date of this regulation a consent that meets the requirements of § 164.506, an authorization that meets the requirements of § 164.508, or an IRB or privacy board waiver of authorization that meets the requirements of § 164.512(i), the consent, authorization, or waiver is effective for uses or disclosures that occur after the compliance date and that are consistent with the terms of the consent, authorization, or waiver.

Section 164.534—Compliance Dates for Initial Implementation of the Privacy Standards

In the NPRM, we provided that a covered entity must be in compliance with this subpart not later than 24 months following the effective date of this rule, except that a covered entity that is a small health plan must be in compliance with this subpart not later than 36 months following the effective date of the rule.

The final rule did not make any substantive changes. The format is changed so as to more clearly present the various compliance dates. The final rule lists the types of covered entities and then the various dates that would apply to each of these entities.

III. Section-by-Section Discussion of Comments

The following describes the provisions in the final regulation, and the changes we make to the proposed provisions section-by-section. Following each section are our responses to the comments to that section. This section of the preamble is organized to follow the corresponding section of the final rule, not the NPRM.

General Comments

We received many comments on the rule overall, not to a particular provision. We respond to those comments here. Similar comments, but directed to a specific provision in the proposed rule, are answered below in the corresponding section of this preamble.

Comments on the Need for Privacy Standards, and Effects of this Regulation on Current Protections

Comment: Many commenters expressed the opinion that federal legislation is necessary to protect the privacy of individuals’ health information. One comment advocated Congressional efforts to provide a comprehensive federal health privacy law that would integrate the substance abuse regulations with the privacy regulation.

Response: We agree that comprehensive privacy legislation is urgently needed. This administration has urged the Congress to pass such legislation. While this regulation will improve the privacy of individuals’ health information, only legislation can provide the full array of privacy protection that individuals need and deserve.

Comment: Many commenters noted that they do not go to a physician, or do not completely share health information with their physician, because they are concerned about who will have access to that information. Many physicians commented on their patients’ reluctance to share information because of fear that their information will later be used against them.

Response: We agree that strong federal privacy protections are necessary to enhance patients’ trust in the health care system.

Comment: Many commenters expressed concerns that this regulation will allow access to health information by those who today do not have such access, or would allow their physician to disclose information which may not lawfully be disclosed today. Many of these commenters stated that today, they consent to every disclosure of health information about them, and that absent their consent the privacy of their health information is ‘‘absolute.’’ Others stated that, today, health information is disclosed only pursuant to a judicial order. Several commenters were concerned that this regulation would override stronger state privacy protection.

Response: This regulation does not, and cannot, reduce current privacy protections. The statutory language of the HIPAA specifically mandates that this regulation does not preempt state laws that are more protective of privacy. As discussed in more detail later in this preamble, while many people believe that they must be asked permission prior to any release of health information about them, current laws generally do not impose such a requirement. Similarly, as discussed in more detail later in this preamble, judicial review is required today only for a small proportion of releases of health information.

Comment: Many commenters asserted that today, medical records ‘‘belong’’ to patients. Others asserted that patients own their medical information and health care providers and insurance companies who maintain health records should be viewed as custodians of the patients’ property.

Response: We do not intend to change current law regarding ownership of or responsibility for medical records. In developing this rule we reviewed current law on this and related issues, and built on that foundation.

Under state laws, medical records are often the property of the health care provider or medical facility that created them. Some state laws also provide patients with access to medical records or an ownership interest in the health information in medical records. However, these laws do not divest the health care provider or the medical facility of its ownership interest in medical records. These statutes typically provide a patient the right to inspect or copy health information from the medical record, but not the right to take the provider’s original copy of an item in the medical record. If a particular state law provides greater ownership rights, this regulation leaves such rights in place.

Comment: Some commenters argued that the use and disclosure of sensitive personal information must be strictly regulated, and violation of such regulations should subject an entity to significant penalties and sanctions.

Response: We agree, and share the commenters’ concern that the penalties in the HIPAA statute are not sufficient to fully protect individuals’ privacy interests. The need for stronger penalties is among the reasons we believe Congress should pass comprehensive privacy legislation.

Comment: Many commenters expressed the opinion that the proposed rule should provide stricter privacy protections.
Response: We received nearly 52,000 comments on the proposed regulation, and make substantial changes to the proposal in response to those comments. Many of these changes will strengthen the protections that were proposed in the NPRM.

Comment: Many comments express concerns that their health information will be given to their employers.

Response: We agree that employer access to health information is a particular concern. In this final regulation, we make significant changes to the NPRM that clarify and provide additional safeguards governing when and how the health plans covered by this regulation may disclose health information to employers.

Comment: Several commenters argued that individuals should be able to sue for breach of privacy.

Response: We agree, but do not have the legislative authority to grant a private right of action to sue under this statute. Only Congress can grant that right.

Objections to Government Access to Protected Health Information

Comment: Many commenters urged the Department not to create a government database of health information, or a tracking system that would enable the government to track individuals’ health information.

Response: This regulation does not create such a database or tracking system, nor does it enable future creation of such a database. This regulation describes the ways in which health plans, health care clearinghouses, and certain health care providers may use and disclose identifiable health information with and without the individual’s consent.

Comment: Many commenters objected to government access to or control over their health information, which they believe the proposed regulation would provide.

Response: This regulation does not increase current government access to health information. This rule sets minimum privacy standards. It does not require disclosure of health information, other than to the subject of the records or for enforcement of this rule. Health plans and health care providers are free to use their own professional ethics and judgement to adopt stricter policies for disclosing health information.

Comment: Some commenters viewed the NPRM as creating fewer hurdles for government access to protected health information than for access to protected health information by private organizations. Some health care providers commented that the NPRM would impose substantial new restrictions on private sector use and disclosure of protected health information, but would make government access to protected health information easy. One consumer advocacy group made the same observation.

Response: We acknowledge that many of the national priority purposes for which we allow disclosure of protected health information without consent or authorization are for government functions, and that many of the governmental recipients of such information are not governed by this rule. It is the role of government to undertake functions in the broader public interest, such as public health activities, law enforcement, identification of deceased individuals through coroners’ offices, and military activities. It is these public purposes which can sometimes outweigh an individual’s privacy interest. In this rule, we specify the circumstances in which that balance is tipped toward the public interest with respect to health information. We discuss the rationale behind each of these permitted disclosures in the relevant preamble sections below.

Miscellaneous Comments

Comment: Many commenters objected to the establishment of a unique identifier for health care or other purposes.

Response: This regulation does not create an identifier. We assume these comments refer to the unique health identifier that Congress directed the Secretary to promulgate under section 1173(b) of the Social Security Act, added by section 262 of the HIPAA. Because of the public concerns about such an identifier, in the summer of 1998 Vice President Gore announced that the Administration would not promulgate such a regulation until comprehensive medical privacy protections were in place. In the fall of that year, Congress prohibited the Department from promulgating such an identifier, and that prohibition remains in place. The Department has no plans to promulgate a unique health identifier.

Comment: Many commenters asked that we withdraw the proposed regulation and not publish a final rule.

Response: Under section 264 of the HIPAA, the Secretary is required by Congress to promulgate a regulation establishing standards for health information privacy. Further, for the reasons explained throughout this preamble above, we believe that the need to protect health information privacy is urgent and that this regulation is in the public’s interest.

Comment: Many commenters express the opinion that their consent should be required for all disclosure of their health information.

Response: We agree that consent should be required prior to release of health information for many purposes, and impose such a requirement in this regulation. Requiring consent prior to all release of health information, however, would unduly jeopardize public safety and make many operations of the health care system impossible. For example, requiring consent prior to release of health information to a public health official who is attempting to track the source of an outbreak or epidemic could endanger thousands of lives. Similarly, requiring consent before an oversight official could audit a health plan would make detection of health care fraud all but impossible; it could take health plans months or years to locate and obtain the consent of all current and past enrollees, and the health plan would not have a strong incentive to do so. These uses of medical information are clearly in the public interest.

In this regulation, we must balance individuals’ privacy interests against the legitimate public interests in certain uses of health information. Where there is an important public interest, this regulation imposes procedural safeguards that must be met prior to release of health information, in lieu of a requirement for consent. In some instances the procedural safeguards consist of limits on the circumstances in which information may be disclosed, in others the safeguards consist of limits on what information may be disclosed, and in other cases we require some form of legal process (e.g., a warrant or subpoena) prior to release of health information. We also allow disclosure of health information without consent where other law mandates the disclosures. Where such other law exists, another public entity has made the determination that the public interests outweigh the individual’s privacy interests, and we do not upset that determination in this regulation. In short, we tailor the safeguards to match the specific nature of the public purpose. The specific safeguards are explained in each section of this regulation below.

Comment: Many comments address matters not relevant to this regulation, such as alternative fuels, hospital reimbursement, and gulf war syndrome.

Response: These and similar matters are not relevant to this regulation and will not be addressed further.
Comment: A few commenters questioned why this level of detail is needed in response to the HIPAA Congressional mandate.

Response: This level of detail is necessary to ensure that individuals’ rights with respect to their health information are clear, while also ensuring that information necessary for important public functions, such as protecting public health, promoting biomedical research, fighting health care fraud, and notifying family members in disaster situations, will not be impaired by this regulation. We designed this rule to reflect current practices and change some of them. The comments and our fact finding revealed the complexity of current health information practices, and we believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Comment: A few comments stated that the goal of administrative simplification should never override the privacy of individuals.

Response: We believe that privacy is a necessary component of administrative simplification, not a competing interest.

Comment: At least one commenter said that the goal of administrative simplification is not well served by the proposed rule.

Response: Congress recognized that privacy is a necessary component of administrative simplification. The standardization of electronic health information mandated by the HIPAA that makes it easier to share that information for legitimate purposes also makes the inappropriate sharing of that information easier. For this reason, Congress included a mandate for privacy standards in this section of the HIPAA. Without appropriate privacy protections, public fear and instances of abuse would make it impossible for us to take full advantage of the administrative and cost benefits inherent in the administrative simplification standards.

Comment: At least one commenter asked us to require psychotherapists to assert any applicable legal privilege on patients’ behalf when protected health information is requested.

Response: Whether and when to assert a claim of privilege on a patient’s behalf is a matter for other law and for the ethics of the individual health care provider. This is not a decision that can or should be made by the federal government.

Comment: One commenter called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the Security Standards should be compatible with the existing and emerging health care and information technology industry standards.

Response: We agree that both this regulation and the final Security Regulation should be compatible with existing and emerging technology industry standards. This regulation is “technology neutral.” We do not mandate the use of any particular technologies, but rather set standards which can be met through a variety of means.

Comment: Several commenters claimed that the statutory authority given under HIPAA cannot provide meaningful privacy protections because many entities with access to protected health information, such as employers, workers’ compensation carriers, and life insurance companies, are not covered entities. These commenters expressed support for comprehensive legislation to close many of the existing loopholes.

Response: We agree with the commenters that comprehensive legislation is necessary to provide full privacy protection and have called for members of Congress to pass such legislation to prevent unauthorized and potentially harmful uses and disclosures of information.

Part 160—Subpart A—General Provisions

Section 160.103—Definitions

Business Associate

The response to comments on the definition of “business partner,” renamed in this rule as “business associate,” is included in the response to comments on the requirements for business associates in the preamble discussion of § 164.504.

Covered Entity

Comment: A number of commenters urged the Department to expand or clarify the definition of “covered entity” to include certain entities other than health care clearinghouses, health plans, and health care providers who conduct standard transactions. For example, several commenters asked that the Department generally expand the scope of the rule to cover all entities that receive or maintain individually identifiable health information; others specifically urged the Department to cover employers, marketing firms, and legal entities that have access to individually identifiable health information. Some commenters asked that life insurance and casualty insurance carriers be considered covered entities for purposes of this rule. One commenter recommended that Pharmacy Benefit Management (PBM) companies be considered covered entities so that they may use and disclose protected health information without authorization.

In addition, a few commenters asked the Department to clarify that the definition includes providers who do not directly conduct electronic transactions if another entity, such as a billing service or hospital, does so on their behalf.

Response: We understand that many entities may use and disclose individually identifiable health information. However, our jurisdiction under the statute is limited to health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with any of the standard financial or administrative transactions in section 1173(a) of the Act. These are the entities referred to in section 1173(a)(1) of the Act and thus listed in § 160.103 of the final rule. Consequently, once protected health information leaves the purview of one of these covered entities, their business associates, or other related entities (such as plan sponsors), the information is no longer afforded protection under this rule. We again highlight the need for comprehensive federal legislation to eliminate such gaps in privacy protection.

We also provide the following clarifications with regard to specific entities.

We clarify that employers and marketing firms are not covered entities. However, employers may be plan sponsors of a group health plan that is a covered entity under the rule. In such a case, specific requirements apply to the group health plan. See the preamble on § 164.504 for a discussion of specific “firewall” and other organizational requirements for group health plans and their employer sponsors. The final rule also contains provisions addressing when an insurance issuer providing benefits under a group health plan may disclose summary health information to a plan sponsor.

With regard to life and casualty insurers, we understand that such benefit providers may use and disclose individually identifiable health information. However, Congress did not include life insurers and casualty insurance carriers as “health plans” for the purposes of this rule and therefore they are not covered entities. See the discussion regarding the definition of “health plan” and excepted benefits.
In addition, we clarify that a PBM is a covered entity only to the extent that it meets the definition of one or more of the entities listed in § 160.102. When providing services to patients through managed care networks, it is likely that a PBM is acting as a business associate of a health plan, and may thus use and disclose protected health information pursuant to the relevant provisions of this rule. PBMs may also be business associates of health care providers. See the preamble sections on §§ 164.502, 164.504, and 164.506 for discussions of the specific requirements related to business associates and consent.

Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to a contractor.

Comment: Many commenters urged the Department to restrict or clarify the definition of “covered entity” to exclude certain entities, such as department-operated hospitals (public hospitals); state Crime Victim Compensation Programs; employers; and certain lines of insurers, such as workers’ compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers. One commenter expressed concern that clergy, religious practitioners, and other faith-based service providers would have to abide by the rule and asked that the Department exempt prayer healing and non-medical health care.

Response: The Secretary provides the following clarifications in response to these comments. To the extent that a “department-operated hospital” meets the definition of a “health care provider” and conducts any of the standard transactions, it is a covered entity for the purposes of this rule. We agree that a state Crime Victim Compensation Program is not a covered entity if it is not a health care provider that conducts standard transactions, health plan, or health care clearinghouse. Further, as described above, employers are not covered entities.

In addition, we agree that workers’ compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers are not covered entities, as they do not meet the statutory definition of “health plan.” See further discussion in the preamble on § 160.103 regarding the definition of “health plan.” However, activities related to ceding, securing, or placing a contract for reinsurance, including stop-loss insurance, are health care operations in the final rule. As such, reinsurers and stop-loss insurers may obtain protected health information from covered entities.

Also, in response to the comment regarding religious practitioners, the Department clarifies that “health care” as defined under the rule does not include methods of healing that are solely spiritual. Therefore, clergy or other religious practitioners that provide solely religious healing services are not health care providers within the meaning of this rule, and consequently not covered entities for the purposes of this rule.

Comment: A few commenters expressed general uncertainty and requested clarification as to whether certain entities were covered entities for the purposes of this rule. One commenter was uncertain as to whether the rule applies to certain social service entities, in addition to clinical social workers that the commenter believes are providers. Other commenters asked whether researchers or non-governmental entities that collect and analyze patient data to monitor and evaluate quality of care are covered entities. Another commenter requested clarification regarding the definition’s application to public health agencies that also are health care providers as well as how the rule affects public health agencies in their data collection from covered entities.

Response: Whether the professionals described in these comments are covered by this rule depends on the activities they undertake, not on their profession or degree. The definitions in this rule are based on activities and functions, not titles. For example, a social service worker whose activities meet this rule’s definition of health care will be a health care provider. If that social service worker also transmits information in a standard HIPAA transaction, he or she will be a covered health entity under this rule. Another social service worker may provide services that do not meet the rule’s definition of health care, or may not transmit information in a standard transaction. Such a social service worker is not a covered entity under this rule. Similarly, researchers in and of themselves are not covered entities. However, researchers may also be health care providers if they provide health care. In such cases, the persons, or entities in their role as health care providers may be covered entities if they conduct standard transactions.

With regard to public health agencies that are also health care providers, the health care provider “component” of the agency is the covered entity if that component conducts standard transactions. See discussion of “health care components” below. As to the data collection activities of a public health agency, the final rule in § 164.512(b) permits a covered entity to disclose protected health information to public health authorities under specified circumstances, and permits public health agencies that are also covered entities to use protected health information for these purposes. See § 164.512(b) for further details.

Comment: A few commenters requested that the Department clarify that device manufacturers are not covered entities. They stated that the proposal did not provide enough guidance in cases where the “manufacturer supplier” has only one part of its business that acts as the “supplier,” and additional detail is needed about the relationship of the “supplier component” of the company to the rest of the business. Similarly, another commenter asserted that drug, biologics, and device manufacturers should not be covered entities simply by virtue of their manufacturing activities.

Response: We clarify that if a supplier manufacturer is a Medicare supplier, then it is a health care provider, and it is a covered entity if it conducts standard transactions. Further, we clarify that a manufacturer of supplies related to the health of a particular individual, e.g., prosthetic devices, is a health care provider because the manufacturer is providing “health care” as defined in the rule. However, that manufacturer is a covered entity only if it conducts standard transactions. We do not intend that a manufacturer of supplies that are generic and not customized or otherwise specifically designed for particular individuals, e.g., ace bandages for a hospital, is a health care provider. Such a manufacturer is not providing “health care” as defined in the rule and is therefore not a covered entity. We note that, even if such a manufacturer is a covered entity, it may be an “indirect treatment provider” under this rule, and thus not subject to all of the rule’s requirements.

With regard to a “supplier component,” the final rule addresses the status of the unit or unit(s) of a larger entity that constitute a “health care component.” See further discussion under § 164.504 of this preamble.

Finally, we clarify that drug, biologics, and device manufacturers are not health care providers simply by virtue of their manufacturing activities. The manufacturer must be providing health care consistent with the final
rule’s definition in order to be considered a health care provider.

Comment: A few commenters asked that the Department clarify that pharmaceutical manufacturers are not covered entities. It was explained that pharmaceutical manufacturers provide support and guidance to doctors and patients with respect to the proper use of their products, provide free products for doctors to distribute to patients, and operate charitable programs that provide pharmaceutical drugs to patients who cannot afford to buy the drugs they need.

Response: A pharmaceutical manufacturer is only a covered entity if the manufacturer provides “health care” according to the rule’s definition and conducts standard transactions. In the above case, a pharmaceutical manufacturer that provides support and guidance to doctors and patients regarding the proper use of their products is providing “health care” for the purposes of this rule, and therefore, is a health care provider to the extent that it provides such services. The pharmaceutical manufacturer that is a health care provider is only a covered entity, however, if it conducts standard transactions. We note that this rule permits a covered entity to disclose protected health information to any person for treatment purposes, without specific authorization from the individual. Therefore, a covered health care provider is permitted to disclose protected health information to a pharmaceutical manufacturer for treatment purposes. Providing free samples to a health care provider does not in itself constitute health care. For further analysis of pharmacy assistance programs, see response to comment on § 164.501, definition of “payment.”

Comment: Several commenters asked about the definition of “covered entity” and its application to health care entities within larger organizations.

Response: A detailed discussion of the final rule’s organizational requirements and firewall restrictions for “health care components” of larger entities, as well as for affiliated, and other entities is found at the discussion of § 164.504 of this preamble. The following responses to comments provide additional information with respect to particular “component entity” circumstances.

Comment: Several commenters asked that we clarify the definition of covered entity to state that with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated businesses, the term “covered entity” encompasses only the health care components of the entity. Similarly, others recommended that only the component of a government agency that is a provider, health plan, or clearinghouse should be considered a covered entity.

Other commenters requested that we revise proposed § 160.102 to apply only to the component of an entity that engages in the transactions specified in the rule. Commenters stated that companies should remain free to employ licensed health care providers and to enter into corporate relationships with provider institutions without fear of being considered to be a covered entity. Another commenter suggested that the regulation not apply to the provider-employee or employer when neither the provider nor the company is a covered entity.

Some commenters specifically argued that the definition of “covered entity” did not contemplate an integrated health care system and one commenter stated that the proposal would disrupt the multi-disciplinary, collaborative approach that many take to health care today by treating all components as separate entities. Commenters, therefore, recommended that the rule treat the integrated entity, not its constituent parts, as the covered entity.

A few commenters asked that the Department further clarify the definition with respect to the unique organizational models and relationships of academic medical centers and their parent universities and the rules that govern information exchange within the institution. One commenter asked whether faculty physicians who are paid by a medical school or faculty practice plan and who are on the medical staff of, but not paid directly by, a hospital are included within the covered entity. Another commenter stated that it appears that only the health center at an academic institution is the covered entity. Uncertainty was also expressed as to whether other components of the institution that might create protected health information only incidentally through the conduct of research would also be covered.

Response: The Department understands that in today’s health care industry, the relationships among health care entities and non-health care organizations are highly complex and varied. Accordingly, the final rule gives covered entities some flexibility to segregate or aggregate their operations for purposes of the application of this rule. The new component entity provision can be found at §§ 164.504(b)-(c). In response to the request for clarification on whether the rule would apply to a research component of the covered entity, we point out that if the research activities fall outside of the health care component they would not be subject to the rule. One organization may have one or several “health care component(s)” that each perform one or more of the health care functions of a covered entity, i.e., health care provider, health plan, health care clearinghouse. In addition, the final rule permits covered entities that are affiliated, i.e., share common ownership or control, to designate themselves, or their health care components, together to be a single covered entity for purposes of the rule.

It appears from the comments that there is not a common understanding of the meaning of “integrated delivery system.” Arrangements that apply this label to themselves operate and share information in many different ways, and may or may not be financially or clinically integrated. In some cases, multiple entities hold themselves out as one enterprise and engage together in clinical or financial activities. In others, separate entities share information but do not provide treatment together or share financial risk. Many health care providers participate in more than one such arrangement.

Therefore, we do not include a separate category of “covered entity” under this rule for “integrated delivery systems” but instead accommodate the operations of these varied arrangements through the functional provisions of the rule. For example, covered entities that operate as “organized health care arrangements” as defined in this rule may share protected health information for the operation of such arrangement without becoming business associates of one another. Similarly, the regulation does not require a business associate arrangement when protected health information is shared for purposes of providing treatment. The application of this rule to any particular “integrated system” will depend on the nature of the common activities the participants in the system perform. When the participants in such an arrangement are “affiliated” as defined in this rule, they may consider themselves a single covered entity (see § 164.504).

The arrangements between academic health centers, faculty practice plans, universities, and hospitals are similarly diverse. We cannot describe a blanket rule that covers all such arrangements. The application of this rule will depend on the purposes for which the participants in such arrangements share protected health information, whether some or all participants are under common ownership or control, and similar matters. We note that physicians who have staff privileges at a covered
hospital do not become part of that hospital covered entity by virtue of having such privileges.

We reject the recommendation to apply the rule only to components of an entity that engage in the transactions. This would omit as covered entities, for example, the health plan components that do not directly engage in the transactions, including components that engage in important health plan functions such as coverage determinations and quality review. Indeed, we do not believe that the statute permits this result with respect to health plans or health care clearinghouses as a matter of negative implication from section 1172(a)(3). We clarify that only a health care provider must conduct transactions to be a covered entity for purposes of this rule. We also clarify that health care providers (such as doctors or nurses) who work for a larger organization and do not conduct transactions on their own behalf are workforce members of the covered entity, not covered entities themselves.

Comment: A few commenters asked the Department to clarify the definition to provide that a multi-line insurer that sells insurance coverages, some of which do and others which do not meet the definition of “health plan,” is not a covered entity with respect to actions taken in connection with coverages that are not “health plans.”

Response: The final rule clarifies that the requirements below apply only to the organizational unit or units of the organization that are the “health care component” of a covered entity, where the “covered functions” are not the primary functions of the entity. Therefore, for a multi-line insurer, the “health care component” is the insurance line(s) that conduct, or support the conduct of, the health care function of the covered entity. Also, it should be noted that excepted benefits, such as life insurance, are not included in the definition of “health plan.” (See preamble discussion of § 164.504).

Comment: A commenter questioned whether the Health Care Financing Administration (HCFA) is a covered entity and how HCFA will share data with Medicare managed care organizations. The commenter also questioned why the regulation must apply to Medicaid since the existing Medicaid statute requires that states have privacy standards in place. It was also requested that the Department provide a definition of “health plan” to clarify that state Medicaid Programs are considered as such.

Response: HCFA is a covered entity because it administers Medicare and Medicaid, which are both listed in the statute as health plans. Medicare managed care organizations are also covered entities under this regulation. As noted elsewhere in this preamble, covered entities that jointly administer a health plan, such as Medicare+Choice, are both covered entities, and are not business associates of each other by virtue of such joint administration. We do not exclude state Medicaid programs. Congress explicitly included the Medicaid program as a covered health plan in the HIPAA statute.

Comment: A commenter asked the Department to provide detailed guidance as to when providers, plans, and clearinghouses become covered entities. The commenter provided the following example: if a provider submits claims only in paper form, and a coordination of benefits (COB) transaction is created due to other insurance coverage, will the original provider need to be notified that the claim is now in electronic form, and that it has become a covered entity? Another commenter voiced concern as to whether physicians who do not conduct electronic transactions would become covered entities if another entity using its records downstream transmits information in connection with a standard transaction on their behalf.

Response: We clarify that health care providers who submit the transactions in standard electronic form, health plans, and health care clearinghouses are covered entities if they meet the respective definitions. Health care providers become subject to the rule if they conduct standard transactions. In the above example, the health care provider would not be a covered entity if the coordination of benefits transaction was generated by a payor. We also clarify that health care providers who do not submit transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on the providers’ behalf. However, where the downstream transaction is not conducted on behalf of the health care provider, the provider does not become a covered entity due to the downstream transaction.

Comment: Several commenters discussed the relationship between section 1179 of the Act and the privacy regulations. One commenter suggested that HHS retain the statement that a covered entity means “the entities to which part C of title XI of the Act applies.” In particular, the commenter observed that section 1179 of the Act provides that part C of title XI of the Act does not apply to financial institutions or to entities acting on behalf of such institutions that are covered by the section 1179 exemption. Thus, under the definition of covered entity, they comment that financial institutions and other entities that come within the scope of the section 1179 exemption are appropriately not covered entities.

Other commenters maintained that section 1179 of the Act means that the Act’s privacy requirements do not apply to the request for, or the use or disclosure of, information by a covered entity with respect to payment: (a) For transferring receivables; (b) for auditing; (c) in connection with—(i) a customer dispute; or (ii) an inquiry from or to a customer; (d) in a communication to a customer of the entity regarding the customer’s transactions payment card, account, check, or electronic funds transfer; (e) for reporting to consumer reporting agencies; or (f) for complying with: (i) a civil or criminal subpoena; or (ii) a federal or state law regulating the entity. These companies expressed concern that the proposed rule did not include the full text of section 1179 when discussing the list of activities that were exempt from the rule’s requirements. Accordingly, they recommended including in the final rule either a full listing of or a reference to section 1179’s full list of exemptions. Furthermore, these firms opposed applying the proposed rule’s minimum necessary standard for disclosure of protected health information to financial institutions because of section 1179.

These commenters suggest that in light of section 1179, HHS lacks the authority to impose restrictions on financial institutions and other entities when they engage in activities described in that section. One commenter expressed concern that even though proposed § 164.510(i) would have permitted covered entities to disclose certain information to financial institutions for banking and payment processes, it did not state clearly that financial institutions and other entities described in section 1179 are exempt from the rule’s requirements.

Response: We interpret section 1179 of the Act to mean that entities engaged in the activities of a financial institution, and those acting on behalf of a financial institution, are not subject to this regulation when they are engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The statutory reference to 12 U.S.C. 3401 indicates that Congress chose to adopt the definition of financial institutions found
in the Right to Financial Privacy Act, which defines financial institutions as any office of a bank, savings bank, card issuer, industrial loan company, trust company, savings association, building and loan, homestead association, cooperative bank, credit union, or consumer finance institution located in the United States or one of its Territories. Thus, when we use the term ‘‘financial institution’’ in this regulation, we turn to the definition with which Congress provided us. We interpret this provision to mean that when a financial institution, or its agent on behalf of the financial institution, conducts the activities described in section 1179, the privacy regulation will not govern the activity.

If, however, these activities are performed by a covered entity or by another entity, including a financial institution, on behalf of a covered entity, the activities are subject to this rule. For example, if a bank operates the accounts payable system or other ‘‘back office’’ functions for a covered health care provider, that activity is not described in section 1179. In such instances, because the bank would meet the rule’s definition of ‘‘business associate,’’ the provider must enter into a business associate contract with the bank before disclosing protected health information pursuant to this relationship. However, if the same provider maintains an account through which he/she cashes checks from patients, no business associate contract would be necessary because the bank’s activities are not undertaken for or on behalf of the covered entity, and fall within the scope of section 1179. In part to give effect to section 1179, in this rule we do not consider a financial institution to be acting on behalf of a covered entity when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care.

We do not agree with the comment that section 1179 of the Act means that the privacy regulation’s requirements cannot apply to the activities listed in that section; rather, it means that the entities expressly mentioned, financial institutions (as defined in the Right to Financial Privacy Act), and their agents that engage in the listed activities for the financial institution are not within the scope of the regulation. Nor do we interpret section 1179 to support an exemption for disclosures to financial institutions from the minimum necessary provisions of this regulation.

Comment: One commenter recommended that HHS include a definition of ‘‘entity’’ in the final rule because HIPAA did not define it. The commenter explained that in a modern health care environment, the organization acting as the health plan or health care provider may involve many interrelated corporate entities and that this could lead to difficulties in determining what ‘‘entities’’ are actually subject to the regulation.

Response: We reject the commenter’s suggestion. We believe it is clear in the final rule that the entities subject to the regulation are those listed at § 160.102. However, we acknowledge that how the rule applies to integrated or other complex health systems needs to be addressed; we have done so in § 164.504 and in other provisions, such as those addressing organized health care arrangements.

Comment: The preamble should clarify that self-insured group health and workmen’s compensation plans are not covered entities or business partners.

Response: In the preamble to the proposed rule we stated that certain types of insurance entities, such as workers’ compensation, would not be covered entities under the rule. We do not change this position in this final rule. The statutory definition of health plan does not include workers’ compensation products, and the regulatory definition of the term specifically excludes them. However, HIPAA specifically includes most group health plans within the definition of ‘‘health plan.’’

Comment: A health insurance issuer asserted that health insurers and third party administrators are usually required by employers to submit reports describing the volume, amount, payee, basis for services rendered, types of claims paid and services for which payment was requested on behalf of its covered employees. They recommended that the rule permit the disclosure of protected health information for such purposes.

Response: We agree that health plans should be able to disclose protected health information to employers sponsoring health plans under certain circumstances. Section 164.504(f) explains the conditions under which protected health information may be disclosed to plan sponsors. We believe that this provision gives sponsors access to the information they need, but protects individuals’ information to the extent possible under our legislative authority.

Group Health Plan

For response to comments relating to ‘‘group health plan,’’ see the response to comments on ‘‘health plan’’ below and the response to comments on § 164.504.

Health Care

Comment: A number of commenters asked that we include disease management activities and other similar health improvement programs, such as preventive medicine, health education services and maintenance, health and case management, and risk assessment, in the definition of ‘‘health care.’’ Commenters maintained that the rule should avoid limiting technological advances and new health care trends intended to improve patient ‘‘health care.’’

Response: Review of these and other comments, and our fact-finding, indicate that there are multiple, different understandings of the definition of these terms. Therefore, rather than create a blanket rule that includes such terms in or excludes such terms from the definition of ‘‘health care,’’ we define health care based on the underlying activities that constitute health care. The activities described by these commenters are considered ‘‘health care’’ under this rule to the extent that they meet this functional definition. Listing activities by label or title would create the risk that important activities would be left out and, given the lack of consensus on what these terms mean, could also create confusion.

Comment: Several commenters urged that the Department clarify that the activities necessary to procure and distribute eyes and eye tissue will not be hampered by the rule. Some of these commenters explicitly requested that we include ‘‘eyes and eye tissue’’ in the list of procurement biologicals as well as ‘‘eye procurement’’ in the definition of ‘‘health care.’’ In addition, it was argued that ‘‘administration to patients’’ be excluded in the absence of a clear definition. Also, commenters recommended that the definition include other activities associated with the transplantation of organs, such as processing, screening, and distribution.

Response: We delete from the definition of ‘‘health care’’ activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients. We do so because persons who make such donations are not seeking to be treated, diagnosed, or assessed or otherwise seeking health care for themselves, but are seeking to contribute to the health care of others. In addition, the nature of

these activities entails a unique kind of information sharing and tracking necessary to safeguard the nation’s organ and blood supply, and those seeking to donate are aware that this information sharing will occur. Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.

With respect to disclosure of protected health information by covered entities to facilitate cadaveric organ and tissue donation, the final rule explicitly permits a covered entity to disclose protected health information without authorization, consent, or agreement to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h). We do not include blood or sperm banking in this provision because, for those activities, there is direct contact with the donor, and thus opportunity to obtain the individual’s authorization.

Comment: A large number of commenters urged that the term ‘‘assessment’’ be included in the list of services in the definition, as ‘‘assessment’’ is used to determine the baseline health status of an individual. It was explained that assessments are conducted in the initial step of diagnosis and treatment of a patient. If assessment is not included in the list of services, they pointed out that the services provided by occupational health nurses and employee health information may not be covered.

Response: We agree and have added the term ‘‘assessment’’ to the definition to clarify that this activity is considered ‘‘health care’’ for the purposes of the rule.

Comment: One commenter asked that we revise the definition to explicitly exclude plasmapheresis from paragraph (3) of the definition. It was explained that plasmapheresis centers do not have direct access to health care recipients or their health information, and that the limited health information collected about plasma donors is not used to provide health care services as indicated by the definition of health care.

Response: We address the commenters’ concerns by removing the provision related to procurement and banking of human products from the definition.

Health Care Clearinghouse

Comment: The largest set of comments relating to health care clearinghouses focused on our proposal to exempt health care clearinghouses from the patient notice and access rights provisions of the regulation. In our NPRM, we proposed to exempt health care clearinghouses from certain provisions of the regulation that deal with the covered entities’ notice of information practices and consumers’ rights to inspect, copy, and amend their records. The rationale for this exemption was based on our belief that health care clearinghouses engage primarily in business-to-business transactions and do not initiate or maintain direct relationships with individuals. We proposed this position with the caveat that the exemptions would be void for any health care clearinghouse that had direct contact with individuals in a capacity other than that of a business partner. In addition, we indicated that, in most instances, clearinghouses also would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. They also would be subject to the notice of information practices developed by the plans and providers with whom they contract.

Commenters stated that, although health care clearinghouses do not have direct contact with individuals, they do have individually identifiable health information that may be subject to misuse or inappropriate disclosure. They expressed concern that we were proposing to exempt health care clearinghouses from all or many aspects of the regulation. These commenters suggested that we either delete the exemption or make it very narrow, specific and explicit in the final regulatory text.

Clearinghouse commenters, on the other hand, were in agreement with our proposal, including the exemption provision and the provision that the exemption is voided when the entity does have direct contact with individuals. They also stated that a health care clearinghouse that has a direct contact with individuals is no longer a health care clearinghouse as defined and should be subject to all requirements of the regulation.

Response: In the final rule, where a clearinghouse creates or receives protected health information as a business associate of another covered entity, we maintain the exemption for health care clearinghouses from certain provisions of the regulation dealing with the notice of information practices and patient’s direct access rights to inspect, copy and amend records (§§ 164.524 and 164.526), on the grounds that a health care clearinghouse is engaged in business-to-business operations, and is not dealing directly with individuals. Moreover, as business associates of plans and providers, health care clearinghouses are bound by the notices of information practices of the covered entities with whom they contract.

Where a health care clearinghouse creates or receives protected health information other than as a business associate, however, it must comply with all the standards, requirements, and implementation specifications of the rule. We describe and delimit the exact nature of the exemption in the regulatory text. See § 164.500(b). We will monitor developments in this sector should the basic business-to-business relationship change.

Comment: A number of comments relate to the proposed definition of health care clearinghouse. Many commenters suggested that we expand the definition. They suggested that additional types of entities be included in the definition of health care clearinghouse, specifically medical transcription services, billing services, coding services, and ‘‘intermediaries.’’ One commenter suggested that the definition be expanded to add entities that receive standard transactions, process them and clean them up, and then send them on, without converting them to any standard format. Another commenter suggested that the health care clearinghouse definition be expanded to include entities that do not perform translation but may receive protected health information in a standard format and have access to that information. Another commenter stated that the list of covered entities should include any organization that receives or maintains individually identifiable health information. One organization recommended that we expand the health care clearinghouse definition to include the concept of a research data clearinghouse, which would collect individually identifiable health information from other covered entities to generate research data files for release as de-identified data or with appropriate confidentiality safeguards. One commenter stated that HHS had gone beyond Congressional intent by including billing services in the definition.

Response: We cannot expand the definition of ‘‘health care clearinghouse’’ to cover entities not covered by the definition of this term in the statute. In the final regulation, we

make a number of changes to address public comments relating to the definition. We modify the definition of health care clearinghouse to conform to the definition published in the Transactions Rule (with the addition of a few words, as noted above). We clarify in the preamble that, while the term ‘‘health care clearinghouse’’ may have other meanings and connotations in other contexts, for purposes of this regulation an entity is considered a health care clearinghouse only to the extent that it actually meets the criteria in our definition. Entities performing other functions but not meeting the criteria for a health care clearinghouse are not clearinghouses, although they may be business associates. Billing services are included in the regulatory definition of ‘‘health care clearinghouse,’’ if they perform the specified clearinghouse functions. Although we have not added or deleted any entities from our original definition, we will monitor industry practices and may add other entities in the future as changes occur in the health system.

Comment: Several commenters suggested that we clarify that an entity acting solely as a conduit through which individually identifiable health information is transmitted or through which protected health information flows but is not stored is not a covered entity, e.g., a telephone company or Internet Service Provider. Other commenters indicated that once a transaction leaves a provider or plan electronically, it may flow through several entities before reaching a clearinghouse. They asked that the regulation protect the information in that interim stage, just as the security NPRM established a chain of trust arrangement for such a network. Others noted that these ‘‘conduit’’ entities are likely to be business partners of the provider, clearinghouse or plan, and we should clarify that they are subject to business partner obligations as in the proposed Security Rule.

Response: We clarify that entities acting as simple and routine communications conduits and carriers of information, such as telephone companies and Internet Service Providers, are not clearinghouses as defined in the rule unless they carry out the functions outlined in our definition. Similarly, we clarify that value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition, and clarify that such entities may be business associates if they meet the definition in the regulation.

Comment: Several commenters, including the large clearinghouses and their trade associations, suggested that we not treat health care clearinghouses as playing a dual role as covered entity and business partner in the final rule because such a dual role causes confusion as to which rules actually apply to clearinghouses. In their view, the definition of health care clearinghouse is sufficiently clear to stand alone and identify a health care clearinghouse as a covered entity, and allows health care clearinghouses to operate under one consistent set of rules.

Response: For reasons explained in § 164.504 of this preamble, we do not create an exception to the business associate requirements when the business associate is also a covered entity. We retain the concept that a health care clearinghouse may be a covered entity and a business associate of a covered entity under the regulation. As business associates, they would be bound by their contracts with covered plans and providers.

Health Care Provider

Comment: One commenter pointed out that the preamble referred to the obligations of providers and did not use the term, ‘‘covered entity,’’ and thus created ambiguity about the obligations of health care providers who may be employed by persons other than covered entities, e.g., pharmaceutical companies. It was suggested that a better reading of the statute and rule is that where neither the provider nor the company is a covered entity, the rule does not impose an obligation on either the provider-employee or the employer.

Response: We agree. We use the term ‘‘covered entity’’ whenever possible in the final rule, except for the instances where the final rule treats the entities differently, or where use of the term ‘‘health care provider’’ is necessary for purposes of illustrating an example.

Comment: Several commenters stated that the proposal’s definition was broad, unclear, and/or confusing. Further, we received many comments requesting clarification as to whether specific entities or persons were ‘‘health care providers’’ for the purposes of our rule. One commenter questioned whether affiliated members of a health care group (even though separate legal entities) would be considered as one primary health care provider.

Response: We permit legally distinct covered entities that share common ownership or control to designate themselves together to be a single covered entity. Such organizations may promulgate a single shared notice of information practices and a consent form. For more detailed information, see the preamble discussion of § 164.504(d).

We understand the need for additional guidance on whether specific entities or persons are health care providers under the final rule. We provide guidance below and will provide additional guidance as the rule is implemented.

Comment: One commenter observed that sections 1171(3), 1861(s) and 1861(u) of the Act do not include pharmacists in the definition of health care provider or pharmacist services in the definition of ‘‘medical or other health services,’’ and questioned whether pharmacists were covered by the rule.

Response: The statutory definition of ‘‘health care provider’’ at section 1171(3) includes ‘‘any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.’’ Pharmacists’ services are clearly within this statutory definition of ‘‘health care.’’ There is no basis for excluding pharmacists who meet these statutory criteria from this regulation.

Comment: Some commenters recommended that the scope of the definition be broadened or clarified to cover additional persons or organizations. Several commenters argued for expanding the reach of the health care provider definition to cover entities such as state and local public health agencies, maternity support services (provided by nutritionists, social workers, and public health nurses and the Special Supplemental Nutrition Program for Women, Infants and Children), and those companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies. One commenter queried whether auxiliary providers such as child play therapists, and speech and language therapists are considered to be health care providers. Other commenters questioned whether ‘‘alternative’’ or ‘‘complementary’’ providers, such as naturopathic physicians and acupuncturists would be considered health care providers covered by the rule.

Response: As with other aspects of this rule, we do not define ‘‘health care provider’’ based on the title or label of the professional. The professional activities of these kinds of providers vary; a person is a ‘‘health care provider’’ if those activities are consistent with the rule’s definition of ‘‘health care provider.’’ Thus, health care providers include persons, such as those noted by the commenters, to the extent that they meet the definition. We note that health care providers are only

subject to this rule if they conduct certain transactions. See the definition of ‘‘covered entity.’’

However, companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies are not health care providers for the purposes of this rule unless they perform other functions that meet the definition. These entities would be business associates if they perform such activities on behalf of a covered entity.

Comment: Another commenter recommended that the Secretary expand the definition of health care provider to cover health care providers who transmit or ‘‘or receive’’ any health care information in electronic form.

Response: We do not accept this suggestion. Section 1172(a)(3) states that providers that ‘‘transmit’’ health information in connection with one of the HIPAA transactions are covered, but does not use the term ‘‘receive’’ or a similar term.

Comment: Some comments related to online companies as health care providers and covered entities. One commenter argued that there was no reason ‘‘why an Internet pharmacy should not also be covered’’ by the rule as a health care provider. Another commenter stated that online health care service and content companies, including online medical record companies, should be covered by the definition of health care provider. Another commenter pointed out that the definitions of covered entities cover ‘‘Internet providers who ‘bill’ or are ‘paid’ for health care services or supplies, but not those who finance those services in other ways, such as through sale of identifiable health information or advertising.’’ It was pointed out that thousands of Internet sites use information provided by individuals who access the sites for marketing or other purposes.

Response: We agree that online companies are covered entities under the rule if they otherwise meet the definition of health care provider or health plan and satisfy the other requirements of the rule, i.e., providers must also transmit health information in electronic form in connection with a HIPAA transaction. We restate here the language in the preamble to the proposed rule that ‘‘An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as * * * an ‘‘online’’ pharmacy accessible on the Internet, is also a health care provider for purposes of this statute’’ (64 FR 59930).

Comment: We received many comments related to the reference to ‘‘health clinic or licensed health care professional located at a school or business in the preamble’s discussion of ‘‘health care provider.’’ It was stated that including ‘‘licensed health care professionals located at a school or business’’ highlights the need for these individuals to understand they have the authority to disclose information to the Social Security Administration (SSA) without authorization.

However, several commenters urged HHS to create an exception for or delete that reference in the preamble discussion to primary and secondary schools because of employer or business partner relationships. One federal agency suggested that the reference ‘‘licensed health care professionals located at a [school]’’ be deleted from the preamble because the definition of health care provider does not include a reference to schools. The commenter also suggested that the Secretary consider: adding language to the preamble to clarify that the rules do not apply to clinics or school health care providers that only maintain records that have been excepted from the definition of protected health information, adding an exception to the definition of covered entities for those schools, and limiting paperwork requirements for these schools. Another commenter argued for deleting references to schools because the proposed rule appeared to supersede or create ambiguity as to the Family Educational Rights and Privacy Act (FERPA), which gives parents the right to access ‘‘education’’ and health records of their unemancipated minor children. However, in contrast, one commenter supported the inclusion of health care professionals who provide services at schools or businesses.

Response: We realize that our discussion of schools in the NPRM may have been confusing. Therefore, we address these concerns and set forth our policy regarding protected health information in educational agencies and institutions in the ‘‘Relationship to Other Federal Laws’’ discussion of FERPA, above.

Comment: Many commenters urged that direct contact with the patient be necessary for an entity to be considered a health care provider. Commenters suggested that persons and organizations that are remote to the patient and have no direct contact should not be considered health care providers. Several commenters argued that the definition of health care provider covers a person that provides health care services or supplies only when the provider furnishes to or bills the patient directly. It was stated that the Secretary did not intend that manufacturers, such as pharmaceutical, biologics, and device manufacturers, health care suppliers, medical-surgical supply distributors, health care vendors that offer medical record documentation templates and that typically do not deal directly with the patient, be considered health care providers and thus covered entities. However, in contrast, one commenter argued that, as an in vitro diagnostics manufacturer, it should be covered as a health care provider.

Response: We disagree with the comments that urged that direct dealings with an individual be a prerequisite to meeting the definition of health care provider. Many providers included in the statutory definition of provider, such as clinical labs, do not have direct contact with patients. Further, the use and disclosure of protected health information by indirect treatment providers can have a significant effect on individuals’ privacy. We acknowledge, however, that providers who treat patients only indirectly need not have the full array of responsibilities as direct treatment providers, and modify the NPRM to make this distinction with respect to several provisions (see, for example, § 164.506 regarding consent). We also clarify that manufacturers and health care suppliers who are considered providers by Medicare are providers under this rule.

Comment: Some commenters suggested that blood centers and plasma donor centers that collect and distribute source plasma not be considered covered health care providers because the centers do not provide ‘‘health care services’’ and the blood donors are not ‘‘patients’’ seeking health care. Similarly, commenters expressed concern that organ procurement organizations might be considered health care providers.

Response: We agree and have deleted from the definition of ‘‘health care’’ the term ‘‘procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.’’ See prior discussion under ‘‘health care.’’

Comment: Several commenters proposed to restrict coverage to only those providers who furnished and were paid for services and supplies. It was argued that a salaried employee of a covered entity, such as a hospital-based provider, should not be covered by the rule because that provider would be subject both directly to the rule as a covered entity and indirectly as an employee of a covered entity.

Response: The ‘‘dual’’ direct and indirect situation described in these comments can arise only when a health

care provider conducts standard HIPAA transactions both for itself and for its employer. For example, when the services of a provider such as a hospital-based physician are billed through a standard HIPAA transaction conducted for the employer, in this example the hospital, the physician does not become a covered provider. Only when the provider uses a standard transaction on its own behalf does he or she become a covered health care provider. Thus, the result is typically as suggested by this commenter. When a hospital-based provider is not paid directly, that is, when the standard HIPAA transaction is not on its behalf, it will not become a covered provider.

Comment: Other commenters argued that an employer who provides health care services to its employees for whom it neither bills the employee nor pays for the health care should not be considered health care providers covered by the proposed rule.

Response: We clarify that the employer may be a health care provider under the rule, and may be covered by the rule if it conducts standard transactions. The provisions of § 164.504 may also apply.

Comment: Some commenters were confused about the preamble statement: ‘‘in order to implement the principles in the Secretary’s Recommendations, we must impose any protections on the health care providers that use and disclose the information, rather than on

standard transactions, that researcher/provider is subject to the rule with regard to its provider activities.

As to applicability to a researcher/provider versus the researcher’s home institution, we provide the following guidance. The rule applies to the researcher as a covered entity if the researcher is a health care provider who conducts standard transactions for services on his or her own behalf, regardless of whether he or she is part of a larger organization. However, if the services and transactions are conducted on behalf of the home institution, then the home institution is the covered entity for purposes of the rule and the researcher/provider is a workforce member, not a covered entity.

Comment: One commenter expressed confusion about those instances when a health care provider was a covered entity one day, and one who ‘‘works under a contract’’ for a manufacturer the next day.

Response: If persons are covered under the rule in one role, they are not necessarily covered entities when they participate in other activities in another role. For example, that person could be a covered health care provider in a hospital one day but the next day read research records for a different employer. In its role as researcher, the person is not covered, and protections do not apply to those research records.

Comment: One commenter suggested that the Secretary modify proposed

Comment: Several commenters sought to distinguish a health care provider from a business partner as proposed in the NPRM. For example, a number of commenters argued that disease managers that provide services ‘‘on behalf of’’ health plans and health care providers, and case managers (a variation of a disease management service) are business partners and not ‘‘health care providers.’’ Another commenter argued that a disease manager should be recognized (presumably as a covered entity) because of its involvement from the physician-patient level through complex interactions with health care providers.

Response: To the extent that a disease or case manager provides services on behalf of or to a covered entity as described in the rule’s definition of business associate, the disease or case manager is a business associate for purposes of this rule. However, if services provided by the disease or case manager meet the definition of treatment and the person otherwise meets the definition of ‘‘health care provider,’’ such a person is a health care provider for purposes of this rule.

Comment: One commenter argued that pharmacy employees who assist pharmacists, such as technicians and cashiers, are not business partners.

Response: We agree. Employees of a pharmacy that is a covered entity are
the researcher seeking the information,’’ § 160.102, to add the following clause at workforce members of that covered
with respect to the rule’s policy that a the end (after (c)) (regarding health care entity for purposes of this rule.
researcher who provides care to subjects provider), ‘‘With respect to any entity Comment: A number of commenters
in a trial will be considered a health whose primary business is not that of a requested that we clarify the definition
care provider. Some commenters were health plan or health care provider of health care provider (‘‘* * * who
also unclear about whether the licensed under the applicable laws of furnishes, bills, or is paid for health care
individual researcher providing health any state, the standards, requirements, services or supplies in the normal
care to subjects in a trial would be and implementation specifications of course of business’’) by defining the
considered a health care provider or this subchapter shall apply solely to the various terms ‘‘furnish’’, ‘‘supply’’, and
whether the researcher’s home component of the entity that engages in ‘‘in the normal course of business.’’ For
institution would be considered a health the transactions specified in [§] instance, it was stated that this would
care provider and thus subject to the 160.103.’’ (Emphasis added.) Another help employers recognize when services
rule. commenter also suggested that the such as an employee assistance program
Response: We clarify that, in general, definition of ‘‘covered entity’’ be revised constituted health care covered by the
a researcher is also a health care to mean entities that are ‘‘primarily or
rule.
provider if the researcher provides exclusively engaged in health care-
health care to subjects in a clinical related activities as a health plan, health Response: Although we understand
research study and otherwise meets the care provider, or health care the concern expressed by the
definition of ‘‘health care provider’’ clearinghouse.’’ commenters, we decline to follow their
under the rule. However, a health care Response: The Secretary rejects these suggestion to define terms at this level
provider is only a covered entity and suggestions because they will of specificity. These terms are in
subject to the rule if that provider impermissibly limit the entities covered common use today, and an attempt at
conducts standard transactions. With by the rule. An entity that is a health specific definition would risk the
respect to the above preamble statement, plan, health care provider, or health inadvertent creations of conflict with
we meant that our jurisdiction under the care clearinghouse meets the statutory industry practices. There is a significant
statute is limited to covered entities. definition of covered entity regardless of variation in the way employers structure
Therefore, we cannot apply any how much time is devoted to carrying their employee assistance programs
restrictions or requirements on a out health care-related functions, or (EAPs) and the type of services that they
researcher in that person’s role as a regardless of what percentage of their provide. If the EAP provides direct
researcher. However, if a researcher is total business applies to health care- treatment to individuals, it may be a
also a health care provider that conducts related functions. health care provider.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00115 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82576 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Health Information

The response to comments on health information is included in the response to comments on individually identifiable health information, in the preamble discussion of § 164.501.

Health Plan

Comment: One commenter suggested that to eliminate any ambiguity, the Secretary should clarify that the catch-all category under the definition of health plan includes “24-hour coverage plans” (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers’ compensation coverage for the treatment of on-the-job injuries and illnesses under one program. It was stated that this clarification was essential if the Secretary persisted in excluding workers’ compensation from the final rule.

Response: We understand concerns that such plans may use and disclose individually identifiable health information. We therefore clarify that to the extent that 24-hour coverage plans have a health care component that meets the definition of “health plan” in the final rule, such components must abide by the provisions of the final rule. In the final rule, we have added a new provision to § 164.512 that permits covered entities to disclose information under workers’ compensation and similar laws. A health plan that is a 24-hour plan is permitted to make disclosures as necessary to comply with such laws.

Comment: A number of commenters urged that certain types of insurance entities, such as workers’ compensation and automobile insurance carriers, property and casualty insurance health plans, and certain forms of limited benefits coverage, be included in the definition of “health plan.” It was argued that consumers deserve the same protection with respect to their health information, regardless of the entity using it, and that it would be inequitable to subject health insurance carriers to more stringent standards than other types of insurers that use individually identifiable health information.

Response: The Congress did not include these programs in the definition of a “health plan” under section 1171 of the Act. Further, HIPAA’s legislative history shows that the House Report’s (H. Rep. 104–496) definition of “health plan” originally included certain benefit programs, such as workers’ compensation and liability insurance, but was later amended to clarify the definition and remove these programs. Thus, since the statutory definition of a health plan both on its face and through legislative history evidences Congress’ intention to exclude such programs, we do not have the authority to require that these programs comply with the standards. We have added explicit language to the final rule which excludes the excepted benefit programs, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urged HHS to include entities such as stop loss insurers and reinsurers in the definition of “health plan.” It was observed that such entities have come to play important roles in managed care delivery systems. They asserted that increasingly, capitated health plans and providers contract with their reinsurers and stop loss carriers to medically manage their high cost outlier cases such as organ and bone marrow transplants, and therefore should be specifically cited as subject to the regulations.

Response: Stop-loss and reinsurers do not meet the statutory definition of health plan. They do not provide or pay for the costs of medical care, as described in the statute, but rather insure health plans and providers against unexpected losses. Therefore, we cannot include them as health plans in the regulation.

Comment: A commenter asserted that there is a significant discrepancy between the effect of the definition of “group health plan” as proposed in § 160.103, and the anticipated impact in the cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of the proposed definition of “health plan” defined a “group health plan” as an ERISA-defined employee welfare benefit plan that provides medical care and that: “(i) Has 50 or more participants, or (ii) Is administered by an entity other than the employer that established and maintains the plan[.]” (emphasis added) According to this commenter, under this definition, the only insured or self-insured ERISA plans that would not be regulated “health plans” would be those that have less than 50 participants and are self administered.

The commenter presumed that we had intended to exclude from the definition of “health plan” (and from coverage under the proposed rule) all ERISA plans that are small (less than 50 participants) or are administered by a third party, whether large or small, based on the statement at 64 FR 60014, note 18. That footnote stated that the Department had “not included the 3.9 million ‘other’ employer-health plans listed in HCFA’s administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plan.” The commenter urged us not to repeat the statutory definition, and to adopt the policy implied in the footnote.

Response: We agree with the commenter’s observation that footnote 18 (64 FR 60014) was inconsistent with the proposed definition. We erred in drafting that note. The definition of “group health plan” is adopted from the statutory definition at section 1171(5)(A), and excludes from the rule as “health plans” only the few insured or self-insured ERISA plans that have less than 50 participants and are self administered. We reject the commenter’s proposed change to the definition as inconsistent with the statute.

Comment: A number of insurance companies asked that long term care insurance policies be excluded from the definition of “health plan.” It was argued that such policies do not provide sufficiently comprehensive coverage of the cost of medical care, and are limited benefit plans that provide or pay for the cost of custodial and other related services in connection with a long term, chronic illness or disability.

These commenters asserted that HIPAA recognizes this nature of long term care insurance, observing that, with respect to HIPAA’s portability requirements, Congress enacted a series of exclusions for certain defined types of health plan arrangements that do not typically provide comprehensive coverage. They maintained that Congress recognized that long term care insurance is excluded, so long as it is not a part of a group health plan. Where a long term care policy is offered separately from a group health plan it is considered an excepted benefit and is not subject to the portability and guarantee issue requirements of HIPAA. Although this exception does not appear in the Administrative Simplification provisions of HIPAA, it was asserted that it is guidance with respect to the treatment of long term care insurance as a limited benefit coverage and not as coverage that is so “sufficiently comprehensive” that it is to be treated in the same manner as a typical, comprehensive major medical health plan arrangement.

Another commenter offered a different perspective observing that there are some long-term care policies—that do not pay for medical care and therefore are not “health plans.” It was noted that most long-term care policies are reimbursement policies—that is,
they reimburse the policyholder for the actual expenses that the insured incurs for long-term care services. To the extent that these constitute “medical care,” this commenter presumed that these policies would be considered “health plans.” Other long-term care policies, they pointed out, simply pay a fixed dollar amount when the insured becomes chronically ill, without regard to the actual cost of any long-term care services received, and thus are similar to fixed indemnity critical illness policies. The commenter suggested that while there was an important distinction between indemnity based long-term care policies and expenses based long-term care policies, it may be wise to exclude all long-term care policies from the scope of the rule to achieve consistency with HIPAA.

Response: We disagree. The statutory language regarding long-term care policies in the portability title of HIPAA is different from the statutory language regarding long-term care policies in the Administrative Simplification title of HIPAA. Section 1171(5)(G) of the Act means that issuers of long-term care policies are considered health plans for purposes of administrative simplification. We also interpret the statute as authorizing the Secretary to exclude nursing home fixed-indemnity policies, not all long-term care policies, from the definition of “health plan,” if she determines that these policies do not provide “sufficiently comprehensive coverage of a benefit” to be treated as a health plan (see section 1171 of the Act). We interpret the term “comprehensive” to refer to the breadth or scope of coverage of a policy. “Comprehensive” policies are those that cover a range of possible service options. Since nursing home fixed indemnity policies are, by their own terms, limited to payments made solely for nursing facility care, we have determined that they should not be included as health plans for the purposes of the HIPAA regulations. The Secretary, therefore, explicitly excluded nursing home fixed-indemnity policies from the definition of “health plan” in the Transactions Rule, and this exclusion is thus reflected in this final rule. Issuers of other long-term care policies are considered to be health plans under this rule and the Transactions Rule.

Comment: One commenter was concerned about the potential impact of the proposed regulations on “unfunded health plans,” which the commenter described as programs used by smaller companies to provide their associates with special employee discounts or other membership incentives so that they can obtain health care, including prescription drugs, at reduced prices. The commenter asserted that if these discount and membership incentive programs were covered by the regulation, many smaller employers might discontinue offering them to their employees, rather than deal with the administrative burdens and costs of complying with the rule.

Response: Only those special employee discounts or membership incentives that are “employee welfare benefit plans” as defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1), and provide “medical care” (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for the purposes of this rule. Discount or membership incentive programs that are not group health plans are not covered by the rule.

Comment: Several commenters agreed with the proposal to exclude “excepted benefits” such as disability income insurance policies, fixed indemnity critical illness policies, and per diem long-term care policies from the definition of “health plan,” but were concerned that the language of the proposed rule did not fully reflect this intent. They asserted that clarification was necessary in order to avoid confusion and costs to both consumers and insurers.

One commenter stated that, while HHS did not intend for the rule to apply to every type of insurance coverage that paid for medical care, the language of the proposed rule did not bear this out. The problem, it was asserted, is that under the proposed rule any insurance policy that pays for “medical care” would technically be a “health plan.” It was argued that despite the statements in the narrative, there are no provisions that would exempt any of the “excepted benefits” from the definition of “health care.” It was stated that:

Although (with the exception of long-term care insurance), the proposed rule does not include the ‘excepted benefits’ in its list of sixteen examples of a health plan (proposed 45 CFR 160.104), it does not explicitly exclude them either. Because these types of policies in some instances pay benefits that could be construed as payments for medical care, we are concerned by the fact that they are not explicitly excluded from the definition of ‘health plan’ or the requirements of the proposed rule.”

Several commenters proposed that HHS adopt the same list of “excepted benefits” contained in 29 U.S.C. 1191b, suggesting that they could be adopted either as exceptions to the definition of “health plan” or as exceptions to the requirements imposed on “health plans.” They asserted that this would promote consistency in the federal regulatory structure for health plans.

It was suggested that HHS clarify whether the definition of health plan, particularly the “group health plan” and “health insurance issuer” components, includes a disability plan or disability insurer. It was noted that a disability plan or disability insurer may cover only income lost from disability and, as mentioned above, some rehabilitation services, or a combination of lost income, rehabilitation services and medical care. The commenter suggested that in addressing this coverage issue, it may be useful to refer to the definitions of group health plan, health insurance issuer and medical care set forth in Part I of HIPAA, which the statutory provisions of the Administrative Simplification subtitle expressly reference. See 42 U.S.C. 1320d(5)(A) and (B).

Response: We agree that the NPRM may have been ambiguous regarding the types of plans the rule covers. To remedy this confusion, we have added language that specifically excludes from the definition any policy, plan, or program providing or paying the cost of the excepted benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg–91(c)(1). As defined in the statute, this includes but is not limited to benefits under one or more (or any combination thereof) of the following: coverage only for accident, or disability income insurance, or any combination thereof; liability insurance, including general liability insurance and automobile liability insurance; and workers’ compensation or similar insurance.

However, the other excepted benefits as defined in section 2971(c)(2) of the PHS Act, 42 U.S.C. 300gg–91(c)(2), such as limited scope dental or vision benefits, not explicitly excepted from the regulation could be considered “health plans” under paragraph (1)(xvii) of the definition of “health plan” in the final rule if and to the extent that they meet the criteria for the definition of “health plan.” Such plans, unlike the programs and plans listed at section 2971(c)(1), directly and exclusively provide health insurance, even if limited in scope.

Comment: One commenter recommended that the Secretary clarify that “health plan” does not include property and casualty benefit providers. The commenter stated that the clarifying language is needed given the “catchall” category of entities defined as “any other individual plan or group health plan, or combination thereof, that
provides or pays for the cost of medical care,” and asserted that absent clarification there could be serious confusion as to whether property and casualty benefit providers are “health plans” under the rule.

Response: We agree and as described above have added language to the final rule to clarify that the “excepted benefits” as defined under 42 U.S.C. 300gg–91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for the purposes of this rule.

Comment: Some commenters recommended that the Secretary replace the term “medical care” with “health care.” It was observed that “health care” was defined in the proposal, and that this definition was used to define what a health care provider does. However, they observed that the definition of “health plan” refers to the provision of or payment for “medical care,” which is not defined. Another commenter recommended that HHS add the parenthetical phrase “as such term is defined in section 2791 of the Public Health Service Act” after the phrase “medical care.”

Response: We disagree with the first recommendation. We understand that the term “medical care” can be easily confused with the term “health care.” However, the two terms are not synonymous. The term “medical care” is a statutorily defined term and its use is critical in making a determination as to whether a health plan is considered a “health plan” for purposes of administrative simplification. In addition, since the term “medical care” is used in the regulation only in the context of the definition of “health plan” and we believe that its inclusion in the regulatory text may cause confusion, we did not add a definition of “medical care” in the final rule. However, consistent with the second recommendation above, the statutory cite for “medical care” was added to the definition of “health plan” in the Transactions Rule, and thus is reflected in this final rule.

Comment: A number of commenters urged that the Secretary define more narrowly what characteristics would make a government program that pays for specific health care services a “health plan.” Commenters argued that there are many “payment” programs that should not be included, as discussed below, and that if no distinctions were made, “health plan” would mean the same as “purchaser” or even “payor.”

Commenters asserted that there are a number of state programs that pay for “health care” (as defined in the rule) but that are not health plans. They said that examples include the WIC program (Special Supplemental Nutrition Program for Women, Infants, and Children) which pays for nutritional assessment and counseling, among other services; the AIDS Client Services Program (including AIDS prescription drug payment) under the federal Ryan White Care Act and state law; the distribution of federal family planning funds under Title X of the Public Health Services Act; and the breast and cervical health program which pays for cancer screening in targeted populations. Commenters argued that these are not insurance plans and do not fall within the “health plan” definition’s list of examples, all of which are either insurance or broad-scope programs of care under a contract or statutory entitlement. However, paragraph (16) in that list opens the door to broader interpretation through the catchall phrase, “any other individual or group plan that provides or pays for the cost of medical care.” Commenters assert that clarification is needed.

A few commenters stated that other state agencies often work in partnership with the state Medicaid program to implement certain Medicaid benefits, such as maternity support services and prenatal genetics screening. They concluded that while this probably makes parts of the agency the “business partner” of a covered entity, they were uncertain whether it also makes the same agency parts a “health plan” as well.

Response: We agree with the commenters that clarification is needed as to the rule’s application to government programs that pay for health care services. Accordingly, in the final rule we have excepted from the definition of “health plan” a government funded program which does not have as its principal purpose the provision of, or payment for, the cost of health care or which has as its principal purpose the provision, either directly or by grant, of health care. For example, the principal purpose of the WIC program is not to provide or pay for the cost of health care, and thus, the WIC program is not a health plan for purposes of this rule. The program of health care services for individuals detained by the INS provides health care directly, and so is not a health plan. Similarly, the family planning program authorized by Title X of the Public Health Service Act pays for care exclusively through grants, and so is not a health plan under this rule. These programs (the grantees under the Title X program) may be or include health care providers and may be covered entities if they conduct standard transactions.

We further clarify that, where a public program meets the definition of “health plan,” the government agency that administers the program is the covered entity. Where two agencies administer a program jointly, they are both a health plan. For example, both the Health Care Financing Administration and the insurers that offer a Medicare+Choice plan are “health plans” with respect to Medicare beneficiaries. An agency that does not administer a program but which provides services for such a program is not a covered entity by virtue of providing such services. Whether an agency providing services is a business associate of the covered entity depends on whether its functions for the covered entity meet the definition of business associate in § 164.501 and, in the example described by this comment, in particular on whether the arrangement falls into the exception in § 164.504(e)(1)(ii)(C) for government agencies that collect eligibility or enrollment information for covered government programs.

Comment: Some commenters expressed support for retaining the category in paragraph (16) of the proposal’s definition: “Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.” Others asked that the Secretary clarify this category. One commenter urged that the final rule clearly define which plans would meet the criteria for this category.

Response: As described in the proposed rule, this category implements the language at the beginning of the statutory definition of the term “health plan”: “The term ‘health plan’ means an individual or group plan that provides, or pays the cost of, medical care * * * Such term includes the following, and any combination thereof * * *” This statutory language is general, not specific, and as such, we are leaving it general in the final rule. However, as described above, we add explicit language which excludes certain “excepted benefits” from the definition of “health plan” in an effort to clarify which plans are not health plans for the purposes of this rule. Therefore, to the extent that a certain benefits plan or program otherwise meets the definition of “health plan” and is not explicitly excepted, that program or plan is considered a “health plan” under paragraph (1)(xvii) of the final rule.

Comment: A commenter explained that HIPAA defines a group health plan by expressly cross-referencing the statutory sections in the PHS Act and the Employee Retirement Income
Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the terms “group health plan,” “employee welfare benefit plan” and “participant.” See 29 U.S.C. 1002(1) (definition of “employee welfare benefit plan,” which is the core of the definition of group health plan under both ERISA and the PHS Act); 29 U.S.C. 1002(7) (definition of participant); 29 U.S.C. 1193(a) (definition of “group health plan,” which is identical to that in section 2791(a) of the PHS Act).

It was pointed out that the preamble and the text of the proposed rule both limit the definition of all three terms to their current definitions. The commenter reasoned that since the ERISA definitions may change over time through statutory amendment, Department of Labor regulations or judicial interpretation, it would not be clear what point in time is to be considered current. Therefore, they suggested deleting references to “current” or “currently” in the preamble and in the regulation with respect to these three ERISA definitions.

In addition, the commenter stated that as the preamble to the NPRM correctly reflected, HIPAA expressly cross-references ERISA’s definition of “participant” in section 3(7) of ERISA, 29 U.S.C. 1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, however, omits this cross-reference. It was suggested that the reference to section 3(7) of ERISA, defining “participant,” be included in the regulation.

Finally, HIPAA incorporates the definition of a group health plan as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg–91(a)(1). That definition refers to the provision of medical care “directly or through insurance, reimbursement, or otherwise.” The word “reimbursement” is omitted in

definition of a health plan refers to “50 or more participants,” and that using a dollar factor to define a “small health plan” would be inconsistent with this definition.

Response: We disagree. The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern (13 CFR 121.105) and its affiliates to be considered “small.” The size standards themselves are expressed either in number of employees or annual receipts (13 CFR 121.201). The size standards for compliance with programs of other agencies are those for SBA programs which are most comparable to the programs of such other agencies, unless otherwise agreed by the agency and the SBA (13 CFR 121.902). With respect to the insurance industry, the SBA has specified that annual receipts of $5 million is the maximum allowed for a concern and its affiliates to be considered small (13 CFR 121.201). Consequently, we retain the proposal’s definition in the final rule to be consistent with SBA requirements.

We understand there may be some confusion as to the meaning of “annual receipts” when applied to a health plan. For our purposes, therefore, we consider “pure premiums” to be equivalent to “annual receipts.”

Workforce

Comment: Some commenters requested that we exclude “volunteers” from the definition of workforce. They stated that volunteers are important contributors within many covered entities, and in particular hospitals. They argued that it was unfair to ask that these people donate their time and at the same time subject them to the penalties placed upon the paid

Comment: One commenter asked that the rule clarify that employees administering a group health or other employee welfare benefit plan on their employers’ behalf are considered part of the covered entity’s workforce.

Response: As long as the employees have been identified by the group health plan in plan documents as performing functions related to the group health plan (consistent with the requirements of § 164.504(f)), those employees may have access to protected health information. However, they are not permitted to use or disclose protected health information for employment-related purposes or in connection with any other employee benefit plan or employee benefit of the plan sponsor.

Part 160—Subpart B—Preemption of State Law

We summarize and respond below to comments received in the Transactions rulemaking on the issue of preemption, as well as those received on this topic in the Privacy rulemaking. Because no process was proposed in the Transactions rulemaking for granting exceptions under section 1178(a)(2)(A), a process for making exception determinations was not adopted in the Transactions Rule. Instead, since a process for making exception determinations was proposed in the Privacy rulemaking, we decided that the comments received in the Transactions rulemaking should be considered and addressed in conjunction with the comments received on the process proposed in the Privacy rulemaking. See 65 FR 50318 for a fuller discussion. Accordingly, we discuss the preemption comments received in the Transactions rulemaking where relevant below.

Comment: The majority of comments on preemption addressed the subject in general terms. Numerous comments,
both the preamble and the text of the employees by these regulations, and that particularly from plans and providers,
regulation; the commenter suggested it would discourage people from argued that the proposed preemption
restoring it to both. volunteering in the health care setting. provisions were burdensome,
Response: We agree. These changes Response: We disagree. We believe ineffective, or insufficient, and that
were made to the definition of ‘‘health that differentiating those persons under complete federal preemption of the
plan’’ as promulgated in the the direct control of a covered entity ‘‘patchwork’’ of state privacy laws is
Transactions Rule, and are reflected in who are paid from those who are not is needed. They also argued that the
this final rule. irrelevant for the purposes of protecting proposed preemption provisions are
the privacy of health information, and likely to invite litigation. Various
Small Health Plan for a covered entity’s management of its practical arguments in support of this
Comment: One commenter workforce. In either case, the person is position were made. Some of these
recommended that we delete the working for the covered entity. With comments recognized that the
reference to $5 million in the definition regard to implications for the Secretary’s authority under section 1178
and instead define a ‘‘small health plan’’ individual, persons in a covered entity’s of the Act is limited and acknowledged
as a health plan with fewer than 50 workforce are not held personally liable that the Secretary’s proposals were
participants. It was stated that using a for violating the standards or within her statutory authority. One
dollar limitation to define a ‘‘small requirements of the final rule. Rather, commenter suggested that the exception
health plan’’ is not meaningful for self- the Secretary has the authority to determination process would result in a
insured plans and some other types of impose civil monetary penalties and in very costly and laborious and
health plan coverage arrangements. A some cases criminal penalties for such sometimes inconsistent analysis of the
commenter pointed out that the general violations on only the covered entity. occasions in which state law would

survive federal preemption, and thus suggested the final privacy regulations preempt state law with only limited exceptions, such as reporting child abuse. Many other comments, however, recommended changing the proposed preemption provisions to preempt state privacy laws on as blanket a basis as possible.

One comment argued that the assumption that more stringent privacy laws are better is not necessarily true, citing a 1999 GAO report finding evidence that the stringent state confidentiality laws of Minnesota halted the collection of comparative information on health care quality.

Several comments in this vein were also received in the Transactions rulemaking. The majority of these comments took the position that exceptions to the federal standards should either be prohibited or discouraged. It was argued that granting exceptions to the standards, particularly the transactions standards, would be inconsistent with the statute’s objective of promoting administrative simplification through the use of uniform transactions.

Many other commenters, however, endorsed the ‘‘federal floor’’ approach of the proposed rules. (These comments were made in the context of the proposed privacy regulations.) These comments argued that this approach was preferable because it would not impair the effectiveness of state privacy laws that are more protective of privacy, while raising the protection afforded medical information in states that do not enact laws that are as protective as the rules below. Some comments argued, however, that the rules should give even more deference to state law, questioning in particular the definitions and the proposed addition to the ‘‘other purposes’’ criterion for exception determinations in this regard.

Response: With respect to the exception process provided for by section 1178(a)(2)(A), the contention that the HIPAA standards should uniformly control is an argument that should be addressed to the Congress, not this agency. Section 1178 of the Act expressly gives the Secretary authority to grant exceptions to the general rule that the HIPAA standards preempt contrary state law in the circumstances she determines come within the provisions at section 1178(a)(2)(A). We agree that the underlying statutory goal of standardizing financial and administrative health care transactions dictates that exceptions should be granted only on narrow grounds. Nonetheless, Congress clearly intended to accommodate some state laws in these areas, and the Department is not free to disregard this Congressional choice. As is more fully explained below, we have interpreted the statutory criteria for exceptions under section 1178(a)(2)(A) to balance the need for relative uniformity with respect to the HIPAA standards with state needs to set certain policies in the statutorily defined areas.

The situation is different with respect to state laws relating to the privacy of protected health information. Many of the comments arguing for uniform standards were particularly concerned with discrepancies between the federal privacy standards and various state privacy requirements. Unlike the situation with respect to the transactions standards, where states have generally not entered the field, all states regulate the privacy of some medical information to a greater or lesser extent. Thus, we understand the private sector’s concern at having to reconcile differing state and federal privacy requirements.

This is, however, likewise an area where the policy choice has been made by Congress. Under section 1178(a)(2)(B) of the Act and section 264(c)(2) of HIPAA, provisions of state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification are not preempted. The effect of these provisions is to let the law that is most protective of privacy control (the ‘‘federal floor’’ approach referred to by many commenters), and this policy choice is one with which we agree. Thus, the statute makes it impossible for the Secretary to accommodate the requests to establish uniformly controlling federal privacy standards, even if doing so were viewed as desirable.

Comment: Numerous comments stated support for the proposal at proposed Subpart B to issue advisory opinions with respect to the preemption of state laws relating to the privacy of individually identifiable health information. A number of these comments appeared to assume that the Secretary’s advisory opinions would be dispositive of the issue of whether or not a state law was preempted. Many of these commenters suggested what they saw as improvements to the proposed process, but supported the proposal to have the Department undertake this function.

Response: Despite the general support for the advisory opinion proposal, we decided not to provide specifically for the issuance of such opinions. The following considerations led to this decision. First, the assumption by commenters that an advisory opinion would establish what law applied in a given situation and thereby simplify the task of ascertaining what legal requirements apply to a covered entity or entities is incorrect. Any such opinion would be advisory only. Although an advisory opinion issued by the Department would indicate to covered entities how the Department would resolve the legal conflict in question and would apply the law in determining compliance, it would not bind the courts. While we assume that most courts would give such opinions deference, the outcome could not be guaranteed.

Second, the thousands of questions raised in the public comment about the interpretation, implications, and consequences of all of the proposed regulatory provisions have led us to conclude that significant advice and technical assistance about all of the regulatory requirements will have to be provided on an ongoing basis. We recognize that the preemption concerns that would have been addressed by the proposed advisory opinions were likely to be substantial. However, there is no reason to assume that they will be the most substantial or urgent of the questions that will most likely need to be addressed. It is our intent to provide as much technical advice and assistance to the regulated community as we can with the resources available. Our concern is that setting up an advisory opinion process for just one of the many types of issues that will have to be addressed will lead to a non-optimal allocation of those resources. Upon careful consideration, therefore, we have decided that we will be better able to prioritize our workload and be better able to be responsive to the most urgent and substantial questions raised to the Department, if we do not provide for a formal advisory opinion process on preemption as proposed.

Comment: A few commenters argued that the Privacy Rule should preempt state laws that would impose more stringent privacy requirements for the conduct of clinical trials. One commenter asserted that the existing federal regulations and guidelines for patient informed consent, together with the proposed rule, would adequately protect patient privacy.

Response: The Department does not have the statutory authority under HIPAA to preempt state laws that would impose more stringent privacy requirements on covered entities. HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict

with the regulatory requirements and that provide greater privacy protections.

Section 160.201—Applicability

Comment: Several commenters indicated that the guidance provided by the definitions at proposed § 160.202 would be of substantial benefit both to regulated entities and to the public. However, these commenters argued that the applicability of such definitions would be too limited as drafted, since proposed § 160.201 provided that the definitions applied only to ‘‘determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d–7.’’ The commenters stated that it would be far more helpful to make the definitions in proposed § 160.202 more broadly applicable, to provide general guidance on the issue of preemption.

Response: We agree with the comments on this issue, and have revised the applicability provision of subpart B below accordingly. Section 160.201 below sets out that Subpart B implements section 1178. This means, in our view, that the definitions of the statutory terms at § 160.202 are legislative rules that apply when those statutory terms are employed, whether by HHS, covered entities, or the courts.

Section 160.202—Definitions

Contrary

Comment: Some commenters asserted that the term ‘‘contrary’’ as defined at § 160.202 was overly broad and that its application would be time-consuming and confusing for states. These commenters argued that, under the proposed definition, a state would be required to examine all of its laws relating to health information privacy in order to determine whether or not its law were contrary to the requirements proposed. It was also suggested that the definition contain examples of how it would work in practical terms.

A few commenters, however, argued that the definition of ‘‘contrary’’ as proposed was too narrow. One commenter argued that the Secretary erred in her assessment of the case law analyzing what is known as ‘‘conflict preemption’’ and which is set forth in shorthand in the tests set out at § 160.202.

Response: We believe that the definition proposed represents a policy that is as clear as is feasible and which can be applied nationally and uniformly. As was noted in the preamble to the proposed rules (at 64 FR 59997), the tests in the proposed definition of ‘‘contrary’’ are adopted from the jurisprudence of ‘‘conflict preemption.’’ Since preemption is a judicially developed doctrine, it is reasonable to interpret this term as indicating that the statutory analysis should tie in to the analytical formulations employed by the courts. Also, while the court-developed tests may not be as clear as commenters would like, they represent a long-term, thoughtful consideration of the problem of defining when a state/federal conflict exists. They will also, we assume, generally be employed by the courts when conflict issues arise under the rules below. We thus see no practical alternative to the proposed definition and have retained it unchanged. With respect to various suggestions for shorthand versions of the proposed tests, such as the arguably broader term ‘‘inconsistent with,’’ we see no operational advantages to such terms.

Comment: One comment asked that the Department clarify that if state law is not preempted, then the federal law would not also apply.

Response: This comment raises two issues, both of which deserve discussion. First, a state law may not be preempted because there is no conflict with the analogous federal requirement; in such a situation, both laws can, and must, be complied with. We thus do not accept this suggestion, to the extent that it suggests that the federal law would give way in this situation. Second, a state law may also not be preempted because it comes within section 1178(a)(2)(B), section 1178(b), or section 1178(c); in this situation, a contrary federal law would give way.

Comment: One comment urged the Department to take the position that where state law exists and no analogous federal requirement exists, the state requirement would not be ‘‘contrary to’’ the federal requirement and would therefore not trigger preemption.

Response: We agree with this comment.

Comment: One commenter criticized the definition as unhelpful in the multi-state transaction context. For example, it was asked whether the issue of whether a state law was ‘‘contrary to’’ should be determined by the law of the state where the treatment is provided, where the claim processor is located, where the payment is issued, or the data maintained, assuming all are in different states.

Response: This is a choice of law issue, and, as is discussed more fully below, is a determination that is routinely made today in connection with multi-state transactions. See discussion below under Exception Determinations (Criteria for Exception Determinations).

State Law

Comment: Comments noted that the definition of ‘‘state law’’ does not explicitly include common law and recommended that it be revised to do so or to clarify that the term includes evidentiary privileges recognized at state law. Guidance concerning the impact of state privileges was also requested.

Response: As requested, we clarify that the definition of ‘‘state law’’ includes common law by including the term ‘‘common law.’’ In our view, this phrase encompasses evidentiary privileges recognized at state law (which may also, we note, be embodied in state statutes).

Comment: One comment criticized this definition as unwieldy, in that locating state laws pertaining to privacy is likely to be difficult. It was noted that Florida, for example, has more than 60 statutes that address health privacy.

Response: To the extent that state laws currently apply to covered entities, they have presumably determined what those laws require in order to comply with them. Thus, while determining which laws are ‘‘contrary’’ to the federal requirements will require additional work in terms of comparing state law with the federal requirements, entities should already have acquired the knowledge of state law needed for this task in the ordinary course of doing business.

Comment: The New York City Department of Health noted that in many cases, provisions of New York State law are inapplicable within New York City, because the state legislature has recognized that the local code is tailored to the particular needs of the City. It urged that the New York City Code be treated as state law, for preemption purposes.

Response: We agree that, to the extent a state treats local law as substituting for state law, it could be considered to be ‘‘state law’’ for purposes of this definition. If, however, a local law is local in scope and effect, and a tier of state law exists over the same subject matter, we do not think that the local law could or should be treated as ‘‘state law’’ for preemption purposes. We do not have sufficient information to assess the situation raised by this comment with respect to this principle, and so express no opinion thereon.

More Stringent

Comment: Many commenters supported the policy in the proposed definition of ‘‘individual’’ at proposed § 164.502, which would have permitted unemancipated minors to exercise, on

their own behalf, rights granted to individuals in cases where they consented to the underlying health care. Commenters stated, however, that the proposed preemption provision would leave in place state laws authorizing or prohibiting disclosure to parents of the protected health information of their minor children and would negate the proposed policy for the treatment of minors under the rule. The comments stated that such state laws should be treated like other state laws, and preempted to the extent that they are less protective of the privacy of minors. Other commenters supported the proposed preemption provision—not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent.

Response: Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this regulation recognizes and respects the current diversity of state law in this area. Where states have considered the balance involved in protecting the confidentiality of minors’ health information and have explicitly acted, for example, to authorize disclosure, defer the decision to disclose to the discretion of the health care provider, or prohibit disclosure of a minor’s protected health information to a parent, the rule defers to these decisions to the extent that they regulate such disclosures.

Comment: The proposed definition of ‘‘more stringent’’ was criticized as affording too much latitude for granting exceptions for state laws that are not protective of privacy. It was suggested that the test should be ‘‘most protective of the individual’s privacy.’’

Response: We considered adopting this test. However, for the reasons set out at 64 FR 59997, we concluded that this test would not provide sufficient guidance. The comments did not address the concerns we raised in this regard in the preamble to the proposed rules, and we continue to believe that they are valid.

Comment: A drug company expressed concern with what it saw as the expansive definition of this term, arguing that state governments may have less experience with the special needs of researchers than federal agencies and may unknowingly adopt laws that have a deleterious effect on research. A provider group expressed concern that allowing stronger state laws to prevail could result in diminished ability to get enough patients to complete high quality clinical trials.

Response: These concerns are fundamentally addressed to the ‘‘federal floor’’ approach of the statute, not to the definition proposed: even if the definition of ‘‘more stringent’’ were narrowed, these concerns would still exist. As discussed above, since the ‘‘federal floor’’ approach is statutory, it is not within the Secretary’s authority to change the dynamics that are of concern.

Comment: One comment stated that the proposed rule seemed to indicate that the ‘‘more stringent’’ and ‘‘contrary to’’ definitions implied that these standards would apply to ERISA plans as well as to non-ERISA plans.

Response: The concern underlying this comment is that ERISA plans, which are not now subject to certain state laws because of the ‘‘field’’ preemption provision of ERISA but which are subject to the rules below, will become subject to state privacy laws that are ‘‘more stringent’’ than the federal requirements, due to the operation of section 1178(a)(2)(B), together with section 264(c)(2). We disagree that this is the case. While the courts will have the final say on these questions, it is our view that these sections simply leave in place more stringent state laws that would otherwise apply; to the extent that such state laws do not apply to ERISA plans because they are preempted by ERISA, we do not think that section 264(c)(2) overcomes the preemption effected by section 514(a) of ERISA. For more discussion of this point, see 64 FR 60001.

Comment: The Lieutenant Governor’s Office of the State of Hawaii requested a blanket exemption for Hawaii from the federal rules, on the ground that its recently enacted comprehensive health privacy law is, as a whole, more stringent than the proposed federal standards. It was suggested that, for example, special weight should be given to the severity of Hawaii’s penalties. It was suggested that a new definition (‘‘comprehensive’’) be added, and that ‘‘more stringent’’ be defined in that context as whether the state act or code as a whole provides greater protection.

An advocacy group in Vermont argued that the Vermont legislature was poised to enact stronger and more comprehensive privacy laws and stated that the group would resent a federal prohibition on that.

Response: The premise of these comments appears to be that the provision-by-provision approach of Subpart B, which is expressed in the definition of the term ‘‘contrary’’, is wrong. As we explained in the preamble to the proposed rules (at 64 FR 59995), however, the statute dictates a provision-by-provision comparison of state and federal requirements, not the overall comparison suggested by these comments. We also note that the approach suggested would be practically and analytically problematic, in that it would be extremely difficult, if not impossible, to determine what is a legitimate stopping point for the provisions to be weighed on either the state side or the federal side of the scale in determining which set of laws was the ‘‘more stringent.’’ We accordingly do not accept the approach suggested by these comments.

With respect to the comment of the Vermont group, nothing in the rules below prohibits or places any limits on states enacting stronger or more comprehensive privacy laws. To the extent that states enact privacy laws that are stronger or more comprehensive than contrary federal requirements, they will presumably not be preempted under section 1178(a)(2)(B). To the extent that such state laws are not contrary to the federal requirements, they will act as an overlay on the federal requirements and will have effect.

Comment: One comment raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.

Response: We have reconsidered the proposed ‘‘penalty’’ provision of the proposed definition of ‘‘more stringent’’ and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing. In addition, the fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions.

Relates to the Privacy of Individually Identifiable Health Information

Comment: One comment criticized the definition of this term as too narrow in scope and too uncertain. The commenter argued that determining the specific purpose of a state law may be difficult and speculative, because many state laws have incomplete, inaccessible, or non-existent legislative histories. It was suggested that the definition be revised by deleting the word ‘‘specific’’ before the word ‘‘purpose.’’ Another commenter argued

that the definition of this term should be narrowed to minimize reverse preemption by more stringent state laws. One commenter generally supported the proposed definition of this term.

Response: We are not accepting the first comment. The purpose of a given state enactment should be ascertainable, if not from legislative history or a purpose statement, then from the statute viewed as a whole. The same should be true of state regulations or rulings. In any event, it seems appropriate to restrict the field of state laws that may potentially trump the federal standards to those that are clearly intended to establish state public policy and operate in the same area as the federal standards. To the extent that the definition in the rules below does this, we have accommodated the second comment. We note, however, that we do not agree that the definition should be further restricted to minimize ‘‘reverse preemption,’’ as suggested by this comment, as we believe that state laws that are more protective of privacy than contrary federal standards should remain, in order to ensure that the privacy of individuals’ health information receives the maximum legal protection available.

Sections 160.203 and 160.204—Exception Determinations and Advisory Opinions

Most of the comments received on proposed Subpart B lumped together the proposed process for exception determinations under section 1178(a)(2)(A) with the proposed process for issuing advisory opinions under section 1178(a)(2)(B), either because the substance of the comment applied to both processes or because the commenters did not draw a distinction between the two processes. We address these general comments in this section.

Comment: Numerous commenters, particularly providers and provider groups, recommended that exception determinations and advisory opinions not be limited to states and advocated allowing all covered entities (including individuals, providers and insurers), or private sector organizations, to request determinations and opinions with respect to preemption of state laws. Several commenters argued that limiting requests to states would deny third party stakeholders, such as life and disability income insurers, any means of resolving complex questions as to what

[…]

little incentive for the states to request clarification. It would also cause large administrative burdens which, it was stated, would be costly and confusing. It was also suggested that the request for the exception be made to the applicable state’s attorney general or chief legal officer, as well as the Secretary. Various changes to the language were suggested, such as adding that ‘‘a covered entity, or any other entity impacted by this rule’’ be allowed to submit the written request.

Response: We agree, and have changed § 160.204(a) below accordingly. The decision to eliminate advisory opinions makes this issue moot with respect to those opinions.

Comment: Several commenters noted that it was unclear under the proposed rule which state officials would be authorized to request a determination.

Response: We agree that the proposed rule was unclear in this respect. The final rule clarifies who may make the request for a state, with respect to exception determinations. See § 160.204(a). The language adopted should ensure that the Secretary receives an authoritative statement from the state. At the same time, this language provides states with flexibility, in that the governor or other chief elected official may choose to designate other state officials to make such requests.

Comment: Many commenters recommended that a process be established whereby HHS performs an initial state-by-state critical analysis to provide guidance on which state laws will not be preempted; most suggested that such an analysis (alternatively referred to as a database or clearinghouse) should be completed before providers would be required to come into compliance. Many of these comments argued that the Secretary should bear the cost for the analyses of state law, disagreeing with the premise stated in the preamble to the proposed rules that it is more efficient for the private market to complete the state-by-state review. Several comments also requested that HHS continue to maintain and monitor the exception determination process, and update the database over time in order to provide guidance and certainty on the interaction of the federal rules with newly enacted or amended state laws that are produced after the final rule. Some comments recommended that each state be required to certify

[…]

implementation would be difficult since much of the law is a product of common law, and such state-specific research should only be attempted by experienced health care attorneys in each jurisdiction.

Response: These comments seem to be principally concerned with potential conflicts between state privacy laws and the privacy standards, because, as is more fully explained below, preemption of contrary state laws not relating to privacy is automatic unless the Secretary affirmatively acts under section 1178(a)(2)(A) to grant an exception. We recognize that the provisions of sections 1178(b) (state public health laws), and 1178(c) (state regulation of health plans) similarly preserve state laws in those areas, but very little of the public comment appeared to be concerned with these latter statutory provisions. Accordingly, we respond below to what we see as the commenters’ main concern.

The Department will not do the kind of global analysis requested by many of these comments. What these comments are in effect seeking is a global advisory opinion as to when the federal privacy standards will control and when they will not. We understand the desire for certainty underlying these comments. Nonetheless, the reasons set out above as the basis for our decision not to establish a formal advisory opinion process apply equally to these requests. We also do not agree that the task of evaluating the requirements below in light of existing state law is unduly burdensome or unreasonable. Rather, it is common for new federal requirements to necessitate an examination by the regulated entities of the interaction between existing state law and the federal requirements incident to coming into compliance.

We agree, however, that the case is different where the Secretary has affirmatively acted, either through granting an exception under section 1178(a)(2)(A) or by making a specific determination about the effect of a particular state privacy law in, for example, the course of determining an entity’s compliance with the privacy standards. As is discussed below, the Department intends to make notice of exception determinations that it makes routinely available.

We do not agree with the comments suggesting that compliance by covered entities be delayed pending completion of an analysis by the Secretary and that
rule they are subject to. One commenter agreement with the HHS analyses. states be required to certify agreement
noted that because it is an insurer who In contrast, one hospital association with the Secretary’s analysis, as we are
will be liable if it incorrectly analyzes noted concerns that the Secretary would not institutionalizing the advisory
the interplay between laws and reaches conduct a nationwide analysis of state opinion/analysis process upon which
an incorrect conclusion, there would be laws. The comment stated that these comments are predicated.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00123 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82584 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Furthermore, with respect to the Another commenter, however, urged guidance in making the determination
suggestion regarding delaying the that ‘‘instead of the presumption of as to which law prevails. Ambiguity in
compliance date, Congress provided in preemption, the state laws in question the state of the law might also be a factor
section 1175(b) of the Act for a delay in would be presumed to be subject to the to be taken into account in determining
when compliance is required to exception unless or until the Secretary whether a penalty should be applied.
accommodate the needs of covered makes a determination to the contrary.’’ Comment: Several comments
entities to address implementation Response: It is true that the effect of recommended that exception
issues such as those raised by these section 1178(a)(2)(A) is that the federal determinations or advisory opinions
comments. With respect to the standards will preempt contrary state encompass a state act or code in its
suggestion regarding requiring states to law and that such preemption will not entirety (in lieu of a provision-specific
certify their agreement with the be removed unless and until the evaluation) if it is considered more
Secretary’s analysis, we have no Secretary acts to grant an exception stringent as a whole than the regulation.
authority to do this. under that section (assuming, of course, It was argued that since the provisions
Comment: Several commenters that another provision of section 1178 of a given law are typically
criticized the proposed provision for does not apply). We do not agree, interconnected and related, adopting or
annual publication of determinations however, that confusion should result, overriding them on a provision-by-
and advisory opinions in the Federal where the issue is whether a given state provision basis would result in
Register as inadequate. They suggested law has been preempted under section distortions and/or unintended
that more frequent notices should be 1178(a)(2)(A). Because preemption is consequences or loopholes. For
made and the regulation be changed automatic with respect to state laws that example, when a state law includes
accordingly, to provide for publication do not come within the other provisions authorization provisions, some of which
either quarterly or within a few days of of section 1178 (i.e., sections are consistent with the federal
a determination. A few commenters 1178(a)(2)(B), 1178(b), and 1178(c)), requirements and some which are not,
suggested that any determinations such state laws are preempted until the the cleanest approach is to view the
made, or opinions issued, by the Secretary affirmatively acts to preserve state law as inconsistent with the
Secretary be published on the them from preemption by granting an federal requirements and thus
Department’s website within 10 days or exception under section 1178(a)(2)(A). preempted in its entirety. Similarly,
a few days of the determination or We cannot accept the suggestion that another comment suggested that state
opinion. a presumption of validity attach to state confidentiality laws written to address
Response: We agree that the proposed laws, and that states not be required to the specific needs of individuals served
provision for annual publication was request exceptions except in very within a discreet system of care be
inadequate and have accordingly narrow circumstances. The statutory considered as a whole in assessing
deleted it. Subpart B contains no scheme is the opposite: The statute whether they are as stringent or more
express requirement for publication, as effects preemption in the section stringent than the federal requirements.
the Department is free to publish its 1178(a)(2)(A) context unless the Another comment requested explicit
determinations absent such a Secretary affirmatively acts to except the clarification that state laws with a
requirement. It is our intention to contrary state law in question. broader scope than the regulation will
publish notice of exception With respect to preemption under be viewed as more stringent and be
determinations on a periodic basis in sections 1178(b) and 1178(c) (the carve- allowed to stand.
the Federal Register. We will also outs for state public health laws and Response: We have not adopted the
consider other avenues of making such state regulation of health plans), we do approach suggested by these comments.
decisions publicly available as we move not agree that preemption is likely to be As discussed above with respect to the
into the implementation process. a major cause of uncertainty. We have definition of the term ‘‘more stringent,’’
Comment: A few commenters argued deferred to Congressional intent by it is our view that the statute precludes
that the process for obtaining an crafting the permissible releases for the approach suggested. We also suggest
exception determination or an advisory public health, abuse, and oversight that this approach ignores the fact that
opinion from the Secretary will result in broadly. See, §§ 164.512(b)—(d) below. each separate provision of law usually
a period of time in which there is Since there must first be a conflict represents a nuanced policy choice to,
confusion as to whether state or federal between a state law and a federal for example, permit this use or prohibit
law applies. The proposed regulations requirement in order for an issue of that disclosure; the aggregated approach
say that the federal provisions will preemption to even arise, we think that, proposed would fail to recognize and
remain effective until the Secretary as a practical matter, few preemption weigh such policy choices.
makes a determination concerning the questions should arise with respect to Comment: One comment
preemption issue. This means that, for sections 1178(b) and 1178(c). recommended that the final rule: permit
example, a state law that was enacted With respect to preemption of state requests for exception determinations
and enforced for many years will be privacy laws under section and advisory opinions as of the date of
preempted by federal law for the period 1178(a)(2)(B), however, we agree that publication of the final rule, require the
of time during which it takes the the situation may be more difficult to Secretary to notify the requestor within
Secretary to make a determination. Then ascertain, because the Secretary does a specified short period of time of all
if the Secretary determines that the state not determine the preemption status of additional information needed, and
law is not preempted, the state law will a state law under that section, unlike the prohibit enforcement action until the
again become effective. Such situations situation with respect to section Secretary issues a response.
will result in confusion and unintended 1178(a)(2)(A). We have tried to define Response: With respect to the first
violations of the law. One of the the term ‘‘more stringent’’ to identify recommendation, we clarify that
commenters suggested that requests for and particularize the factors to be requests for exception determinations
exceptions be required only when a considered by courts to those relevant to may be made at any time; since the
challenge is brought against a particular privacy interests. The more specific process for issuing advisory opinions
state law, and that a presumption of (than the statute) definition of this term has not been adopted, this
validity should lie with state laws. at § 160.202 below should provide some recommendation is moot as it pertains

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00124 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82585

to advisory opinions. With respect to exceptions will be clearly tied to amend their state laws as a precondition
the second recommendation, we will statements of priorities made by to requesting exceptions under section
undertake to process exception requests publicly accountable bodies (e.g., 1178(a)(2)(A). Rather, the question
as expeditiously as possible, but, for the through the public comment process for should be whether the state has made a
reasons discussed below in connection regulations, and by elected officials convincing case that the state law in
with the comments relating to setting through statutes). With respect to the question is sufficiently necessary for
deadlines for those determinations, we criterion at section 1178(a)(2)(A)(ii), we one of the statutory purposes that it
cannot commit at this time to a have further delineated what ‘‘addresses should trump the contrary federal
‘‘specified short period of time’’ within controlled substances’’ means. The policy.
which the Secretary may request language provided, which builds on Comment: One commenter stated that
additional information. We see no concepts at 21 U.S.C. 821 and the exceptions for state laws that are
reason to agree to the third Medicare regulations at 42 CFR 1001.2, contrary to the federal standards should
recommendation. Because contrary state delineates the area within which the not be preempted where the state and
laws for which an exception is available government traditionally regulates federal standards are found to be equal.
only under section 1178(a)(2)(A) will be controlled substances, both civilly and Response: This suggestion has not
preempted by operation of law unless criminally; it is our view that HIPAA been adopted, as it is not consistent
and until the Secretary acts to grant an was not intended to displace such with the statute. With respect to the
exception, there will be an ascertainable regulation. administrative simplification standards
compliance standard for compliance Comment: Several commenters urged in general, it is clear that the intent of
purposes, and enforcement action that the request for determination by the Congress was to preempt contrary state
would be appropriate where such Secretary under proposed § 160.204(a) laws except in the limited areas
compliance did not occur. be limited to cases where an exception specified as exceptions or carve-outs.
is absolutely necessary, and that in See, section 1178. This statutory
Sections 160.203(a) and 160.204(a)— making such a determination, the approach is consistent with the
Exception Determinations Secretary should be required to make a underlying goal of simplifying health
Section 160.203(a)—Criteria for determination that the benefits of care transactions through the adoption
Exception Determinations granting an exception outweigh the of uniform national standards. Even
potential harm and risk of disclosure in with respect to state laws relating to the
Comment: Numerous comments violation of the regulation. privacy of medical information, the
criticized the proposed criteria for their Response: We have not further statute shields such state laws from
substance or lack thereof. A number of defined the statutory term ‘‘necessary’’, preemption by the federal standards
commenters argued that the as requested. We believe that the only if they are ‘‘more’’ stringent than
effectiveness language that was added to determination of what is ‘‘necessary’’ the related federal standard or
the third statutory criterion made the will be fact-specific and context implementation specification.
exception so massive that it would dependent, and should not be further Comment: One commenter noted that
swallow the rule. These comments circumscribed absent such specifics. determinations would apply only to
generally expressed concern that laws The state will need to make its case that transactions that are wholly intrastate.
that were less protective of privacy the state law in question is sufficiently Thus, any element of a health care
would be granted exceptions under this ‘‘necessary’’ to accomplish the transaction that would implicate more
language. Other commenters criticized particular statutory ground for than one state’s law would
the criteria generally as creating a large exception that it should trump the automatically preclude the Secretary’s
loophole that would let state laws that contrary federal standard, requirement, evaluation as to whether the laws were
do not protect privacy trump the federal or implementation specification. more or less stringent than the federal
privacy standards. Comment: One commenter noted that requirement. Other commenters
Response: We agree with these a state should be required to explain expressed confusion about this
comments. The scope of the statutory whether it has taken any action to proposed requirement, noting that
criteria is ambiguous, but they could be correct any less stringent state law for providers and plans operate now in a
read so broadly as to largely swallow the which an exception has been requested. multi-state environment.
federal protections. We do not think that This commenter recommended that a Response: We agree with the
this was Congress’s intent. Accordingly, section be added to proposed commenters and have dropped the
we have added language to most of the § 160.204(a) stating that ‘‘a state must proposed requirement. As noted by the
statutory criteria clarifying their scope. specify what, if any, action has been commenters, health care entities now
With respect to the criteria at taken to amend the state law to comply typically operate in a multi-state
1178(a)(2)(A)(i), this clarifying language with the federal regulations.’’ Another environment, so already make the
generally ties the criteria more comment, received in the Transactions choice of law judgements that are
specifically to the concern with rulemaking, took the position that necessary in multi-state transactions. It
protecting and making more efficient exception determinations should be is the result of that calculus that will
the health care delivery and payment granted only if the state standards in have to be weighed against the federal
system that underlies the question exceeded the national standards, requirements, and
Administrative Simplification standards. implementation specifications in the
provisions of HIPAA, but, with respect Response: The first and last comments preemption analysis.
to the catch-all provision at section appear to confuse the ‘‘more stringent’’ Comment: One comment received in
1178(a)(2)(A)(i)(IV), also requires that criterion that applies under section the Transactions rulemaking suggested
privacy interests be balanced with such 1178(a)(2)(B) of the Act with the criteria that the Department should allow
concerns, to the extent relevant. We that apply to exceptions under section exceptions to the standard transactions
require that exceptions for rules to 1178(a)(2)(A). We are also not adopting to accommodate abbreviated
ensure appropriate state regulation of the language suggested by the first transactions between state agencies,
insurance and health plans be stated in comment, because we do not agree that such as claims between a public health
a statute or regulation, so that such states should necessarily have to try to department and the state Medicaid

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00125 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82586 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

agency. Another comment requested an suggesting that the Secretary must We are not accepting the suggestion
exception for Home and Community proactively identify instances of conflict that requests for exception be deemed
Based Waiver Services from the and evaluate them. This suggestion is, approved if not acted upon in some
transactions standards. thus, at bottom the same as the many defined time period. Section
Response: The concerns raised by suggestions that we create a database or 1178(a)(2)(A) requires a specific
these comments would seem to be more compendium of controlling law, and it determination by the Secretary. The
properly addressed through the process is rejected for the same reasons. suggested policy would not be
established for maintaining and Comment: Several comments urged consistent with this statutory
modifying the transactions standards. If that all state requests for non- requirement. It is also inadvisable from
the concerns underlying these preemption include a process for public a policy standpoint, in that it would
comments cannot be addressed in this participation. These comments believe tend to maximize exceptions. This
manner, however, there is nothing in that members of the public and other would be contrary to the underlying
the rules below to preclude states from interested stakeholders should be statutory policy in favor of uniform
requesting exceptions in such cases. allowed to submit comments on a state’s federal standards.
They will then have to make the case request for exception, and that these Comment: One commenter took
that one or more grounds for exception comments should be reviewed and exception to the requirement for states
applies. considered by the Secretary in to seek a determination from the
determining whether the exception Department that a provision of state law
Section 160.204(a)—Process for
should be granted. One comment is necessary to prevent fraud and abuse
Exception Determinations—Comments
suggested that the Secretary at least give or to ensure appropriate state regulation
and Responses
notice to the citizens of the state prior of insurance plans, contending that this
Comment: Several comments received mandate could interfere with the
to granting an exception.
in the Transactions rulemaking stated Insurance Commissioners’ ability to do
that the process for applying for and Response: The revision to
§ 160.204(a), to permit requests for their jobs. Another commenter
granting exception determinations suggested that the regulation
(referred to as ‘‘waivers’’ by some) exception determinations by any
person, responds to these comments. specifically recognize the broad scope of
needed to be spelled out in the final state insurance department activities,
rule. Comment: Many commenters noted
such as market conduct examinations,
Response: We agree with these that the lack of a clear and reasonable
enforcement investigations, and
comments. As noted above, since no time line for the Secretary to issue an
consumer complaint handling.
process was proposed in the exception determination would not Response: The first comment raises an
Transactions rulemaking, a process for provide sufficient assurance that the issue that lies outside our legal
making exception determinations was questions regarding what rules apply authority to address, as section
not adopted in those final rules. Subpart will be resolved in a time frame that 1178(a)(2)(A) clearly mandates that the
B below adopts a process for making will allow business to be conducted Secretary make a determination in these
exception determinations, which properly, and argued that this would areas. With respect to the second
responds to these comments. increase confusion and uncertainty comment, to the extent these concerns
Comment: Comments stated that the about which statutes and regulations pertain to health plans, we believe that
exception process would be should be followed. Timeframes of 60 or the provisions at § 164.512 relating to
burdensome, unwieldy, and time- 90 days were suggested. One group oversight and disclosures required by
consuming for state agencies as well as suggested that, if a state does not receive law should address the concerns
the Department. One comment took the a response from HHS within 60 days, underlying this comment.
position that states should not be the waiver should be deemed approved.
required to submit exception requests to Response: The workload prioritization Section 160.204(a)(4)—Period of
the Department under proposed and management considerations Effectiveness of Exception
§ 160.203(a), but could provide discussed above with respect to Determinations
documentation that the state law meets advisory opinions are also relevant here Comment: Numerous commenters
one of the conditions articulated in and make us reluctant to agree to a stated that the proposed three year
proposed § 160.203. deadline for making exception limitation on the effectiveness of
Response: We disagree that the determinations. This is particularly true exception determinations would pose
process adopted at § 164.204 below will at the outset, since we have no significant problems and should be
be burdensome, unwieldy, or time- experience with such requests. We limited to one year, since a one year
consuming. The only thing the therefore have no basis for determining limitation would provide more frequent
regulation describes is the showings that how long processing such requests will review of the necessity for exceptions.
a requestor must make as part of its take, how many requests we will need The commenters expressed concern that
submission, and all are relevant to the to process, or what resources will be state laws which provide less privacy
issue to be determined by the Secretary. available for such processing. We agree protection than the federal regulation
How much information is submitted is, that states and other requesters should would be given exceptions by the
generally speaking, in the requestor’s receive timely responses and will make Secretary and thus argued that the
control, and the regulation places no every effort to make determinations as exceptions should be more limited in
restrictions on how the requestor expeditiously as possible, but we cannot duration or that the Secretary should
obtains it, whether by acting directly, by commit to firm deadlines in this initial require that each request, regardless of
working with providers and/or plans, or rule. Once we have experience in duration, include a description of the
by working with others. With respect to handling exception requests, we will length of time such an exception would
the suggestion that states not be consult with states and others in regard be needed.
required to submit exception requests, to their experiences and concerns and One state government commenter,
we disagree that this suggestion is either their suggestions for improving the however, argued that the 3 year limit
statutorily authorized or advisable. We Secretary’s expeditious handling of such should be eliminated entirely, on the
read this comment as implicitly requests. ground that requiring a redetermination

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00126 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82587

every three years would be burdensome Several of these concerns, however, law to be considered more stringent and
for the states and be a waste of time and raise issues of broader concern that need thus not preempted. The Department
resources for all parties. Other to be addressed. First, we disagree that should clarify whether a state law could
commenters, including two state the Secretary lacks legal authority to be non-preempted even without such an
agencies, suggested that the exemption opine on whether or not state privacy advisory opinion. Another commenter
should remain effective until either the laws are preempted. The Secretary is requested that the final rule explicitly
state law or the federal regulation is charged by law with determining state that the stricter rule always
changed. Another commenter suggested compliance, and where state law and applies, whether it be state or federal,
that the three year sunset be deleted and the federal requirements conflict, a and regardless of whether there is any
that the final rule provide for automatic determination of which law controls conflict between state and federal law.
review to determine if changes in will have to be made in order to Response: The elimination of the
circumstance or law would necessitate determine whether the federal standard, proposed process for advisory opinions
amendment or deletion of the opinion. requirement, or implementation renders moot the first question. Also,
Other recommendations included specification at issue has been violated. the preceding response clarifies that
deeming the state law as continuing in Thus, the Secretary cannot carry out her which law preempts in the privacy
effect upon the submission of a state enforcement functions without making context (assuming that the state law and
application for an exemption rather than such determinations. It is further federal requirement are ‘‘contrary’’) is a
waiting for a determination by the reasonable that, if the Secretary makes matter of which one is the ‘‘more
Secretary that may not occur for a such determinations, she can make stringent.’’ This is not a matter which
substantial period of time. those determinations known, for the Secretary will ultimately determine;
Response: We are persuaded that the whatever persuasive effect they may rather, this is a question about which
proposed 3 year limit on exception have. the courts will ultimately make the final
The questions as to whether a state determination. With respect to the
determinations does not make sense
could enforce, or would be subject to second comment, we believe that
where neither law providing the basis
penalties if it chose to continue to § 160.203(b) below responds to this
for the exception has changed in the enforce, its own laws following a denial
interim. We also agree that where either issue, but we would note that the statute
by the Secretary of an exception request already provides for this.
law has changed, a previously granted under § 160.203 or a holding by a court
exception should not continue. Section Comment: Several commenters
of competent jurisdiction that a state
160.205(a) below addresses these supported the decision to limit the
privacy law had been preempted by a
concerns. parties who may request advisory
contrary federal privacy standard raise
opinions to the state. These commenters
Sections 160.203(b) and 160.204(b)— several issues. First, a state law is
did not believe that insurers should be
Advisory Opinions preempted under the Act only to the
allowed to request an advisory opinion
extent that it applies to covered entities;
Section 160.203(b)—Effect of Advisory and open every state law up to
thus, a state is free to continue to
Opinions challenge and review.
enforce a ‘‘preempted’’ state law against
non-covered entities to which the state Several commenters requested that
Comment: Several commenters guidance on advisory opinions be
questioned whether or not DHHS has law applies. If there is a question of
coverage, states may wish to establish provided in all circumstances, not only
standing to issue binding advisory at the Secretary’s discretion. It was
opinions and recommended that the processes to ascertain which entities
Department clarify this issue before implementation of this regulation. One respondent suggested that the Department clarify in the final rule the legal issues on which it will opine in advisory opinion requests, and state that in responding to requests for advisory opinions the Department will not opine on the preemptive force of ERISA with respect to state laws governing the privacy of individually identifiable health information, since interpretations as to the scope and extent of ERISA’s preemption provisions are outside of the Department’s jurisdictional authority.

One commenter asked whether a state could enforce a state law which the Secretary had indicated through an advisory opinion is preempted by federal law. This commenter also asked whether the state would be subject to penalties if it chose to continue to enforce its own laws.

Response: As discussed above, in part for reasons raised by these comments, the Department has decided not to have a formal process for issuing advisory opinions, as proposed.

within their borders are covered entities within the meaning of these rules. Second, with respect to covered entities, if a state were to try to enforce a preempted state law against such entities, it would presumably be acting without legal authority in so doing. We cannot speak to what remedies might be available to covered entities to protect themselves against such wrongful state action, but we assume that covered entities could seek judicial relief, if all else failed. With respect to the issue of imposing penalties on states, we do not see this as likely. The only situation that we can envision in which penalties might be imposed on a state would be if a state agency were itself a covered entity and followed a preempted state law, thereby violating the contrary federal standard, requirement, or implementation specification.

Section 160.204(b)—Process for Advisory Opinions

Comment: Several commenters stated that it was unclear whether a state would be required to submit a request for an advisory opinion in order for the

suggested that proposed § 160.204(b)(2)(iv) be revised to read as follows: “A state may submit a written request to the Secretary for an advisory opinion under this paragraph. The request must include the following information: the reasons why the state law should or should not be preempted by the federal standard, requirement, or implementation specification, including how the state law meets the criteria at § 160.203(b).”

Response: The decision not to have a formal process for issuing advisory opinions renders these issues moot.

Sections 160.203(c) and 160.203(d)—Statutory Carve-Outs

Comment: Several commenters asked that the Department provide more specific examples itemizing activities traditionally regulated by the state that could constitute “carve-out” exceptions. These commenters also requested that the Department include language in the regulation stating that if a state law falls within several different exceptions, the state chooses which determination exception shall apply.

Response: We are concerned that itemizing examples in this way could leave out important state laws or create inadvertent negative implications that laws not listed are not included. However, as explained above, we have designed the types of activities that are permissive disclosures for public health under § 164.512(b) below in part to come within the carve-out effected by section 1178(b); while the state regulatory activities covered by section 1178(c) will generally come within § 164.512(d) below. With respect to the comments asking that a state get to “choose” which exception it comes under, we have in effect provided for this with respect to exceptions under section 1178(a)(2)(A), by giving the state the right to request an exception under that section. With respect to exceptions under section 1178(a)(2)(B), those exceptions occur by operation of law, and it is not within the Secretary’s power to “let” the state choose whether an exception occurs under that section.

Comment: Several commenters took the position that the Secretary should not limit the procedural requirements in proposed § 160.204(a) to only those applications under proposed § 160.203(a). They urged that the requirements of proposed § 160.204(a) should also apply to preemption under sections 1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules should provide for exception determinations with respect to the matters covered by these provisions of the statute; such additional provisions would provide clear procedures for states to follow and ensure that requests for exceptions are adequately documented.

A slightly different approach was taken by several commenters, who recommended that proposed § 160.204(b) be amended to clarify that the Secretary will also issue advisory opinions as to whether a state law constitutes an exception under proposed §§ 160.203(c) and 160.203(d). This change would, they argued, give states the same opportunity for guidance that they have under § 160.203(a) and (b), and as such, avoid costly lawsuits to preserve state laws.

Response: We are not taking either of the recommended courses of action. With respect to the recommendation that we expand the exception determination process to encompass exceptions under sections 1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to grant exceptions under these sections. Under section 1178, the Secretary has authority to make exception determinations only with respect to the matters covered by section 1178(a)(2)(A); contrary state laws coming within section 1178(a)(2)(B) are preempted if not more stringent, while if a contrary state law comes within section 1178(b) or section 1178(c), it is not preempted. These latter statutory provisions operate by their own terms. Thus, it is not within the Secretary’s authority to establish the determination process which these comments seek. With respect to the request seeking advisory opinions in the section 1178(b) and 1178(c) situations, we agree that we have the authority to issue such opinions. However, the considerations described above that have led us not to adopt a formal process for issuing advisory opinions in the privacy context apply with equal force and effect here.

Comment: One commenter argued that it would be unnecessarily burdensome for state health data agencies (whose focus is on the cost of healthcare or improving Medicare, Medicaid, or the healthcare system) to obtain a specific determination from the Department for an exception under proposed § 160.203(c). States should be required only to notify the Secretary of their own determination that such collection is necessary. It was also argued that cases where the statutory carve-outs apply should not require a Secretarial determination.

Response: We clarify that no Secretarial determination is required for activities that fall into one of the statutory carve-outs. With respect to data collections for state health data agencies, we note that provision has been made for many of these activities in several provisions of the rules below, such as the provisions relating to disclosures required by law (§ 164.512(a)), disclosures for oversight (§ 164.512(d)), and disclosures for public health (§ 164.512(b)). Some disclosures for Medicare and Medicaid purposes may also come within the definition of health care operations. A fuller discussion of this issue appears in connection with § 164.512 below.

Constitutional Comments and Responses

Comment: Several commenters suggested that as a general matter the rule is unconstitutional.

Response: We disagree that the rule is unconstitutional. The particular grounds for this conclusion are set out with respect to particular constitutional issues in the responses below. With respect to the comments that simply made this general assertion, the lack of detail of the comments makes a substantive response impossible.

Article II

Comment: One commenter contended that the Secretary improperly delegated authority to private entities by requiring covered entities to enter into contracts with, monitor, and take action for violations of the contract against their business partners. These comments assert that the selection of these entities to “enforce” the regulations violates the Executive Powers Clause and the Appointments and Take Care Clauses.

Response: We reject the assertion that the business associate provisions constitute an improper delegation of executive power to private entities. HIPAA provides HHS with authority to enforce the regulation against covered entities. The rules below regulate only the conduct of the covered entity; to the extent a covered entity chooses to conduct its funding through a business associate, those functions are still functions of the covered entity. Thus, no improper delegation has occurred because what is being regulated are the actions of the covered entity, not the actions of the business associate in its independent capacity.

We also reject the suggestion that the business associates provisions constitute an improper appointment of covered entities to enforce the regulation and violate the Take Care Clause. Because the Secretary has not delegated authority to covered entities, the inference that she has appointed covered entities to exercise such authority misses the mark.

Commerce Clause

Comment: A few commenters suggested that the privacy regulation regulates activities that are not in interstate commerce and which are, therefore, beyond the powers the U.S. Constitution gives the federal government.

Response: We disagree. Health care providers, health plans, and health care clearinghouses are engaged in economic and commercial activities, including the exchange of individually identifiable health information electronically across state lines. These activities constitute interstate commerce. Therefore, they come within the scope of Congress’ power to regulate interstate commerce.

Nondelegation Doctrine

Comment: Some commenters objected to the manner by which Congress provided the Secretary authority to promulgate this regulation. These comments asserted that Congress violated the nondelegation doctrine by (1) not providing an “intelligible principle” to guide the agency, (2) not

establishing “ascertainable standards,” and (3) improperly permitting the Secretary to make social policy decisions.

Response: We disagree. HIPAA clearly delineates Congress’ general policy to establish strict privacy protections for individually identifiable health information to encourage electronic transactions. Congress also established boundaries limiting the Secretary’s authority. Congress established these limitations in several ways, including by calling for privacy standards for “individually identifiable health information”; specifying that privacy standards must address individuals’ rights regarding their individually identifiable health information, the procedures for exercising those rights, and the particular uses and disclosures to be authorized or required; restricting the direct application of the privacy standards to “covered entities,” which Congress defined; requiring consultation with the National Committee on Vital and Health Statistics and the Attorney General; specifying the circumstances under which the federal requirements would supersede state laws; and specifying the civil and criminal penalties the Secretary could impose for violations of the regulation. These limitations also serve as “ascertainable standards” upon which reviewing courts can rely to determine the validity of the exercise of authority.

Although Congress could have chosen to impose expressly an exhaustive list of specifications that must be met in order to achieve the protective purposes of the HIPAA, it was entirely permissible for Congress to entrust to the Secretary the task of providing these specifications based on her experience and expertise in dealing with these complex and technical matters.

We disagree with the comments that Congress improperly delegated Congressional policy choices to her. Congress clearly decided to create federal standards protecting the privacy of “individually identifiable health information” and not to preempt state laws that are more stringent. Congress also determined over whom the Secretary would have authority, the type of information protected, and the minimum level of regulation.

Separation of Powers

Comment: Some commenters asserted that the federal government may not preempt state laws that are not as strict as the privacy regulation because to do so would violate the separation of powers in the U.S. Constitution. One comment suggested that the rules raised a substantial constitutional issue because, as proposed, they permitted the Secretary to make determinations on preemption, which is a role reserved for the judiciary.

Response: We disagree. We note that this comment only pertains to determinations under section 1178(a)(2)(A); as discussed above, the rules below provide for no Secretarial determinations with respect to state privacy laws coming within section 1178(a)(2)(B). With respect to determinations under section 1178(a)(2)(A), however, the final rules, like the proposed rules, provide that at a state’s request the Secretary may make certain determinations regarding the preemptive effect of the rules on a particular state law. As is usually the case with any administrative decisions, these are subject to judicial review pursuant to the Administrative Procedure Act.

First Amendment

Comment: Some comments suggested that the rules violated the First Amendment. They asserted that if the rule included Christian Science practitioners as covered entities it would violate the separation of church and state doctrine.

Response: We disagree. The First Amendment does not always prohibit the federal government from regulating secular activities of religious organizations. However, we address concerns relating to Christian Science practitioners more fully in the response to comments discussion of the definition of “covered entity” in § 160.103.

Fourth Amendment

Comment: Many comments expressed Fourth Amendment concerns about various proposed provisions. These comments fall into two categories—general concerns about warrantless searches and specific concerns about administrative searches. Several comments argued that the proposed regulations permit law enforcement and government officials access to protected health information without first requiring a judicial search warrant or an individual’s consent. These comments rejected the applicability of any of the existing exceptions permitting warrantless searches in this context. Another comment argued that federal and state police should be able to obtain personal medical records only with the informed consent of an individual. Many of these comments also expressed concern that protected health information could be provided to government or private agencies for inclusion in a governmental health data system.

Response: We disagree that the provisions of these rules that permit disclosures for law enforcement purposes and governmental health data systems generally violate the Fourth Amendment. The privacy regulation does not create new access rights for law enforcement. Rather, it refrains from placing a significant barrier in front of access rights that law enforcement currently has under existing legal authority. While the regulation may permit a covered entity to make disclosures in specified instances, it does not require the covered entity to make the disclosure. Thus, because we are not modifying existing law regarding disclosures to law enforcement officials, except to strengthen the requirements related to requests already authorized under law, and are not requiring any such disclosures, the privacy regulation does not infringe upon individuals’ Fourth Amendment rights. We discuss the rationale underlying the permissible disclosures to law enforcement officials more fully in the preamble discussion relating to § 164.512(f).

We note that the proposed provision relating to disclosures to government health data systems has been eliminated in the final rule. However, to the extent that the comments can be seen as raising concern over disclosure of protected health information to government agencies for public health, health oversight, or other purposes permitted by the final rule, the reasoning in the previous paragraph applies.

Comment: One commenter suggested that the rules violate the Fourth Amendment by requiring covered entities to provide access to the Secretary to their books, records, accounts, and facilities to ensure compliance with these rules. The commenter also suggested that the requirement that covered entities enter into agreements with their business partners to make their records available to the Secretary for inspection as well also violates the warrant requirement of the Fourth Amendment.

Response: We disagree. These requirements are consistent with U.S. Supreme Court cases holding that warrantless administrative searches of commercial property are not per se violations of the Fourth Amendment. The provisions requiring that covered entities provide access to certain material to determine compliance with the regulation come within the well-settled exception regarding closely regulated businesses and industries to the warrant requirement. From state and local licensure laws to the federal fraud and abuse statutes and regulations, the health care industry is one of the most

tightly regulated businesses in the country. Because the industry has such an extensive history of government oversight and involvement, those operating within it have no reasonable expectation of privacy from the government such that a warrant would be required to determine compliance with the rules.

In addition, the cases cited by the commenters concern unannounced searches of the premises and facilities of particular entities. Because our enforcement provisions only provide for the review of books, records, and other information and only during normal business hours with notice, except for exceptional situations, this case law does not apply.

As for business associates, they voluntarily enter into their agreements with covered entities. This agreement, therefore, functions as knowing and voluntary consents to the search (even assuming it could be understood to be a search) and obviates the need for a warrant.

Fifth Amendment

Comment: Several comments asserted that the proposed rules violated the Fifth Amendment because in the commenters’ views they authorized the taking of privacy property without just compensation or due process of law.

Response: We disagree. The rules set forth below do not address the issue of who owns an individual’s medical record. Instead, they address what uses and disclosures of protected health information may be made by covered entities with or without a consent or authorization. As described in response to a similar comment, medical records have been the property of the health care provider or medical facility that created them, historically. In some states, statutes directly provide these entities with ownership. These laws are limited by laws that provide patients or their representatives with access to the records or that provide the patient with an ownership interest in the information within the records. As we discuss, the final rule is consistent with current state law that provides patients access to protected health information, but not ownership of medical records. State laws that provide patients with greater access would remain in effect. Therefore, because patients do not own their records, no taking can occur. As for their interest in the information, the final rule retains their rights. As for covered entities, the final rule does not take away their ownership rights or make their ownership interest in the protected health information worthless. Therefore, no taking has occurred in these situations either.

Ninth and Tenth Amendments

Comment: Several comments asserted that the proposed rules violated the Ninth and Tenth Amendments. One commenter suggested that the Ninth Amendment prohibits long and complicated regulations. Other commenters suggested that the proposed rules authorized the compelled disclosure of individually identifiable health information in violation of State constitutional provisions, such as those in California and Florida. Similarly, a couple of commenters asserted that the privacy rules violate the Tenth Amendment.

Response: We disagree. The Ninth and Tenth Amendments address the rights retained by the people and acknowledge that the States or the people are reserved the powers not delegated to the federal government and not otherwise prohibited by the Constitution. Because HHS is regulating under a delegation of authority from Congress in an area that affects interstate commerce, we are within the powers provided to Congress in the Constitution. Nothing in the Ninth Amendment, or any other provision of the Constitution, restricts the length or complexity of any law. Additionally, we do not believe the rules below impermissibly authorize behavior that violates State constitutions. This rule requires disclosure only to the individual or to the Secretary to enforce this rule. As noted in the preamble discussion of “Preemption,” these rules do not preempt State laws, including constitutional provisions, that are contrary to and more stringent, as defined at § 160.502, than these rules. See the discussion of “Preemption” for further clarification. Therefore, if these State constitutions are contrary to the rule below and provide greater protection, they remain in full force; if they do not, they are preempted, in accordance with the Supremacy Clause of the Constitution.

Right to Privacy

Comment: Several comments suggested that the proposed regulation would violate the right to privacy guaranteed by the First, Fourth, Fifth, and Ninth Amendments because it would permit covered entities to disclose protected health information without the consent of the individual.

Response: These comments did not provide specific facts or legal basis for the claims. We are, thus, unable to provide a substantive response to these particular comments. However, we note that the rule requires disclosures only to the individual or to the Secretary to determine compliance with this rule. Other uses or disclosures under this rule are permissive, not required. Therefore, if a particular use or disclosure under this rule is viewed as interfering with a right that prohibited the use or disclosure, the rule itself is not what requires the use or disclosure.

Void for Vagueness

Comment: One comment suggested that the Secretary’s use of a “reasonableness” standard is unconstitutionally vague. Specifically, this comment objected to the requirement that covered entities use “reasonable” efforts to use or disclose the minimum amount of protected health information, to ensure that business partners comply with the privacy provisions of their contracts, to notify business partners of any amendments or corrections to protected health information, and to verify the identity of individuals requesting information, as well as charge only a “reasonable” fee for inspecting and copying health information. This comment asserted that the Secretary provided “inadequate guidance” as to what qualifies as “reasonable.”

Response: We disagree with the comment’s suggestion that by applying a “reasonableness” standard, the regulation has failed to provide for “fair warning” or “fair enforcement.” The “reasonableness” standard is well-established in law; for example, it is the foundation of the common law of torts. Courts also have consistently held as constitutional statutes that rely upon a “reasonableness” standard. Our reliance upon a “reasonableness” standard, thus, provides covered entities with constitutionally sufficient guidance.

Criminal Intent

Comment: One comment argued that the regulation’s reliance upon a “reasonableness” standard criminalizes “unreasonable efforts” without requiring criminal intent or mens rea.

Response: We reject this suggestion because HIPAA clearly provides the criminal intent requirement. Specifically, HIPAA provides that a “person who knowingly and in violation of this part—(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” HIPAA section 1177 (emphasis added). Subsection (b) also relies on a knowledge standard in

outlining the three levels of criminal sanctions. Thus, Congress, not the Secretary, established the mens rea by including the term “knowingly” in the criminal penalty provisions of HIPAA.

Data Collection

Comment: One commenter suggested that the U.S. Constitution authorized the collection of data on individuals only for the purpose of the census.

Response: While it might be true that the U.S. Constitution expressly discusses the national census, it does not forbid federal agencies from collecting data for other purposes. The ability of agencies to collect non-census data has been upheld by the courts.

Relationship to Other Federal Laws

Comment: We received several comments that sought clarification of the interaction of various federal laws and the privacy regulation. Many of these comments simply listed federal laws and regulations with which the commenter currently must comply. For example, commenters noted that they must comply with regulations relating to safety, public health, and civil rights, including Medicare and Medicaid, the Americans with Disabilities Act, the Family and Medical Leave Act, the Federal Aviation Administration regulations, the Department of Transportation regulations, the Federal Highway Administration regulations, the Occupational Safety and Health Administration regulations, and the Environmental Protection Agency regulations, and alcohol and drug free workplace rules. These commenters suggested that the regulation state clearly and unequivocally that uses or disclosures of protected health information for these purposes were permissible. Some suggested modifying the definition of health care operations to include these uses specifically. Another suggestion was to add a section that permitted the transmission of protected health information to employers when reasonably necessary to comply with federal, state, or municipal laws and regulations, or when necessary for public or employee safety and health.

Response: Although we sympathize with entities’ needs to evaluate the existing laws with which they must comply in light of the requirements of the final regulation, we are unable to respond substantially to comments that do not pose specific questions. We offer, however, the following guidance: if a covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under § 164.512(a) to make these disclosures without a consent or authorization; if, however, a statute or regulation merely suggests a disclosure, the covered entity will need to determine if the disclosure comes within another category of permissible disclosure under §§ 164.510 or 164.512 or, alternatively, if the disclosure would otherwise come within § 164.502. If not, the entity will need to obtain a consent or authorization for the disclosure.

Comment: One commenter sought clarification as to when a disclosure is considered to be “required” by another law versus “permitted” by that law.

Response: We use these terms according to their common usage. By “required by law,” we mean that a covered entity has a legal obligation to disclose the information. For example, if a statute states that a covered entity must report the names of all individuals presenting with gun shot wounds to the emergency room or else be fined $500 for each violation, a covered entity would be required by law to disclose the protected health information necessary to comply with this mandate. The privacy regulation permits this type of disclosure, but does not require it. Therefore, if a covered entity chose not to comply with the reporting statute it would violate only the reporting statute and not the privacy regulation.

On the other hand, if a statute stated that a covered entity may or is permitted to report the names of all individuals presenting with gun shot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a covered entity would not be permitted by § 164.512(a) to disclose the protected health information. Of course, if another permissible provision applied to these facts, the covered entity could make the disclosure under that provision, but it would not be considered to be a disclosure. See discussion under § 164.512(a) below.

Comment: Several commenters suggested that the proposed rule was unnecessarily duplicative of existing regulations for federal programs, such as Medicare, Medicaid, and the Federal Employee Health Benefit Program.

Response: Congress specifically subjected certain federal programs, including Medicare, Medicaid, and the Federal Employee Health Benefit Program to the privacy regulation by including them within the definition of “health plan.” Therefore, covered entities subject to requirements of existing federal programs will also have to comply with the privacy regulation.

Comment: One comment asserts that the regulation would not affect current federal requirements if the current requirements are weaker than the requirements of the privacy regulation. This same commenter suggested that current federal requirements will trump both state law and the proposed regulation, even if Medicaid transactions remain wholly intrastate.

Response: We disagree. As noted in our discussion of “Relationship to Other Federal Laws,” each law or regulation will need to be evaluated individually. We similarly disagree with the second assertion made by the commenter. The final rule will preempt state laws only in specific instances. For a more detailed analysis, see the preamble discussion of “Preemption.”

Administrative Subpoenas

Comment: One comment stated that the final rule should not impose new standards on administrative subpoenas that would conflict with existing laws or administrative or judicial rules that establish standards for issuing subpoenas. Nor should the final rule conflict with established standards for the conduct of administrative, civil, or criminal proceedings, including the rules regarding the discovery of evidence. Other comments sought further restrictions on access to protected health information in this context.

Response: Section 164.512(e) below addresses disclosures for judicial and administrative proceedings. The final rules generally do not interfere with these existing processes to the extent an individual served with a subpoena, court order, or other similar process is able to raise objections already available. See the discussion below under § 164.512(e) for a fuller response.

Americans with Disabilities Act

Comment: Several comments discussed the intersection between the proposed Privacy Rule and the Americans with Disabilities Act (“ADA”) and sections 503 and 504 of the Rehabilitation Act of 1973. One comment suggested that the final rule explicitly allows disclosures authorized by the Americans with Disabilities Act without an individual’s authorization, because this law, in the commenter’s view, provides more than adequate protection for the confidentiality of medical records in the employment context. The comment noted that under these laws employers may receive information related to fitness for duty, pre-employment physicals, routine examinations, return to work examinations, examinations following other types of absences, examinations triggered by specific events, changes in

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00131 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82592 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

circumstances, requests for reasonable accommodations, leave requests, employee wellness programs, and medical monitoring.

Other commenters suggested that the ADA requires the disclosure of protected health information to employers so that the employee may take advantage of the protections of these laws. They suggested that the final rules clarify that employment may be conditioned on obtaining an authorization for disclosure of protected health information for lawful purposes and provide guidance concerning the interaction of the ADA with the final regulation’s requirements. Several commenters wanted clarification that the privacy regulation would not permit employers to request or use protected health information in violation of the ADA.

Response: We disagree with the comment that the final rule should allow disclosures of protected health information authorized by the ADA without the individual’s authorization. We learned from the comments that access to and use of protected health information by employers is of particular concern to many people. With regard to employers, we do not have statutory authority to regulate them. Therefore, it is beyond the scope of this regulation to prohibit employers from requesting or obtaining protected health information. Covered entities may disclose protected health information about individuals who are members of an employer’s workforce with an authorization. Nothing in the privacy regulation prohibits employers from obtaining that authorization as a condition of employment. We note, however, that employers must comply with other laws that govern them, such as nondiscrimination laws. For example, if an employer receives a request for a reasonable accommodation, the employer may require reasonable documentation about the employee’s disability and the functional limitations that require the reasonable accommodation, if the disability and the limitations are not obvious. If the individual provides insufficient documentation and does not provide the missing information in a timely manner after the employer’s subsequent request, the employer may require the individual to go to an appropriate health professional of the employer’s choice. In this situation, if the employee does not authorize the disclosure of information to substantiate the disability and the need for reasonable accommodation, the employer need not provide the accommodation. We agree that this rule does not permit employers to request or use protected health information in violation of the ADA or other antidiscrimination laws.

Appropriations Laws

Comment: One comment suggested that the penalty provisions of HIPAA, if extended to the privacy regulation, would require the Secretary to violate ‘‘Appropriations Laws’’ because the Secretary could be in the position of assessing penalties against her own and other federal agencies in their roles as covered entities. Enforcing penalties on these entities would require the transfer of agency funds to the General Fund.

Response: We disagree. Although we anticipate achieving voluntary compliance and resolving any disputes prior to the actual assessment of penalties, the Department of Justice’s Office of Legal Counsel has determined in similar situations that federal agencies have authority to assess penalties against other federal agencies and that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

Comment: One comment expressed concern that the regulation would place tremendous burdens on providers already struggling with the effects of the Balanced Budget Act of 1997.

Response: We appreciate the costs covered entities face when complying with other statutory and regulatory requirements, such as the Balanced Budget Act of 1997. However, HHS cannot address the impact of the Balanced Budget Act or other statutes in the context of this regulation.

Comment: Another comment stated that the regulation is in direct conflict with the Balanced Budget Act of 1997 (‘‘BBA’’). The comment asserts that the regulation’s compliance date conflicts with the BBA, as well as Generally Acceptable Accounting Principles. According to the comment, covered entities that made capital acquisitions to ensure compliance with the year 2000 (‘‘Y2K’’) problem would not be able to account for the full depreciation of these systems until 2005. Because HIPAA requires compliance before that time, the regulation would force premature obsolescence of this equipment because while it is Y2K compliant, it may be HIPAA non-compliant.

Response: This comment raises two distinct issues—(1) the investment in new equipment and (2) the compliance date. With regard to the first issue, we reject the comment’s assertion that the regulation requires covered entities to purchase new information systems or information technology equipment, but realize that some covered entities may need to update their equipment. We have tried to minimize the costs, while responding appropriately to Congress’ mandate for privacy rules. We have dealt with the cost issues in detail in the ‘‘Regulatory Impact Analysis’’ section of this Preamble. With regard to the second issue, Congress, not the Secretary, established the compliance date at section 1175(b) of the Act.

Civil Rights of Institutionalized Persons Act

Comment: A few comments expressed concern that the privacy regulation would inadvertently hinder the Department of Justice Civil Rights Division’s investigations under the Civil Rights of Institutionalized Persons Act (‘‘CRIPA’’). These comments suggested clearly including civil rights enforcement activities as health care oversight.

Response: We agree with this comment. We do not intend for the privacy rules to hinder CRIPA investigations. Thus, the final rule includes agencies that are authorized by law to ‘‘enforce civil rights laws for which health information is relevant’’ in the definition of ‘‘health oversight agency’’ at § 164.501. Covered entities are permitted to disclose protected health information to health oversight agencies under § 164.512(d) without an authorization. Therefore, we do not believe the final rule should hinder the Department of Justice’s ability to conduct investigations pursuant to its authority in CRIPA.

Clinical Laboratory Improvement Amendments

Comment: One comment expressed concern that the proposed definition of health care operations did not include activities related to the quality control clinical studies performed by laboratories to demonstrate the quality of patient test results. Because the Clinical Laboratory Improvement Amendments of 1988 (‘‘CLIA’’) requires these studies, which the comment asserted require the use of protected health information, the comment suggested including this specific activity in the definition of ‘‘health care operations.’’

Response: We do not intend for the privacy regulation to impede the ability of laboratories to comply with the requirements of CLIA. Quality control activities come within the definition of ‘‘health care operations’’ in § 164.501 because they come within the meaning of the term ‘‘quality assurance activities.’’ To the extent they would not come within health care operations, but


are required by CLIA, the privacy regulation permits clinical laboratories that are regulated by CLIA to comply with mandatory uses and disclosures of protected health information pursuant to § 164.512(a).

Comment: One comment stated that the proposed regulation’s right of access for inspection and copying provisions were contrary to CLIA in that CLIA permits laboratories to disclose lab test results only to ‘‘authorized persons.’’ This comment suggested that the final rule include language adopting this restriction to ensure that patients not obtain laboratory test results before the appropriate health care provider has reviewed and explained those results to the patients.

A similar comment stated that the lack of preemption of state laws could create problems for clinical laboratories under CLIA. Specifically, this comment noted that CLIA permits clinical laboratories to perform tests only upon the written or electronic request of, and to provide the results to, an ‘‘authorized person.’’ State laws define who is an ‘‘authorized person.’’ The comment expressed concern as to whether the regulation would preempt state laws that only permit physicians to receive test results.

Response: We agree that CLIA controls in these cases. Therefore, we have amended the right of access, § 164.524(a), so that a covered entity that is subject to CLIA does not have to provide access to the individual to the extent such access would be prohibited by law. Because of this change, we believe the preemption concern is moot.

Controlled Substance Act

Comment: One comment expressed concern that the privacy regulation as proposed would restrict the Drug Enforcement Agency’s (‘‘the DEA’’) enforcement of the Controlled Substances Act (‘‘CSA’’). The comment suggested including enforcement activities in the definition of ‘‘health oversight agency.’’

Response: In our view, the privacy regulation should not impede the DEA’s ability to enforce the CSA. First, to the extent the CSA requires disclosures to the DEA, these disclosures would be permissible under § 164.512(a). Second, some of the DEA’s CSA activities come within the exception for health oversight agencies which permits disclosures to health oversight agencies for:

Activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections * * * civil, administrative, or criminal proceedings or actions; and other activity necessary for appropriate oversight of the health care system.

Therefore, to the extent the DEA is enforcing the CSA, disclosures to it in its capacity as a health oversight agency are permissible under § 164.512(d). Alternatively, CSA required disclosures to the DEA for law enforcement purposes are permitted under § 164.512(f). When acting as a law enforcement agency under the CSA, the DEA may obtain the information pursuant to § 164.512(f). Thus, we do not agree that the privacy regulation will impede the DEA’s enforcement of the CSA. See the preamble discussion of § 164.512 for further explanation.

Comment: One commenter suggested clarifying the provisions allowing disclosures that are ‘‘required by law’’ to ensure that the mandatory reporting requirements the CSA imposes on covered entities, including making available reports, inventories, and records of transactions, are not preempted by the regulation.

Response: We agree that the privacy regulation does not alter covered entities’ obligations under the CSA. Because the CSA requires covered entities manufacturing, distributing, and/or dispensing controlled substances to maintain and provide to the DEA specific records and reports, the privacy regulation permits these disclosures under § 164.512(a). In addition, when the DEA seeks documents to determine an entity’s compliance with the CSA, such disclosures are permitted under § 164.512(d).

Comment: The same commenter expressed concern that the proposed privacy regulation inappropriately limits voluntary reporting and would prevent or deter employees of covered entities from providing the DEA with information about violations of the CSA.

Response: We agree with the general concerns expressed in this comment. We do not believe the privacy rules will limit voluntary reporting of violations of the CSA. The CSA requires certain entities to maintain several types of records that may include protected health information. Although reports that include protected health information may be restricted under these rules, reporting the fact that an entity is not maintaining proper reports is not. If it were necessary to obtain protected health information during the investigatory stages following such a voluntary report, the DEA would be able to obtain the information in other ways, such as by following the administrative procedures outlined in § 164.512(e).

We also agree that employees of covered entities who report violations of the CSA should not be subjected to retaliation by their employers. Under § 164.502(j), we specifically state that a covered entity is not considered to have violated the regulation if a workforce member or business associate in good faith reports violations of laws or professional standards by covered entities to appropriate authorities. See discussion of § 164.502(j) below.

Department of Transportation

Comment: Several commenters stated that the Secretary should recognize in the preamble that it is permissible for employers to condition employment on an individual’s delivering a consent to certain medical tests and/or examinations, such as drug-free workplace programs and Department of Transportation (‘‘DOT’’)-required physical examinations. These comments also suggested that employers should be able to receive certain information, such as pass/fail test and examination results, fitness-to-work assessments, and other legally required or permissible physical assessments without obtaining an authorization. To achieve this goal, these comments suggested defining ‘‘health information’’ to exclude information such as information about how much weight a specific employee can lift.

Response: We reject the suggestion to define ‘‘health information,’’ which Congress defined in HIPAA, so that it excludes individually identifiable health information that may be relevant to employers for these types of examinations and programs. We do not regulate employers. Nothing in the rules prohibits employers from conditioning employment on an individual signing the appropriate consent or authorization. By the same token, however, the rules below do not relieve employers from their obligations under the ADA and other laws that restrict the disclosure of individually identifiable health information.

Comment: One commenter asserted that the proposed regulation conflicts with the DOT guidelines regarding positive alcohol and drug tests that require the employer be notified in writing of the results. This document contains protected health information. In addition, the treatment center records must be provided to the Substance Abuse Professional (‘‘SAP’’) and the employer must receive a report from the SAP with random drug testing recommendations.

Response: It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions or individuals being transferred to such positions.


Employers, pursuant to DOT regulations, may condition an employee’s employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers.

Developmental Disabilities Act

Comment: One commenter urged HHS to ensure that the regulation would not impede access to individually identifiable health information by entities that are part of the Protection and Advocacy System to investigate abuse and neglect as authorized by the Developmental Disabilities Bill of Rights Act.

Response: The Developmental Disabilities Assistance and Bill of Rights Act of 2000 (‘‘DD Act’’) mandates specific disclosures of individually identifiable health information to Protection and Advocacy systems designated by the chief elected official of the states and Territories. Therefore, covered entities may make these disclosures under § 164.512(a) without first obtaining an individual’s authorization, except in those circumstances in which the DD Act requires the individual’s authorization. Therefore, the rules below will not impede the functioning of the existing Protection and Advocacy System.

Employee Retirement Income Security Act of 1974

Comment: Several commenters objected to the fact that the NPRM did not clarify the scope of preemption of state laws under the Employee Retirement Income Security Act of 1974 (ERISA). These commenters asserted that the final rule must state that ERISA preempts all state laws (including those relating to the privacy of individually identifiable health information) so that multistate employers could continue to administer their group health plans using a single set of rules. In contrast, other commenters criticized the Department for its analysis of the current principles governing ERISA preemption of state law, pointing out that the Department has no authority to interpret ERISA.

Response: This Department has no authority to issue regulations under ERISA as requested by some of these commenters, so the rule below does not contain the statement requested. See the discussion of this point under ‘‘Preemption’’ above.

Comment: One commenter requested that the final rule clarify that section 264(c)(2) of HIPAA does not save state laws that would otherwise be preempted by the Federal Employees Health Benefits Program. The commenter noted that in the NPRM this statement was made with respect to Medicare and ERISA, but not the law governing the FEHBP.

Response: We agree with this comment. The preemption analysis set out above with respect to ERISA applies equally to the Federal Employees Health Benefit Program.

Comment: One commenter noted that the final rule should clarify the interplay between state law, the preemption standards in Subtitle A of Title I of HIPAA (Health Care Access, Portability and Renewability), and the preemption standards in the privacy requirements in Subtitle F of Title II of HIPAA (Administrative Simplification).

Response: The NPRM described only the preemption standards that apply with respect to the statutory provisions of HIPAA that were implemented by the proposed rule. We agree that the preemption standards in Subtitle A of Title I of HIPAA are different. Congress expressly provided that the preemption provisions of Title I apply only to Part 7, which addresses portability, access, and renewability requirements for Group Health Plans. To the extent state laws contain provisions regarding portability, access, or renewability, as well as privacy requirements, a covered entity will need to evaluate the privacy provisions under the Title II preemption provisions, as explained in the preemption provisions of the rules, and the other provisions under the Title I preemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

Comment: Several comments stated that the privacy regulation should be consistent with the European Union’s Directive on Data Protection. Others sought guidance as to how to comply with both the E.U. Directive on Data Protection and the U.S. Safe Harbor Privacy Principles.

Response: We appreciate the need for covered entities obtaining personal data from the European Union to understand how the privacy regulation intersects with the Data Protection Directive. We have provided guidance as to this interaction in the ‘‘Other Federal Laws’’ provisions of the preamble.

Comment: A few comments expressed concern that the proposed definition of ‘‘individual’’ excluded foreign military and diplomatic personnel and their dependents, as well as overseas foreign national beneficiaries. They noted that the distinctions are based on nationality and are inconsistent with the stance of the E.U. Directive on Data Protection and the Department of Commerce’s assurances to the European Commission.

Response: We agree with the general principle that privacy protections should protect every person, regardless of nationality. As noted in the discussion of the definition of ‘‘individual,’’ the final regulation’s definition does not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries from the definition of individual. As described in the discussion of § 164.512 below, the final rule applies to foreign diplomatic personnel and their dependents like all other individuals. Foreign military personnel receive the same treatment under the final rule as U.S. military personnel do, as discussed with regard to § 164.512 below. Overseas foreign national beneficiaries, to the extent they receive care from the Department of Defense or a source acting on behalf of the Department of Defense, remain generally excluded from the final rules’ protections. For a more detailed explanation, see § 164.500.

Fair Credit Reporting Act

Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act (‘‘FCRA’’) from the requirements of the privacy regulation. These commenters noted that the protections in the privacy regulation duplicate those in the FCRA.

Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA’s focus is not the same as our Congressional mandate to protect individually identifiable health information.

To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of §§ 164.501 and 164.502 below.

We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of ‘‘consumer reporting agencies.’’ As such, these entities are subject to the FCRA. As described in the preamble to § 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the


purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA.

Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation’s requirements applied to information disclosed to consumer reporting agencies.

Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under § 164.512(a). See also discussion under the definition of ‘‘payment’’ below.

Fair Debt Collection and Practices Act

Comment: Several comments expressed concern that health plans and health care providers be able to continue using debt collectors in compliance with the Fair Debt Collections Practices Act and related laws.

Response: In our view, health plans and health care providers will be able to continue using debt collectors. Using the services of a debt collector to obtain payment for the provision of health care comes within the definition of ‘‘payment’’ and is permitted under the regulation. Thus, so long as the use of debt collectors is consistent with the regulatory requirements (such as, providers obtain the proper consents, the disclosure is of the minimum amount of information necessary to collect the debt, the provider or health plan enters into a business associate agreement with the debt collector, etc.), relying upon debt collectors to obtain reimbursement for the provision of health care would not be prohibited by the regulation.

Family Medical Leave Act

Comment: One comment suggested that the proposed regulation adversely affects the ability of an employer to determine an employee’s entitlement to leave under the Family Medical Leave Act (‘‘FMLA’’) by affecting the employer’s right to receive medical certification of the need for leave, additional certifications, and fitness for duty certification at the end of the leave. The commenter sought clarification as to whether a provider could disclose information to an employer without first obtaining an individual’s consent or authorization. Another commenter suggested that the final rule explicitly exclude from the rule disclosures authorized by the FMLA, because, in the commenter’s view, it provides more than adequate protection for the confidentiality of medical records in the employment context.

Response: We disagree that the FMLA provides adequate privacy protections for individually identifiable health information. As we understand the FMLA, the need for employers to obtain protected health information under the statute is analogous to the employer’s need for protected health information under the ADA. In both situations, employers may need protected health information to fulfill their obligations under these statutes, but neither statute requires covered entities to provide the information directly to the employer. Thus, covered entities in these circumstances will need an individual’s authorization before the disclosure is made to the employer.

Federal Common Law

Comment: One commenter did not want the privacy rules to interfere with the federal common law governing collective bargaining agreements permitting employers to insist on the cooperation of employees with medical fitness evaluations.

Response: We do not seek to interfere with legal medical fitness evaluations. These rules require a covered entity to have an individual’s authorization before the information resulting from such evaluations is disclosed to the employer unless another provision of the rule applies. We do not prohibit employers from conditioning employment, accommodations, or other benefits, when legally permitted to do so, upon the individual/employee providing an authorization that would permit the disclosure of protected health information to employers by covered entities. See § 164.508(b)(4) below.

Federal Educational Rights and Privacy Act

Comment: A few commenters supported the exclusion of ‘‘education records’’ from the definition of ‘‘protected health information.’’ However, one commenter requested that ‘‘treatment records’’ of students who are 18 years or older attending post-secondary education institutions be excluded from the definition of ‘‘protected health information’’ as well to avoid confusion.

Response: We agree with these commenters. See ‘‘Relationship to Other Federal Laws’’ for a description of our exclusion of FERPA ‘‘education records’’ and records defined at 20 U.S.C. 1232g(a)(4)(B)(iv), commonly referred to as ‘‘treatment records,’’ from the definition of ‘‘protected health information.’’

Comment: One comment suggested that the regulation should not apply to any health information that is part of an ‘‘education record’’ in any educational agency or institution, regardless of its FERPA status.

Response: We disagree. As noted in our discussion of ‘‘Relationship of Other Federal Laws,’’ we exclude education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA.

Comment: One commenter suggested eliminating the preamble language that describes school nurses and on-site clinics as acting as providers and subject to the privacy regulation, noting that this language is confusing and inconsistent with the statements provided in the preamble explicitly stating that HIPAA does not preempt FERPA.

Response: We agree that this language may have been confusing. We have provided a clearer expression of when schools may be required to comply with the privacy regulation in the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Comment: One commenter suggested adding a discussion of FERPA to the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Response: We agree and have added FERPA to the list of federal laws discussed in the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Comment: One commenter stated that school clinics should not have to comply with the ‘‘ancillary’’ administrative requirements, such as designating a privacy official, maintaining documentation of their policies and procedures, and providing the Secretary of HHS with access.

Response: We disagree. Because we have excluded education records and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by educational agencies and institutions subject to FERPA from the definition of protected health information, only non-FERPA schools would be subject to the administrative requirements. Most of these school clinics will also not be covered entities because they are not engaged in HIPAA transactions, and these administrative requirements will not apply to them. However, to the extent a school clinic is within the definition of a health care provider, as Congress defined the term, and the school clinic is engaged in HIPAA transactions, it will be a covered entity and must comply with the rules below.


Comment: Several commenters expressed concern that the privacy regulation would eliminate the parents’ ability to have access to information in their children’s school health records. Because the proposed regulation suggests that school-based clinics keep health records separate from other educational files, these comments argued that the regulation is contrary to the spirit of FERPA, which provides parents with access rights to their children’s educational files.

Response: As noted in the ‘‘Relationship to Other Federal Laws’’ provision of the preamble, to the extent information in school-based clinics is not protected health information because it is an education record, the FERPA access requirements apply and this regulation does not. For more detail regarding the rule’s application to unemancipated minors, see the preamble discussion about ‘‘Personal Representatives.’’

Federal Employees Compensation Act

Comment: One comment noted that the Federal Employees Compensation Act (‘‘FECA’’) requires claimants to sign a release form when they file a claim. This commenter suggested that the privacy regulation should not place additional restrictions on this type of release form.

Response: We agree. In the final rule, we have added a new provision, § 164.512(l), that permits covered entities to make disclosures authorized under workers’ compensation and similar laws. This provision would permit covered entities to make disclosures authorized under FECA and not require a different release form.

Federal Employees Health Benefits Program

Comment: A few comments expressed concern about the preemption effect on FEHBP and wanted clarification that the

Response: We disagree. Congress placed enforcement with the Secretary. See section 1176 of the Act.

Federal Rules of Civil Procedure

Comment: A few comments suggested revising proposed § 164.510(d) so that it is consistent with the existing discovery procedure under the Federal Rules of Civil Procedure or local rules.

Response: We disagree that the rules regarding disclosures and uses of protected health information for judicial and administrative procedures should provide only those protections that exist under existing discovery rules. Although the current process may be appropriate for other documents and information requested during the discovery process, the current system, as exemplified by the Federal Rules of Civil Procedure, does not provide sufficient protection for protected health information. Under current discovery rules, private attorneys, government officials, and others who develop such requests make the initial determinations as to what information or documentation should be disclosed. Independent third-party review, such as that by a court, only becomes necessary if a person of whom the request is made refuses to provide the information. If this happens, the person seeking discovery must obtain a court order or move to compel discovery. In our view this system does not provide sufficient protections to ensure that unnecessary and unwarranted disclosures of protected health information do not occur. For a related discussion, see the preamble regarding ‘‘Disclosures for Judicial and Administrative Proceedings’’ under § 164.512(e).

Federal Rules of Evidence

Comment: Many comments requested clarification that the privacy regulation does not conflict or interfere with the federal or state privileges. In particular, one of these comments suggested that

Comment: Other comments applauded the Secretary’s references to Jaffee v. Redmond, 518 U.S. 1 (1996), which recognized a psychotherapist-patient privilege, and asked the Secretary to incorporate expressly this privilege into the final regulation.

Response: We agree that the psychotherapist-patient relationship is an important one that deserves protection. However, it is beyond the scope of our mandate to create specific evidentiary privileges. It is also unnecessary because the United States Supreme Court has adopted this privilege.

Comment: A few comments discussed whether one remedy for violating the privacy regulation should be to exclude or suppress evidence obtained in violation of the regulation. One comment supported using this penalty, while another opposed it.

Response: We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts.

Federal Tort Claims Act

Comment: One comment contended that the proposed regulation’s requirement mandating covered entities to name the subjects of protected health information disclosed under a business partner contract as third party intended beneficiaries under the contract would have created an impermissible right of action against the government under the Federal Tort Claims Act (‘‘FTCA’’).

Response: Because we have deleted the third party beneficiary provisions from the final rules, this comment is moot.

Comment: Another comment suggested the regulation would hamper the ability of federal agencies to disclose protected health information to their attorneys, the Department of Justice, during the initial stages of the claims
privacy regulation does not alter the the final regulation provide that brought under the FTCA.
existing preemptive scope of the disclosures for a purpose recognized by Response: We disagree. The
program. the regulation not constitute a waiver of regulation applies only to federal
Response: We do not intend to affect federal or state privileges. agencies that are covered entities. To the
the preemptive scope of the FEHBP. The Response: We do not intend for the extent an agency is not a covered entity,
Federal Employee Health Benefit Act of privacy regulation to interfere with it is not subject to the regulation; to the
1998 preempts any state law that federal or state rules of evidence that extent an agency is a covered entity, it
‘‘relates to’’ health insurance or plans. 5 create privileges. Consistent with The must comply with the regulation. A
U.S.C. 8902(m). The final rule does not Uniform Health-Care Information Act covered entity that is a federal agency
attempt to alter the preemptive scope drafted by the National Conference of may disclose relevant information to its
Congress has provided to the FEHBP. Commissioners on Uniform State Laws, attorneys, who are business associates,
Comment: One comment suggested we do not view a consent or an for purposes of health care operations,
that in the context of FEHBP HHS authorization to function as a waiver of which includes uses or disclosures for
should place the enforcement federal or state privileges. For further legal functions. See § 164.501
responsibilities of the privacy regulation discussion of the effect of consent or (definitions of ‘‘business associate’’ and
with Office of Personnel Management, authorization on federal or state ‘‘health care operations’’). The final rule
as the agency responsible for privileges, see preamble discussions in provides specific provisions describing
administering the program. §§ 164.506 and 164.508. how federal agencies may provide

adequate assurances for these types of disclosures of protected health information. See § 164.504(e)(3).

Food and Drug Administration

Comment: A few comments expressed concerns about the use of protected health information for reporting activities to the Food and Drug Administration (“FDA”). Their concern focused on the ability to obtain or disclose protected health information for pre- and post-marketing adverse event reports, device tracking, and post-marketing safety and efficacy evaluation.

Response: We agree with this comment and have provided that covered entities may disclose protected health information to persons subject to the jurisdiction of the FDA, to comply with the requirements of, or at the direction of, the FDA with regard to reporting adverse events (or similar reports with respect to dietary supplements), the tracking of medical devices, other post-marketing surveillance, or other similar requirements described at § 164.512(b).

Foreign Standards

Comment: One comment asked how the regulation could be enforced against foreign countries (or presumably entities in foreign countries) that solicit medical records from entities in the United States.

Response: We do not regulate solicitations of information. To the extent a covered entity wants to comply with a request for disclosure of protected health information to foreign countries or entities within foreign countries, it will need to comply with the privacy rules before making the disclosure. If the covered entity fails to comply with the rules, it will be subject to enforcement proceedings.

Freedom of Information Act

Comment: One comment asserted that the proposed privacy regulation conflicts with the Freedom of Information Act (“FOIA”). The comment argued that the proposed restriction on disclosures by agencies would not come within one of the permissible exemptions to the FOIA. In addition, the comment noted that only in exceptional circumstances would the protected health information of deceased individuals come within an exemption because, for the most part, death extinguishes an individual’s right to privacy.

Response: Section 164.512(a) below permits covered entities to disclose protected health information when such disclosures are required by other laws as long as they follow the requirements of those laws. Therefore, the privacy regulation will not interfere with the ability of federal agencies to comply with FOIA, when it requires the disclosure.

We disagree, however, that most protected health information will not come within Exemption 6 of FOIA. See the discussion above under “Relationship to Other Federal Laws” for our review of FOIA. Moreover, we disagree with the comment’s assertion that the protected health information of deceased individuals does not come within Exemption 6. Courts have recognized that a deceased individual’s surviving relatives may have a privacy interest that federal agencies may consider when balancing privacy interests against the public interest in disclosure of the requested information. Federal agencies will need to consider not only the privacy interests of the subject of the protected health information in the record requested, but also, when appropriate, those of a deceased individual’s family consistent with judicial rulings.

If an agency receives a FOIA request for the disclosure of protected health information of a deceased individual, it will need to determine whether or not the disclosure comes within Exemption 6. This evaluation must be consistent with the court’s rulings in this area. If the exemption applies, the federal agency will not have to release the information. If the federal agency determines that the exemption does not apply, it may release it under § 164.512(a) of this regulation.

Comment: One commenter expressed concern that our proposal to protect the individually identifiable health information about the deceased for two years following death would impede public interest reporting and would be at odds with many state Freedom of Information laws that make death records and autopsy reports public information. The commenter suggested permitting medical information to be available upon the death of an individual or, at the very least, that an appeals process be permitted so that health information trustees would be allowed to balance the interests in privacy and in public disclosure and release or not release the information accordingly.

Response: These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under § 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose it without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule.

If another law does not require the disclosure of death records and autopsy reports generated and maintained by a covered entity, which are protected health information, covered entities are not allowed to disclose such information except as permitted or required by the final rule, even if another entity discloses them.

Comment: One comment sought clarification of the relationship between the Freedom of Information Act, the Privacy Act, and the privacy rules.

Response: We have provided this analysis in the “Relationship to Other Federal Laws” section of the preamble in our discussion of the Freedom of Information Act.

Gramm-Leach-Bliley

Comment: One commenter noted that the Financial Services Modernization Act, also known as Gramm-Leach-Bliley (“GLB”), requires financial institutions to provide detailed privacy notices to individuals. The commenter suggested that the privacy regulation should not require financial institutions to provide additional notice.

Response: We disagree. To the extent a covered entity is required to comply with the notice requirements of GLB and those of our rules, the covered entity must comply with both. We will work with the FTC and other agencies implementing GLB to avoid unnecessary duplication. For a more detailed discussion of GLB and the privacy rules, see the “Relationship to Other Federal Laws” section of the preamble.

Comment: A few commenters asked that the Department clarify that financial institutions, such as banks, that serve as payors are covered entities. The comments explained that with the enactment of the Gramm-Leach-Bliley Act, banks are able to form holding companies that will include insurance companies (that may be covered entities). They recommended that banks be held to the rule’s requirements and be required to obtain authorization to conduct non-payment activities, such as for the marketing of health and non-health items and services or the use and disclosure to non-health related divisions of the covered entity.
Response: These comments did not provide specific facts that would permit us to provide a substantive response. An organization will need to determine whether it comes within the definition of “covered entity.” An organization may also need to consider whether or not it contains a health care component. Organizations that are uncertain about the application of the regulation to them will need to evaluate their specific facts in light of this rule.

Inspector General Act

Comment: One comment requested the Secretary to clarify in the preamble that the privacy regulation does not preempt the Inspector General Act.

Response: We agree that to the extent the Inspector General Act requires uses or disclosures of protected health information, the privacy regulation does not preempt it. The final rule provides that to the extent required under section 201(a)(5) of the Act, nothing in this subchapter should be construed to diminish the authority of any Inspector General, including the authority provided in the Inspector General Act of 1978. See discussion of § 160.102 above.

Medicare and Medicaid

Comment: One comment suggested possible inconsistencies between the regulation and Medicare/Medicaid requirements, such as those under the Quality Improvement System for Managed Care. This commenter asked that HHS expand the definition of health care operations to include health promotion activities and avoid potential conflicts.

Response: We disagree that the privacy regulation would prohibit managed care plans operating in the Medicare or Medicaid programs from fulfilling their statutory obligations. To the extent a covered entity is required by law to use or disclose protected health information in a particular manner, the covered entity may make such a use or disclosure under § 164.512(a). Additionally, quality assessment and improvement activities come within the definition of “health care operations.” Therefore, the specific example provided by the commenter would seem to be a permissible use or disclosure under § 164.502, even if it were not a use or disclosure “required by law.”

Comment: One commenter stated that Medicare should not be able to require the disclosure of psychotherapy notes because it would destroy a practitioner’s ability to treat patients effectively.

Response: If Title XVIII of the Social Security Act requires the disclosure of psychotherapy notes, the final rule permits, but does not require, a covered entity to make such a disclosure under § 164.512(a). If, however, the Social Security Act does not require such disclosures, Medicare does not have the discretion to require the disclosure of psychotherapy notes as a public policy matter because the final rule provides that covered entities, with limited exceptions, must obtain an individual’s authorization before disclosing psychotherapy notes. See § 164.508(a)(2).

National Labor Relations Act

Comment: A few comments expressed concern that the regulation did not address the obligation of covered entities to disclose protected health information to collective bargaining representatives under the National Labor Relations Act.

Response: The final rule does not prohibit disclosures that covered entities must make pursuant to other laws. To the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may do so without an authorization. Also, the definition of “health care operations” at § 164.501 permits disclosures to employee representatives for purposes of grievance resolution.

Organ Donation

Comment: One commenter expressed concern about the potential impact of the regulation on the organ donation program under 42 CFR part 482.

Response: In the final rule, we add provisions allowing the use or disclosure of protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h).

Privacy Act Comments

Comment: One comment suggested that the final rule unambiguously permit the continued operation of the statutorily established or authorized discretionary routine uses permitted under the Privacy Act for both law enforcement and health oversight.

Response: We disagree. See the discussion of the Privacy Act in “Relationship to Other Federal Laws” above.

Public Health Services Act

Comment: One comment suggested that the Public Health Service Act places more stringent rules regarding the disclosure of information on Federally Qualified Health Centers than the proposed privacy regulation suggested. Therefore, the commenter suggested that the final rule exempt Federally Qualified Health Centers from the rule’s requirements.

Response: We disagree. Congress expressly included Federally Qualified Health Centers, a provider of medical or other health services under the Social Security Act section 1861(s), within its definition of health care provider in section 1171 of the Act; therefore, we cannot exclude them from the regulation.

Comment: One commenter noted that no conflicts existed between the proposed rule and the Public Health Services Act.

Response: As we discuss in the “Relationship to Other Federal Laws” section of the preamble, the Public Health Service Act contains explicit confidentiality requirements that are so general as not to create problems of inconsistency. We recognized, however, that in some cases, that law or its accompanying regulations may contain greater restrictions. In those situations, a covered entity’s ability to make what are permissive disclosures under this privacy regulation would be limited by those laws.

Reporting Requirement

Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements.

Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under § 164.512(a). The notice provisions at § 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered
entity is permitted or required by the rules to use or disclose protected health information without an individual’s written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to § 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity “will disclose your protected health information to comply with legal requirements” should suffice.

Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies.

Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under § 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in § 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures.

Security Standards

Comment: One comment called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the security standards should be compatible with the existing and emerging health care and information technology industry standards.

Response: We agree that the security standards and the privacy rules should be compatible with one another and are working to ensure that the final rules in both areas function together. Because we are addressing comments regarding the privacy rules in this preamble, we will consider the comment about the security standard as we finalize that set of rules.

Substance Abuse Confidentiality Statute and Regulations

Comment: Several commenters noted that many health care providers are bound by the federal restrictions governing alcohol and drug abuse records. One commenter noted that the NPRM differed substantially from the substance abuse regulations and would have caused a host of practical problems for covered entities. Another commenter, however, supported the NPRM’s analysis that stated that more stringent provisions of the substance abuse provisions would apply. This commenter suggested an even stronger approach of including in the text a provision that would preserve existing federal law. Yet, one comment suggested that the regulation as proposed would confuse providers by making it difficult to determine when they may disclose information to law enforcement because the privacy regulation would permit disclosures that the substance abuse regulations would not.

Response: We appreciate the need of some covered entities to evaluate the privacy rules in light of federal requirements regarding alcohol and drug abuse records. Therefore, we provide a more detailed analysis in the “Relationship to Other Federal Laws” section of the preamble.

Comment: Some of these commenters also noted that state laws contain strict confidentiality requirements. A few commenters suggested that HHS reassess the regulations to avoid inconsistencies with state privacy requirements, implying that problems exist because of conflicts between the federal and state laws regarding the confidentiality of substance abuse information.

Response: As noted in the preamble section discussing preemption, the final rules do not preempt state laws that provide more privacy protections. For a more detailed analysis of the relationship between state law and the privacy rules, see the “Preemption” provisions of the preamble.

Tribal Law

Comment: One commenter suggested that the consultation process with tribal governments described in the NPRM was inadequate under Executive Order No. 13084. In addition, the commenter expressed concern that the disclosures for research purposes as permitted by the NPRM would conflict with a number of tribal laws that offer individuals greater privacy rights with respect to research and reflect cultural appropriateness. In particular, the commenter referenced the Health Research Code for the Navajo Nation, which creates an entity with broader authority over research conducted on the Navajo Nation than the local IRB and requires informed consent by study participants. Other laws mentioned by the commenter included the Navajo Nation Privacy and Access to Information Act and a similar policy applicable to all health care providers within the Navajo Nation. The commenter expressed concern that the proposed regulation research provisions would override these tribal laws.

Response: We disagree with the comment that the consultation with tribal governments undertaken prior to the proposed regulation is inadequate under Executive Order No. 13084. As stated in the proposed regulation, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as others, about the proposals and the application of HIPAA to the Tribes, and the potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. In addition, Indian and tribal governments had the opportunity to, and did, submit substantive comments on the proposed rules.

Additionally, disclosures permitted by this regulation do not conflict with the policies as described by this commenter. Disclosures for research purposes under the final rule, as in the proposed regulation, are permissive disclosures only. The rule describes the outer boundaries of permissible disclosures. A covered health care provider that is subject to the tribal laws of the Navajo Nation must continue to comply with those tribal laws. If the tribal laws impose more stringent privacy standards on disclosures for research, such as requiring informed consent in all cases, nothing in the final rule would preclude compliance with those more stringent privacy standards. The final rule does not interfere with the internal governance of the Navajo Nation or otherwise adversely affect the policy choices of the tribal government with respect to the cultural appropriateness of research conducted in the Navajo Nation.

TRICARE

Comment: One comment expressed concern regarding the application of the “minimum necessary” standard to investigations of health care providers under the TRICARE (formerly the CHAMPUS) program. The comment also expressed concern that health care providers would be able to avoid providing their records to such investigators because the proposed § 164.510 exceptions were not mandatory disclosures.

Response: In our view, neither the minimum necessary standard nor the final §§ 164.510 and 164.512 permissive disclosures will impede such investigations. The regulation requires covered entities to make all reasonable efforts not to disclose more than the minimum amount of protected health
information necessary to accomplish the intended purpose of the use or disclosure. This requirement, however, does not apply to uses or disclosures that are required by law. See § 164.502(b)(2)(iv). Thus, if the disclosure to the investigators is required by law, the minimum necessary standard will not apply. Additionally, the final rule provides that covered entities may rely, if such reliance is reasonable, on assertions from public officials about what information is reasonably necessary for the purpose for which it is being sought. See § 164.514(d)(3)(iii).

We disagree with the assertion that providers will be able to avoid providing their records to investigators. Nothing in this rule permits covered entities to avoid disclosures required by other laws.

Veterans Affairs

Comment: One comment sought clarification about how disclosures of protected health information would occur within the Veterans Affairs programs for veterans and their dependents.

Response: We appreciate the commenter’s request for clarification as to how the rules will affect disclosures of protected health information in the specific context of Veterans Affairs programs. Veterans health care programs under 38 U.S.C. chapter 17 are defined as “health plans.” Without sufficient details as to the particular aspects of the Veterans Affairs programs that this comment views as problematic, we cannot comment substantively on this concern.

Comment: One comment suggested that the final regulation clarify that the analysis applied to the substance abuse regulations applies to laws governing Veterans Affairs health records.

Response: Although we realize some difference may exist between the laws, we believe the discussion of federal substance abuse confidentiality regulations in the “Relationship to Other Federal Laws” preamble provides guidance that may be applied to the laws governing Veterans Affairs (“VA”) health records. In most cases, a conflict will not exist between these privacy rules and the VA programs. For example, some disclosures allowed without patient consent or authorization under the privacy regulation may not be within the VA statutory list of permissible disclosures without a written consent. In such circumstances, the covered entity would have to abide by the VA statute, and no conflict exists. If the disclosures permitted by the VA statute come within the permissible disclosures of our rules, no conflict exists. In some cases, our rules may demand additional requirements, such as obtaining the approval of a privacy board or Institutional Review Board if a covered entity seeks to disclose protected health information for research purposes without the individual’s authorization. A covered entity subject to the VA statute will need to ensure that it meets the requirements of both that statute and the regulation below. If a conflict arises, the covered entity should evaluate the specific potential conflicting provisions under the implied repeal analysis set forth in the “Relationship to Other Federal Laws” discussion in the preamble.

WIC

Comment: One comment called on other federal agencies to examine their regulations and policies regarding the use and disclosure of protected health information. The comment suggested that other agencies revise their regulations and policies to avoid duplicative, contradictory, or more stringent requirements. The comment noted that the U.S. Department of Agriculture’s Special Supplemental Nutrition Program for Women, Infants, and Children (“WIC”) does not release WIC data. Because the commenter believed the regulation would not prohibit the disclosure of WIC data, the comment stated that the Department of Agriculture should now release such information.

Response: We support other federal agencies to whom the rules apply in their efforts to review existing regulations and policies regarding protected health information. However, we do not agree with the suggestion that other federal agencies that are not covered entities must reduce the protections or access-related rights they provide for individually identifiable health information they hold.

Part 160, Subpart C—Compliance and Enforcement

Section 160.306(a)—Who Can File Complaints With the Secretary

Comment: The proposed rule limited those who could file a complaint with the Secretary to individuals. A number of commenters suggested that other persons with knowledge of a possible violation should also be able to file complaints. Examples that were provided included a mental health care provider with first-hand knowledge of a health plan improperly requiring disclosure of psychotherapy notes and an occupational health nurse with knowledge that her human resources manager is improperly reviewing medical records. A few comments raised the concern that permitting any person to file a complaint lends itself to abuse and is not necessary to ensure privacy rights and that the complainant should be a person for whom there is a duty to protect health information.

Response: As discussed below, the rule defines “individual” as the person who is the subject of the individually identifiable health information. However, the covered entity may allow other persons, such as personal representatives, to exercise the rights of the individual under certain circumstances, e.g., for a deceased individual. We agree with the commenters that any person may become aware of conduct by a covered entity that is in violation of the rule. Such persons could include the covered entity’s employees, business associates, patients, or accrediting, health oversight, or advocacy agencies or organizations. Many persons, such as the covered entity’s employees, may, in fact, be in a better position than the “individual” to know that a violation has occurred. Another example is a state Protection and Advocacy group that may represent persons with developmental disabilities. We have decided to allow complaints from any person. The term “person” is not restricted here to human beings or natural persons, but also includes any type of association, group, or organization.

Allowing such persons to file complaints may be the only way the Secretary may learn of certain possible violations. Moreover, individuals who are the subject of the information may not be willing to file a complaint because of fear of embarrassment or retaliation. Based on our experience with various civil rights laws, such as Title VI of the Civil Rights Act of 1964 and Title II of the Americans with Disabilities Act, that allow any person to file a complaint with the Secretary, we do not believe that this practice will result in abuse. Finally, upholding privacy protections benefits all persons who have or may be served by the covered entity as well as the general public, and not only the subject of the information.

If a complaint is received from someone who is not the subject of protected health information, the person who is the subject of this information may be concerned with the Secretary’s investigation of this complaint. While we did not receive comments on this issue, we want to protect the privacy rights of this individual. This might
VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00140 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82601

involve the Secretary seeking to contact the individual to provide information as to how the Secretary will address individual’s privacy concerns while resolving the complaint. Contacting all individuals may not be practicable in the case of allegations of systemic violations (e.g., where the allegation is that hundreds of medical records were wrongfully disclosed).

Requiring That a Complainant Exhaust the Covered Entity’s Internal Complaint Process Prior to Filing a Complaint With the Secretary

Comment: A number of commenters, primarily health plans, suggested that individuals should not be permitted to file a complaint with the Secretary until they exhaust the covered entity’s own complaint process. Commenters stated that covered entities should have a certain period of time, such as ninety days, to correct the violation. Some commenters asserted that providing for filing a complaint with the Secretary will be very expensive for both the public and private sectors of the health care industry to implement. Other commenters suggested requiring the Secretary to inform the covered entity of any complaint it has received and not initiate an investigation or ‘‘take enforcement action’’ before the covered entity has time to address the complaint.

Response: We have decided, for a number of reasons, to retain the approach as presented in the proposed rule. First, we are concerned that requiring that complainants first notify the covered entity would have a chilling effect on complaints. In the course of investigating individual complaints, the Secretary will often need to reveal the identity of the complainant to the covered entity. However, in the investigation of cases of systemic violations and some individual violations, individual names may not need to be identified. Under the approach suggested by these commenters, the covered entity would learn the names of all persons who file complaints with the Secretary. Some individuals might feel uncomfortable or fear embarrassment or retaliation revealing their identity to the covered entity they believe has violated the regulation. Individuals may also feel they are being forced to enter into negotiations with this entity before they can file a complaint with the Secretary. Second, because some potential complainants would not bring complaints to the covered entity, possible violations might not become known to the Secretary and might continue. Third, the delay in the complaint coming to the attention of the Secretary because of the time allowed for the covered entity to resolve the complaint may mean that significant violations are not addressed expeditiously. Finally, the process proposed by these commenters is arguably unnecessary because an individual who believes that an agreement can be reached with the covered entity, can, through the entity’s internal complaint process or other means, seek resolution before filing a complaint with the Secretary.

Our approach is consistent with other laws and regulations protecting individual rights. None of the civil rights laws enforced by the Secretary require a complainant to provide any notification to the entity that is alleged to have engaged in discrimination (e.g., Americans with Disabilities Act, section 504 of the Rehabilitation Act, Title VI of the Civil Rights Act, and the Age Discrimination Act). The concept of ‘‘exhaustion’’ is used in laws that require individuals to pursue administrative remedies, such as that provided by a governmental agency, before bringing a court action. Under HIPAA, individuals do not have a right to court action.

Some commenters seemed to believe that the Secretary would pursue enforcement action without notifying the covered entity. It has been the Secretary’s practice in investigating cases under other laws, such as various civil rights laws, to inform entities that we have received a complaint against them and to seek early resolution if possible. In enforcing the privacy rule, the Secretary will generally inform the covered entity of the nature of any complaints it has received against the entity. (There may be situations where information is withheld to protect the privacy interests of the complainant or others or where revealing information would impede the investigation of the covered entity.) The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution. Our approach will be to seek informal resolution of complaints whenever possible, which includes allowing covered entities a reasonable amount of time to work with the Secretary to come into compliance before initiating action to seek civil monetary penalties.

Section 160.306(b)(3)—Requiring That Complaints Be Filed With the Secretary Within a Certain Period of Time

Comment: A number of commenters, primarily privacy and disability advocacy organizations, suggested that the regulation require that complaints be filed with the Secretary by a certain time. These commenters generally recommended that the time period for filing a complaint should commence to run from the time when the individual knew or had reason to know of the violation or omission. Another comment suggested that a requirement to file a complaint with the Secretary within 180 days of the alleged noncompliance is a problem because a patient may, because of his or her medical condition, be unable to access his or her records within that time frame.

Response: We agree with the commenters that complainants should generally be required to submit complaints in a timely fashion. Federal regulations implementing Title VI of the Civil Rights Act of 1964 provide that ‘‘[a] complaint must be filed not later than ‘180 days from the date of the alleged discrimination’ unless the time for filing is extended by the responsible Department official or his designee.’’ 45 CFR 80.7(b). Other civil rights laws, such as the Age Discrimination Act, section 504 of the Rehabilitation Act, and Title II of the Americans with Disabilities Act (ADA) (state and local government services), also use this approach. Under civil rights laws administered by the EEOC, individuals have 180 days of the alleged discriminatory act to file a charge with EEOC (or 300 days if there is a state or local fair employment practices agency involved).

Therefore, in the final rule we require that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will have necessary and reliable information. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.

Section 160.308—Basis for Conducting Compliance Reviews

Comment: A number of comments expressed concern that the Secretary would conduct compliance reviews
without having received a complaint or having reason to believe there is noncompliance. A number of these commenters appeared to believe that the Secretary would engage in ‘‘routine visits.’’ Some commenters suggested that the Secretary should only be able to conduct compliance reviews if the Secretary has initiated an investigation of a complaint regarding the covered entity in the preceding twelve months. Some commenters suggested that there should only be compliance reviews based on established criteria for reviews (e.g., finding of ‘‘reckless disregard’’). Many of these commenters stated that cooperating with compliance reviews is potentially burdensome and expensive. One commenter asked whether the Secretary will have a process for reviewing all covered entities to determine how they are complying with requirements. This commenter questioned whether covered entities will be required to submit plans and wait for Departmental approval.

Another commenter suggested that the Secretary specify a time limit for the completion of a compliance review.

Response: We disagree with the commenters that the final rule should restrict the Secretary’s ability to conduct compliance reviews. The Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.

Section 160.310 (a) and (c)—The Secretary’s Access to Information in Determining Compliance

Comment: Some commenters raised objections to provisions in the proposed rule which required that covered entities maintain records and submit compliance reports as the Secretary determines is necessary to determine compliance and required that covered entities permit access by the Secretary during normal business hours to its books, records, accounts, and other sources of information, including protected health information, and its facilities, that are pertinent to ascertaining compliance with this subpart. One commenter stated that the Secretary’s access to private health information without appropriate patient consent is contrary to the intent of HIPAA. Another commenter expressed the view that, because covered entities face criminal penalties for violations, these provisions violate the Fifth Amendment protections against forced self incrimination. Other commenters stated that covered entities should be given the reason the Secretary needs to have access to its books and records. Another commenter stated that there should be a limit to the frequency or extent of intrusion by the federal government into the business practices of a covered entity and that these provisions violate the Fourth Amendment of the Constitution.

Finally, a coalition of church plans suggested that the Secretary provide church plans with additional procedural safeguards to reduce unnecessary intrusion into internal church operations. These suggested safeguards included permitting HHS to obtain records and other documents only if they are relevant and necessary to compliance and enforcement activities related to church plans, requiring a senior official to determine the appropriateness of compliance-related activities for church plans, and providing church plans with a self-correcting period similar to that Congress expressly provided in Title I of HIPAA under the tax code.

Response: The final rule retains the proposed language in these two provisions with one change. The rule adds a provision indicating that the Secretary’s access to information held by the covered entity may be at any time and without notice where exigent circumstances exist, such as where time is of the essence because documents might be hidden or destroyed. Thus, covered entities will generally receive notice before the Secretary seeks to access the entity’s books or records. Other than the exigent circumstances language, the language in these two provisions is virtually the same as the language in this Department’s regulation implementing Title VI of the Civil Rights Act of 1964. 45 CFR 80.6(b) and (c). The Title VI regulation is incorporated by reference in other Department regulations prohibiting discrimination on the basis of disability. 45 CFR 84.61. Similar provisions allowing this Department access to recipient information are found in the Secretary’s regulation implementing the Age Discrimination Act. 45 CFR 91.34. These provisions have not proved to be burdensome to entities that are subject to these civil rights regulations (i.e., all recipients of Department funds).

We do not interpret Constitutional case law as supporting the view that a federal agency’s review of information pursuant to statutory mandate violates the Fifth Amendment protections against forced self incrimination. Nor would such a review of this information raise Fourth Amendment problems. See discussion above regarding Constitutional comments and responses.

We appreciate the concern that the Secretary not involve herself unnecessarily into the internal operations of church plans. However, by providing health insurance or care to their employees, church plans are engaging in a secular activity. Under the regulation, church plans are subject to the same compliance and enforcement requirements with which other covered entities must comply. Because Congress did not carve out specific exceptions or require stricter standards for investigations related to church plans, incorporating such measures into the regulation would be inappropriate.

Additionally, there is no indication that the regulation will directly interfere with the religious practices of church plans. Also, the regulation as written appropriately limits the ability of investigators to obtain information from covered entities. The regulation provides that the Secretary may obtain access only to information that is pertinent to ascertain compliance with the regulation. We do not anticipate asking for information that is not necessary to assess compliance with the regulation. The purpose of obtaining records and similar materials is to determine compliance, not to engage in any sort of review or evaluation of religious activities or beliefs. Therefore, we believe the regulation appropriately balances the need to access information to determine compliance with the desire of covered entities to avoid opening every record in their possession to the government.

Provision of Technical Assistance

Comment: A number of commenters inquired as to how a covered entity can request technical assistance from the Secretary to come into compliance. A number of commenters suggested that the Secretary provide interpretive guidance to assist with compliance. Others recommended that the Secretary have a contact person or privacy official, available by telephone or email, to provide guidance on the appropriateness of a disclosure or a denial of access. One commenter suggested that there be a formal process for a covered entity to submit compliance activities to the Secretary for prior approval and clarification. This commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to help correct any ambiguities and confusion in implementation. It was also suggested that the Secretary undertake an assessment of ‘‘best practices’’ of covered entities and document and promote the findings to serve as a convenient ‘‘road map’’ for other covered entities. Another commenter suggested that we work with providers to create implementation guidelines modeled after the interpretative
guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors.

Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA’s Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary’s technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at ‘‘best practices’’ and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance.

Basis for Violation Findings and Enforcement

Comment: A number of commenters asked that covered entities not be liable for violations of the rule if they have acted in good faith. One commenter indicated that enforcement actions should not be pursued against covered entities that make legitimate business decisions about how to comply with the privacy standards.

Response: The commenters seemed to argue that even if a covered entity does not comply with a requirement of the rule, the covered entity should not be liable if there was an honest and sincere intention or attempt to fulfill its obligations. The final rule, however, does not take this approach but instead draws careful distinctions between what a covered entity must do unconditionally, and what a covered entity must make certain reasonable efforts to do. In addition, the final rule is clear as to the specific provisions where ‘‘good faith’’ is a consideration. For example, a covered entity is permitted to use and disclose protected health information without authorization based on criteria that includes a good faith belief that such use or disclosure is necessary to avert an imminent threat to health or safety (§ 164.512(j)(1)(i)). Therefore, covered entities need to pay careful attention to the specific language in each requirement. However, we note that many of these provisions can be implemented in a variety of ways; e.g., covered entities can exercise business judgement regarding how to conduct staff training.

As to enforcement, a covered entity will not necessarily suffer a penalty solely because an act or omission violates the rule. As we discuss elsewhere, the Department will exercise discretion to consider not only the harm done, but the willingness of the covered entity to achieve voluntary compliance. Further, the Administrative Simplification provisions of HIPAA provide that whether a violation was known or not is relevant in determining whether civil or criminal penalties apply. In addition, if a civil penalty applies, HIPAA allows the Secretary, where the failure to comply was due to reasonable cause and not to willful neglect, to delay the imposition of the penalty to allow the covered entity to comply. The Department will develop and release for public comment an enforcement regulation applicable to all the administrative simplification regulations that will address these issues.

Comment: One commenter asked whether hospitals will be vicariously liable for the violations of their employees and expressed concern that hospitals and other providers will be the ones paying large fines.

Response: The enforcement regulation will address this issue. However, we note that section 1128A(l) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation.

Comment: A commenter expressed the concern that if a covered entity acquires a non-compliant health plan, it would be liable for financial penalties. This commenter suggested that, at a minimum, the covered entity be given a grace period of at least a year, but not less than six months to bring any acquisition up to standard. The commenter stated that the Secretary should encourage, not discourage, compliant companies to acquire non-compliant ones. Another commenter expressed a general concern about resolution of enforcement if an entity faced with a HIPAA complaint acquires or merges with an entity not covered by HIPAA.

Response: As discussed above, the Secretary will encourage voluntary efforts to cure violations of the rule, and will consider that fact in determining whether to bring a compliance action. We do not agree, however, that we should limit our authority to pursue violations of the rule if the situation warrants it.

Comment: One commenter was concerned about the ‘‘undue risk’’ of liability on originators of information, stemming from the fact that ‘‘the number of covered entities is limited and they are unable to restrict how a recipient of information may use or re-disclose information * * *’’

Response: Under this rule, we do not hold covered entities responsible for the actions of recipients of protected health information, unless the recipient is a business associate of the covered entity. We agree that it is not fair to hold covered entities responsible for the actions of persons with whom they have no on-going relationship, but believe it is fair to expect covered entities to hold their business associates to appropriate standards of behavior with respect to health information.

Other Compliance and Enforcement Comments

Comment: A number of comments raised questions regarding the Secretary’s priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/consumer empowerment approach to consumer privacy in the online environment.

Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in
using a particular standard or meeting another requirement.

We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur.

Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed.

Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at § 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy.

It is not clear, regarding the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed such as where we need to identify that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes are generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.

Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that ‘‘[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively.’’

Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard.

Coordination With Reviewing Authorities

Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement.

A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare’s Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare.

Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such
information. In developing its enforcement program, we may explore ways it can coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interests in protecting privacy.

We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that covered entities be required to exhaust a covered entity’s internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights

discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties.

Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are

However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000).

Part 164—Subpart A—General Requirements

Part 164—Subpart B–D—Reserved

Part 164—Subpart E—Privacy

Section 164.500—Applicability

Covered Entities
they have under state law including any necessary and would preclude the need
right to file privacy complaints. We do for a private right of action. Another The response to comments on covered
not have the authority to interfere with commenter stated that he does not entities is included in the response to
state processes and HIPAA explicitly believe that the statute intended to give comments on the definition of ‘‘covered
provides that we cannot preempt state individuals the equivalent of a right to entity’’ in the preamble discussion of
laws that provide greater privacy sue, which results from making § 160.103.
protection. individuals third party beneficiaries to Covered Information
We have not yet addressed the issue contracts between business partners. The response to comments on covered
as to whether this regulation might be Response: We do not have the information is included in the response
used as a basis for violation findings or authority to provide a private right of to comments on the definition of
penalties under other Department action by regulation. As discussed ‘‘protected health information’’ in the
authorities. We note that Medicare below, the final rule deletes the third preamble discussion of § 164.501.
conditions of participation require party beneficiary provision that was in
participating providers to have the proposed rule. Section 164.501—Definitions
procedures for ensuring the However, we believe that, in addition Designated record set
confidentiality of patient records, as to strong civil monetary penalties,
well as afford patients with the right to federal law should allow any individual Comment: Many commenters
the confidentiality of their clinical whose rights have been violated to bring generally supported our proposed
records. an action for actual damages and definition of designated record set.
equitable relief. The Secretary’s Commenters suggested different
Penalties methods for narrowing the information
Recommendations, which were
Comment: Many commenters submitted to Congress on September 11, accessible to individuals, such as
considered the statutory penalties 1997, called for a private right of action excluding information obtained without
insufficient to protect privacy, stating to permit individuals to enforce their face-to-face interaction (e.g., phone
that the civil penalties are too weak to privacy rights. consultations). Other commenters
have the impact needed to reduce the Comment: One comment stated that, recommended broadening the
risk of inappropriate disclosure. Some in calculating civil monetary penalties, information accessible to individuals,
commenters took the opposing view and the criteria should include aggravating such as allowing access to ‘‘the entire
stated that large fines and prison or mitigating circumstances and medical record,’’ not just a designated
sentences for violations would whether the violation is a minor or first record set. Some commenters advocated
discourage physicians from transmitting time violation. Several comments stated for access to all information about
any sort of health care information to that penalties should be tiered so that individuals. A few commenters
any other agency, regardless of the those that commit the most egregious generally supported the provision but
medical necessity. Another comment violations face stricter civil monetary recommended that consultation and
expressed the concern that doctors will penalties. interpretative assistance be provided
be at risk of going to jail for protecting Response: As mentioned above, issues when the disclosure may cause harm or
the privacy of individuals (by not regarding civil fines and criminal misunderstanding.
disclosing information the government penalties will be addressed in the Response: We believe individuals
believes should be released). enforcement regulation. should have a right to access any
Response: The enforcement regulation Comment: One comment stated that protected health information that may
will address the application of the civil the regulation should clarify whether a be used to make decisions about them
monetary and criminal penalties under single disclosure that involved the and modify the final rule to accomplish
HIPAA. The regulation will be health information of multiple parties this result. This approach facilitates an
published in the Federal Register as a would constitute a single or multiple open and cooperative relationship
proposed regulation and the public will infractions, for the purpose of between individuals and covered health
have an opportunity to comment. We do calculating the penalty amount. care providers and health plans and
not believe that our rule, and the Response: The enforcement regulation allows individuals fair opportunities to
penalties available under it, will will address the calculation of penalties. know what health information may be

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00145 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82606 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

used to make decisions about them. We report ‘‘Best Principles for Health Comment: Several commenters
list certain records that are always part Privacy,’’ the Health Privacy Working advocated for access to not only
of the designated record set. For covered Group recommended that individuals information that has already been used
providers these are the medical record should have the right to access to make decisions, but also information
and billing record. For health plans information about them.3 The National that may be used to make decisions.
these are the enrollment, payment, Association of Insurance Other commenters believed accessible
claims adjudication, and case or Commissioners’ Health Information information should be more limited; for
medical management records. The Privacy Model Act establishes the right example, some commenters argued that
purpose of these specified records is of an individual to examine or receive accessible information should be
management of the accounts and health a copy of protected health information restricted to only information used to
care of individuals. In addition, we in the possession of the carrier or a make health care decisions.
include in the designated record set to person acting on behalf of the carrier. Response: We agree that it is desirable
which individuals have access any Many states also establish a right for that individuals have access to
record used, in whole or in part, by or individuals to access health information information reasonably likely to be used
for the covered entity to make decisions about them. For example, Alaska law to make decisions about them. On the
about individuals. Only protected (AK Code 18.23.005) entitles patients other hand, it is desirable that the
health information that is in a ‘‘to inspect and copy any records category of records covered be readily
designated record set is covered. developed or maintained by a health ascertainable by the covered entity. We
Therefore, if a covered provider has a care provider or other person pertaining therefore define ‘‘designated record set’’
phone conversation, information to the health care rendered to the to include certain categories of records
obtained during that conversation is patient.’’ Hawaii law (HRS section (a provider’s medical record and billing
subject to access only to the extent that 323C–11) requires health care providers record, the enrollment records, and
it is recorded in the designated record and health plans, among others, to certain other records maintained by a
set. permit individuals to inspect and copy health plan) that are normally used, and
We do not require a covered entity to protected health information about are reasonably likely to be used, to make
provide access to all individually them. Many other states have similar decisions about individuals. We also
identifiable health information, because provisions. add a category of other records that are,
the benefits of access to information not Industry and standard-setting in fact, used, in whole or in part, to
used to make decisions about organizations also have developed make decisions about individuals. This
individuals is limited and is outweighed policies to enable individual access to category includes records that are used
by the burdens on covered entities of health information. The National to make decisions about any
locating, retrieving, and providing Committee for Quality Assurance and individuals, whether or not the records
access to such information. Such the Joint Commission on Accreditation have been used to make a decision
information may be found in many of Healthcare Organizations issued about the particular individual
types of records that include significant recommendations stating, ‘‘Patients’ requesting access.
information not relevant to the confidence in the protection of their We disagree that accessible
individual as well as information about information requires that they have the information should be restricted to
other persons. For example, a hospital’s means to know what is contained in information used to make health care
peer review files that include protected their records. The opportunity for decisions, because other decisions by
health information about many patients patients to review their records will covered entities can also affect
but are used only to improve patient enable them to correct any errors and individuals’ interests. For example,
care at the hospital, and not to make may provide them with a better covered entities make financial
decisions about individuals, are not part understanding of their health status and decisions about individuals, such as
of that hospital’s designated record sets. treatment.’’ 4 Standards of the American whether an individual’s deductible has
We encourage but do not require Society for Testing and Materials state, been met. Because such decisions can
covered entities to provide interpretive ‘‘The patient or his or her designated significantly affect individuals’
assistance to individuals accessing their personal representative has access rights interests, we believe they should have
information, because such a to the data and information in his or her access to any protected health
requirement could impose health record and other health information included in such records.
administrative burdens that outweigh information databases except as Comment: Some commenters believed
the benefits likely to accrue. restricted by law. An individual should the rule should use the term
The importance to individuals of be able to inspect or see his or her ‘‘retrievable’’ instead of ‘‘retrieved’’ to
having the right to inspect and copy health information or request a copy of describe information accessible to
information about them is supported by all or part of the health information, or individuals. Other commenters
a variety of industry groups and is both.’’ 5 We build on this well- suggested that the rule follow the
recognized in current state and federal established principle in this final rule. Privacy Act’s principle of allowing
law. The July 1977 Report of the Privacy access only when entities retrieve
Protection Study Commission 3 Health Privacy Working Group, ‘‘Best Principles records by individual identifiers. Some
recommended that individuals have for Health Privacy,’’ Health Privacy Project, commenters requested clarification that
access to medical records and medical
Institute for Health Care Research and Policy, covered entities are not required to
Georgetown University, July 1999. maintain information by name or other
record information.2 The Privacy Act (5 4 National Committee on Quality Assurance and

U.S.C. 552a) requires government the Joint Commission on Accreditation of


patient identifier.
Healthcare Organizations, ‘‘Protecting Personal Response: We have modified the
agencies to permit individuals to review
Health Information: A Framework for Meeting the proposed definition of the designated
records and have a copy made in a form Challenges in a Managed Care Environment,’’ 1998, record set to focus on how information
comprehensible to the individual. In its p. 25.
5 ASTM, ‘‘Standard Guide for Confidentiality,
is used, not how it is retrieved.
2 Privacy Protection Study Commission, Privacy, Access and Data Security, Principles for
Information may be retrieved or
‘‘Personal Privacy in an Information Society,’’ July Health Information Including Computer-Based retrievable by name, but if it is never
1977, p. 298–299. Patient Records,’’ E 1869–97, § 11.1.1. used to make decisions about any

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00146 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82607

individuals, the burdens of requiring a information to the individual. We which affiliated companies may
covered entity to find it and to redact clarify that nothing in this provision combine into a single covered entity and
information about other individuals would prevent access to information similarly describe which components of
outweigh any benefits to the individual needed to prosecute or defend a medical a larger organization must comply with
of having access to the information. malpractice action; the rules of the the requirements of this rule. For
When the information might be used to relevant court determine such access. example, transfers of information within
affect the individual’s interests, We found no persuasive evidence to the designated component or affiliated
however, that balance changes and the support excluding information already entity are uses while transfers of
benefits outweigh the burdens. We supplied to individuals on previous information outside the designated
confirm that this regulation does not requests. The burdens of tracking component or affiliated entity are
require covered entities to maintain any requests and the information provided disclosures. See the discussion of
particular record set by name or pursuant to requests outweigh the § 164.504 for further information and
identifier. burdens of providing the access rationale. It is not clear from these
Comment: A few commenters requested. A covered entity may, comments whether the particular
recommended denial of access for however, discuss the scope of the organizational arrangements described
information relating to investigations of request for access with the individual to could constitute a single covered entity.
claims, fraud, and misrepresentations. facilitate the timely provision of access. Comment: A commenter noted that
Many commenters suggested that For example, if the individual agrees, the definition of ‘‘disclosure’’ should
sensitive, proprietary, and legal the covered entity could supply only the reflect that health plan correspondence
documents that are ‘‘typical state law information created or received since containing protected health information,
privileges’’ be excluded from the right to the date access was last granted. such as Explanation of Benefits (EOBs),
access. Specific suggestions for is frequently sent to the policyholder.
Disclosure
exclusion, either from the right of access Therefore, it was suggested that the
or from the definition of designated Comment: A number of commenters words ‘‘provision of access to’’ be
record set, include quality assurance asked that the definition of ‘‘disclosure’’ deleted from the definition and that a
activities, information related to be modified so that it is clear that it does ‘‘disclosure’’ be clarified to include the
medical appeals, peer review and not include the release, transfer, conveyance of protected health
credentialing, attorney-client provision of access to, or divulging in information to a third party.
information, and compliance committee any other manner of protected health Response: The definition is, on its
activities. Some commenters suggested information to the individual who is the face, broad enough to cover the transfers
excluding information already supplied subject of that information. It was of information described and so is not
to individuals on previous requests and suggested that we revise the definition changed. We agree that health plans
information related to health care in this way to clarify that a health care must be able to send EOBs to
operations. However, some commenters provider may release protected health policyholders. Sending EOB
felt that such information was already information to the subject of the correspondence to a policyholder by a
excluded from the definition of information without first requiring that covered entity is a disclosure for
designated record set. Other the patient complete an authorization purposes of this rule, but it is a
commenters requested clarification that form. disclosure for purposes of payment.
this provision will not prevent patients Response: We agree with the Therefore, subject to the provisions of
from getting information related to commenters’ concern, but accomplish § 164.522(b) regarding Confidential
medical malpractice. this result through a different provision Communications, it is permitted even if
Response: We do not agree that in the regulation. In § 164.502 of this it discloses to the policyholder
records in these categories are never final rule, we specify that disclosures of protected health information about
used to affect the interests of protected health information to the another individual (see below).
individuals. For example, while individual are not subject to the
protected health information used for limitations on disclosure of protected Health care operations
peer review and quality assurance health information otherwise imposed Comment: Several commenters stated
activities typically would not be used to by this rule. that the list of activities within the
make decisions about individuals, and, Comment: A number of commenters definition of health care operations was
thus, typically would not be part of a stated that the regulation should not too broad and should be narrowed. They
designated record set, we cannot say apply to disclosures occurring within or asserted that the definition should be
that this is true in all cases. We design among different subsidiaries or limited to exclude activities that have
this provision to be sufficiently flexible components of the same entity. One little or no connection to the care of a
to work with the varying practices of commenter interpreted ‘‘disclosure’’ to particular patient or to only include
covered entities. mean outside the agency or, in the case emergency treatment situations or
The rule addresses several of these of a state Department of Health, outside situations constituting a clear and
comments by excepting from the access sister agencies and offices that directly present danger to oneself or others.
provisions (§ 164.524) information assist the Secretary in performing Response: We disagree. We believe
compiled in reasonable anticipation of, Medicaid functions and are listed in the that narrowing the definition in the
or for use in, a civil, criminal, or state plan as entitled to receive manner requested will place serious
administrative action or proceeding. Medicaid data. burdens on covered entities and impair
Similarly, nothing in this rule requires Response: We agree that there are their ability to conduct legitimate
a covered entity to divulge information circumstances under which related business and management functions.
covered by physician-patient or similar organizations may be treated as a single Comment: Many commenters,
privilege. Under the access provisions, a covered entity for purposes of protecting including physician groups, consumer
covered entity may redact information the privacy of health information, and groups, and privacy advocates, argued
in a record about other persons or modify the rule to accommodate such that we should limit the information
information obtained under a promise of circumstances. In § 164.504 of the final that can be used for health care
confidentiality, prior to releasing the rule, we specify the conditions under operations to de-identified data. They

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00147 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82608 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

argued that if an activity could be done Response: We agree that some health that they would not be able to provide
with de-identified data, it should not be care operations have many of the disease management, wellness, and
incorporated in the definition of health characteristics of research studies and in health promotion activities if the
care operations. the NPRM asked for comments on how activity were solely captured in the
Response: We disagree. We believe to make this distinction. While a clear rule’s definition of ‘‘treatment.’’ They
that many activities necessary for the answer was not suggested in any of the also expressed concern that ‘‘treatment’’
business and administrative operations comments, the comments generally usually applies to an individual, not to
of health plans and health care together with our fact finding lead to the a population, as is the practice for
providers are not possible with de- provisions in the final rule. The disease management.
identified information or are possible distinction between health care Response: We were unable to find
only under unduly burdensome operations and research rests on generally accepted definitions of the
circumstances. For example, identified whether the primary purpose of the terms ‘‘disease management’’ and
information may be used or disclosed study is to produce ‘‘generalizable ‘‘disability management.’’ Rather than
during an audit of claims, for a plan to knowledge.’’ We have modified the rely on this label, we include many of
contact a provider about alternative definition of health care operations to the functions often included in
treatments for specific patients, and in include ‘‘quality assessment and discussions of disease management in
reviewing the competence of health care improvement activities, including this definition or in the definition of
professionals. Further, not all covered outcomes evaluation and development treatment, and modify both definitions
entities have the same ability to de- of clinical guidelines, provided that the to address the commenters’ concerns.
identify protected health information. obtaining of generalizable knowledge is For example, we have revised the
Covered entities with highly automated not the primary purpose of any studies definition of health care operations to
information systems will be able to use resulting from such activities.’’ If the include population-based activities
de-identified data for many purposes. primary purpose of the activity is to related to improving health or reducing
Other covered entities maintain most of produce generalizable knowledge, the health care costs. This topic is discussed
their records on paper, so a requirement activity fits within this rule’s definition further in the comment responses
to de-identify information would place of ‘‘research’’ and the covered entity regarding the definition of ‘‘treatment,’’
too great a burden on the legitimate and must comply with §§ 164.508 or below.
164.512, including obtaining an Comment: Several commenters urged
routine business functions included in
authorization or the approval of an that the definition of health care
the definition of health care operations.
institutional review board or privacy operations be illustrative and flexible,
Small business, which are most likely to
board. If not and the activity otherwise rather than structured in the form of a
have largely paper records, would find
meets the definition of health care list as in the proposed rule. They
such a blanket requirement particularly
operations, the activity is not research believed it would be impossible to
burdensome.
and may be conducted under the health identify all the activities that constitute
Protected health information that is health care operations. Commenters
de-identified pursuant to § 164.514(a) is care operations provisions of this rule.
In some instances, the primary representing health plans were
not subject to this rule. We hope this concerned that the ‘‘static’’ nature of the
purpose of the activity may change as
provides covered entities capable of de- definition would stifle innovation and
preliminary results are analyzed. An
identifying information with the could not reflect the new functions that
activity that was initiated as an internal
incentive to do so. health plans may develop in the future
outcomes evaluation may produce
Comment: Some commenters information that the covered entity that benefit consumers, improve quality,
requested that we permit the use of wants to generalize. If the purpose of a and reduce costs. Other commenters,
demographic data (geographic, location, study changes and the covered entity expressed support for the approach
age, gender, and race) separate from all does intend to generalize the results, the taken in the proposed rule, but felt the
other data for health care operations. covered entity should document the list was too broad.
They argued that demographic data was change in status of the activity to Response: In the final rule, we revise
needed to establish provider networks establish that they did not violate the the proposed definition of health care
and monitor providers to ensure that the requirements of this rule. (See definition operations to broaden the list of
needs of ethnic and minority of ‘‘research,’’ below, for further activities included, but we do not agree
populations were being addressed. information on the distinction between with the comments asking for an
Response: The use of demographic ‘‘research’’ and ‘‘health care illustrative definition rather than an
data for the stated purposes is within operations.’’) inclusive list. Instead, we describe the
the definition of health care operations; We note that the difficulty in activities that constitute health care
a special rule is not necessary. determining when an activity is for the operations in broad terms and
Comment: Some commenters pointed internal operations of an entity and categories, such as ‘‘quality assessment’’
out that the definition of health care when it is a research activity is a long- and ‘‘business planning and
operations is similar to, and at times standing issue in the industry. The development.’’ We believe the use of
overlaps with, the definition of research. variation among commenters’ views is broadly stated categories will allow
In addition, a number of commenters one of many indications that, today, industry innovation, but without the
questioned whether or not research there is not consensus on how to draw privacy risks entailed in an illustrative
conducted by the covered entity or its this line. We do not resolve the larger approach.
business partner must only be issue here, but instead provide Comment: Several commenters noted
applicable to and used within the requirements specific to the information that utilization review and internal
covered entity to be considered health covered by this rule. quality review should be included in
care operations. Others questioned Comment: Several commenters asked the definition. They pointed out that
whether such studies or research that disease management and disability both of these activities were discussed
performed internal to a covered entity management activities be explicitly in the preamble to the proposed rule but
are ‘‘health care operations’’ even if included in the definition of health care were not incorporated into the
generalizable results may be produced. operations. Many health plans asserted regulation text.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00148 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82609

Response: We agree and have modified the regulation text to incorporate quality assessment and improvement activities, including the development of clinical guidelines and protocol development.

Comment: Several commenters stated that the proposal did not provide sufficient guidance regarding compiling and analyzing information in anticipation of or for use in legal proceedings. In particular, they raised concerns about the lack of specificity as to when ‘‘anticipation’’ would be triggered.

Response: We agree that this provision was confusing and have replaced it with a broader reference to conducting or arranging for legal services generally.

Comment: Hospital representatives pointed out the pressure on health care facilities to improve cost efficiencies, make cost-effectiveness studies, and benchmark essential health care operations. They emphasized that such activities often use identifiable patient information, although the products of the analyses usually do not contain identifiable health information. Commenters representing state hospital associations pointed out that they routinely receive protected health information from hospitals for analyses that are used by member hospitals for such things as quality of care benchmark comparisons, market share analysis, determining physician utilization of hospital resources, and charge comparisons.

Response: We have expanded the definition of health care operations to include use and disclosure of protected health information for the important functions noted by these commenters. We also allow a covered entity to engage a business associate to provide data aggregation services. See § 164.504(e).

Comment: Several commenters argued that many activities that are integral to the day-to-day operations of a health plan have not been included in the definition. Examples provided by the commenters include: issuing plan identification cards, customer service, computer maintenance, storage and back-up of radiologic images, and the installation and servicing of medical equipment or computer systems.

Response: We agree with the commenters that there are activities not directly part of treatment or payment that are more closely associated with the administrative or clerical functions of the plan or provider that need to be included in the definition. To include such activities in the definition of health care operations, we eliminate the requirement that health care operations be directly related to treatment and payment, and we add to this definition the new categories of business management (including general administrative activities) and business planning activities.

Comment: One commenter asked for clarification on whether cost-related analyses could also be done by providers as well as health plans.

Response: Health care operations, including business management functions, are not limited to health plans. Any covered entity can perform health care operations.

Comment: One commenter stated that the proposed rule did not address what happens to records when a covered entity is sold or merged with another entity.

Response: We agree and add to the definition of health care operations disclosures of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity’s business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the reorganization or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508 or if the disclosure is otherwise permitted under this rule.

Once a covered entity is sold or merged with another covered entity, the successor in interest becomes responsible for complying with this regulation with respect to the transferred information.

Comment: Several commenters expressed concern that the definition of health care operations failed to include the use of protected health information for the underwriting of new health care policies and took issue with the exclusion of uses and disclosures of protected health information of prospective enrollees. They expressed the concern that limiting health care operations to the underwriting and rating of existing members places a health plan in the position of not being able to evaluate prudently and underwrite a consumer’s health care risk.

Response: We agree that covered entities should be able to use the protected health information of prospective enrollees to underwrite and rate new business and change the definition of health care operations accordingly. The definition of health care operations below includes underwriting, premium rating, and other activities related to the creation of a contract of health insurance.

Comment: Several commenters stated that group health plans needed to be able to use and disclose protected health information for purposes of soliciting a contract with a new carrier and rate setting.

Response: We agree and add ‘‘activities relating to the * * * replacement of a contract of insurance’’ to cover such disclosures. See § 164.504 for the rules for plan sponsors of group health plans to obtain such information.

Comment: Commenters from the business community supported our recognition of the importance of financial risk transfer mechanisms in the health care marketplace by including ‘‘reinsurance’’ in the definition of health care operations. However, they stated that the term ‘‘reinsurance’’ alone was not adequate to capture ‘‘stop-loss insurance’’ (also referred to as excess of loss insurance), another type of risk transfer insurance.

Response: We agree with the commenters that stop-loss and excess of loss insurance are functionally equivalent to reinsurance and add these to the definition of health care operations.

Comment: Commenters from the employer community explained that there is a trend among employers to contract with a single insurer for all their insurance needs (health, disability, workers’ compensation). They stated that in these integrated systems, employee health information is shared among the various programs in the system. The commenters believed the existing definition poses obstacles for those employers utilizing an integrated health system because of the need to obtain authorizations before being permitted to use protected health information from the health plan to administer or audit their disability or workers’ compensation plan.

Other commenters representing employers stated that some employers wanted to combine health information from different insurers and health plans providing employee benefits to their workforces, including its group health plan, workers’ compensation insurers, and disability insurers, so that they could have more information in order to better manage the occurrences of disability and illness among their workforces. They expressed concern
that the proposed rule would not permit such sharing of information.

Response: While we agree that integrating health information from different benefit programs may produce efficiencies as well as benefits for individuals, the integration also raises significant privacy concerns, particularly if there are no safeguards on uses and disclosures from the integrated data. Under HIPAA, we do not have jurisdiction over many types of insurers that use health information, such as workers’ compensation insurers or insurers providing disability income benefits, and we cannot address the extent to which they provide individually identifiable health information to a health plan, nor do we prohibit a health plan from receiving such information. Once a health plan receives identifiable health information, however, the information becomes protected and may only be used and disclosed as otherwise permitted by this rule.

We clarify, however, that a covered entity may provide data and statistical analyses for its customers as a health care operation, provided that it does not disclose protected health information in a way that would otherwise violate this rule. A group health plan or health insurance issuer or HMO, or their business associate on their behalf, may perform such analyses for an employer customer and provide the results in de-identified form to the customer, using integrated data received from other insurers, as long as protected health information is not disclosed in violation of this rule. See the definition of ‘‘health care operations,’’ § 164.501. If the employer sponsors more than one group health plan, or if its group health plan provides coverage through more than one health insurance issuer or HMO, the different covered entities may be an organized health care arrangement and be able to jointly participate in such an analysis as part of the health care operations of such organized health care arrangement. See the definitions of ‘‘health care operations’’ and ‘‘organized health care arrangement,’’ § 164.501. We further clarify that a plan sponsor providing plan administration to a group health plan may participate in such an analysis, provided that the requirements of § 164.504(f) and other parts of this rule are met.

The results described above are the same whether the health information that is being combined is from separate insurers or from one entity that has a health component and also provides excepted benefits. See the discussion relating to health care components, § 164.504.

We note that under the arrangements described above, the final rule provides substantial flexibility to covered entities to provide general data and statistical analyses, resulting in the disclosure of de-identified information, to employers and other customers. An employer also may receive protected health information from a covered entity for any purpose, including those described in comment above, with the authorization of the individual. See § 164.508.

Comment: A number of commenters asserted that the proposed definition appeared to limit training and educational activities to that of health care professionals, students, and trainees. They asked that we expand the definition to include other education-related activities, such as continuing education for providers and training of non-health care professionals as needed for supporting treatment or payment.

Response: We agree with the commenters that the definition of health care operations was unnecessarily limiting with respect to educational activities and expand the definition of health care operations to include ‘‘conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.’’ We clarify that medical rounds are considered treatment, not health care operations.

Comment: A few commenters outlined the need to include the training of non-health care professionals, such as health data analysts, administrators, and computer programmers within the definition of health care operations. It was argued that, in many cases, these professionals perform functions which support treatment and payment and will need access to protected health information in order to carry out their responsibilities.

Response: We agree and expand the definition of health care operations to include training of non-health care professionals.

Comment: One commenter stated that the definition did not explicitly include physician credentialing and peer review.

Response: We have revised the definition to specifically include ‘‘licensing or credentialing activities.’’ In addition, peer review activities are captured in the definition as reviewing the competence or qualifications of health care professionals and evaluating practitioner and provider performance.

Health Oversight Agency

Comment: Some commenters sought to have specific organizations defined as health oversight agencies. For example, some commenters asked that the regulation text, rather than the preamble, explicitly list state insurance departments as an example of health oversight agencies. Medical device manufacturers recommended expanding the definition to include government contractors such as coding committees, which provide data to HCFA to help the agency make reimbursement decisions. One federal agency sought clarification that several of its sub-agencies were oversight agencies; it was concerned about its status in part because the agency fits into more than one of the categories of health oversight agency listed in the proposed rule. Other commenters recommended expanding the definition of oversight agency to include private-sector accreditation organizations. One commenter recommended stating in the final rule that private companies providing information to insurers and employers are not included in the definition of health oversight agency.

Response: Because the range of health oversight agencies is so broad, we do not include specific examples in the definition. We include many examples in the preamble above and provide further clarity here.

As under the NPRM, state insurance departments are an example of a health oversight agency. A commenter concerned about state trauma registries did not describe the registries’ activities or legal charters, so we cannot clarify whether such registries may be health oversight agencies. Government contractors such as coding committees, which provide data to HCFA to support payment processes, are not thereby health oversight agencies under this rule. We clarify that public agencies may fit into more than one category of health oversight agency.

The definition of health oversight agency does not include private-sector accreditation organizations. While their work can promote quality in the health care delivery system, private accreditation organizations are not authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Under the final rule, we consider private accrediting groups to be performing a health care operations function for covered entities. Thus, disclosures to private accrediting organizations are
disclosures for health care operations, not for oversight purposes.

When they are performing accreditation activities for a covered entity, private accrediting organizations will meet the definition of business associate, and the covered entity must enter into a business associate contract with the accrediting organization in order to disclose protected health information. This is consistent with current practice; today, accrediting organizations perform their work pursuant to contracts with the accredited entity. This approach is also consistent with the recommendation by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, which stated in their report titled Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment (1998) that ‘‘Oversight organizations, including accrediting bodies, states, and federal agencies, should include in their contracts terms that describe their responsibility to maintain the confidentiality of any personally identifiable health information that they review.’’

We agree with the commenter who believed that private companies providing information to insurers and employers are not performing an oversight function; the definition of health oversight agency does not include such companies.

In developing and clarifying the definition of health oversight in the final rule, we seek to achieve a balance in accounting for the full range of activities that public agencies may undertake to perform their health oversight functions while establishing clear and appropriate boundaries on the definition so that it does not become a catch-all category that public and private agencies could use to justify any request for information.

Individual

Comment: A few commenters stated that foreign military and diplomatic personnel, and their dependents, and overseas foreign national beneficiaries, should not be excluded from the definition of ‘‘individual.’’

Response: We agree with concerns stated by commenters and eliminate these exclusions from the definition of ‘‘individual’’ in the final rule. Special rules for use and disclosure of protected health information about foreign military personnel are stated in § 164.512(k). Under the final rule, protected health information about diplomatic personnel is not accorded special treatment. While the exclusion of overseas foreign national beneficiaries has been deleted from the definition of ‘‘individual,’’ we have revised § 164.500 to indicate that the rule does not apply to the Department of Defense or other federal agencies or non-governmental organizations acting on its behalf when providing health care to overseas foreign national beneficiaries. This means that the rule will not cover any health information created incident to the provision of health care to foreign nationals overseas by U.S. sponsored missions or operations. (See § 164.500 and its corresponding preamble for details and the rationale for this policy.)

Comment: Several commenters expressed concern about the interrelationship of the definition of ‘‘individual’’ and the two year privacy protection for deceased persons.

Response: In the final rule, we eliminate the two year limit on privacy protection for protected health information about deceased individuals and require covered entities to comply with the requirements of the rule with respect to the protected health information of deceased individuals as long as they hold such information. See discussion under § 164.502.

Individually Identifiable Health Information

Comment: A number of commenters suggested that HHS revise the definitions of health information and individually identifiable health information to include consistent language in paragraph (1) of each respective definition. They observed that paragraph (1) of the definition of health information reads: ‘‘(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse * * *;’’ in contrast to paragraph (1) of the definition of individually identifiable health information, which reads: ‘‘(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse * * *’’ [Emphasis added.]

Another commenter asked that we delete from the definition of health information, the words ‘‘health or’’ to make the definition more consistent with the definition of ‘‘health care,’’ as well as the words ‘‘whether oral or.’’

Response: We define these terms in the final rule as they are defined by Congress in sections 1171(4) and 1171(6) of the Act, respectively. We have, however, changed the word ‘‘from’’ in the definition of ‘‘individually identifiable health information’’ to conform to the statute.

Comment: Several commenters urged that the definition of individually identifiable health information include information created or received by a researcher. They reasoned that it is important to ensure that researchers using personally identifiable health information are subject to federal privacy standards. They also stated that if information created by a school regarding the health status of its students could be labeled ‘‘health information,’’ then information compiled by a clinical researcher regarding an individual also should be considered health information.

Response: We are restricted to the statutory limits of the terms. The Congress did not include information created or received by a researcher in either definition, and, consequently, we do not include such language in the rule’s definitions.

Comment: Several commenters suggested modifying the definition of individually identifiable health information to state as a condition that the information provide a direct means of identifying the individual. They commented that the rule should support the need of those (e.g., researchers) who need ‘‘ready access to health information * * * that remains linkable to specific individuals.’’

Response: The Congress included in the statutory definition of individually identifiable health information the modifier ‘‘reasonable basis’’ when describing the condition for determining whether information can be used to identify the individual. Congress thus intended to go beyond ‘‘direct’’ identification and to encompass circumstances in which a reasonable likelihood of identification exists. Even after removing ‘‘direct’’ or ‘‘obvious’’ identifiers of information, a risk or probability of identification of the subject of the information may remain; in some instances, the risk will not be inconsequential. Thus, we agree with the Congress that ‘‘reasonable basis’’ is the appropriate standard to adequately protect the privacy of individuals’ health information.

Comment: A number of commenters suggested that the Secretary eliminate the distinction between protected health information and individually identifiable health information. One commenter asserted that all individually identifiable health information should be protected. One commenter observed that the terms individually identifiable health information and protected health information are defined differently in the rule and requested clarification as to the precise scope of coverage of the standards. Another commenter stated
that the definition of individually identifiable health information includes ‘‘employer,’’ whereas protected health information pertains only to covered entities for which employers are not included. The commenter argued that this was an ‘‘incongruity’’ between the definitions of individually identifiable health information and protected health information and recommended that we remove ‘‘employer’’ from the definition of individually identifiable health information.

Response: We define individually identifiable health information in the final rule generally as it is defined by Congress in section 1171(6) of the Act. Because ‘‘employer’’ is included in the statutory definition, we cannot accept the comment to remove the word ‘‘employer’’ from the regulatory definition.

We use the phrase ‘protected health information’ to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. ‘Individually identifiable health information’ as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase ‘protected health information’ is necessary to define that individually identifiable health information to which this rule applies.

Comment: One commenter noted that the definition of individually identifiable health information in the NPRM appeared to be the same definition used in the other HIPAA proposed rule, Security and Electronic Signature Standards (63 FR 43242). However, the commenter stated that the additional condition in the privacy NPRM, that protected health information is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form, appears to create potential disparity between the requirements of the two rules. The commenter questioned whether the provisions in proposed § 164.518(c) were an attempt to install similar security safeguards for such situations.

Response: The statutory definition of individually identifiable health information applies to the entire Administrative Simplification subtitle of HIPAA and, thus, was included in the proposed Security Standards. At this time, however, the final Security Standards have not been published, so the definition of protected health information is relevant only to HIPAA’s privacy standards and is, therefore, included in subpart E of part 164 only. We clarify that the requirements in the proposed Security Standards are distinct and separate from the privacy safeguards promulgated in this final rule.

Comment: Several commenters expressed confusion and requested clarification as to what is considered health information or individually identifiable health information for purposes of the rule. For example, one commenter was concerned that information exists in collection agencies, credit bureaus, etc., which could be included under the proposed regulation but may or may not have been originally obtained by a covered entity. The commenter noted that generally this information is not clinical, but it could be inferred from the data that a health care provider provided a person or member of a person’s family with health care services. The commenter urged the Secretary to define more clearly what and when information is covered.

One commenter queried how a non-medical record keeper could tell when personal information is health information within the meaning of the rule, e.g., when a worker asks for a low salt meal in a company cafeteria, when a travel voucher of an employee indicates that the traveler returned from an area that had an outbreak of fever, or when an airline passenger requests a wheelchair. It was suggested that the rule cover health information in the hands of schools, employers, and life insurers only when they receive individually identifiable health information from a covered entity or when they create it while providing treatment or making payment.

Response: This rule applies only to individually identifiable health information that is held by a covered entity. Credit bureaus, airlines, schools, and life insurers are not covered entities, so the information described in the above comments is not protected health information. Similarly, employers are not covered entities under the rule. Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse’s sick leave is not protected health information under this rule.

Comment: One commenter recommended that the privacy of health information should relate to actual medical records. The commenter expressed concern about the definition’s broadness and contended that applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers.

Response: We disagree. Health information about individuals exists in many types of records, not just the formal medical record about the individual. Limiting the rule’s protections to individually identifiable health information contained in medical records, rather than individually identifiable health information in any form, would omit a significant amount of individually identifiable health information, including much information in covered transactions.

Comment: One commenter voiced a need for a single standard for individually identifiable health information and disability and workers’ compensation information; each category of information is located in their one electronic data base, but would be subjected to a different set of use and transmission rules.

Response: We agree that a uniform, comprehensive privacy standard is desirable. However, our authority under the HIPAA is limited to individually identifiable health information as it is defined in the statute. The legislative history of HIPAA makes clear that workers’ compensation and disability benefits programs were not intended to be covered by the rule. Entities are of course free to apply the protections required by this rule to all health information they hold, including the excepted benefits information, if they wish to do so (for example, in order to reduce administrative burden).

Comment: Commenters recommended that the definition of individually identifiable health information not include demographic information that does not have any additional health, treatment, or payment information with it. Another commenter recommended that protected health information should not include demographic information at all.

Response: Congress explicitly included demographic information in the statutory definition of this term, so we include such language in our regulatory definition of it.

Comments: A number of commenters expressed concern about whether references to personal information about individuals, such as ‘‘John Doe is fit to work as a pipe fitter * * *’’ or ‘‘Jane Roe can stand no more than 2 hours * * *’’, would be considered individually identifiable health information. They argued that such ‘‘fitness-to-work’’ and ‘‘fitness for duty’’ statements are not health care because they do not reveal the type of
information (such as the diagnosis) that is detrimental to an individual’s privacy interest in the work environment.

Response: References to personal information such as those suggested by the commenters could be individually identifiable health information if the references were created or received by a health care provider, health plan, employer, or health care clearinghouse and they related to the past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Although these fitness for duty statements may not reveal a diagnosis, they do relate to a present physical or mental condition of an individual because they describe the individual’s capacity to perform the physical and mental requirements of a particular job at the time the statement is made (even though there may be other non-health-based qualifications for the job). If these statements were created or received by one or more of the entities described above, they would be individually identifiable health information.

Law Enforcement Official

Comment: Some commenters, particularly those representing health care providers, expressed concern that the proposed definition of ‘‘law enforcement official’’ could have allowed many government officials without health care oversight duties to obtain access to protected health information without patient consent.

Response: We do not intend for the definition of ‘‘law enforcement official’’ to be limited to officials with responsibilities directly related to health care. Law enforcement officials may need protected health information for investigations or prosecutions unrelated to health care, such as investigations of violent crime, criminal fraud, or crimes committed on the premises of health

Comment: Some commenters, particularly those from the district attorney community, expressed general concern that the proposed definition of ‘‘law enforcement official’’ was too narrow to account for the variation in state interpretations of law enforcement officials’ power. One group noted specifically that the proposed definition could have prevented prosecutors from gaining access to needed protected health information.

Response: We agree that protected health information may be needed by law enforcement officials for both investigations and prosecutions. We did not intend to exclude the prosecutorial function from the definition of ‘‘law enforcement official,’’ and accordingly we modify the definition of law enforcement official to reflect their involvement in prosecuting cases. Specifically, in the final rule, we define law enforcement official as an official of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to: (1) Investigate or conduct an inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Comment: One commenter recommended making the definition of law enforcement official broad enough to encompass Medicaid program auditors, because some matters requiring civil or criminal law enforcement action are first identified through the audit process.

Response: We disagree. Program auditors may obtain protected health information necessary for their audit functions under the oversight provision of this regulation (§ 164.512(d)).

Comment: One commenter suggested that the proposed definition of ‘‘law enforcement official’’ could be construed as limited to circumstances in which an official ‘‘knows’’ that law has

law has been violated. Accordingly, we revise the definition of ‘‘law enforcement official’’ to include investigations of ‘‘potential’’ violations of law.

Marketing

Comments related to ‘‘marketing’’ are addressed in the responses to comments regarding § 164.514(e).

Payment

Comment: One commenter urged that the Department not permit protected health information to be disclosed to a collection agency for collecting payment on a balance due on patient accounts. The commenter noted that, at best, such a disclosure would only require the patient’s and/or insured’s address and phone number.

Response: We disagree. A collection agency may require additional protected health information to investigate and assess payment disputes for the covered entity. For example, the collection agency may need to know what services the covered entity rendered in order to resolve disputes about amounts due. The information necessary may vary, depending on the nature of the dispute. Therefore we do not specify the information that may be used or disclosed for collection activities. The commenter’s concern may be addressed by the minimum necessary requirements in § 164.514. Under those provisions, when a covered entity determines that a collection agency only requires limited information for its activities, it must make reasonable efforts to limit disclosure to that information.

Comment: A number of commenters supported retaining the expansive definition in the proposed rule so that current methods of administering the claims payment process would not be hindered by blocking access to protected health information.

Response: We agree and retain the proposed overall approach to the
care providers. For these reasons, we been violated. This commenter was definition.
believe it is not appropriate to limit the concerned that, because individuals are Comment: Some commenters argued
definition of ‘‘law enforcement official’’ presumed innocent and because many that the definition of ‘‘payment’’ should
to persons with responsibilities of investigations, such as random audits, be narrowly interpreted as applying
oversight of the health care system. are opened without an agency knowing only to the individual who is the subject
Comment: A few commenters that there is a violation, the definition of the information.
expressed concern that the proposed would not have allowed disclosure of Response: We agree with the
definition could include any county or protected health information for these commenter and modify the definition to
municipal official, even those without purposes. The commenter clarify that payment activities relate to
traditional law enforcement training. recommended modifying the definition the individual to whom health care is
Response: We do not believe that to include investigations into ‘‘whether’’ provided.
determining training requirements for the law has been violated. Comment: Another group of
law enforcement officials is Response: We do not intend for lawful commenters asserted that the doctor-
appropriately within the purview of this disclosures of protected health patient relationship was already being
regulation; therefore, we do not make information for law enforcement interfered with by the current practices
the changes that these commenters purposes to be limited to those in which of managed care. For example, it was
requested. a law enforcement official knows that argued that the definition expanded the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00153 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82614 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

power of government and other third party “payors,” turning them into controllers along with managed care companies. Others stated that activities provided for under the definition occur primarily to fulfill the administrative function of managed health plans and that an individual’s privacy is lost when his or her individually identifiable health information is shared for administrative purposes.

Response: Activities we include in the definition of payment reflect core functions through which health care and health insurance services are funded. It would not be appropriate for a rule about health information privacy to hinder mechanisms by which health care is delivered and financed. We do not through this rule require any health care provider to disclose protected health information to governmental or other third party payors for the activities listed in the payment definition. Rather, we allow these activities to occur, subject to and consistent with the requirements of this rule.

Comment: Several commenters requested that we expand the definition to include “coordination of benefits” as a permissible activity.

Response: We agree and modify the definition accordingly.

Comment: A few commenters raised concerns that the use of “medical data processing” was too restrictive. It was suggested that a broader reference such as “health related” data processing would be more appropriate.

Response: We agree and modify the definition accordingly.

Comment: Some commenters suggested that the final rule needed to clarify that drug formulary administration activities are payment related activities.

Response: While we agree that uses and disclosures of protected health information for drug formulary administration and development are common and important activities, we believe these activities are better described as health care operations and that these activities come within that definition.

Comment: Commenters asked that the definition include calculation of prescription drug costs, drug discounts, and maximum allowable costs and copayments.

Response: Calculations of drug costs, discounts, or copayments are payment activities if performed with respect to a specific individual and are health care operations if performed in the aggregate for a group of individuals.

Comment: We were urged to specifically exclude “therapeutic substitution” from the definition.

Response: We reject this suggestion. While we understand that there are policy concerns regarding therapeutic substitution, those policy concerns are not primarily about privacy and thus are not appropriately addressed in this regulation.

Comment: A few commenters asked that patient assistance programs (PAPS) should be excluded from the definition of payment. Such programs are run by or on behalf of manufacturers and provide free or discounted medications to individuals who could not afford to purchase them. Commenters were concerned that including such activities in the definition of payment could harm these programs.

For example, a university school of pharmacy may operate an outreach program and serve as a clearinghouse for information on various pharmaceutical manufacturer PAPS. Under the program state residents can submit a simple application to the program (including medication regimen and financial information), which is reviewed by program pharmacists who study the eligibility criteria and/or directly call the manufacturer’s program personnel to help evaluate eligibility for particular PAPS. The program provides written guidance to the prescribing physicians that includes a suggested approach for helping their indigent patients obtain the medications that they need and enrollment information for particular PAPS.

Response: We note that the concerns presented are not affected by the definition of “payment.” The application of this rule to patient assistance program activities will depend on how the individual programs operate and is affected primarily by the definition of treatment. Each of these programs functions differently, so it is not possible to state a blanket rule for whether and how the rule affects such programs. Under the example provided, the physician who contacts the program on behalf of a patient is managing the patient’s care. If the provider is also a covered entity, he or she would be permitted to make such a “treatment” disclosure of protected health information if a general consent had been obtained from the patient. Depending on the particular facts, the manufacturer, by providing the prescription drugs for an individual, could also be providing health care under this rule. Even so, however, the manufacturer may or may not be a covered entity, depending on whether or not it engages in any of the standard electronic transactions (see the definition of a covered entity). It also may be an indirect treatment provider, since it may be providing the product through another provider, not directly to the patient. In this example, the relevant disclosures of protected health information by any covered health care provider with a direct treatment relationship with the patient would be permitted subject to the general consent requirements of § 164.506.

Whether and how this rule affects the school of pharmacy is equally dependent on the specific facts. For example, if the school merely provides a patient or a physician with the name of a manufacturer and a contact phone number, it would not be functioning as a health care provider and would not be subject to the rule. However, if the school is more involved in the care of the individual, its activities could come within the definition of “health care provider” under this rule.

Comment: Commenters pointed out that drugs may or may not be “covered” under a plan. Individuals, on the other hand, may or may not be “eligible” for benefits under a plan. The definition should incorporate both terms to clarify that determinations of both coverage and eligibility are payment activities.

Response: We agree and modify the rule to include “eligibility.”

Comment: Several commenters urged that “concurrent and retrospective review” were significant utilization review activities and should be incorporated.

Response: We agree and modify the definition accordingly.

Comment: Commenters noted that the proposed rule was not clear as to whether protected health information could be used to resolve disputes over coverage, including appeals or complaints regarding quality of care.

Response: We modify the definition of payment to include resolution of payment and coverage disputes; the final definition of payment includes “the adjudication * * * of health benefit claims.” The other examples provided by commenters, such as arranging, conducting, or assistance with primary and appellate level review of enrollee coverage appeals, also fall within the scope of adjudication of health benefits claims. Uses and disclosures of protected health information to resolve disputes over quality of care may be made under the definition of “health care operations” (see above).

Comment: Some commenters suggested that if an activity falls within the scope of payment it should not be considered marketing. Commenters supported an approach that would bar such an activity from being construed as “marketing” even if performing that
activity would result in financial gain to the covered entity.

Response: We agree that the proposed rule did not clearly define “marketing,” leaving commenters to be concerned about whether payment activities that result in financial gain might be considered marketing. In the final rule we add a definition of marketing and clarify when certain activities that would otherwise fall within that definition can be accomplished without authorization. We believe that these changes will clarify the distinction between marketing and payment and address the concerns raised by commenters.

Comment: Commenters asserted that HHS should not include long-term care insurance within the definition of “health plan.” If they are included, the commenters argued that the definition of payment must be modified to reflect the activities necessary to support the payment of long-term care insurance claims. As proposed, commenters argued that the definition of payment would not permit long term care insurers to use and disclose protected health information without authorization to perform functions that are “compatible with and directly relate to * * * payment” of claims submitted under long term care policies.

Response: Long-term care policies, except for nursing home fixed-indemnity policies, are defined as health plans by the statute (see definition of “health plan,” above). We disagree with the assertion that the definition of payment does not permit long term care insurers to undertake these necessary activities. Processing of premium payments, claims administration, and other activities suggested for inclusion by the commenters are covered by the definition. The rule permits protected health information to be used or disclosed by a health plan to determine or fulfill its responsibility for provision of benefits under the health plan.

Comment: Some commenters argued that the definition needs to be expanded to include the functions of obtaining stop-loss and ceding reinsurance.

Response: We agree that use and disclosure of protected health information for these activities should be permitted without authorization, but have included them under health care operations rather than payment.

Comment: Commenters asked that the definition be modified to include collection of accounts receivable or outstanding accounts. Commenters raised concern that the proposed rule, without changes, might unintentionally prevent the flow of information between medical providers and debt collectors.

Response: We agree that the proposed definition of payment did not explicitly provide for “collection activities” and that this oversight might have impeded a covered entity’s debt collection efforts. We modify the regulatory text to add “collection activities.”

Comment: The preamble should clarify that self-insured group health and workers’ compensation plans are not covered entities or business partners.

Response: The statutory definition of health plan does not include workers’ compensation products. See the discussion of “health plan” under § 160.103 above.

Comment: Certain commenters explained that third party administrators usually communicate with employees through Explanation of Benefit (EOB) reports on behalf of their dependents (including those who might not be minor children). Thus, the employee might be apprised of the medical encounters of his or her dependents but not of medical diagnoses unless there is an overriding reason, such as a child suspected of drug abuse due to multiple prescriptions. The commenters urged that the current claim processing procedures be allowed to continue.

Response: We agree. We interpret the definition of payment and, in particular, the term “claims management,” to include such disclosures of protected health information.

Comment: One private company noted that pursuant to the proposed Transactions Rule standard for payment and remittance advice, the ASC X12N 835 can be used to make a payment, send a remittance advice, or make a payment and send remittance advice by a health care payor and a health care provider, either directly or through a designated financial institution. Because a remittance advice includes diagnostic or treatment information, several private companies and a few public agencies believed that the proposed Transactions Rule conflicted with the proposed privacy rule. Two health plans requested guidance as to whether, pursuant to the ASC X12N 835 implementation guide, remittance advice information is considered “required” or “situational.” They sought guidance on whether covered entities could include benefits information in payment of claims and transfer of remittance information.

One commenter asserted that if the transmission of certain protected health information were prohibited, health plans may be required to strip remittance advice information from the ASC X12N 835 when making health care payments. It recommended modifying the proposed rule to allow covered entities to provide banks or financial institutions with the data specified in any transaction set mandated under the Transactions Rule for health care claims payment.

Similarly, a private company and a state health data organization recommended broadening the scope of permissible disclosures pursuant to the banking section to include integrated claims processing information, as contained in the ASC X12N 835 and proposed for adoption in the proposed Transactions Rule; this transaction standard includes diagnostic and treatment information. The company argued that inclusion of diagnostic and treatment information in the data transmitted in claims processing was necessary for comprehensive and efficient integration in the provider’s patient accounting system of data corresponding with payment that financial institutions credit to the provider’s account.

A state health data organization recommended applying these rules to financial institutions that process electronic remittance advice pursuant to the Transactions Rule.

Response: The Transactions Rule was published August 17, 2000, after the issuance of the privacy proposed rule. As noted by the commenters, the ASC X12N 835 we adopted as the “Health Care Payment and Remittance Advice” standard in the Transactions Rule has two parts. They are the electronic funds transfer (EFT) and the electronic remittance advice (ERA). The EFT part is optional and is the mechanism that payors use to electronically instruct one financial institution to move money from one account to another at the same or at another financial institution. The EFT includes information about the payor, the payee, the amount, the payment method, and a reassociation trace number. Since the EFT is used to initiate the transfer of funds between the accounts of two organizations, typically a payor to a provider, it includes no individually identifiable health information, not even the names of the patients whose claims are being paid. The funds transfer information may also be transmitted manually (by check) or by a variety of other electronic means, including various formats of electronic transactions sent through a payment network, such as the Automated Clearing House (ACH) Network.

The ERA, on the other hand, contains specific information about the patients and the medical procedures for which
the money is being paid and is used to update the accounts receivable system of the provider. This information is always needed to complete a standard Health Care Payment and Remittance Advice transaction, but is never needed for the funds transfer activity of the financial institution. The only information the two parts of this transaction have in common is the reassociation trace number.

Under the ASC X12N 835 standard, the ERA may be transmitted alone, directly from the health plan to the health care provider, and the reassociation trace number is used by the provider to match the ERA information with a specific payment conducted in some other way (e.g., EFT or paper check). The standard also allows the EFT to be transmitted alone, directly to the financial institution that will initiate the payment. It also allows both parts to be transmitted together, even though the intended recipients of the two parts are different (the financial institution and the provider). For example, this would be done when the parties agree to use the ACH system to carry the ERA through the provider’s bank to the provider when it is more efficient than sending the ERA separately through a different electronic medium.

Similarly, the ASC X12N 820 standard for premium payments has two parts, an EFT part (identical to that of the 835) and a premium data part containing identity and health information about the individuals for whom health insurance premiums are being paid.

Transmission of both parts of these standards is a payment activity under this rule, and is permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule.

We note that additional requirements may be imposed by the final Security Rule. Under the proposed Security Rule, the ACH system and similar systems would have been considered “open networks” because transmissions flow unpredictably through and become available to member institutions who are not party to any business associate agreements (in a way similar to the internet). The proposed Security Rule would require any protected health information transferred through the ACH or similar system to be encrypted.

Comment: A few commenters noted the Gramm-Leach-Bliley (GLB) Act (Pub. L. 106–102) allows financial holding companies to engage in a variety of business activities, such as insurance and securities, beyond traditional banking activities. Because the term “banking” may take on broader meaning in light of these changes, the commenter recommended modifying the proposed rule to state that disclosure of diagnostic and treatment information to banks along with payment information would constitute a violation of the rule. Specifically, the organization recommended clarifying in the final rule that the provisions included in the proposed section on banking and payment processes (proposed § 164.510(i)) govern payment processes only and that all activities of financial institutions that did not relate directly to payment processes must be conducted through business partner contracts. Furthermore, this group recommended clarifying that if financial institutions act as payors, they will be covered entities under the rule.

Response: We recognize that implementation of the GLB Act will expand significantly the scope of activities in which financial holding companies engage. However, unless a financial institution also meets the definition of a “covered entity,” it cannot be a covered entity under this rule.

We agree with the commenters that disclosure of diagnostic and specific treatment information to financial institutions for many banking and funds processing purposes may not be consistent with the minimum necessary requirements of this final rule. We also agree with the commenters that financial institutions are business associates if they receive protected health information when they engage in activities other than funds processing for covered entities. For example, if a health care provider contracts with a financial institution to conduct “back office” billing and accounts receivable activities, we require the provider to enter into a business associate contract with the institution.

Comment: Two commenters expressed support for the proposed rule’s approach to disclosure for banking and payment processes. On the other hand, many other commenters were opposed to disclosure of protected health information without authorization to banks. One commenter said that no financial institution should have individually identifiable health information for any reason, and it said there were technological means for separating identity from information necessary for financial transactions. Some commenters believed that implementation of the proposed rule’s banking provisions could lead banks to deny loans on the basis of individuals’ health information.

Response: We seek to achieve a balance between protecting patient privacy and facilitating the efficient operation of the health care system. While we agree that financial institutions should not have access to extensive information about individuals’ health, we recognize that even the minimal information required for processing of payments may effectively reveal a patient’s health condition; for example, the fact that a person has written a check to a provider suggests that services were rendered to the person or a family member. Requiring authorization for disclosure of protected health information to a financial institution in order to process every payment transaction in the health care system would make it difficult, if not impossible, for the health care system to operate effectively. See also discussion of section 1179 of the Act above.

Comment: Under the proposed rule, covered entities could have disclosed the following information without consent to financial institutions for the purpose of processing payments: (1) The account holder’s name and address; (2) the payor or provider’s name and address; (3) the amount of the charge for health services; (4) the date on which services were rendered; (5) the expiration date for the payment mechanism, if applicable (e.g., credit card expiration date); and (6) the individual’s signature. The proposed rule solicited comments on whether additional data elements would be necessary to process payment transactions from patients to covered entities.

One commenter believed that it was unnecessary to include this list in the final rule, because information that could have been disclosed under the proposed minimum necessary rule would have been sufficient to process banking and payment information. Another private company said that its extensive payment systems experience indicated that we should avoid attempts to enumerate a list of information allowed to be disclosed for banking and payment processing. Furthermore, the commenter said, the proposed rule’s list of information allowed to be disclosed was not sufficient to perform the range of activities necessary for the operation of modern electronic payment systems. Finally, the commenter said, inclusion of specific data elements allowed to be
disclosed for banking and payment processes in the rule would stifle innovation in continually evolving payment systems. Thus, the commenter recommended that in the final rule, we eliminate the minimum necessary requirement for banking and payment processing and that we do not include a list of specific types of information allowed to be disclosed for banking and payment processes.

On the other hand, several other commenters supported applying the minimum necessary standard to covered entities’ disclosures to financial institutions for payment processing. In addition, these groups said that because financial institutions are not covered entities under the proposed rule, they urged Congress to enact comprehensive privacy legislation to limit financial institutions’ use and re-disclosure of the minimally necessary protected health information they could receive under the proposed rule. Several of these commenters said that, in light of the increased ability to manipulate data electronically, they were concerned that financial institutions could use the minimal protected health information they received for making financial decisions. For example, one of these commenters said that a financial institution could identify an individual who had paid for treatment of domestic violence injuries and subsequently could deny the individual a mortgage based on that information.

Response: We agree with the commenters who were concerned that a finite list of information could hamper systems innovation, and we eliminate the proposed list of data items. However, we disagree with the commenters who argued that the requirement for minimum necessary disclosures should not apply to disclosures to financial institutions or for payment activities. They presented no persuasive reasons why these disclosures differ from others to which the standard applies, nor did they suggest alternative means of protecting individuals’ privacy. Further, with elimination of the proposed list of items that may be disclosed, it will be necessary to rely on the minimum necessary disclosure requirement to ensure that disclosures for payment purposes do not include information unnecessary for that purpose. In practice, the following is the information that generally will be needed: the name and address of the individual; the name and address of the payor or provider; the amount of the charge for health services; the date on which health services were rendered; the expiration date for the payment

card expiration date); the individual’s signature; and relevant identification and account numbers.

Comment: One commenter said that the minimum necessary standard would be impossible to implement with respect to information provided on its standard payment claim, which, it said, was used by pharmacies for concurrent drug utilization review and that was expected to be adopted by HHS as the national pharmacy payment claim.

Two other commenters also recommended clarifying in the final rule that pharmacy benefit cards are not considered a type of “other payment card” pursuant to the rule’s provisions governing payment processes. These commenters were concerned that if pharmacy benefit cards were covered by the rule’s payment processing provisions, their payment claim, which they said was expected to be adopted by HHS as the national pharmacy payment claim, may have to be modified to comply with the minimum necessary standard that would have been required pursuant to proposed § 164.510(i) on banking and payment processes. One of these commenters noted that its payment claim facilitates concurrent drug utilization review, which was mandated by Congress pursuant to the Omnibus Budget Reconciliation Act of 1990 and which creates the real-time ability for pharmacies to gain access to information that may be necessary to meet requirements of this and similar state laws. The commenter said that information on its standard payment claim may include information that could be used to provide professional pharmacy services, such as compliance, disease management, and outcomes programs. The commenter opposed restricting such information by applying the minimum necessary standard.

Response: We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the Transactions Rule, because those elements were agreed to through the ANSI-accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transactions, because industry consensus has not resulted in precise and unambiguous situation specific language to describe their usage. This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters, in which the current standard leaves most fields optional. For this reason, we do not accept this

The term “payment card” was intended to apply to a debit or credit card used to initiate payment transactions with a financial institution. We clarify that pharmacy benefit cards, as well as other health benefit cards, are used for identification of individual, plan, and benefits and do not qualify as “other payment cards.”

Comment: Two commenters asked the following questions regarding the banking provisions of the proposed rule: (1) Does the proposed regulation stipulate that disclosures to banks and financial institutions can occur only once a patient has presented a check or credit card to the provider, or pursuant to a standing authorization?; and (2) Does the proposed rule ban disclosure of diagnostic or other related detailed payment information to financial institutions?

Response: We do not ban disclosure of diagnostic information to financial institutions, because some such information may be evident simply from the name of the payee (e.g., when payment is made to a substance abuse clinic). This type of disclosure, however, is permitted only when reasonably necessary for the transaction (see requirements for minimum necessary disclosure of protected health information, in § 164.502 and § 164.514).

Similarly, we do not stipulate that such disclosure may be made only once a patient has presented a check or credit card, because some covered entities hire financial institutions to perform services such as management of accounts receivables and other back office functions. In providing such services to covered entities, the financial institution will need access to protected health information. (In this situation, the disclosure will typically be made under a business associate arrangement that includes provisions for protection of the information.)

Comment: One commenter was concerned that the proposed rule’s section on financial institutions, when considered in conjunction with the proposed definition of “protected health information,” could have been construed as making covered entities’ disclosures of consumer payment history information to consumer reporting agencies subject to the rule. It noted that covered entities’ reporting of payment history information to consumer reporting agencies was not explicitly covered by the proposed rule’s provisions regarding disclosure of protected health information without authorization. It was also concerned that the proposed rule’s minimum necessary
mechanism, if applicable (i.e., credit suggestion. standard could have been interpreted to

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00157 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82618 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

prevent covered entities and their business partners from disclosing appropriate and complete information to consumer reporting agencies. As a result, it said, consumer reporting agencies might not be able to compile complete consumer reports, thus potentially creating an inaccurate picture of a consumer's credit history that could be used to make future credit decisions about the individual. Furthermore, this commenter said, the proposed rule could have been interpreted to apply to any information disclosed to consumer reporting agencies, thus creating the possibility for conflicts between the rule's requirements and those of the Fair Credit Reporting Act. They indicated that areas of potential overlap included: limits on subsequent disclosures; individual access rights; safeguards; and notice requirements.

Response: We have added to the definition of "payment" disclosure of certain information to consumer reporting agencies. With respect to the remaining concerns, this rule does not apply to consumer reporting agencies if they are not covered entities.

Comment: Several commenters recommended prohibiting disclosure of psychotherapy notes under this provision and under all of the sections governing disclosure without consent for national priority purposes.

Response: We agree that psychotherapy notes should not be disclosed without authorization for payment purposes, and the final rule does not allow such disclosure. See the discussion under § 164.508.

Protected Health Information

Comment: An overwhelmingly large number of commenters urged the Secretary to expand privacy protection to all individually identifiable health information, regardless of form, held or transmitted by a covered entity. Commenters provided many arguments in support of their position. They asserted that expanding the scope of covered information under the rule would increase patient confidence in their health care providers and the health care system in general. Commenters stated that patients may not seek care or honestly discuss their health conditions with providers if they do not believe that all of their health information is confidential. In particular, many suggested that this fear would be particularly strong with certain classes of patients, such as persons with disabilities, who may be concerned about potential discrimination, embarrassment or stigmatization, or domestic violence victims, who may hide the real cause of their injuries.

In addition, commenters felt that a more uniform standard that covered all records would reduce the complexity, burden, cost, and enforcement problems that would result from the NPRM's proposal to treat electronic and non-electronic records differently. Specifically, they suggested that such a standard would eliminate any confusion regarding how to treat mixed records (paper records that include information that has been stored or transmitted electronically) and would eliminate the need for health care providers to keep track of which portions of a paper record have been (or will be) stored or transmitted electronically, and which are not. Many of these commenters argued that limiting the definition to information that is or has at one time been electronic would result in different protections for electronic and paper records, which they believe would be unwarranted and give consumers a false sense of security. Other comments argued that the proposed definition would cause confusion for providers and patients and would likely cause difficulties in claims processing. Many others complained about the difficulty of determining whether information has been maintained or transmitted electronically. Some asked us to explicitly list the electronic functions that are intended to be excluded, such as voice mail, fax, etc. It was also recommended that the definitions of "electronic transmission" and "electronic maintenance" be deleted. It was stated that the rule may apply to many medical devices that are regulated by the FDA. A commenter also asserted that the proposal's definition was technically flawed in that computers are also involved in analog electronic transmissions such as faxes, telephone, etc., which is not the intent of the language. Many commenters argued that limiting the definition to information that has been electronic would create a significant administrative burden, because covered entities would have to figure out how to apply the rule to some but not all information.

Others argued that covering all individually identifiable health information would eliminate any disincentives for covered entities to convert from paper to computerized record systems. These commenters asserted that under the proposed limited coverage, contrary to the intent of HIPAA's administrative simplification standards, providers would avoid converting paper records into computerized systems in order to bypass the provisions of the regulation. They argued that treating all records the same is consistent with the goal of increasing the efficiency of the administration of health care services.

Lastly, in the NPRM, we explained that while we chose not to extend our regulatory coverage to all records, we did have the authority to do so. Several commenters agreed with our interpretation of the statute and our authority and reiterated such statements in arguing that we should expand the scope of the rule in this regard.

Response: We find these commenters' arguments persuasive and extend protections to individually identifiable health information transmitted or maintained by a covered entity in any form (subject to the exception for "education records" governed by FERPA and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the commenters and in our NPRM, as well as because we believe that the approach in the final rule creates a logical, consistent system of protections that recognizes the dynamic nature of health information use and disclosure in a continually shifting health care environment. Rules that are specific to certain formats or media, such as "electronic" or "paper," cannot address the privacy threats resulting from evolving forms of data capture and transmission or from the transfer of the information from one form to another. This approach avoids the somewhat artificial boundary issues that stem from defining what is and is not electronic.

In addition, we have reevaluated our reasons for not extending privacy protections to all paper records in the NPRM and after review of comments believe such justifications to be less compelling than we originally thought. For example, in the NPRM, we explained that we chose not to cover all paper records in order to focus on the public concerns about health information confidentiality in electronic communications, and out of concern that the potential additional burden of covering all records may not be justified because of the lower privacy risks presented by records that are in paper form only. As discussed above, however, a great many commenters asserted that dealing with a mixture of protected and non-protected records is more burdensome, and that public concerns over health information confidentiality are not at all limited to electronic communications.

We note that medical devices in and of themselves, for example, pacemakers, are not protected health information for purposes of this regulation. However, information in or from the device may
be protected health information to the extent that it otherwise meets the definition.

Comment: Numerous commenters argued that the proposed coverage of any information other than that which is transmitted electronically and/or in a HIPAA transaction exceeds the Secretary's authority under section 264(c)(1) of HIPAA. The principal argument was that the initial language in section 264(c)(1) ("If language governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act * * * is not enacted by [August 21, 1999], the Secretary * * * shall promulgate final regulations containing such standards* * * ") limits the privacy standards to "information transmitted in connection with the [HIPAA] transactions." The precise argument made by some commenters was that the grant of authority is contained in the words "such standards," and that the referent of that phrase was "standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)* * *". Commenters also argued that this limitation on the Secretary's authority is discernible from the statutory purpose statement at section 261 of HIPAA, from the title to section 1173(a) ("Standards to Enable Electronic Exchange"), and from various statements in the legislative history, such as the statement in the Conference Report that the "Secretary would be required to establish standards and modifications to such standards regarding the privacy of individually identifiable health information that is in the health information network." H. Rep. No. 104–736, 104th Cong., 2d Sess., at 265. It was also argued that extension of coverage beyond the HIPAA transactions would be inconsistent with the underlying statutory trade-off between facilitating accessibility of information in the electronic transactions for which standards are adopted under section 1173(a) and protecting that information through the privacy standards.

Other commenters argued more generally that the Secretary's authority was limited to information in electronic form only, not information in any other form. These comments tended to focus on the statutory concern with regulating transactions in electronic form and argued that there was no need to have the privacy standards apply to information in paper form, because there is significantly less risk of breach of privacy with respect to such information.

The primary justifications provided by commenters for restricting the scope of covered individually identifiable health information under the regulation were that such an approach would reduce the complexity, burden, cost, and enforcement problems that would result from a rule that treats electronic and non-electronic records differently; would appropriately limit the rule's focus to the security risks that are inherent in electronic transmission or maintenance of individually identifiable health information; and would conform these provisions of the rule more closely with their interpretation of the HIPAA statutory language.

Response: We disagree with these commenters. We believe that restricting the scope of covered information under the rule consistent with any of the comments described above would generate a number of policy concerns. Any restriction in the application of privacy protections based on the media used to maintain or transmit the information is by definition arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks. For example, information contained in a paper record may be scanned and transmitted worldwide almost as easily as the same information contained in an electronic claims transaction, but would potentially not be protected.

In addition, application of the rule to only the standard transactions would leave large gaps in the amount of health information covered. This limitation would be particularly harmful for information used and disclosed by health care providers, who are likely to maintain a great deal of information never contained in a transaction.

We disagree with the arguments that the Secretary lacks legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. The arguments raised by these comments have two component parts: (1) That the Secretary's authority is limited by form, to individually identifiable health information in electronic form only; and (2) that the Secretary's authority is limited by content, to individually identifiable health information that is contained in what commenters generally termed the "HIPAA transactions," i.e., information contained in a transaction for which a standard has been adopted under section 1173(a) of the Act.

With respect to the issue of form, the statutory definition of "health information" at section 1171(4) of the Act defines such information as "any information, whether oral or recorded in any form or medium" (emphasis added) which is created or received by certain entities and relates to the health condition of an individual or the provision of health care to an individual (emphasis added). "Individually identifiable health information", as defined at section 1171(6) of the Act, is information that is created or received by a subset of the entities listed in the definition of "health information", relates to the same subjects as "health information," and is, in addition, individually identifiable. Thus, "individually identifiable health information" is, as the term itself implies, a subset of "health information." As "health information," "individually identifiable health information" means, among other things, information that is "oral or recorded in any form or medium." Therefore, the statute does not limit "individually identifiable health information" to information that is in electronic form only.

With respect to the issue of content, the limitation of the Secretary's authority to information in HIPAA transactions under section 264(c)(1) is more apparent than real. While the first sentence of section 264(c)(1) may be read as limiting the regulations to standards with respect to the privacy of individually identifiable health information "transmitted in connection with the [HIPAA] transactions," what that sentence in fact states is that the privacy regulations must "contain" such standards, not be limited to such standards. The first sentence thus sets a statutory minimum, first for Congress, then for the Secretary. The second sentence of section 264(c)(1) directs that the regulations "address at least the subjects in subsection (b) (of section 264)." Section 264(b), in turn, refers only to "individually identifiable health information", with no qualifying language, and refers back to subsection (a) of section 264, which is not limited to HIPAA transactions. Thus, the first and second sentences of section 264(c)(1) can be read as consistent with each other, in which case they direct the issuance of privacy standards with respect to individually identifiable health information. Alternatively, they can be read as ambiguous, in which case one must turn to the legislative history. The legislative history of section 264 does not reflect the content limitation of the first sentence of section 264(c)(1). Rather, the Conference Report
summarizes this section as follows: "If Congress fails to enact privacy legislation, the Secretary is required to develop standards with respect to privacy of individually identifiable health information not later than 42 months from the date of enactment." Id., at 270. This language indicates that the overriding purpose of section 264(c)(1) was to postpone the Secretary's duty to issue privacy standards (which otherwise would have been controlled by the time limits at section 1174(a)), in order to give Congress more time to pass privacy legislation. A corollary inference, which is also supported by other textual evidence in section 264 and Part C of title XI, is that if Congress failed to act within the time provided, the original statutory scheme was to kick in. Under that scheme, which is set out in section 1173(e) of the House bill, the standards to be adopted were "standards with respect to the privacy of individually identifiable health information." Thus, the legislative history of section 264 supports the statutory interpretation underlying the rules below.

Comment: Many commenters were opposed to the rule covering specific forms of communication or records that could potentially be considered covered information, i.e., faxes, voice mail messages, etc. A subset of these commenters took issue particularly with the inclusion of oral communications within the scope of covered information. The commenters argued that covering information when it takes oral form (e.g., verbal discussions of a submitted claim) makes the regulation extremely costly and burdensome, and even impossible to administer. Another commenter also offered that it would make it nearly impossible to discuss health information over the phone, as the covered entity cannot verify that the person on the other end is in fact who he or she claims to be.

Response: We disagree. Covering oral communications is an important part of keeping individually identifiable health information private. If the final rule were not to cover oral communication, a conversation about a person's protected health information could be shared with anyone. Therefore, the same protections afforded to paper and electronically based information must apply to verbal communication as well. Moreover, the Congress explicitly included "oral" information in the statutory definition of health information.

Comment: A few commenters supported, without any change, the approach proposed in the NPRM to limit the scope of covered information to individually identifiable health information in any form once the information is transmitted or maintained electronically. These commenters asserted that our statutory authority limited us accordingly. Therefore, they believed we had proposed protections to the extent possible within the bounds of our statutory authority and could not expand the scope of such protections without new legislative authority.

Response: We disagree with these commenters regarding the limitations under our statutory authority. As explained above, we have the authority to extend the scope of the regulation as we have done in the final rule. We also note here that most of these commenters who supported the NPRM's proposed approach voiced strong support for extending the scope of coverage to all individually identifiable health information in any form, but concluded that we had done what we could within the authority provided.

Comment: One commenter argued that the term "transaction" is generally understood to denote a business matter, and that the NPRM applied the term too broadly by including hospital directory information, communication with a patient's family, researchers' use of data and many other non-business activities.

Response: This comment reflects a misunderstanding of our use of the term "transaction." The uses and disclosures described in the comment are not "transactions" as defined in § 160.103. The authority to regulate the types of uses and disclosures described is provided under section 264 of Pub. L. 104–191. The conduct of the activities noted by the commenters is not related to the determination of whether a health care provider is a covered entity. We explain in the preamble that a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.

Comment: A few commenters asserted that the Secretary has no authority to regulate "use" of protected health information. They stated that although section 264(b) mentions that the Secretary should address "uses and disclosures," no other section of HIPAA employs the term "use."

Response: We disagree with these commenters. As they themselves note, the authority to regulate use is given in section 264(b) and is sufficient.

Comment: Some commenters requested clarification as to how certain types of health information, such as photographs, faxes, X-Rays, CT-scans, and others would be classified as protected or not under the rule.

Response: All types of individually identifiable health information in any form, including those described, when maintained or transmitted by a covered entity are covered in the final rule.

Comment: A few commenters requested clarification with regard to the differences between the definitions of individually identifiable health information and protected health information.

Response: In expanding the scope of covered information in the final rule, we have simplified the distinction between the two definitions. In the final rule, protected health information is the subset of individually identifiable health information that is maintained or transmitted by a covered entity, and thereby protected by this rule. For additional discussion of protected health information and individually identifiable health information, see the descriptive summary of § 164.501.

Comment: A few commenters remarked that the federal government has no right to access or control any medical records and that HHS must get consent in order to store or use any individually identifiable health information.

Response: We understand the commenters' concern. It is not our intent, nor do we through this rule create any government right of access to medical records, except as needed to investigate possible violations of the rule. Some government programs, such as Medicare, are authorized under other law to gain access to certain beneficiary records for administrative purposes. However, these programs are covered by the rule and its privacy protections apply.

Comment: Some commenters asked us to clarify how schools would be treated by the rule. Some of these commenters worried that privacy would be compromised if schools were exempted from the provisions of the final rule. Other commenters thought that school medical records were included in the provisions of the NPRM.

Response: We agree with the request for clarification and provide guidance regarding the treatment of medical records in schools in the "Relationship to Other Federal Laws" preamble discussion of FERPA, which governs the privacy of education records.

Comment: One commenter was concerned that only some information from a medical chart would be included as covered information. The commenter was especially concerned that transcribed material might not be considered covered information.
Response: As stated above, all individually identifiable health information in any form, including transcribed or oral information, maintained or transmitted by a covered entity is covered under the provisions of the final rule.

Comment: In response to our solicitation of comments on the scope of the definition of protected health information, many commenters asked us to narrow the scope of the proposed definition to include only information in electronic form. Others asked us to include only information from the HIPAA standard transactions.

Response: For the reasons stated by the commenters who asked us to expand the proposed definition, we reject these comments. We reject these approaches for additional reasons, as well. Limiting the protections to electronic information would, in essence, protect information only as long as it remained in a computer or other electronic media; the protections in the rule could be avoided simply by printing out the information. This approach would thus result in the illusion, but not the reality, of privacy protections. Limiting protection to information in HIPAA transactions has many of the problems in the proposed approach: it would fail to protect significant amounts of health information, would force covered entities to figure out which information had and had not been in such a transaction, and could cause the administrative burdens the commenters feared would result from protecting some but not all information.

Comment: A few commenters asserted that the definition of protected health information should explicitly include "genetic" information. It was argued that improper disclosure and use of such information could have a profound impact on individuals and families.

Response: We agree that the definition of protected health information includes genetic information that otherwise meets the statutory definition. But we believe that singling out specific types of protected health information for special mention in the regulation text could wrongly imply that other types are not included.

Comment: One commenter recommended that the definition of protected health information be modified to clarify that an entity does not become a 'covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information.

Response: We agree with the commenter's analysis, but believe the definition is sufficiently clear without a specific amendment to this effect.

Comment: One commenter recommended that the definition be amended to explicitly exclude individually identifiable health information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of payment history to a consumer reporting agency by a covered entity should not be considered protected health information. Another commenter recommended that health information, billing information, and a consumer's credit history be exempted from the definition because this flow of information is regulated by both the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA).

Response: We disagree. To the extent that such information meets the definition of protected health information, it is covered by this rule. These statutes are designed to protect financial, not health, information. Further, these statutes primarily regulate entities that are not covered by this rule, minimizing the potential for overlap or conflict. The protections in this rule are more appropriate for protecting health information. However, we add provisions to the definition of payment which should address these concerns. See the definition of 'payment' in § 164.501.

Comment: An insurance company recommended that the rule require that medical records containing protected health information include a notation on a cover sheet on such records.

Response: Since we have expanded the scope of protected health information, there is no need for covered entities to distinguish among their records, and such a notation is not needed. This uniform coverage eliminates the mixed record problem and resultant potential for confusion.

Comment: A government agency requested clarification of the definition to address the status of information that flows through dictation services.

Response: A covered entity may disclose protected health information for transcription of dictation under the definition of health care operations, which allows disclosure for "general administrative" functions. We view transcription and clerical services generally as part of a covered entity's general administrative functions. An entity transcribing dictation on behalf of a covered entity meets this rule's definition of business associate and may receive protected health information under a business associate contract with the covered entity and subject to the other requirements of the rule.

Comment: A commenter recommended that information transmitted for employee drug testing be exempted from the definition.

Response: We disagree that it is necessary to specifically exclude such information from the definition of protected health information. If a covered entity is involved, triggering this rule, the employer may obtain authorization from the individuals to be tested. Nothing in this rule prohibits an employer from requiring an employee to provide such an authorization as a condition of employment.

Comment: A few commenters addressed our proposal to exclude individually identifiable health information in education records covered by FERPA. Some expressed support for the exclusion. One commenter recommended adding another exclusion to the definition for the treatment records of students who attend institutions of post secondary education or who are 18 years old or older to avoid confusion with rules under FERPA. Another commenter suggested that the definition exclude health information of participants in "Job Corps programs" as it has for educational records and inmates of correctional facilities.

Response: We agree with the commenter on the potential for confusion regarding records of students who attend post-secondary schools or who are over 18, and therefore in the final rule we exclude records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of protected health information. For a detailed discussion of this change, refer to the "Relationship to Other Federal Laws" section of the preamble. We find no similar reason to exclude "Job Corps programs" from the requirements of this regulation.

Comment: Some commenters voiced support for the exclusion of the records of inmates from the definition of protected health information, maintaining that correctional agencies have a legitimate need to share some health information internally without authorization between health service units in various facilities and for purposes of custody and security. Other commenters suggested that the proposed exclusion be extended to individually identifiable health information: created by covered entities providing services to inmates or detainees under contract to such facilities; of "former" inmates; and of persons who are in the custody of law enforcement officials, such as the United States Marshals Service and local police agencies. They stated that
corrections and detention facilities must be able to share information with law enforcement agencies such as the United States Marshals Service, the Immigration and Naturalization Service, county jails, and U.S. Probation Offices.

Another commenter said that there is a need to have access to records of individuals in community custody and explained that these individuals are still under the control of the state or local government and the need for immediate access to records for inspections and/or drug testing is necessary.

A number of commenters were opposed to the proposed exclusion to the definition of protected health information, arguing that the proposal was too sweeping. Commenters stated that while access without consent is acceptable for some purposes, it is not acceptable in all circumstances. Some of these commenters concurred with the sharing of health care information with other medical facilities when the inmate is transferred for treatment. These commenters recommended that we delete the exception for jails and prisons and substitute specific language about what information could be disclosed and the limited circumstances or purposes for which such disclosures could occur.

Others recommended omission of the proposed exclusion entirely, arguing that excluding this information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that inmates and detainees have a right to privacy of medical records and that individually identifiable health information obtained in these settings can be misused, e.g., when communicated indiscriminately, health information can trigger assaults on individuals with stigmatized conditions by fellow inmates or detainees. It can also lead to the denial of privileges, or inappropriately influence the deliberations of bodies such as parole boards.

A number of commenters explicitly took issue with the exclusion relative to individuals, and in particular youths, with serious mental illness, seizure disorders, and emotional or substance abuse disorders. They argued that these individuals come in contact with criminal justice authorities as a result of behaviors stemming directly from their illness and assert that these provisions will cause serious problems. They argue that disclosing the fact that an individual was treated for mental illness while incarcerated could seriously impair the individual’s reintegration into the community. Commenters stated that such disclosures could put the individual or family members at risk of discrimination by employers and in the community at large.

Some commenters asserted that the rule should be amended to prohibit jails and prisons from disclosing private medical information of individuals who have been discharged from these facilities. They argued that such disclosures may seriously impair individuals’ rehabilitation into society and subject them to discrimination as they attempt to re-establish acceptance in the community.

Response: We find commenters’ arguments against a blanket exemption from privacy protection for inmates persuasive. We agree health information in these settings may be misused, which consequently poses many risks to the inmate or detainee and in some cases, their families as described above by the commenters. Accordingly, we delete this exception from the definition of ‘‘protected health information’’ in the final rule. The final rule considers individually identifiable health information of individuals who are prisoners and detainees to be protected health information to the extent that it meets the definition and is maintained or transmitted by a covered entity.

At the same time, we agree with those commenters who explained that correctional facilities have legitimate needs for use and sharing of individually identifiable health information about inmates without authorization. Therefore, we add a new provision (§ 164.512(k)(5)) that permits a covered entity to disclose protected health information about inmates without individual consent, authorization, or agreement to correctional institutions for specified health care and other custodial purposes. For example, covered entities are permitted to disclose for the purposes of providing health care to the individual who is the inmate, or for the health and safety of other inmates or officials and employees of the facility. In addition, a covered entity may disclose protected health information as necessary for the administration and maintenance of the safety, security, and good order of the institution. See the preamble discussion of the specific requirements at § 164.512(k)(5), as well as discussion of certain limitations on the rights of individuals who are inmates with regard to their protected health information at §§ 164.506, 164.520, 164.524, and 164.528.

We also provide the following clarifications. Covered entities that provide services to inmates under contract to correctional institutions must treat protected health information about inmates in accordance with this rule and are permitted to use and disclose such information to correctional institutions as allowed under § 164.512(k)(5).

As to former inmates, the final rule considers such persons who are released on parole, probation, supervised release, or are otherwise no longer in custody, to be individuals who are not inmates. Therefore, the permissible disclosure provision at § 164.512(k)(5) does not apply in such cases. Instead, a covered entity must apply privacy protections to the protected health information about former inmates in the same manner and to the same extent that it protects the protected health information of other individuals. In addition, individuals who are former inmates hold the same rights as all other individuals under the rule.

As to individuals in community custody, the final rule considers inmates to be those individuals who are incarcerated in or otherwise confined to a correctional institution. Thus, to the extent that community custody confines an individual to a particular facility, § 164.512(k)(5) is applicable.

Psychotherapy Notes

Comment: Some commenters thought the definition of psychotherapy notes was contrary to standard practice. They claimed that reports of psychotherapy are typically part of the medical record and that psychologists are advised, for ethical reasons and liability risk management purposes, not to keep two separate sets of notes. Others acknowledged that therapists may maintain separate notations of therapy sessions for their own purpose. These commenters asked that we make clear that psychotherapy notes, at least in summary form, should be included in the medical record. Many plans and providers expressed concern that the proposed definition would encourage the creation of ‘‘shadow’’ records which may be dangerous to the patient and may increase liability for the health care providers. Some commenters claimed that psychotherapy notes contain information that is often essential to treatment.

Response: We conducted fact-finding with providers and other knowledgeable parties to determine the standard practice of psychotherapists and determined that only some psychotherapists keep separate files with notes pertaining to psychotherapy sessions. These notes are often referred to as ‘‘process notes,’’ distinguishable from ‘‘progress notes,’’ ‘‘the medical record,’’ or ‘‘official records.’’ These process notes capture the therapist’s
impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record, and are used by the provider for future sessions. We were told that process notes are often kept separate to limit access, even in an electronic record system, because they contain sensitive information relevant to no one other than the treating provider. These separate ‘‘process notes’’ are what we are calling ‘‘psychotherapy notes.’’ Summary information, such as the current state of the patient, symptoms, summary of the theme of the psychotherapy session, diagnoses, medications prescribed, side effects, and any other information necessary for treatment or payment, is always placed in the patient’s medical record. Information from the medical record is routinely sent to insurers for payment.

Comment: Various associations and their constituents asked that the exceptions for psychotherapy notes be extended to health care information from other health care providers. These commenters argued that psychotherapists are not the only providers or even the most likely providers to discuss sensitive and potentially embarrassing issues, as treatment and counseling for mental health conditions, drug abuse, HIV/AIDS, and sexual problems are often provided outside of the traditional psychiatric settings. One writer stated, ‘‘A prudent health care provider will always assess the past and present psychiatric medical history and symptoms of a patient.’’

Many commenters believed that psychotherapy notes should include frequencies of treatment, results of clinical tests, and summary of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. They claimed that this information is highly sensitive and should not be released without the individual’s written consent, except in cases of emergency. One commenter suggested listing the types of mental health information that can be requested by third party payors to make payment determinations and defining the meaning of each term.

Response: As discussed above and in the NPRM, the rationale for providing special protection for psychotherapy notes is not only that they contain particularly sensitive information, but also that they are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little or no use to others not involved in the therapy. Information in these notes is not intended to communicate to, or even be seen by, persons other than the therapist. Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations.

Comment: One commenter was particularly concerned that the use of the term ‘‘counseling’’ in the definition of psychotherapy notes would lead to confusion because counseling and psychotherapy are different disciplines.

Response: In the final rule, we continue to use the term ‘‘counseling’’ in the definition of ‘‘psychotherapy.’’ During our fact-finding, we learned that ‘‘counseling’’ had no commonly agreed upon definition, but seemed to be widely understood in practice. We do not intend to limit the practice of psychotherapy to any specific professional disciplines.

Comment: One commenter noted that the public mental health system is increasingly being called upon to integrate and coordinate services among other providers of mental health services and they have developed an integrated electronic medical record system for state-operated hospitals, part of which includes psychotherapy notes, and which cannot be easily modified to provide different levels of confidentiality. Another commenter recommended allowing use or disclosure of psychotherapy notes by members of an integrated health care facility as well as the originator.

Response: The final rule makes it clear that any notes that are routinely shared with others, whether as part of the medical record or otherwise, are, by definition, not psychotherapy notes, as we have defined them. To qualify for the definition and the increased protection, the notes must be created and maintained for the use of the provider who created them, i.e., the originator, and must not be the only source of any information that would be critical for the treatment of the patient or for getting payment for the treatment. The types of notes described in the comment would not meet our definition for psychotherapy notes.

Comment: Many providers expressed concern that if psychotherapy notes were maintained separately from other protected health information, other health providers involved in the individual’s care would be unable to treat the patient properly. Some recommended that if the patient does not consent to sharing of psychotherapy notes for treatment purposes, the treating provider should be allowed to decline to treat the patient, providing a referral to another provider.

Response: The final rule retains the policy that psychotherapy notes be separated from the remainder of the medical record in order to receive additional protection. We based this decision on conversations with mental health providers who have told us that information that is critical to the treatment of individuals is normally maintained in the medical record and that psychotherapy notes are used by the provider who created them and rarely for other purposes. A strong part of the rationale for the special treatment of psychotherapy notes is that they are the personal notes of the treating provider and are of little or no use to others who were not present at the session to which the notes refer.

Comment: Several commenters requested that we clarify that the information contained in psychotherapy notes is being protected under the rule and not the notes themselves. They were concerned that the protection for psychotherapy notes would not be meaningful if health plans could demand the same information in a different format.

Response: This rule provides special protection for the information in psychotherapy notes, but it does not extend that protection to the same information that may be found in other locations. We do not require the notes to be in a particular format, such as hand-written. They may be typed into a word processor, for example. Copying the notes into a different format, per se, would not allow the information to be accessed by a health plan. However, the requirement that psychotherapy notes be kept separate from the medical record and solely for the use of the provider who created them means that the special protection does not apply to the same information in another location.

Public Health Authority

Comment: A number of the comments called for the elimination of all permissible disclosures without authorization, and some specifically cited the public health section and its liberal definition of public health authority as an inappropriately broad loophole that would allow unfettered access to private medical information by various government authorities.

Other commenters generally supported the provision allowing disclosure to public health authorities and to non-governmental entities
authorized by law to carry out public health activities. They further supported the broad definition of public health authority and the reliance on broad legal or regulatory authority by public health entities although explicit authorities were preferable and better informed the public.

Response: In response to comments arguing that the provision is too broad, we note that section 1178(b) of the Act, as explained in the NPRM, explicitly carves out protection for state public health laws. This provision states that: ‘‘[N]othing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention.’’ In light of this broad Congressional mandate not to interfere with current public health practices, we believe the broad definition of ‘‘public health authority’’ is appropriate to achieve that end.

Comment: Some commenters said that they performed public health activities in analyzing data and information. These comments suggested that activities conducted by provider and health plan organizations that compile and compare data for benchmarking performance, monitoring, utilization, and determining the health needs of a given market should be included as part of the public health exemption. One commenter recommended amending the regulation to permit covered entities to disclose protected health information to private organizations for public health reasons.

Response: We disagree that such a change should be made. In the absence of some nexus to a government public health authority or other underlying legal authority, covered entities would have no basis for determining which data collections are ‘‘legitimate’’ and how the confidentiality of the information will be protected. In addition, the public health functions carved out for special protection by Congress are explicitly limited to those established by law.

Comment: Two commenters asked for additional clarification as to whether the Occupational Safety and Health Administration (OSHA) and the Mine Safety and Health Administration (MSHA) would be considered public health authorities as indicated in the preamble. They suggested specific language for the final rule. Commenters also suggested that we specify that states operating OSHA-approved programs also are considered public health authorities. One comment applauded the Secretary’s recognition of OSHA as both a health oversight agency and public health authority. It suggested adding OSHA-approved programs that operate in states to the list of entities included in these categories. In addition, the comment requested the final regulation specifically mention these entities in the text of the regulation as well.

Response: We agree that OSHA, MSHA and their state equivalents are public health authorities when carrying out their activities related to the health and safety of workers. We do not specifically reference any agencies in the regulatory definition, because the definition of public health authority and this preamble sufficiently address this issue. As defined in the final rule, the definition of ‘‘public health authority’’ at § 164.501 continues to include OSHA as a public health authority. State agencies or authorities responsible for public health matters as part of their official mandate, such as OSHA-approved programs, also come within this definition. See discussion of § 164.512(b) below. We have refrained, however, from listing specific agencies and have retained a general descriptive definition.

Comment: Several commenters recommended expanding the definition of public health authority to encompass other governmental entities that may collect and hold health data as part of their official duties. One recommended changing the definition of public health authority to read as follows: Public health authority means an agency or authority * * * that is responsible for public health matters or the collection of health data as part of its official mandate.

Response: We do not adopt this recommendation. The public health provision is not intended to cover agencies that are not responsible for public health matters but that may in the course of their responsibilities collect health-related information. Disclosures to such authorities may be permissible under other provisions of this rule.

Comment: Many commenters asked us to include a formal definition of ‘‘required by law’’ incorporating the material noted in this preamble and additional suggested disclosures.

Response: We agree generally and modify the definition accordingly. See discussion above.

Research

Comment: We received many comments from commenters supporting the proposed definition of ‘‘research.’’ These commenters agreed that the definition of ‘‘research’’ should be the same as the definition in the Common Rule. These commenters argued that it was important that the definition of ‘‘research’’ be consistent with the Common Rule’s definition to ensure the coherent oversight of medical research. In addition, some of these commenters also supported this definition because they believed it was already well-understood by researchers and provided reasonably clear guidance needed to distinguish between research and health care operations.

Some commenters believed that the NPRM’s definition was too narrow. Several of these commenters agreed that the Common Rule’s definition should be adopted in the final rule, but argued that the proposed definition of ‘‘generalizable knowledge’’ within the definition of ‘‘research,’’ which limited generalizable knowledge to knowledge that is ‘‘related to health,’’ was too narrow. For example, one commenter stated that gun shot wound, spousal abuse, and other kinds of information from emergency room statistics are often used to conduct research with ramifications for social policy, but may not be ‘‘related to health.’’ Several of these commenters recommended that the definition of research be revised to delete the words ‘‘related to health.’’ Additional commenters who argued that the definition was too narrow raised the following concerns: the difference between ‘‘research’’ and ‘‘health care operations’’ is irrelevant from the patients’ perspective, and therefore, the proposed rule should have required documentation of approval by an IRB or privacy board before protected health information could be used or disclosed for either of these purposes, and the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries.

Commenters who argued that the definition was too broad recommended that certain activities should be explicitly excluded from the definition. In general, these commenters were concerned that if certain activities were considered to be ‘‘research’’ the rule’s research requirements would represent a problematic level of regulation on industry initiatives. Some activities that these commenters recommended be explicitly excluded from the definition of ‘‘research’’ included: marketing research, health and productivity management, quality assessment and improvement activities, and internal research conducted to improve health.

Response: We agree that the final rule’s definition of ‘‘research’’ should be
consistent with the Common Rule’s definition of this term. We also agree that our proposal to limit ‘‘generalizable knowledge’’ to knowledge that is ‘‘related to health,’’ and ‘‘knowledge that could be applied to populations outside of the population served by the covered entity,’’ was too narrow. Therefore, in the final rule, we retain the Common Rule’s definition of ‘‘research’’ and eliminate the further elaboration of ‘‘generalizable knowledge.’’ We understand knowledge to be generalizable when it can be applied to either a population inside or outside of the population served by the covered entity. Therefore, knowledge may be ‘‘generalizable’’ even if a research study uses only the protected health information held within a covered entity, and the results are generalizable only to the population served by the covered entity. For example, generalizable knowledge could be generated from a study conducted by the HCFA, using only Medicare data held by HCFA, even if the knowledge gained from the research study is applicable only to Medicare beneficiaries.

We rejected the other arguments claiming that the definition of ‘‘research’’ was either too narrow or too broad. While we agree that it is sometimes difficult to distinguish between ‘‘research’’ and ‘‘health care operations,’’ we disagree that the difference between these activities is irrelevant from the patients’ perspective. We believe, based on many of the comments, that individuals expect that individually identifiable health information about themselves will be used for health care operations such as reviewing the competence or qualifications of health care professionals, evaluating provider and plan performance, and improving the quality of care. A large number of commenters, however, indicated that they did not expect that individually identifiable health information about themselves would be used for research purposes without their authorization. Therefore, we retain more stringent protections for research disclosures without patient authorization.

We also disagree with the commenters who were concerned that the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries. Such activities conducted by either non-profit or for-profit entities could meet the rule’s definition of research, and therefore are not necessarily excluded from this definition.

We also disagree with many of the commenters who argued that certain activities should be explicitly excluded from the definition of research. We found no persuasive evidence that, when particular activities are also systematic investigations designed to contribute to generalizable knowledge, they should be treated any differently from other such activities.

We are aware that the National Bioethics Advisory Commission (NBAC) is currently assessing the Common Rule’s definition of ‘‘research’’ as part of a report they are developing on the implementation and adequacy of the Common Rule. Since we agree that a consistent definition is important to the conduct and oversight of research, if the Common Rule’s definition of ‘‘research’’ is modified in the future, the Department of Health and Human Services will consider whether the definition should also be modified for this subpart.

Comment: Some commenters urged the Department to establish precise definitions for ‘‘health care operations’’ and ‘‘research’’ to provide clear guidance to covered entities and adequate privacy protections for the subjects of the information whose information is disclosed for these purposes. One commenter supported the definition of ‘‘research’’ proposed in the NPRM, but was concerned about the ‘‘crossover’’ from data analyses that begin as health care operations but later become ‘‘research’’ because the analytical results are of such importance that they should be shared through publication, thereby contributing to generalizable knowledge. To distinguish between the definitions of ‘‘health care operations’’ and ‘‘research,’’ a few commenters recommended that the rule make this distinction based upon whether the activity is a ‘‘use’’ or a ‘‘disclosure.’’ These commenters recommend that the ‘‘use’’ of protected health information for research without patient authorization should be exempt from the proposed research provisions provided that protected health information was not disclosed in the final analysis, report, or publication.

Response: We agree with commenters that at times it may be difficult to distinguish projects that are health operations and projects that are research. We note that this ambiguity exists today, and disagree that we can address this issue with more precise definitions of research and health care operations. Today, the issue is largely one of intent. Under the Common Rule, the ethical and regulatory obligations of the researcher stem from the intent of the activity. We follow that approach here. If such a project is a systematic investigation that is designed to develop or contribute to generalizable knowledge, it is considered to be ‘‘research,’’ not ‘‘health care operations.’’

In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that could be generalized. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the fact as evidence that the activity was not subject to § 164.512(i) of this rule.

We understand that for research that is subject to the Common Rule, this is not the case. The Office for Human Research Protections interprets 45 CFR part 46 to require IRB review as soon as an activity meets the definition of research, regardless of whether the activity began as ‘‘health care operations’’ or ‘‘public health,’’ for example. The final rule does not affect the Office for Human Research Protections’ interpretation of the Common Rule.

We were not persuaded that an individual’s privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. We do not agree generally that internal activities of covered entities do not potentially compromise the privacy interests of individuals. Many persons within a covered entity may have access to protected health information. When the activity is a systematic investigation, the number of persons who may be involved in the records review and analysis may be substantial. We believe that IRB or privacy board approval of the waiver of authorization will provide important privacy protections to individuals about whom protected health information is used or disclosed for research. If a covered entity wishes to use protected health information about its enrollees for research purposes, documentation of an IRB’s or privacy board’s assessment of the privacy impact of such a use is as important as if the same research study required the disclosure of protected health information. This conclusion is consistent with the Common Rule’s requirement for IRB review of all human subjects research.

Treatment

Comment: Some commenters advocated for a narrow interpretation of
treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors.

Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advice about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual. Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate.

We note that poison control centers are health care providers for purposes of this rule. We consider the counseling and follow-up consultations provided by poison control centers with individual providers regarding patient outcomes to be treatment. Therefore, poison control centers and other health care providers can share protected health information about the treatment of an individual without a business associate contract.

Comment: Many commenters suggested that "treatment" activities should include services provided to both a specific individual and larger patient populations and therefore urged that the definition of treatment specifically allow for such activities, sometimes referred to as "disease management" activities. Some argued that an analysis of an overall population is integral to determining which individuals would benefit from disease management services. Thus, an analysis of health care claims for enrolled populations enables proactive contact with those identified individuals to notify them of the availability of services. Certain commenters noted that "disease management" services provided to their patient populations, such as reminders about recommended tests based on nationally accepted clinical guidelines, are integral components of quality health care.

Response: We do not agree that population based services should be considered treatment activities. The definition of "treatment" is closely linked to the § 160.103 definition of "health care," which describes care, services and procedures related to the health of an individual. The activities described by "treatment," therefore, all involve health care providers supplying health care to a particular patient. While many activities beneficial to patients are offered to entire populations or involve examining health information about entire populations, treatment involves health services provided by a health care provider and tailored to the specific needs of an individual patient. Although a population-wide analysis or intervention may prompt a health care provider to offer specific treatment to an individual, we consider the population-based analyses to improve health care or reduce health care costs to be health care operations (see definition of "health care operations," above).

Comment: A number of commenters requested clarification about whether prescription drug compliance management programs would be considered "treatment." One commenter urged HHS to clarify that provision by a pharmacy to a patient of customized prescription drug information about the risks, benefits, and conditions of use of a prescription drug being dispensed is considered a treatment activity. Others asked that the final rule expressly recognize that prescription drug advice provided by a dispensing pharmacist, such as a customized pharmacy letter, is within the scope of treatment.

Response: The activities that are part of prescription drug compliance management programs were not fully described by these commenters, so we cannot state a general rule regarding whether such activities constitute treatment. We agree that pharmacists' provision of customized prescription drug information and advice about the prescription drug being dispensed is a treatment activity. Pharmacists' provision of information and counseling about pharmaceuticals to their customers constitutes treatment, and we exclude certain communications made in the treatment context from the definition of marketing. (See discussion above.)

Comment: Some commenters noted the issues and recommendations raised in the Institute of Medicine report "To Err Is Human" and the critical need to share information about adverse drug and other medical events, evaluation of the information, and its use to prevent future medical errors. They noted that privacy rules should not be so stringent as to prohibit the sharing of patient data needed to reduce errors and optimize health care outcomes. To bolster the notion that other programs associated with the practice of pharmacy must be considered as integral to the definition of health care and treatment, they reference OBRA '90 (42 U.S.C. 1396r–8) and the minimum required activities for dispensing drugs; they also note that virtually every state Board of Pharmacy adopted regulations imposing OBRA '90 requirements on pharmacies for all patients and not just Medicaid recipients.

Response: We agree that reducing medical errors is critical, and do not believe that this regulation impairs efforts to reduce medical errors. We define treatment broadly and include quality assessment and improvement activities in the definition of health care operations. Covered pharmacies may conduct such activities, as well as treatment activities appropriate to improve quality and reduce errors. We believe that respect for the privacy rights of individuals and appropriate protection of the confidentiality of their health information are compatible with the goal of reducing medical errors.

Comment: Some commenters urged us to clarify that health plans do not perform "treatment" activities; some of these were concerned that a different approach in this regulation could cause conflict with state corporate practice of medicine restrictions. Some commenters believed that the proposed definition of treatment crossed into the area of cost containment, which would seem to pertain more directly to payment. They supported a narrower definition that would eliminate any references to third party payors. One commenter argued that the permissible disclosure of protected health information to carry out treatment is too broad for health plans and that health plans that have no responsibility for treatment or care coordination should have no authority to release health information without authorization for treatment purposes.

Response: We do not consider the activities of third party payors, including health plans, to be
"treatment." Only health care providers, not health plans, conduct "treatment" for purposes of this rule. A health plan may, however, disclose protected health information without consent or authorization for treatment purposes if that disclosure is made to a provider. Health plans may have information a provider needs, for example information from other providers or information about the patient's treatment history, to develop an appropriate plan of care.

Comment: We received many comments relating to "disease management" programs and whether activities described as disease management should be included in the definition of treatment. One group of commenters supported the proposed definition of treatment that includes disease management. One commenter offered the position that disease management services are more closely aligned with treatment because they involve the coordination of treatment whereas health care operations are more akin to financial and ministerial functions of plans.

Some recommended that the definition of treatment be limited to direct treatment of individual patients and not allow for sharing of information for administrative or other programmatic reasons. They believed that allowing disclosures for disease management opens a loophole for certain uses and disclosures, such as marketing, that should only be permitted with authorization. Others recommended that the definition of disease management be restricted to prevent unauthorized use of individual health records to target individuals in a health plan or occupational health program. Many asked that the definition of disease management be clarified to identify those functions that, although some might consider them to be subsumed by the term, are not permitted under this regulation without authorization, such as marketing and disclosures of protected health information to employers. They suggested that disease management may describe desirable activities, but is subject to abuse and therefore should be restricted and controlled. One commenter recommends that we adopt a portion of the definition adopted by the Disease Management Association of America in October 1999.

On the other hand, many comments urged that disease management be part of the "treatment" definition or the "health care operations" definition and asked that specific activities be included in a description of the term. They viewed disease management as an important element of comprehensive health care services and cost management efforts. They recommended that the definition of disease management include services directed at an entire population and not just individual care, in order to identify individuals who would benefit from the services based on accepted clinical guidelines. They recommended that disease management be included under health care operations and include population level services. A commenter asserted that limiting disease management programs to the definition of treatment ignores that these programs extend beyond providers, especially since NCQA accreditation standards strongly encourage plans and insurers to provide these services.

Response: Disease management appeared to represent different activities to different commenters. Our review of the literature, industry materials, state and federal statutes,6 and discussions with physician groups, health plan groups and disease management associations confirm that a consensus definition from the field has not yet evolved, although efforts are underway. Therefore, rather than rely on this label, we delete "disease management" from the treatment definition and instead include the functions often discussed as disease management activities in this definition or in the definition of health care operations and modify both definitions to address the commenters' concerns.

We add population-based activities to improve health care or reduce health care costs to the definition of health care operations. Outreach programs as described by the commenter may be considered either health care operations or treatment, depending on whether population-wide or patient-specific activities occur, and if patient-specific, whether the individualized communication with a patient occurs on behalf of a health care provider or a health plan. For example, a call placed by a nurse in a doctor's office to a patient to discuss follow-up care is a treatment activity. The same activity performed by a nurse working for a health plan would be a health care operation. In both cases, the database analysis that created a list of patients that would benefit from the intervention would be a health care operation. Use or disclosure of protected health information to provide education materials to patients may similarly be either treatment or operations, depending on the circumstances and on who is sending the materials. We cannot say in the abstract whether any such activities constitute marketing under this rule. See §§ 164.501 and 164.514 for details on what communications are marketing and when the authorization of the individual may be required.

6 Definition of Disease Management, October 1999 (from web site of Disease Management Association of America (www.dmaa.org/definition.html), accessed May 21, 2000). Other references used for our analysis include: Mary C. Gurnee, et al, Constructing Disease Management Programs, Managed Care, June 1997, accessed at http://managedcaremag.com, 5/19/2000; Peter Wehrwein, Disease Management Gains a Degree of Respectability, Managed Care, August 1997, accessed at www.managedcaremag.com, 5/18/00; John M. Harris, Jr., Disease Management: New Wine in Old Bottles, 124 Annals of Internal Medicine 838 (1996); Robert S. Epstein and Louis M. Sherwood, From Outcomes Research to Disease Management: A Guide for the Perplexed, 124 Annals of Internal Medicine 832 (1996); Anne Mason et al, Disease Management, the Pharmaceutical Industry and the NHS, Office of Health Economics (United Kingdom), accessed at www.ohe.org, 5/19/2000; Thomas Bodenheimer, Disease Management—Promises and Pitfalls, 340 New Eng. J. Med, April 15, 1999, accessed at www.nejm.org, 4/20/99; Bernard Lo and Ann Alpers, Uses and Abuses of Prescription Drug Information in Pharmacy Benefits Management Programs, 283 JAMA 801 (2000); Robert F. DeBusk, Correspondence, Disease Management, and Regina E. Herzlinger, Correspondence, Disease Management, 341 New Eng. J. Med, Sept 2, 1999, accessed 9/2/99; Letter, John A. Gans, American Pharmaceutical Association, to Health Care Financing Administration, Reference HCFA–3002–P, April 12, 1999, accessed at www.aphanet.org, 1/18/2000; Ronald M. Davis, et al, Editorial, Advances in Managing Chronic Disease, 320 BMJ 525 (2000), accessed at www.bmj.com, 2/25/00; Thomas Bodenheimer, Education and Debate, Disease Management in the American Market, 320 BMJ 563 (2000), accessed at www.bmj.com, 2/25/2000; David J. Hunter, Disease Management: Has It a Future?, 320 BMJ 530 (2000), accessed at www.bmj.com, 2/25/2000; Trisha Greenhalgh, Commercial Partnerships in Chronic Disease Management: Proceeding with Caution, 320 BMJ 566 (2000); Edmund X. DeJesus, Disease Management in a Warehouse, Healthcare Informatics, September 1999, accessed at www.healthcare-informatics.com, 5/19/00; Regulation, 42 CFR 422.112, Medicare+Choice Program, subpart C, Benefits and Beneficiary Protections, sec. 422.112, Access to Services; and Arnold Chen, Best Practices in Coordinated Care, Submitted by Mathematica Policy Research, Inc., to Health Care Financing Administration, March 22, 2000.

Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process.

Response: Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rule's definitions of treatment and health care operations that disclosure will not
require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of §§ 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in § 164.504.

Comment: Commenters suggested that as disease management is defined only as an element of treatment, it could only be carried out by health care providers, and not health plans. They opposed this approach because health plans also conduct such programs, and are indeed required to do it by accreditation standards and HCFA Managed Care Organization standards.

Response: We agree that the placement of disease management in the proposed definition of treatment suggested that health plans could not conduct such programs. We revise the final rule to clarify that health plans may conduct population based care management programs as a health care operation activity.

Comment: Some commenters stated that the rule should require that disease management only be done with the approval of the treating physician or at least with the knowledge of the physician.

Response: We disagree with this comment because we do not believe that this privacy rule is an appropriate venue for setting policies regarding the management of health care costs or treatment.

Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They asked for a definition that differentiates use of information for the best interests of the patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.

Response: We eliminate the definition of "disease management" from the rule. Often however, treatment decisions involve discussing the relevant advantages and disadvantages of products and services. Health plans, as part of payment and operations, sometimes communicate with individuals about particular products and services. We address these distinctions in the definitions of marketing and "health care operations" in § 164.501, and in the requirements for use and disclosure of protected health information for marketing in § 164.514.

Comment: Some health care providers noted that there is a danger that employers will "force" individual employees with targeted conditions into self-care or compliance programs in ways that violate both the employee's privacy interest and his or her right to control his or her own medical care.

Response: Employers are not covered entities under HIPAA, so we cannot prohibit them under this rule from undertaking these or other activities with respect to health information. In § 164.504 we limit disclosure of health information from group health plans to the employers sponsoring the plans. However, other federal and/or state laws, such as disability nondiscrimination laws, may govern the rights of employees under such circumstances.

Comment: Many commenters urged that disease management only be allowed with the written consent of the individual. Others also desired consent but suggested that an opt-out would be sufficient. Other commenters complained that the absence of a definition for disease management created uncertainty in view of the proposed rule's requirement to get authorization for marketing. They were concerned that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses.

Response: We agree with the commenters who stated that the requirement for specific authorization for certain activities considered part of disease management could impede the ability of health plans and covered providers to implement effective health care management and cost containment programs. In addition, this approach would require us to distinguish activities undertaken as part of a formal disease management program from the same activities undertaken outside the context of a disease management program. For example, we see no clear benefit to privacy in requiring written authorization before a physician may call a patient to discuss treatment options in all cases, nor do we see a sound basis for requiring it only when the physician was following a formal protocol as part of a population based intervention. We also are not persuaded that the risk to privacy for these activities warrants a higher degree of protection than do other payment, health care operations or treatment activities for which specific authorization was not suggested by commenters.

Comment: A few commenters asked that we clarify that disclosure of protected health information about a prospective patient to a health care provider (e.g., a possible admission to an assisted living facility from a nursing facility) is a treatment activity that does not require authorization.

Response: We agree that the described activity is "treatment," because it constitutes referral and coordination of health care.

Comment: Comments called for the removal of "other services" from the definition.

Response: We disagree with the concept that only health care services are appropriately included in the treatment definition. We have modified this definition to instead include "the provision, coordination, or management of health care and related services." This definition allows health care providers to offer or coordinate social, rehabilitative, or other services that are associated with the provision of health care. Our use of the term "related" prevents "treatment" from applying to the provision of services unrelated to health care.

Comment: Several commenters stated that the definition of treatment should include organ and tissue recovery activities. They asserted that the information exchanged and collected to request consent, evaluate medical information about a potential donor and perform organ recoveries relates to treatment and is not an administrative activity. When a hospital places a patient on the UNOS list it is transferring individually identifiable health information. Also, when an organ procurement organization registers a donor with UNOS it could be disclosing protected health information. Commenters questioned whether these activities would be administrative or constitute treatment.

Response: In the proposed rule we included in the definition of "health care" activities related to the procurement of organs, blood, eyes and other tissues. This final rule deletes those activities from the definition of "health care." We do so because, while organ and tissue procurement organizations are integral components of the health care system, we do not believe that the testing, procurement, and other procedures they undertake describe "health care" offered to the donors of the tissues or organs themselves. See the discussion under the definition of "health care" in § 160.103.

Comment: Some commenters recommended including health promotion activities in the definition of health care.
Response: We consider health promotion activities to be preventive care, and thus within the definition of health care. In addition, such activities that are population based are included in the definition of health care operations.

Comment: We received a range of comments regarding the proper placement of case and disease management in the definitions and the perceived overlap between health care operations and treatment. Some consider that these activities are a function of improving quality and controlling costs. Thus, they recommend that the Secretary move risk assessment, case and disease management to the definition of health care operations.

Response: In response to these comments, we remove these terms from the definition of treatment and add case management to the definition of health care operations. We explain our treatment of disease management in responses to comments above. Whether an activity described as disease or case management falls under treatment or health care operations would depend in part on whether the activity is focused on a particular individual or a population. A single program described as a "case management" effort may include both health care operations activities (e.g., records analysis, protocol development, general risk assessment) and treatment activities (e.g., particular services provided to or coordinated for an individual, even if applying a standardized treatment protocol).

Comment: We received comments that argued for the inclusion of "disability management" in the treatment definition. They explained that through disability management, health care providers refer and coordinate medical management and they require contemporaneous exchange of an employee's specific medical data for the provider to properly manage.

Response: To the extent that a covered provider is coordinating health care services, the provider is providing treatment. We do not include the term "disability management" because the scope of the activities covered by that term is not clear. In addition, the commenters did not provide enough information for us to make a fact-based determination of how this rule applies to the uses and disclosures of protected health information that are made in a particular "disability management" program.

Use

Comment: One commenter asserted that the scope of the proposal had gone beyond the intent of Congress in addressing uses of information within the covered entity, as opposed to transactions and disclosures outside the covered entity. This commenter argued that, although HIPAA mentions use, it is unclear that the word "use" in the proposed rule is what Congress intended. The commenter pointed to the legislative history to argue that "use" is related to an information exchange outside of the entity.

Response: We disagree with the commenter regarding the Congress' intent. Section 264 of HIPAA requires that the Secretary develop and send to Congress recommendations on standards with respect to the privacy of individually identifiable health information (which she did on September 11, 1997) and prescribes that the recommendations address among other items "the uses and disclosures of such information that should be authorized or required." Section 264 explicitly requires the Secretary to promulgate standards that address at least the subjects described in these recommendations. It is therefore our interpretation that Congress intended to cover "uses" as well as disclosures of individually identifiable health information. We find nothing in the legislative history to indicate that Congress intended to deviate from the common meaning of the term "use."

Comment: One commenter observed that the definition could encompass the processing of data by computers to execute queries. It was argued that this would be highly problematic because computers are routinely used to identify subsets of data sets. It was explained that in performing this function, computers examine each record in the data set and return only those records in the data set that meet specific criteria. Consequently, a human being will see only the subset of data that the computer returns. Thus, the commenter stated that it is only this subset that could be used or disclosed.

Response: We interpret "use" to mean only the uses of the product of the computer processing, not the internal computer processing that generates the product.

Comment: Some commenters asked that the Department clarify that individualized medical information obtained through a fitness for duty examination is not subject to the privacy protections under the regulation.

Response: As discussed above, we have clarified the definition of "treatment" to include assessments of an individual. If the assessment is performed by a covered health care provider, the health information resulting from the assessment is protected health information. We note that a covered entity is permitted to condition the provision of health care when the sole purpose is to create protected health information for the benefit of a third person. See § 164.508(b). For example, a covered health care provider may condition the provision of a fitness for duty examination to an individual on obtaining an authorization from the individual for disclosure to the employer who has requested the examination.

Section 164.502—Uses and Disclosures of Protected Health Information: General Rules

Section 164.502(a)—General Standard

Comment: A few commenters requested an exemption from the rule for the Social Security and Supplemental Security Income Disability Programs so that disability claimants can be served in a fair and timely manner. The commenters were concerned that the proposal would be narrowly interpreted, thereby impeding the release of medical records for the purposes of Social Security disability programs.

Another commenter similarly asked that a special provision be added to the proposal's general rule for uses and disclosures without authorization for treatment, payment, and health care operations purposes to authorize disclosure of all medical information from all sources to the Social Security Administration, including their contracted state agencies handling disability determinations.

Response: A complete exemption for disclosures for these programs is not necessary. Under current practice, the Social Security Administration obtains authorization from applicants for providers to release an individual's records to SSA for disability and other determinations. Thus, there is no reason to believe that an exemption from the authorization required by this rule is needed to allow these programs to function effectively. Further, such an exemption would reduce privacy protections from current levels. When this rule goes into effect, those authorizations will need to meet the requirements for authorization under § 164.508 of this rule.

We do, however, modify other provisions of the proposed rule to accommodate the special requirements of these programs. In particular, Social Security Disability and other federal programs, and public benefits programs run by the states, are authorized by law
to share information for eligibility purposes. Where another public body has determined that the appropriate balance between need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. Where the sharing of enrollment and eligibility information is required or expressly authorized by law, this rule permits such sharing of information for eligibility and enrollment purposes (see § 164.512(k)(6)(i)), and also excepts these arrangements from the requirements for business associate agreements (see § 164.502(e)(1)).

Comment: A few commenters asked that the rule be revised to authorize disclosures to clergy, for directory purposes, to organ and tissue procurement organizations, and to the American Red Cross without patient authorization.

Response: We agree and revise the final rule accordingly. The new policies and the rationale for these policies are found in §§ 164.510 and 164.512, and the corresponding preamble.

Comment: One commenter recommended that the rule apply only to the "disclosure" of protected health information by covered entities, rather than to both "use" and "disclosure." The commenter stated that the application of the regulation to a covered entity's use of individually identifiable health information offers little benefit in terms of protecting protected health information, yet imposes costs and may hamper many legitimate activities that fall outside the definition of treatment, payment or health care operations.

Another commenter similarly urged that the final regulation draw substantive distinctions between restrictions on the "use" of individually identifiable health information and on the "disclosure" of such information, with broader latitude for "uses" of such information. The commenter believed that internal "uses" of such information generally do not raise the same issues and concerns that a disclosure of that information might raise. It was argued that any concerns about the potential breadth of use of this information could be addressed through application of the "minimum necessary" standard. The commenter also argued that Congressional intent was that a "disclosure" of individually identifiable health information is potentially much more significant than a "use" of that information.

Response: We do not accept the commenter's broad recommendation to apply the regulation only to the "disclosure" of protected health information and not to "use" of such information. Section 264 charges the Secretary with promulgating standards that address, among other things, "the uses and disclosures" of individually identifiable health information. We also do not agree that applying the regulation to "use" offers little benefit to protecting protected health information. The potential exists for misuse of protected health information within entities. This potential is even greater when the covered entity also provides services or products outside its role as a health care provider, health plan, or health care clearinghouse for which "use" of protected health information offers economic benefit to the entity. For example, if this rule did not limit "uses" generally to treatment, payment and health care operations, a covered entity that also offered financial services could be able to use protected health information without authorization to market or make coverage or rate decisions for its financial services products. Without the minimum necessary standard for uses, a hospital would not be constrained from allowing their appointment scheduling clerks free access to medical records.

We agree, however, that it is appropriate to apply somewhat different requirements to uses and disclosures of protected health information permitted by this rule. We therefore modify the application of the minimum necessary standard to accomplish this. See the preamble to § 164.514 for a discussion of these changes.

Comment: A commenter argued that the development, implementation, and use of integrated computer-based patient medical record systems, which requires efficient information sharing, will likely be impeded by regulatory restrictions on the "use" of protected health information and by the minimum necessary standard.

Response: We have modified the proposed approach to regulating "uses" of protected health information within an entity, and believe our policy is compatible with the development and implementation of computer-based medical record systems. In fact, we drew part of the revised policy on "minimum necessary" use of protected health information from the role-based access approach used in several computer-based records systems today. These policies are described further in § 164.514.

Comment: One commenter asked that the general rules for uses and disclosures be amended to permit covered entities to disclose protected health information for purposes relating to property and casualty benefits. The commenter argued that the proposal could affect its ability to obtain protected health information from covered entities, thereby constricting the flow of medical information needed to administer property and casualty benefits, particularly in the workers' compensation context. It was stated that this could seriously impede property and casualty benefit providers' ability to conduct business in accordance with state law.

Response: We disagree that the rule should be expanded to permit all uses and disclosures that relate to property and casualty benefits. Such a broad provision is not in keeping with protecting the privacy of individuals. Although we generally lack the authority under HIPAA to regulate the practices of this industry, the final rule addresses when covered entities may disclose protected health information to property and casualty insurers. We believe that the final rule permits property and casualty insurers to obtain the protected health information that they need to maintain their promises to their policyholders. For example, the rule permits a covered entity to use or disclose protected health information relating to an individual when authorized by the individual. Property and casualty insurers are free to obtain authorizations from individuals for release by covered entities of the health information that the insurers need to administer claims, and this rule does not affect their ability to condition payment on obtaining such an authorization from insured individuals. Property and casualty insurers providing payment on a third-party basis have an opportunity to obtain authorization from the individual and to condition payment on obtaining such authorization. The final rule also permits covered entities to make disclosures to obtain payment, whether from a health plan or from another person such as a property and casualty insurer. For example, where an automobile insurer is paying for medical benefits on a first-party basis, a health care provider may disclose protected health information to the insurer as part of a request for payment. We also include in the final rule a new provision that permits covered entities to use or disclose protected health information as authorized by workers' compensation or similar programs established by law addressing work-related injuries or illness. See § 164.512(l). These statutory programs establish channels of information sharing that are necessary


to permit compensation of injured workers.

Comment: A few commenters suggested that the Department specify "prohibited" uses and disclosures rather than "permitted" uses and disclosures.

Response: We reject these commenters' recommendation because we believe that the best privacy protection in most instances is to require the individual's authorization for use or disclosure of information, and that the role of this rule is to specify those uses and disclosures for which the balance between the individuals' privacy interest and the public's interests dictates a different approach. The opposite approach would require us to anticipate the much larger set of all possible uses of information that do not implicate the public's interest, rather than to specify the public interests that merit regulatory protection.

Comment: A commenter recommended that the rule be revised to more strongly discourage the use of individually identifiable health information where de-identified information could be used.

Response: We agree that the use of de-identified information wherever possible is good privacy practice. We believe that by requiring covered entities to implement these privacy restrictions only with respect to individually identifiable health information, the final rule strongly encourages covered entities to use de-identified information as much as practicable.

Comment: One commenter recommended that when information from health records is provided to authorized external users, this information should be accompanied by a statement prohibiting use of the information for other than the stated purpose; prohibiting disclosure by the recipient to any other party without written authorization from the patient, or the patient's legal representative, unless such information is urgently needed for the patient's continuing care or otherwise required by law; and requiring destruction of the information after the stated need has been fulfilled.

Response: We agree that restricting other uses or re-disclosure of protected health information by a third party that may receive the information for treatment, payment, and health care operations purposes or other purposes permitted by rule would be ideal with regard to privacy protection. However, as described elsewhere in this preamble, once protected health information leaves a covered entity the Department no longer has jurisdiction under the statute to apply protections to the information. Since we would have no enforcement authority, the costs and burdens of requiring covered entities to produce and distribute such a statement to all recipients of protected health information, including those with whom the covered entity has no on-going relationship, would outweigh any benefits to be gained from such a policy. Similarly, where protected health information is disclosed for routine treatment, payment and operations purposes, the sheer volume of these disclosures makes the burden of providing such a statement unacceptable. Appropriate protection for these disclosures requires law or regulation directly applicable to the recipient of the information, not further burden on the disclosing entity. Where, however, the recipient of protected health information is providing a service to or on behalf of the covered entity, this balance changes. It is consistent with long-standing legal principles to hold the covered entity to a higher degree of responsibility for the actions of its agents and contractors. See § 164.504 for a discussion of the responsibilities of covered entities for the actions of their business associates with respect to protected health information.

Section 164.502(b)—Minimum Necessary

Comments on the minimum necessary standard are addressed in the preamble to § 164.514(d).

Section 164.502(c)—Uses or Disclosures of Protected Health Information Subject to an Agreed Upon Restriction

Comments on the agreed upon restriction standard are addressed in the preamble to § 164.522(a).

Section 164.502(d)—Uses and Disclosures of De-Identified Protected Health Information

Comments on the requirements for de-identifying information are addressed in the preamble to § 164.514(a)–(c).

Section 164.502(e)—Business Associates

Comments on business associates are addressed in the preamble to § 164.504(e).

Section 164.502(f)—Deceased Individuals

Comment: Most commenters on this topic generally did not approve of the Secretary's proposal with regard to protected health information about deceased individuals. The majority of these commenters argued that our proposal was not sufficiently protective of such information. Commenters agreed with the statements made in the preamble to the proposed rule that the privacy concerns addressed by this policy are not limited to the confidential protection of the deceased individual but instead also affect the decedent's family, as genetic information and information pertinent to hereditary diseases and risk factors for surviving relatives and direct family members may be disclosed through the disclosure of the deceased individual's confidential data. It was argued that the proposal would be inadequate to protect the survivors who could be negatively affected and in most cases will outlive the two-year period of protection. A number of medical associations asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death. One commenter pointed out that ethically little distinction can be made between protecting an individual's health information during life and protecting it post-mortem. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. A few commenters asked that we provide indefinite protection on the protected health information about a deceased person contained in psychotherapy notes. One commenter asked that we extend protections on records of children who have died of cancer for the lifetime of a deceased child's siblings and parents.

The majority of commenters who supported increased protections on the protected health information about the deceased asked that we extend protections on such information indefinitely or for as long as the covered entity maintains the information. It was also argued that the administrative burden of perpetual protection would be no more burdensome than it is now, as current practice is that the confidentiality of identifiable patient information continues after death. A number of others pointed out that there was no reason to set a different privacy standard for deceased individuals than we had for living individuals and that it has been standard practice to release the information of deceased individuals with a valid consent of the executor, next of kin, or specific court order. In addition, commenters referenced Hawaii's health care information privacy law (see Haw. Rev. Stat. section


323C–43) as at least one example of a state law where the privacy and access provisions of the law continue to apply to the protected health information of a deceased individual following the death of that individual.

Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

For purposes of this regulation, this means that, except for uses and disclosures for research purposes (see § 164.512(i)), covered entities must under this rule protect the protected health information about a deceased individual in the same manner and to the same extent as required for the protected health information of living individuals. This policy alleviates the burden on the covered entity from having to determine whether or not the person has died and if so, how long ago, when determining whether or not the information can be released.

Comment: One commenter asked us to delete our standard for deceased individuals, asserting that the deceased have no constitutional right to privacy and state laws are sufficient to maintain protections for protected health information about deceased individuals.

Response: We understand that traditional privacy law has historically stripped privacy protection on information at the time the subject of the information dies. However, as we pointed out in the preamble to the proposed rule, the dramatic proliferation of electronic-based interchanges and maintenance of information has enabled easier and more ready access to information that once may have been de facto protected for most people because of the difficulty of its collection and aggregation. It is also our understanding that current state laws vary widely with regard to the privacy protection of a deceased individual's individually identifiable health information. Some are less protective than others and may not take into account the implications of disclosure of genetic and hereditary information on living individuals. For these reasons, a regulatory standard is needed here in order to adequately protect the privacy interests of those who are living.

Comment: Another commenter expressed concern over the administrative problems that the proposed standard would impose, particularly in the field of retrospective health research.

Response: For certain research purposes, we permit a covered entity to use and disclose the protected health information of a deceased individual without authorization by a personal representative and absent review by an IRB or privacy board. The verification standard (§ 164.514(h)) requires that covered entities obtain an oral or written representation that the protected health information sought will be used or disclosed solely for research, and § 164.512(i)(1)(iii) requires the covered entity to obtain from the researcher documentation of the death of the individual. We believe the burden on the covered entity will be small, because it can reasonably rely on the representation of purpose and documentation of death presented by the researcher.

Comment: A few commenters argued that the standard in the proposed rule would cause significant administrative burdens on their record retention and storage policies. Commenters explained that they have internal policy record-retention guidelines which do not envision the retention of records beyond a few years. Some commenters complained about the burden of having to track dates of death, as the commenters are not routinely notified when an individual has died.

Response: The final rule does not dictate any record retention requirements for the records of deceased individuals. Since we have modified the NPRM to cover protected health information about deceased individuals for as long as the covered entity maintains the information, there will be no need for the covered entity to track dates of death.

Comment: A few commenters voiced support for the approach proposed in the proposal to maintain protections for a period of two years.

Response: After consideration of public comments, we chose not to retain this approach because the two-year period would be both inadequate and arbitrary. As discussed above, we agree with commenter arguments in support of providing indefinite protection.

Comment: A few commenters expressed concern that the regulations may be interpreted as providing a right of access to a deceased's records only for a two-year period after death. They asked the Department to clarify that the right of access of an individual, including the representatives of a deceased individual, exists for the entire period the information is held by a covered entity.

Response: We agree with these comments, given the change in policy discussed above.

Comment: A few commenters suggested that privacy protections on protected health information about deceased individuals remain in effect for a specified time period longer than 2 years, arguing that two years was not long enough to protect the privacy rights of living individuals. These commenters, however, were not in agreement as to what other period of protection should be imposed, suggesting various durations from 5 to 20 years.

Response: We chose not to extend protections in this way because specifying another time period would raise many of the same concerns voiced by the commenters regarding our proposed two-year period and would not reduce the administrative burden of having to track or learn dates of death. We believe that the policy in this final rule extending protections for as long as the covered entity maintains the information addresses commenter concerns regarding the need for increased protections on the protected health information about the deceased.

Comment: Some commenters asserted that information on the decedent from the death certificate is important for assessment and research purposes and requested that the Department clarify accordingly that death certificate data be allowed for use in traditional public health assessment activities.

Response: Nothing in the final rule impedes reporting of death by covered entities as required or authorized by other laws, or access to death certificate data to the extent that such data is available publicly from non-covered entities. Death certificate data maintained by a covered entity is protected health information and must only be used or disclosed by a covered entity in accordance with the requirements of this regulation. However, the final rule permits a covered entity to disclose protected health information about a deceased individual for research purposes without authorization and absent IRB or privacy board approval.

Comment: A few commenters asked that we include in the regulation a mechanism to provide for notification of date of death. These commenters questioned how a covered entity or business partner would be notified of a death and subsequently be able to determine whether the two-year period of protection had expired and if they


were permitted to use or disclose the protected health information about the deceased. One commenter further stated that absent such a mechanism, a covered entity would continue to protect the information as if the individual were still living. This commenter recommended that the burden for providing notification and confirmation of death be placed on any authorized entity requesting information from the covered entity beyond the two-year period.

Response: In general, such notification is no longer necessary as, except for uses and disclosures for research purposes, the final rule protects the protected health information about a deceased individual for as long as the covered entity holds the record. With regard to uses and disclosures for research, the researcher must provide covered entities with appropriate documentation of proof of death; the burden is not on the covered entity.

Comment: A few commenters pointed to the sensitivity of genetic and hereditary information and its potential impact on the privacy of living relatives as a reason for extending protections on the information about deceased individuals for as long as the covered entity maintains the information. However, a few commenters recommended additional protections for genetic and hereditary information. For example, one commenter suggested that researchers should be able to use sensitive information of the deceased but then be required to publish findings in de-identified form. Another commenter recommended that protected health information about a deceased individual be protected as long as it implicates health problems that could be developed by living relatives.

Response: We agree with many of the commenters regarding the sensitivity of genetic or hereditary information and, in part for this reason, extended protections on the protected health information of deceased individuals. Our reasons for retaining the exception for research are explained above.

We agree with and support the practice of publishing research findings in de-identified form. However, we cannot regulate researchers who are not otherwise covered entities in this regulation.

Comment: One commenter asked that the final rule allow for disclosure of protected health information to funeral directors as necessary for facilitating funeral and disposition arrangements. The commenter believed that our proposal could seriously disrupt a family's ability to make funeral arrangements as hospitals, hospices, and other health care providers would not be allowed to disclose the time of death and other similar information critical to funeral directors for funeral preparation. The commenter also noted that funeral directors are already precluded by state licensing regulations and ethical standards from inappropriately disclosing confidential information about the deceased.

Further, the commenter stated that funeral directors have legitimate needs for protected health information of the deceased or of an individual when death is anticipated. For example, often funeral directors are contacted when death is foreseen in order to begin the process of planning funeral arrangements and prevent unnecessary delays. In addition, the embalming of the body is affected by the medical condition of the body.

In addition, it was noted that funeral directors need to be aware of the presence of a contagious or infectious disease in order to properly advise family members of funeral and disposition options and how they may be affected by state law. For example, certain states may prohibit cremation of remains for a certain period unless the death was caused by a contagious or infectious disease, or prohibit family members from assisting in preparing the body for disposition if there is a risk of transmitting a communicable disease from the corpse.

Response: We agree that disclosures to funeral directors for the above purposes should be allowed. Accordingly, the final rule at § 164.512(g)(2) permits covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are also permitted prior to, and in reasonable anticipation of, the individual's death.

Comment: Several commenters urged that the proposed standard for deceased individuals be clarified to allow access by a family member who has demonstrated a legitimate health-related reason for seeking the information when there is no executor, administrator, or other person authorized under applicable law to exercise the right of access of the individual.

Another commenter asked that the rule differentiate between blood relatives and family members and address their different access concerns, such as with genetic information versus information about transmittable diseases. They also recommended that the regulation allow access to protected health information by blood-related relatives prior to the end of the two-year period and provide them with the authority to extend the proposed two-year period of protection if they see fit. Lastly, the commenter suggested that the regulation address the concept of when the next-of-kin may not be appropriate to control a deceased person's health information.

Response: We agree that family members may need access to the protected health information of a deceased individual, and this regulation permits such disclosure in two ways. First, a family member may qualify as a "personal representative" of the individual (see § 164.502(g)). Personal representatives include anyone who has authority to act on behalf of a deceased individual or such individual's estate, not just legally-appointed executors. We also allow disclosure of protected health information to health care providers for purposes of treatment, including treatment of persons other than the individual. Thus, where protected health information about a deceased person is relevant to the treatment of a family member, the family member's physician may obtain that information. Because we limit these disclosures to disclosures for treatment purposes, there is no need to distinguish between disclosure of information about communicable diseases and disclosure of genetic information.

With regard to fitness to control information, we defer to existing state and other laws that address this matter.

Section 164.502(g)—Personal Representative

Comment: It was observed that under the proposed regulation, legal representatives with "power of attorney" for matters unrelated to health care would have unauthorized access to confidential medical records. Commenters recommended that access to a person's protected health information be limited to those representatives with a "power of attorney" for health care matters only. Related comments asked that the rule limit the definition of "power of attorney" to include only those instruments granting specific power to deal with health care functions and health care records.

Response: We have deleted the reference to "power of attorney." Under the final rule, a person is a personal representative of a living individual if, under applicable law, such person has authority to act on behalf of an individual in making decisions related to health care. "Decisions relating to health care" is broader than consenting to treatment on behalf of an individual;


for example, it would include decisions relating to payment for health care. We clarify that the rights and authorities of a personal representative under this rule are limited to protected health information relevant to the rights of the person to make decisions about an individual under other law. For example, if a husband has the authority only to make health care decisions about his wife in an emergency, he would have the right to access protected health information related to that emergency, but he may not have the right to access information about treatment that she had received ten years ago.

We note that the rule for deceased individuals differs from that of living individuals. A person may be a personal representative of a deceased individual if they have the authority to act on behalf of such individual or such individual's estate for any decision, not only decisions related to health care. We create a broader scope for a person who is a personal representative of a deceased individual because the deceased individual cannot request that information be disclosed pursuant to an authorization, whereas a living individual can do so.

Comment: Some commenters asked that the NPRM provision allowing informal decision-makers access to the protected health information of an incapacitated individual should be maintained in the final rule.

Response: We agree with the commenters, and retain permission for covered entities to share protected health information with informal decision-makers, under conditions specified in § 164.510(b). A person need not be a personal representative for such

choose not to disclose such information if the individual who lacks capacity to act expresses his or her desire that such information not be disclosed.

Comment: A commenter suggested that the final rule should provide health plans with a set of criteria for formally identifying an incapacitated individual's decision-maker. Such criteria would give guidance to health plans that would help in not releasing information to the wrong person.

Response: The determination about who is a personal representative under this rule is based on state or other applicable law. We require that a covered entity verify the authority of a personal representative, in accordance with § 164.514(h), in order to disclose information to such person.

Comment: Commenters were troubled by the inclusion of minors in the definition of "individual" and believed that the presumption should be that parents have the right to care for their children.

Response: We agree that a parent should have access to the protected health information about their unemancipated minor children, except in limited circumstances based on state law. The approach in the final rule helps clarify this policy. The definition of "individual" is simplified in the final rule to "the person who is the subject of protected health information." (§ 164.501). We created a new section (§ 164.502(g)) to address "personal representatives," which includes parents and guardians of unemancipated minors. Generally, we provide that if under applicable law a parent has authority to act on behalf of an unemancipated minor in making

Response: In the final rule, the parent, as the personal representative of a minor child, controls the protected health information about the minor, except that the parent does not act as a personal representative of the minor under the rule in three limited circumstances based on state consent law and physician practice. The final rule defers to consent laws of each state and does not attempt to evaluate the amount of control a state gives to a parent or minor. If a state provides an alternative means for a minor to obtain health care, other than with the consent of a parent, this rule preserves the system put in place by the state.

The first two exceptions, whereby a parent is not the personal representative for the minor and the minor can act for himself or herself under the rule, occur if the minor consents to a health care service, and no other consent to such health care service is required by law, or when the minor may lawfully obtain a health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such service. The third exception is based on guidelines of the American Pediatric Association, current practice, and agreement by parents. If a parent assents to an agreement of confidentiality between a covered provider and a minor with respect to a health care service, the parent is not the personal representative of the minor with respect to the protected health information created or received subject to that confidentiality agreement. In such circumstances, the minor would have the authority to act as an individual, with respect to such protected health information.

Comment: Some commenters
disclosure of protected health decisions relating to health care about requested that we permit minors to
information to be made to an informal the minor, a covered entity must treat exercise the rights of an individual
decision-maker. the parent as the personal representative when applicable law requires parental
Comment: Commenters urged that with respect to protected health notification as opposed to parental
individuals with mental retardation, information relevant to such personal consent.
who can provide verbal agreement or representation. The regulation provides Response: We adopt this policy in the
authorization, should have control over only three limited exceptions to this final rule. If the minor consents to a
dissemination of their protected health rule based upon current state law and health care service, and no other
information, in order to increase the physician practice. consent to such health care service is
privacy rights of such individuals. Comment: Many commenters agreed required by law, regardless of whether
Response: Individuals with mental with our approach in the NPRM to give the consent of another person has also
retardation have control over minors who may lawfully access health been obtained or notification to another
dissemination of their protected health care the rights to control the protected person has been given, only the minor
information under this rule to the extent health information related to such may be treated as the individual with
that state law provides such individuals health care. respect to the protected health
with the capacity to act on their own Several commenters disagreed with information relating to such health care
behalf. We note that a covered entity this approach and recommended that service. The rule does not affect state
need not disclose information pursuant where states allow minors too much law that authorizes or requires
to a consent or authorization. Therefore, independence from parents, the rule notification to a parent of a minor’s
even if state law determines that an should not defer to state law. One decision to obtain a health care service
individual with mental retardation is commenter suggested that we give an to the extent authorized or required by
not competent to act and a personal individual the right to control protected such law. In addition, state parental
representative provides authorization health information only when the notification laws do not affect the rights
for a disclosure, a covered entity may individual reaches the age of majority. of minors under this regulation.


Comment: Some commenters requested clarification that when a minor may obtain a health care service without parental consent and voluntarily chooses to involve a parent, the minor retains the rights, authorities and confidentiality protections established in this rule.

Response: We agree that minors should be encouraged to voluntarily involve a parent or other responsible adult in their health care decisions. The rule is not intended to require that minors choose between involving a parent and maintaining confidentiality protections. We have added language in § 164.502(g)(3)(i) to clarify that when a minor consents to a health care service and no other consent is required by law, if the minor voluntarily chooses to involve a parent or other adult, the minor nonetheless maintains the exclusive ability to exercise their rights under the rule. This is true even if a parent or other person also has consented to the health care service for which the minor lawfully consented. Under the rule, a minor may involve a parent and still preserve the confidentiality of their protected health information. In addition, a minor may choose to have a parent act as his or her personal representative even if the minor could act on his or her own behalf under the rule. If the minor requests that a covered entity treat a parent as his or her personal representative, the covered entity must treat such person as the minor's personal representative even if the minor consents to a health care service and no other consent to such health care service is required by law.

Comment: Some commenters requested that the rule provide for the preservation of patient confidences if a health care provider and a minor patient enter into an agreement of confidentiality and a parent assents to this arrangement.

Response: We have addressed this concern in the final rule by adding a provision that ensures that a minor maintains the confidentiality protections provided by the rule for information that is created or received pursuant to a confidential communication between a provider and a minor when the minor's parent assents to an agreement of confidentiality between the provider and the minor. (§ 164.502(g)(3)(ii)). The American Academy of Pediatrics Guidelines for Health Supervision III, which are meant to serve as "a framework to help clinicians focus on important issues at developmentally appropriate time intervals," recommends that physicians interview children alone beginning at the age of twelve (or as early as the age of ten if it is comfortable for the child). This recommendation is based on the fact that adolescents tend to underutilize existing health care resources, in part, because of a concern for confidentiality.7 The recommended interview technique in the Guidelines states that the provider discuss the rules of confidentiality with the adolescent and the parent and that the adolescent's confidentiality should be respected. We do not intend to interfere with these established protocols or current practices. Covered entities will need to establish procedures to separate protected health information over which the minor maintains control from protected health information with respect to which the minor's parent has rights as a personal representative of the minor.

A covered provider may disclose protected health information to a parent, regardless of a confidentiality agreement, if there is an imminent threat to the minor or another person, in accordance with § 164.512(j)(1)(i).

Comment: Several commenters suggested that we add a provision in the final rule to provide minors and parents with concurrent rights under certain circumstances, particularly when the minor reaches 16 years of age or when a parent authorizes his or her minor child to exercise these rights concurrently.

Response: We do not add such provision in the final rule. We believe that establishing concurrent rights through this rule could result in problems that affect the quality of health care if the minor and the parent were to disagree on the exercise of their rights. The rule would not prevent a parent from allowing a minor child to make decisions about his or her protected health information and acting consistently with the minor's decision. In all cases, either the parent has the right to act for the individual with respect to protected health information, or the minor has the right to act for himself or herself. The rule does not establish concurrent rights for parents and minors.

Comment: Commenters requested clarification about the rights of an adult or emancipated minor with respect to protected health information concerning health care services rendered while the person was an unemancipated minor.

Response: Once a minor becomes emancipated or attains the age of majority, as determined by applicable state law, the parent is no longer the personal representative under § 164.502(g)(3) of such individual, unless the parent has the authority to act on behalf of the individual for some reason other than their authority as a parent. An adult or emancipated minor has rights under the rule with respect to all protected health information about them, including information obtained while the individual was an unemancipated minor.

Comment: One commenter pointed out that language in the definition of individual in the NPRM that grants a minor the rights of an individual when he or she "lawfully receives care without the consent of, or notification to, a parent * * *" would have the effect of granting rights to an infant minor who receives emergency care when the parent is not available.

Response: This result was not our intent. We have changed the language in § 164.502(g)(3)(i) of the final rule to provide a minor the right to act as an individual when the minor can obtain care without the consent of a parent and the minor consents to such care. Because an infant treated in an emergency situation would not be able to consent to care, the infant's parent would be treated as the personal representative of the infant. Section 164.502(g)(3)(ii) provides that the parent is not the personal representative of the minor under the rule if the minor may obtain health care without the consent of a parent and the minor, a court, or another person authorized by law consents to such service. If an infant obtains emergency care without the consent of a parent, a health care provider may provide such care without consent to treatment. This situation would fall outside the second exception, and the parent would remain the personal representative of the minor.

Comment: Commenters were concerned about the interaction of this rule with FERPA with respect to parents' right to access the medical records of their children.

Response: We direct the commenters to a discussion of the interaction between our rule and FERPA in the "Relationship to Other Federal Laws" section of the preamble.

Section 164.502(h)—Confidential Communications

Comments on confidential communications are addressed in the preamble to § 164.522(b).

7 Confidentiality in Adolescent Health Care, a joint policy statement of the American Academy of Pediatrics; the American Academy of Family Physicians; the American College of Obstetricians and Gynecologists; NAACOG—The Organization for Obstetric, Gynecologic, and Neonatal Nurses; and the National Medical Association.


Section 164.502(i)—Uses and Disclosures Consistent With Notice

Comments on the notice requirements are addressed in the preamble to § 164.520.

Section 164.502(j)—Uses and Disclosures by Whistleblowers and Workforce Crime Victims

Comments: Some commenters wanted to see more limitations put on the ability to whistleblow in the final rule. These commenters were concerned about how disclosed protected health information would be used during and subsequent to the whistleblowing event and felt that adding additional limitations to the ability to whistleblow would help to alleviate these concerns. Some of these commenters were concerned that there was no protection against information later being leaked to the public or re-released after the initial whistleblowing event, and that this could put covered entities in violation of the law. Many commenters wanted to see the whistleblower provision deleted entirely. According to a number of health care associations who commented on this topic, current practices already include adequate mechanisms for informing law enforcement, oversight and legal counsel of possible violations without the need for patient identifiable information; thus, the provision allowing whistleblowers to share protected health information is unnecessary. Additionally, some commenters felt that the covered entity needs to be allowed to prohibit disclosures outside of legitimate processes. Some commenters were concerned about not having any recourse if the whistleblower's suspicions were unfounded.

Response: In this rule, we do not regulate the activities of whistleblowers. Rather, we regulate the activities of covered entities, and determine when they may be held responsible under this rule for whistleblowing activities of their workforce or business associates when that whistleblowing involves the disclosure of protected health information. Similarly, we regulate when covered entities must and need not sanction their workforce who disclose protected health information in violation of the covered entity's policies and procedures, when that disclosure is for whistleblowing purposes. See § 164.530(e). This rule does not address a covered entity's recourse against a whistleblower under other applicable law.

We do not hold covered entities responsible under this rule for whistleblowing disclosures of protected health information under the circumstances described in § 164.502(j). Our purpose in including this provision is to make clear that we are not erecting a new barrier to whistleblowing, and that covered entities may not use this rule as a mechanism for sanctioning workforce members or business associates for whistleblowing activity. We do not find convincing commenters' arguments for narrowing or eliminating the scope of the whistleblowing which triggers this protection.

Congress, as well as several states, have recognized the importance of whistleblower activity to help identify fraud and mismanagement and protect the public's health and safety. Whistleblowers, by their unique insider position, have access to critical information not otherwise easily attainable by oversight and enforcement organizations.

While we recognize that in many instances, de-identified or anonymous information can be used to accomplish whistleblower objectives, there are instances, especially involving patient care and billing, where this may not be feasible. Oversight investigative agencies such as the Department of Justice rely on identifiable information in order to issue subpoenas that are enforceable. Relevant court standards require the government agency issuing the subpoena to explain why the specific records requested are relevant to the subject of the investigation, and without such an explanation the subpoena will be quashed. Issuing a subpoena for large quantities of individual records to find a few records involving fraud is cost prohibitive as well as likely being unenforceable.

We note that any subsequent inappropriate disclosure by a recipient of whistleblower information would not put the covered entity in violation of this rule, since the subsequent disclosure is not covered by this regulation.

Comments: A few commenters felt that the whistleblower should be held to a "reasonableness standard" rather than a "belief" that a violation has taken place before engaging in whistleblower activities. The commenters felt that a belief standard is too subjective. By holding the whistleblower to this higher standard, this would serve to protect protected health information from being arbitrarily released. Some commenters saw the whistleblower provision as a loophole that gives too much power to disgruntled employees to inappropriately release information in order to cause problems for the employer. On the other hand, some commenters felt that all suspicious activities should be reported. This would ease potential whistleblowers' concerns over whether or not they had a legitimate concern by leaving this decision up to someone else. A number of commenters felt that employees should be encouraged to report violations of professional or clinical standards, or when a patient, employee, or the public would be put at risk. A small number of commenters felt that the whistleblower should raise the issue within the covered entity before going to the attorney, oversight agency, or law enforcement entity.

Response: We do not attempt to regulate the conduct of whistleblowers in this rule. We address uses and disclosures of protected health information by covered entities, and when a covered entity will violate this rule due to the actions of a workforce member or business associate. In the final rule, we provide that a covered entity is not in violation of the rule when a workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or potentially endangers patients, employees or the public. We concur that the NPRM language requiring only a "belief" was insufficient. Consequently, we have strengthened the standard to require a good faith belief that an inappropriate behavior has occurred.

Comment: A number of commenters believe that employees should be encouraged to report violations of professional or clinical standards, or report situations where patients, employees, or the public would be put at risk. Their contention is that employees, especially health care employees, may not know whether the problem they have encountered meets a legal threshold of wrongdoing, putting them at jeopardy of sanction if they are incorrect, even if the behavior did reflect violation of professional and clinical standards or put patients, employees, or the public at risk.

Response: We agree that covered entities should be protected when their employees and others engage in the conduct described by these commenters. We therefore modify the proposal to protect covered entities when the whistleblowing relates to violations of professional or clinical standards, or situations where the public may be at risk, and eliminate the reference to "evidence."

Comments: A significant number of those commenting on the whistleblower provision felt that this provision was contrary to the rest of the rule. Whistleblowers could very easily release protected health information under this provision despite the fact that the rest of this rule works very hard to ensure privacy of protected health information in all other contexts. To this end, some commenters felt that whistleblowers should not be exempt from the minimum necessary requirement.

Response: As stated above, we do not regulate the conduct of whistleblowers. We discuss above the importance of whistleblowing, and our intention not to erect a new barrier to such activity. The minimum necessary standard applies to covered entities, not to whistleblowers.

Comments: Some commenters felt that disclosures of suspected violations should only be made to a law enforcement official or oversight agency. Other commenters said that whistleblowers should be able to disclose their concerns to long-term care ombudsmen or health care accreditation organizations, particularly because certain protected health information may contain evidence of abuse. Some commenters felt that whistleblowers should not be allowed to freely disclose information to attorneys. They felt that this may cause more lawsuits within the health care industry and be costly to providers. Furthermore, allowing whistleblowers to go to attorneys increases the number of people who have protected health information without any jurisdiction for the Secretary to do anything to protect this information.

Response: We agree with the commenters who suggested that we recognize other appropriate entities to which workforce members and business associates might reasonably make a whistleblowing disclosure. In the final rule we expand the provision to protect covered entities for disclosures of protected health information made to accreditation organizations by whistleblowers. We agree with the commenters that whistleblowers may see these organizations as appropriate recipients of health information, and do not believe that covered entities should be penalized for such conduct.

We also agree that covered entities should be protected when whistleblowers disclose protected health information to any health oversight agency authorized by law to investigate or oversee the conditions of the covered entity, including state Long-Term Care Ombudsmen appointed in accordance with the Older Americans Act. Among their mandated responsibilities is their duty to identify, investigate and resolve complaints that are made by, or on behalf of, residents related to their health, safety, welfare, or rights. Nursing home staff often bring complaints regarding substandard care or abuse to ombudsmen. Ombudsmen provide a potentially more attractive outlet for whistleblowers since resolution of problems may be handled short of legal action or formal investigation by an oversight agency.

We disagree with commenters that the provision permitting disclosures to attorneys is too broad. Workforce members or business associates may not understand their legal options or their legal exposure when they come into possession of information about unlawful or other inappropriate or dangerous conduct. Permitting potential whistleblowers to consult an attorney provides them with a better understanding of their legal options. We rephrase the provision to improve its clarity.

Comment: One commenter suggested that a notice of information practices that omits disclosure for voluntary reporting of fraud will chill internal whistleblowers who will be led to believe—falsely—that they would violate federal privacy law, and be lawfully subject to sanction by their employer, if they reported fraud to health oversight agencies.

Response: The notice of information practices describes a covered entity's information practices. A covered entity does not make whistleblower disclosures of protected health information, nor can it be expected to anticipate any such disclosures by its workforce.

Comment: One commenter suggested that the whistleblower provisions could allow covered entities to make illegal disclosures to police through the back door by having an employee who believes there is a violation of law do the disclosing. Any law could have been violated and the violator could be anyone (a patient, a member of the patient's family, etc.).

Response: We have eliminated whistleblower disclosures for law enforcement purposes from the list of circumstances in which the covered entity will be protected under this rule. This provision is intended to protect the covered entity when a member of its workforce or a business associate discloses protected health information to whistleblow on the covered entity (or its business associates); it is not intended for disclosures of conduct by the individual who is the subject of the information or third parties.

Section 164.504—Uses and Disclosures—Organizational Requirements—Component Entities, Affiliated Entities, Business Associates and Group Health Plans

Section 164.504(a)–(c)—Health Care Component (Component Entities) and Section 164.504(d)—Affiliated Entities

Comment: A few commenters asked that the concept of "use" be modified to allow uses within an integrated healthcare delivery system. Commenters argued that the rule needs to ensure that the full spectrum of treatment is protected from the need for authorizations at the points where treatment overlaps entities. It was explained that, for example, treatment for a patient often includes services provided by various entities, such as by a clinic and hospital, or that treatment may also necessitate referrals from one provider entity to another unrelated entity. Further, the commenter argued that the rule needs to ensure that the necessary payment and health care operations can be carried out across entities without authorizations.

Response: The Department understands that in today's health care industry, the organization of and relationships among health care entities are highly complex and varied. We modify the proposed rule significantly to allow affiliated entities to designate themselves as a single covered entity. A complex organization, depending on how it self-designates, may have one or several "health care component(s)" that are each a covered entity. Aggregation into a single covered entity will allow the entities to use a single notice of information practices and will allow providers that must obtain consent for uses and disclosures for treatment, payment, and operations to obtain a single consent.

We do not allow this type of aggregation for unrelated entities, as suggested by some commenters, because unrelated entities' information practices will be too disparate to be accurately reflected on a single consent or notice form. Our policies on when consent and authorization are required for sharing information among unrelated entities, and the rationale for these policies, are described in §§ 164.506 and 164.508 and corresponding preamble.

As discussed above, in the final rule we have added a definition of organized health care arrangement and permit covered entities participating in such arrangements to disclose protected health information to support the health care operations of the arrangement. See the preamble discussion of the definitions of organized health care arrangement and health care operations, § 164.501.

Comment: Some commenters expressed concern that the requirement to obtain authorization for the disclosure of information to a non-health related division of the covered entity would impede covered entities' ability to engage in otherwise-permissible activities such as health care operations. Some of these commenters requested clarification that covered entities are only required to obtain authorization for disclosures to non-health related divisions if the disclosure is for marketing purposes.

Response: In the final rule, we remove the example of use and disclosure to non-health related divisions of the covered entity from the list of examples of uses and disclosures requiring authorization in § 164.508. We determined that the example could lead covered entities to the mistaken conclusion that some uses or disclosures that would otherwise be permitted under the rule without authorization would require authorization when made to a non-health related division of the covered entity. In the final rule, we clarify that disclosure to a non-health related division does not require authorization if the use or disclosure is otherwise permitted or required under the rule. For example, in § 164.501 we define health care operations to include conducting or arranging for legal and auditing services. A covered entity that is the health care component of a larger entity is permitted under the final rule to include the legal department of the larger entity as part of the health care component. The covered entity may not, however, generally permit the disclosure of protected health information from the health care component to non-health related divisions unless they support the functions of the health care component and there are policies and procedures in place to restrict the further use to the support of the health related functions.

Comment: Many commenters, especially those who employed providers, supported our position in the proposed rule to consider only the health care component of an entity to be the covered entity. They stated that this was a balanced approach that would allow them to continue conducting

that having a health care component alone did not make the larger entity a covered entity under the rule.

Response: We appreciate the support of the commenters on the health care component approach and we agree that there was some ambiguity in the proposed rule. The final rule creates a new § 164.504(b) for health care components. Under § 164.504(b), for a covered entity that is a single legal entity which predominantly performs functions other than the functions performed by a health plan, provider, or clearinghouse, the privacy rules apply only to the entity's health care component. A policy, plan, or program that is an "excepted benefit" under section 2791(c)(1) of HIPAA cannot be part of a health care component because it is expressly excluded from the definition of "health plan" for the reasons discussed above. The health care component is prohibited from sharing protected health information outside of the component, except as otherwise permitted or required by the regulation.

At a minimum, the health care component includes the organizational units of the covered entity that operate as or perform the functions of the health plan, health care provider, or clearinghouse and does not include any unit or function of the excepted benefits plan, policy, or program. While the covered entity remains responsible for compliance with this rule because it is responsible for the actions of its workforce, we otherwise limit the responsibility to comply to the health care component of the covered entity. The requirements of this rule apply only to the uses and disclosures of the protected health information by the component entity. See § 164.504(b).

Comment: Some commenters stated that the requirement to erect firewalls between different components would unnecessarily delay treatment, payment, and health care operations and thereby increase costs. Other commenters stressed that it is necessary to create firewalls between the health care component and the larger entity to prevent unauthorized disclosures of protected health information.

Response: We believe that the requirement to implement firewalls or safeguards is necessary to provide meaningful privacy protections,

While we do not specifically identify the safeguards that are required, the covered entity must implement policies and procedures to ensure that: the health care component's use and disclosure of protected health information complies with the regulation; members of the health care component who perform duties for the larger entity do not use and disclose protected health information obtained through the health care component while performing non-component functions unless otherwise permitted or required by the regulation; and when a covered entity conducts multiple functions regulated under this rule, the health care component adheres to the appropriate requirements (e.g. when acting as a health plan, adheres to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. See §§ 164.504(c)(2) and 164.504(g). For example, a covered entity that includes both a hospital and a health plan may not use protected health information obtained from an individual's hospitalization for the health plan, unless the individual is also enrolled in the health plan. We note that covered entities are permitted to make a disclosure to a health care provider for treatment of an individual without restrictions.

Comment: One commenter stated that multiple health care components of a single organization should be able to be treated as a single component entity for the purposes of this rule. Under this approach, they argued, one set of policies and procedures would govern the entire component and protected health information could be shared among components without authorization. Similarly, other commenters stated that corporate subsidiaries and affiliated entities should not be treated as separate covered entities.

Response: We agree that some efficiencies may result from designating multiple component entities as a single covered entity. In the final rule we allow legally distinct covered entities that share common ownership or control to designate themselves or their health care components as a single covered entity. See § 164.504(d). Common ownership is defined as an
business. Some commenters felt that particularly because the health care ownership or equity interest of five
there was ambiguity in the regulation component is part of a larger legal percent or more. Common control exists
text of the proposed rule and requested organization that performs functions if an entity has the power—directly or
that the final rule explicitly clarify that other than those covered under this indirectly—to significantly influence or
only the health care component is rule. Without the safeguard requirement direct the actions or policies of another
considered the covered entity, not the we cannot ensure that the component entity. If the affiliated entity contains
entity itself. Similarly, another will not share protected health health care components, it must
commenter requested that we clarify information with the larger entity. implement safeguards to prevent the

larger entity from using protected health information maintained by the component entity. As stated above, organizations that perform multiple functions may designate a single component entity as long as it does not include the functions of an excepted benefit plan that is not covered under the rule. In addition, it must adhere to the appropriate requirements when performing its functions (e.g. when acting as a health plan, adhere to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. At the same time, a component that is outside of the health care component may perform activities that otherwise are not permitted by a covered entity, as long as it does not use or disclose protected health information created or received by or on behalf of the health care component in ways that violate this rule.

Comment: Some commenters asked whether or not workers’ compensation carriers could be a part of the health care component as described in the proposed rule. They argued that this would allow for sharing of information between the group health plan and workers’ compensation insurers.

Response: Under HIPAA, workers’ compensation is an excepted benefit program and is excluded from the definition of ‘‘health plan.’’ As such, a component of a covered entity that provides such excepted benefits may not be part of a health care component that performs the functions of a health plan. If workforce members of the larger entity perform functions for both the health care component and the non-covered component, they may not use protected health information created or received by or on behalf of the health care component for the purposes of the non-covered component, unless otherwise permitted by the rule. For example, information may be shared between the components for coordination of benefits purposes.

Comment: Several commenters requested specific guidance on identifying the health care component entity. They argued that we underestimated the difficulty in determining the component and that many organizations have multiple functions with the same people performing duties for both the component and the larger entity.

Response: With the diversity of organizational structures, it is impossible to provide a single specific guidance for identifying health care components that will meet the needs of all organizations. Covered entities must designate their health care components consistent with the definition at § 164.504(a). We have tried to frame this definition to delineate what comes within a health care component and what falls outside the component.

Comment: A commenter representing a government agency recommended that only the component of the agency that runs the program be considered a covered entity, not the agency itself. In addition, this commenter stated that often subsets of other government agencies work in partnership with the agency that runs the program to provide certain services. For example, one state agency may provide maternity support services to the Medicaid program which is run by a separate agency. The commenter read the rule to mean that the agency providing the maternity support services would be a business associate of the Medicaid agency, but was unclear as to whether it would also constitute a health care component within its own agency.

Response: We generally agree. We expect that in most cases, government agencies that run health plans or provide health care services would typically meet the definition of a ‘‘hybrid entity’’ under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency’s operations, under § 164.504(b). In addition, we have created an exception to the business associate contract requirement for government agencies who perform functions on behalf of other government agencies. Government agencies can enter into a memorandum of understanding with another government entity or adopt a regulation that applies to the other government entity in lieu of a business associate contract, as long as the memorandum or regulation contains certain terms. See § 164.504(e).

Comment: One commenter representing an insurance company stated that different product lines should be treated separately under the rule. For example, the commenter argued, because an insurance company offers both life insurance and health insurance, it does not mean that the insurance company itself is a covered entity, rather only the health insurance component is a covered entity. Another commenter requested clarification of the use of the term ‘‘product line’’ in the proposed rule. This commenter stated that product line should differentiate between different lines of coverage such as life vs. health insurance, not different variations of the same coverage, such as HMO vs. PPO. Finally, one commenter stated that any distinction among product lines is unworkable because insurance companies need to share information across product lines for coordinating benefits. This sharing of information, the commenter urged, should be able to take place whether or not all product lines are covered under the rule.

Response: We agree that many forms of insurance do not and should not come within the definition of ‘‘health plan,’’ and we have excepted them from the definition of this term in § 160.103 applies. This point is more fully discussed in connection with that definition. Although we do not agree that the covered entity is only the specific product line, as this comment suggests, the hybrid entity rules in § 164.504 address the substance of this concern. Under § 164.504(c)(3), an entity may create a health plan component which would include all its health insurance lines of business or separate health care components for each health plan product line. Finally, the sharing of protected health information across lines of business is allowed if it meets the permissive or required disclosures under the rule. The commenter’s example of coordination of benefits would be allowed under the rule as payment.

Comment: Several commenters representing occupational health care providers supported our use of the component approach to prohibit unauthorized disclosures of protected health information. They requested that the regulation specifically authorize them to deny requests for disclosures outside of the component entity when the disclosure was not otherwise permitted or required by the regulation.

Response: We appreciate the commenters’ support of the health care component approach. As members of a health care component, occupational health providers are prohibited from sharing protected health information with the larger entity (i.e., the employer), unless otherwise permitted or required by the regulation.

Comment: One commenter asked how the regulation affects employers who carry out research. The commenter questioned whether the employees carrying out the research would be component entities under the rule.

Response: If the employer is gathering its own information rather than obtaining it from an entity regulated by this rule, the information does not constitute protected health information since the employer is not a covered
entity. If the employer is obtaining protected health information from a covered entity, the disclosure by the covered entity must meet the requirements of § 164.512(i) regarding disclosures for research.

Comment: One commenter stated that the proposed rule did not clearly articulate whether employees who are health care providers are considered covered entities when they collect and use individually identifiable health information acting on behalf of an employer. Examples provided include administering mandatory drug testing, making fitness-for-duty and return-to-work determinations, testing for exposure to environmental hazards, and making short and long term disability determinations. This commenter argued that if disclosing information gained through these activities requires authorization, many of the activities are meaningless. For example, an employee who fails a drug test is unlikely to give authorization to the provider to share the information with the employer.

Response: Health care providers are covered entities under this rule if they conduct standard transactions. A health care provider who is an employee and is administering drug testing on behalf of the employer, but does not conduct standard transactions, is not a covered entity. If the health care provider is a covered entity, then we require authorization for the provider to disclose protected health information to an employer. Nothing in this rule, however, prohibits the employer from conditioning an individual’s employment on agreeing to the drug testing and requiring the individual to sign an authorization allowing his or her drug test results to be disclosed to the employer.

Comment: One commenter stated its belief that only a health center at an academic institution would be a covered entity under the component approach. This commenter believed it was less clear whether or not other components that may create protected health information ‘‘incidentally’’ through conducting research would also become covered entities.

Response: While a covered entity must designate as a health care component the functions that make it a health care provider, the covered entity remains responsible for the actions of its workforce. Components that create protected health information through research would be covered entities to the extent they performed one of the required transactions described in § 164.500; however, it is possible that the research program would not be part of the health care component, depending on whether the research program performed or supported covered functions.

Comment: Several commenters stated that employers need access to protected health information in order to provide employee assistance programs, wellness programs, and on-site medical testing to their employees.

Response: This rule does not affect disclosure of health information by employees to the employer if the information is not obtained from a covered entity. The employer’s access to information from an EAP, wellness program, or on-site medical clinic will depend on whether the program or clinic is a covered entity.

Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.

Response: Health information collected by the employer directly from providers who are not covered entities is outside the scope of this regulation. We note that the disclosures which this comment concerns should be covered by § 164.512(b).

Section 164.504(e)—Business Associates

Comment: Many commenters generally opposed the business partner standard and questioned the Secretary’s legal authority under section 1172(a) of HIPAA to require business partner contracts. Others stated that the proposed rule imposed too great a burden on covered entities with regard to monitoring their business partners’ actions. Commenters stated that they did not have the expertise to adequately supervise their business partners’ activities—including billing, accounting, and legal activities—to ensure that protected health information is not inappropriately disclosed. Commenters argued that business partners are not ‘‘under the control’’ of health care providers, and that the rule would significantly increase the cost of medical care. Many commenters stated that the business partner provisions would be very time consuming and expensive to implement, noting that it is not unusual for a health plan or hospital to have hundreds of business partners, especially if independent physicians and local pharmacies are considered business partners. Many physician groups pointed out that their business partners are large providers, hospitals, national drug supplier and medical equipment companies, and asserted that it would be impossible, or very expensive, for a small physician group to attempt to monitor the activity of large national companies. Commenters stated that complex contract terms and new obligations would necessitate the investment of significant time and resources by medical and legal personnel, resulting in substantial expenses. Many commenters proposed that the duty to monitor be reduced to a duty to terminate the contractual arrangement upon discovery of a failure to comply with the privacy requirements.

In addition, many commenters argued that covered entities should have less responsibility for business partners’ actions regarding the use and disclosure of protected health information. The proposed rule would have held covered entities responsible for the actions of their business partners when they ‘‘knew or reasonably should have known’’ of improper use of protected health information and failed to take reasonable steps to cure a breach of the business partner contract or terminate the contract. Many commenters urged that the term ‘‘knew or should have known’’ be clearly defined, with examples. Some commenters stated that covered entities should be liable only when they have actual knowledge of the material breach of the privacy rules by the business partner. Others recommended creation of a process by which a business partner could seek advice to determine if a particular disclosure would be appropriate. Some commenters stated that, in order to create an environment that would encourage covered entities to report misuses of protected health information, a covered entity should not be punished if it discovered an inappropriate disclosure.

Response: With regard to our authority to require business associate contracts, we clarify that Congress gave the Department explicit authority to regulate what uses and disclosures of protected health information by covered entities are ‘‘authorized.’’ If covered entities were able to circumvent the requirements of these rules by the simple expedient of contracting out the performance of various functions, these rules would afford no protection to individually identifiable health information and be rendered meaningless. It is thus reasonable to place restrictions on disclosures to business associates that are designed to ensure that the personal medical information disclosed to them continues to be protected and used and further
disclosed only for appropriate (i.e., permitted or required) purposes.

We do not agree that business associate contracts would necessarily have complex terms or result in significant time and resource burdens. The implementation specifications for business associate contracts set forth in § 164.504 are straightforward and clear. Nothing prohibits covered entities from having standard contract forms which could require little or no modification for many business associates.

In response to comments that the ‘‘knew or should have known’’ standard in the proposed rule was too vague or difficult to apply, and concerns that we were asking too much of small entities in monitoring the activities of much larger business associates, we have changed the rule. Under the final rule, we put responsibility on the covered entity to take action when it ‘‘knew of a pattern of activity or practice of the business associate that constituted, respectively, a material breach or violation of the business associate’s obligation under the contract * * *’’ This will preclude confusion about what a covered entity ‘should have known.’ We interpret the term ‘‘knew’’ to include the situation where the covered entity has credible evidence of a violation. Covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors. In addition, we have eliminated the requirement that a covered entity actively monitor and ensure protection by its business associates. However, a covered entity must investigate credible evidence of a violation by a business associate and act upon any such knowledge.

In response to the concern that the covered entity should not be punished if it discovers an inappropriate disclosure by its business associate, § 164.504(e) provides that the covered entity is not in compliance with the rule if it fails to take reasonable steps to cure the breach or end the violation, while § 164.530(f) requires the covered entity to mitigate, to the extent practicable, any resultant harm. The breach itself does not cause a violation of this rule.

Comment: Some commenters voiced support for the concept of business partners. Moreover, some commenters urged that the rule apply directly to those entities that act as business partners, by restricting disclosures of protected health information after a covered entity has disclosed it to a business partner.

Response: We are pleased that commenters supported the business associate standard and we agree that there are advantages to legislation that directly regulates most entities that use or disclose protected health information. However, we reiterate that our jurisdiction under the statute limits us to regulate only those covered entities listed in § 160.102.

Comment: Many commenters strongly opposed the provision in the proposed rule requiring business partner contracts to state that individuals whose protected health information is disclosed under the contract are intended third party beneficiaries of the contract. Many noted that HIPAA did not create a private right of action for individuals to enforce a right to privacy of medical information, and questioned the Secretary’s authority to create such a right through regulation. Others questioned whether the creation of such a right was appropriate in light of the inability of Congress to reach consensus on the question, and perceived the provision as a ‘‘back door’’ attempt to create a right that Congress did not provide. Some commenters noted that third party beneficiary law varies from state to state, and that a third party beneficiary provision may be unenforceable in some states. These commenters suggested that the complexity and variation of state third party beneficiary law would increase cost and confusion with limited privacy benefits.

Commenters predicted that the provision would result in a dramatic increase in frivolous litigation, increased costs throughout the health care system, and a chilling effect on the willingness of entities to make authorized disclosures of protected information. Many commenters predicted that fear of lawsuits by individuals would impede the flow of communications necessary for the smooth operation of the health care system, ultimately affecting quality of care. For example, some predicted that the provision would inhibit providers from making authorized disclosures that would improve care and reduce medical errors. Others predicted that it would limit vendors’ willingness to support information systems requirements. One large employer stated that the provision would create a substantial disincentive for employers to sponsor group health plans. Another commenter noted that the provision creates an anomaly in that individuals may have greater recourse against business partners and covered entities that contract with them than against covered entities acting alone.

However, some commenters strongly supported the concept of providing individuals with a mechanism to enforce the provisions of the rule, and considered the provision among the most important privacy protections in the proposed rule.

Response: We eliminate the requirement that business associate contracts contain a provision stating that individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract.

We do not intend this change to affect existing laws regarding when individuals may be third party beneficiaries of contracts. If existing law allows individuals to claim third party beneficiary rights, or prohibits them from doing so, we do not intend to affect those rules. Rather, we intend to leave this matter to such other law.

Comment: Some commenters objected to the proposed rule’s requirement that the business partner must return or destroy all protected health information received from the covered entity at the termination of the business partner contract. Commenters argued that business partners will need to maintain business records for legal and/or financial auditing purposes, which would preclude the return or destruction of the information. Moreover, they argued that computer back-up files may contain protected health information, but business partners cannot be expected to destroy entire electronic back-up files just because part of the information that they contain is from a client for whom they have completed work.

Response: We modify the proposed requirement that the business associate must return or destroy all protected health information received from the covered entity when the business associate contract is terminated. Under the final rule, a business associate must return or destroy all protected health information when the contract is terminated if feasible and lawful. The business partner contract must state that privacy protections continue after the contract ends, if there is a need for the business associate to retain any of the protected health information and for as long as the information is retained. In addition, the permissible uses of information after termination of the contract must be limited to those activities that make return or destruction of the information not feasible.

Comment: Many commenters recommended that providers and plans be excluded from the definition of ‘‘business partner’’ if they are already governed by the rule as covered entities. Providers expressed particular concern about the inclusion of physicians with hospital privileges as business partners of the hospital, as each hospital would
be required to have written contracts with and monitor the privacy practices of each physician with privileges, and each physician would be required to do the same for the hospital. Another commenter argued that consultations between covered entities for treatment or referral purposes should not be subject to the business partner contracting requirement.

Response: The final rule retains the general requirement that, subject to the exceptions below, a covered entity must enter into a business associate contract with another covered entity when one is providing services to or acting on behalf of the other. We retain this requirement because we believe that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives through its business associate function for any purposes other than those that are explicitly detailed in its contract.

However, the final rule expands the proposed exception for disclosures of protected health information by a covered health care provider to another health care provider. The final rule allows such disclosures without a business associate contract for any activities that fall under the definition of ‘‘treatment.’’ We agree with the commenter that the administrative burdens of requiring contracts in staff privileges arrangements would not be outweighed by any potential privacy enhancements from such a requirement. Although the exception for disclosure of protected health information for treatment could be sufficient to relieve physicians and hospitals of the contract requirement, we also believe that this arrangement does not meet the true meaning of ‘‘business associate,’’ because both the hospital and physician are providing services to the patient, not to each other. We therefore also add an exception to § 164.502(e)(1) that explicitly states that a contract is not required when the association involves a health care facility and another health care provider with privileges at that facility, if the purpose is providing health care to the individual. We have also added other exceptions in § 164.502(e)(1)(ii) to the requirement to obtain ‘‘satisfactory assurances’’ under § 164.502(e)(1)(i). We do not require a business associate arrangement between group health plans and their plan sponsors because other, albeit analogous, requirements apply under § 164.504(f) that are more tailored to the specifics of that legal relationship. We do not require business associate arrangements between government health plans providing public benefits and other agencies conducting certain functions for the health plan, because these arrangements are typically very constrained by other law.

Comment: Many commenters expressed concern that required contracts for federal agencies would adversely affect oversight activities, including investigations and audits. Some health plan commenters were concerned that if HMOs are business partners of an employer then the employer would have a right to all personal health information collected by the HMO. A commenter wanted to be sure that authorization would not be required for accreditation agencies to access information. A large manufacturing company wanted to make sure that business associate contracts were not required between affiliates and a parent corporation that provides administrative services for a sponsored health plan. Attorney commenters asserted that a business partner contract would undermine the attorney/client relationship, interfere with attorney/client privilege, and was not necessary to protect client confidences. A software vendor wanted to be excluded because the requirements for contracts were burdensome and government oversight intrusive. Some argued that because the primary purpose of medical device manufacturers is supplying devices, not patient care, they should be excluded.

Response: We clarify in the above discussion of the definition of ‘‘business associate’’ that a health insurance issuer or an HMO providing health insurance or health coverage to a group health plan does not become a business associate simply by providing health insurance or health coverage. The health insurance issuer or HMO may perform additional functions or activities or provide additional services, however, that would give rise to a business associate relationship. However, even when a health insurance issuer or HMO acts as a business associate of a group health plan, the group health plan has no right of access to the other protected health information maintained by the health insurance issuer or HMO. The business associate contract must constrain the uses and disclosures of protected health information obtained by the business associate through the relationship, but does not give the covered entity any right to request the business associate to disclose protected health information that it maintains outside of the business associate relationship to the group health plan. Under HIPAA, employers are not covered entities, so a health insurance issuer or HMO cannot act as a business associate of an employer. See § 164.504(f) with respect to disclosures to plan sponsors from a group health plan or health insurance issuer or HMO with respect to a group health plan.

With respect to attorneys generally, the reasons the commenters put forward to exempt attorneys from this requirement were not persuasive. The business associate requirements will not prevent attorneys from disclosing protected health information as necessary to find and prepare witnesses, nor from doing their work generally, because the business associate contract can allow disclosures for these purposes. We do not require business associate contracts to identify each disclosure to be made by the business associate; these disclosures can be identified by type or purpose. We believe covered entities and their attorneys can craft agreements that will allow for uses and disclosures of protected health information as necessary for these activities. The requirement for a business associate contract does not interfere with the attorney-client relationship, nor does it override professional judgement of business associates regarding the protected health information they need to discharge their responsibilities. We do not require covered entities to second guess their professional business associates’ reasonable requests to use or disclose protected health information in the course of the relationship.

The attorney-client privilege covers only a small portion of information provided to attorneys and so is not a substitute for this requirement. More important, attorney-client privilege belongs to the client, in this case the covered entity, and not to the individual who is the subject of the information. The business associate requirements are intended to protect the subject of the information.

With regard to government attorneys and other government agencies, we recognize that federal and other law often does not allow standard legal contracts among governmental entities, but instead requires agreements to be made through the Economy Act or other mechanisms; these are generally reflected in a memorandum of understanding (MOU). We therefore modify the proposed requirements to allow government agencies to meet the required ‘‘satisfactory assurance’’ through such MOUs that contain the same provisions required of business associate contracts. As discussed elsewhere, we believe that direct regulation of entities receiving protected health information can be as or more effective in protecting health
information as contracts. We therefore also allow government agencies to meet the required “satisfactory assurances” if law or regulations impose requirements on business associates consistent with the requirements specified for business associate contracts.

We do not believe that the requirement to have a business associate contract with agencies that are performing the specified services for the covered entity or undertaking functions or activities on its behalf undermines the government functions being performed. A business associate arrangement requires the business associate to maintain the confidentiality of the protected health information and generally to use and disclose the information only for the purposes for which it was provided. This does not undermine government functions. We have exempted from the business associate requirement certain situations in which the law has created joint uses or custody over health information, such as when law requires another government agency to determine the eligibility for enrollment in a covered health plan. In such cases, information is generally shared across a number of government programs to determine eligibility, and often is jointly maintained. We also clarify that health oversight activities do not give rise to a business associate relationship, and that protected health information may be disclosed by a covered entity to a health oversight agency pursuant to § 164.512(d).

We clarify for purposes of the final rule that accreditation agencies are business associates of a covered entity and are explicitly included within the definition. During accreditation, covered entities disclose substantial amounts of protected health information to other private persons. A business associate contract basically requires the business associate to maintain the confidentiality of the protected health information that it receives and generally to use and disclose such information for the purposes for which it was provided. As with attorneys, we believe that requiring a business associate contract in this instance provides substantial additional privacy protection without interfering with the functions that are being provided by the business associate.

With regard to affiliates, § 164.504(d) permits affiliates to designate themselves as a single covered entity for purposes of this rule. (See § 164.504(d) for specific organizational requirements.) Affiliates that choose to designate themselves as a single covered entity for purposes of this rule will not need business associate contracts to share protected health information. Absent such designation, affiliates are business associates of the covered entity if they perform a function or service for the covered entity that necessitates the use or disclosure of protected health information.

Software vendors are business associates if they perform functions or activities on behalf of, or provide specified services to, a covered entity. The mere provision of software to a covered entity would not appear to give rise to a business associate relationship, although if the vendor needs access to the protected health information of the covered entity to assist with data management or to perform functions or activities on the covered entity’s behalf, the vendor would be a business associate. We note that when an employee of a contractor, like a software or IT vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity’s workforce, rather than as a business associate. See the preamble discussion to the definition of workforce, § 160.103.

With regard to medical device manufacturers, we clarify that a device manufacturer that provides “health care” consistent with the rule’s definition, including being a “supplier” under the Medicare program, is a health care provider under the final rule. We do not require a business associate contract when protected health information is shared among health care providers for treatment purposes. However, a device manufacturer that does not provide “health care” must be a business associate of a covered entity if that manufacturer receives or creates protected health information in the performance of functions or activities on behalf of, or the provision of specified services to, a covered entity.

As to financial institutions, they are business associates under this rule when they conduct activities that cause them to meet the definition of business associate. See the preamble discussion of the definition of “payment” in § 164.501, for an explanation of activities of a financial institution that do not require it to have a business associate contract.

Disease managers may be health care providers or health plans, if they otherwise meet the respective definitions and perform disease management activities on their own behalf. However, such persons may also be business associates if they perform disease management functions or services for a covered entity.

Comment: Other commenters recommended that certain entities be included within the definition of “business partner,” such as transcription services; employee representatives; in vitro diagnostic manufacturers; private state and comparative health data organizations; state hospital associations; warehouses; “whistleblowers,” credit card companies that deal with health billing; and patients.

Response: We do not list all the types of entities that are business associates, because whether an entity is a business associate depends on what the entity does, not what the entity is. That is, this is a definition based on function; any entity performing the function described in the definition is a business associate. Using one of the commenters’ examples, a state hospital association may be a business associate if it performs a service for a covered entity for which protected health information is required. It is not a business associate by virtue of the fact that it is a hospital association, but by virtue of the service it is performing.

Comment: A few commenters urged that certain entities, i.e., collection agencies and case managers, be business partners rather than covered entities for purposes of this rule.

Response: Collection agencies and case managers are business associates to the extent that they provide specified services to or perform functions or activities on behalf of a covered entity. A collection agency is not a covered entity for purposes of this rule. However, a case manager may be a covered entity because, depending on the case manager’s activities, the person may meet the definition of either a health care provider or a health plan. See definitions of “health care provider” and “health plan” in § 164.501.

Comment: Several commenters complained that the proposed HIPAA security regulation and privacy regulation were inconsistent with regard to business partners.

Response: We will conform these policies in the final Security Rule.

Comment: One commenter expressed concern that the proposal appeared to give covered entities the power to limit by contract the ability of their business partners to disclose protected health information obtained from the covered entity regardless of whether the disclosure was permitted under proposed § 164.510, “Uses and disclosures for which individual authorization is not required” (§ 164.512 in the final rule). Therefore, the commenter argued that the covered
entity could prevent the business partner from disclosing protected health information to oversight agencies or law enforcement by omitting them from the authorized disclosures in the contract. In addition, the commenter expressed concern that the proposal did not authorize business partners and their employees to engage in whistleblowing. The commenter concluded that this omission was unintended since the proposal’s provision at proposed § 164.518(c)(4) relieved the covered entity, covered entity’s employees, business partner, and the business partner’s employees from liability for disclosing protected health information to law enforcement and to health oversight agencies when reporting improper activities, but failed to specifically authorize business partners and their employees to engage in whistleblowing in proposed § 164.510(f), “Disclosures for law enforcement.”

Response: Under our statutory authority, we cannot directly regulate entities that are not covered entities; thus, we cannot regulate most business associates, or ‘authorize’ them to use or disclose protected health information. We agree with the result sought by the commenter, and accomplish it by ensuring that such whistleblowing disclosures by business associates and others do not constitute a violation of this rule on the part of the covered entity.

Comment: Some commenters suggested that the need to terminate contracts that had been breached would be particularly problematic when the contracts were with single-source business partners used by health care providers. For example, one commenter explained that when the Department awards single-source contracts, such as to a Medicare carrier acting as a fiscal intermediary that then becomes a business partner of a health care provider, the physician is left with no viable alternative if required to terminate the contract.

Response: In most cases, we expect that there will be other entities that could be retained by the covered entity as a business associate to carry out those functions on its behalf or provide the necessary services. We agree that under certain circumstances, however, it may not be possible for a covered entity to terminate a contract with a business associate. Accordingly, although the rule still generally requires a covered entity to terminate a contract if steps to cure such a material breach fail, it also allows an exception to this to accommodate those infrequent circumstances where there simply are no viable alternatives to continuing a contract with that particular business associate. It does not mean, however, that the covered entity can choose to continue the contract with a non-compliant business associate merely because it is more convenient or less costly than doing business with other potential business associates. We also require that if a covered entity determines that it is not feasible to terminate a non-compliant business associate, the covered entity must notify the Secretary.

Comment: Another commenter argued that having to renegotiate every existing contract within the 2-year implementation window so a covered entity can attest to “satisfactory assurance” that its business partner will appropriately safeguard protected health information is not practical.

Response: The 2-year implementation period is statutorily required under section 1175(b) of the Act. Further, we believe that two years provides adequate time to come into compliance with the regulation.

Comment: A commenter recommended that the business partner contract specifically address the issue of data mining because of its increasing prevalence within and outside the health care industry.

Response: We agree that protected health information should only be used by business associates for the purposes identified in the business associate contract. We address the issue of data mining by requiring that the business associate contract explicitly identify the uses or disclosures that the business associate is permitted to make with the protected health information. Aside from disclosures for data aggregation and business associate management, the business associate contract cannot authorize any uses or disclosures that the covered entity itself cannot make. Therefore, data mining by the business associate for any purpose not specified in the contract is a violation of the contract and grounds for termination of the contract by the covered entity.

Comment: One commenter stated that the rule needs to provide the ability to contract with persons and organizations to complete clinical studies, provide clinical expertise, and increase access to experts and quality of care.

Response: We agree, and do not prohibit covered entities from sharing protected health information under a business associate contract for these purposes.

Comment: A commenter requested clarification as to whether sister agencies are considered business partners when working together.

Response: It is unclear from the comment whether the “sister agencies” are components of a larger entity, are affiliated entities, or are otherwise linked. Requirements regarding sharing protected health information among affiliates and components are found in § 164.504.

Comment: One commenter stated that some union contracts specify that the employer and employees jointly conduct patient quality of care reviews. The commenter requested clarification as to whether this arrangement made the employee a business partner.

Response: An employee organization that agrees to perform quality assurance for a group health plan meets the definition of a business associate. We note that the employee representatives acting on behalf of the employee organization would be performing the functions of the organization, and the employee organization would be responsible under the business associate contract to ensure that the representatives abided by the restrictions and conditions of the contract. If the employee organization is a plan sponsor of the group health plan, the similar provisions of § 164.504(f) would apply instead of the business associate requirements. See § 164.502(e)(1).

Comment: Some commenters supported regulating employers as business partners of the health plan. These commenters believed that this approach provided flexibility by giving employers access to information when necessary while still holding employers accountable for improper use of the information. Many commenters, however, stressed that this approach would turn the relationship between employers, employees and other agents “on its head” by making the employer subordinate to its agents. In addition, several commenters objected to the business partner approach because they alleged it would place employers at risk for greater liability.

Response: We do not require a business associate contract for disclosure of protected health information from group health plans to employers. We do, however, put other conditions on the disclosure of protected health information from group health plans to employers who sponsor the plan. See further discussion in § 164.504 on disclosure of protected health information to employers.

Comment: One commenter expressed concern that the regulation would discourage organizations from participating with Planned Parenthood since pro bono and volunteer services may have no contract signed.
Response: We design the rule’s requirements with respect to volunteers and pro bono services to allow flexibility to the covered entity so as not to disturb these arrangements. Specifically, when such volunteers work on the premises of the covered entity, the covered entity may choose to treat them as members of the covered entity’s workforce or as business associates. See the definitions of business associate and workforce in § 160.103. If the volunteer performs its work off-site and needs protected health information, a business associate arrangement will be required. In this instance, where protected health information leaves the premises of the covered entity, privacy concerns are heightened and it is reasonable to require an agreement to protect the information. We believe that pro bono contractors will easily develop standard contracts to allow those activities to continue smoothly while protecting the health information that is shared.

Section 164.504(f)—Group Health Plans

Comment: Several commenters interpreted the preamble in the proposed rule to mean that only self-insured group health plans were covered entities. Another commenter suggested there was an error in the definition of group health plans because it only included plans with more than 50 participants or plans administered by an entity other than the employer (emphasis added by commenter). This commenter believed the “or” should be an “and” because almost all plans under 50 are administered by another entity and therefore this definition does not exclude most small plans.

Response: We did not intend to imply that only self-insured group health plans are covered health plans. We clarify that all group health plans, both self-insured and fully-funded, with 50 or more participants are covered entities, and that group health plans with fewer than 50 participants are covered health plans if they are administered by another entity. While we agree with the commenter that few group health plans with fewer than 50 participants are self-administered, the “or” is dictated by the statute. Therefore, the statute only exempts group health plans with fewer than 50 participants that are not administered by an entity other than the employer.

Comment: Several commenters stated that the proposed rule mischaracterized the relationship between the employer and the group health plan. The commenters stated that under ERISA and the Internal Revenue Code group health plans are separate legal entities from their employer sponsors. The group health plan itself, however, generally does not have any employees. Most operations of the group health plan are contracted out to other entities or are carried out by employees of the employer who sponsors the plan. The commenters stressed that while group health plans are clearly covered entities, the Department does not have the statutory authority to cover employers or other entities that sponsor group health plans. In contrast, many commenters stated that without covering employers, meaningful privacy protection is unattainable.

Response: We agree that group health plans are separate legal entities from their plan sponsors and that the group health plan itself may be operated by employees of the plan sponsor. We make significant modifications to the proposed rule to better reflect this reality. We design the requirements in the final regulation to use the existing regulatory tools provided by ERISA, such as the plan documents required by that law and the constellation of plan administration functions defined by that law that establish and maintain the group health plan.

We recognize plan sponsors’ legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities. The final rule permits group health plans to disclose protected health information to plan sponsors, and allows them to authorize health insurance issuers or HMOs to disclose protected health information to plan sponsors, if the plan sponsors agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan and specified in the plan documents. Hereafter, any reference to employer in a response to a comment uses the term “plan sponsor,” since employers can only receive protected health information in their role as plan sponsors, except as otherwise permitted under this rule, such as with an authorization.

Specifically, in order for a plan sponsor to obtain without authorization protected health information from a group health plan, health insurance issuer, or HMO, the documents under which the group health plan was established and is maintained must be amended to: (1) Describe the permitted uses and disclosures of protected health information by the plan sponsor (see above for further explanation); (2) specify that disclosure is permitted only upon receipt of a written certification that the plan documents have been amended; and (3) provide adequate firewalls. The firewalls must identify the employees or classes of employees or other persons under the plan sponsor’s control who will have access to protected health information; restrict access to only the employees identified and only for the administrative functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance by the employees identified. Any employee of the plan sponsor who receives protected health information in connection with the group health plan must be included in the amendment to the plan documents. As required by ERISA, the named fiduciary is responsible for ensuring the accuracy of amendments to the plan documents.

Group health plans, and health insurance issuers or HMOs with respect to the group health plan, that disclose protected health information to plan sponsors are bound by the minimum necessary standard as described in § 164.514.

Group health plans, to the extent they provide health benefits only through an insurance contract with a health insurance issuer or HMO and do not create, receive, or maintain protected health information (except for summary information or enrollment and disenrollment information), are not required to comply with the requirements of §§ 164.520 or 164.530, except for the documentation requirements of § 164.530(j). In addition, because the group health plan does not have access to protected health information, the requirements of §§ 164.524, 164.526, and 164.528 are not applicable. Individuals enrolled in a group health plan that provides benefits only through an insurance contract with a health insurance issuer or HMO would have access to all rights provided by this regulation through the health insurance issuer or HMO, because they are covered entities in their own right.

Comment: We received several comments from self-insured plans who stated that the proposed rule did not fully appreciate the dual nature of an employer as a plan sponsor and as an insurer. These commenters stated that
the regulation should have an exception for employers who are also insurers.

Response: We believe the approach we have taken in the final rule recognizes the special relationship between plan sponsors and group health plans, including group health plans that provide benefits through a self-insured arrangement. The final rule allows plan sponsors and employees of plan sponsors access to protected health information for purposes of plan administration. The group health plan is bound by the permitted uses and disclosures of the regulation, but may disclose protected health information to plan sponsors under certain circumstances. To the extent that group health plans do not provide health benefits through an insurance contract, they are required to establish a privacy officer and provide training to employees who have access to protected health information, as well as meet the other applicable requirements of the regulation.

Comment: Some commenters supported our position not to require individual consent for employers to have access to protected health information for purposes of treatment, payment, and health care operations. For employer sponsored insurance to continue to exist as it does today, the commenters stressed, this policy is essential. Other commenters encouraged the Department to amend the regulation to require authorization for disclosure of information to employers. These commenters stressed that because the employer was not a covered entity, individual consent is the only way to prohibit potential abuses of information.

Response: In the final regulation, we maintain the position in the proposed rule that a health plan, including a group health plan, need not obtain individual consent for use and disclosure of protected health information for treatment, payment, and health care operations purposes. However, we impose conditions (described above) for making such disclosures to the plan sponsor. Because employees of the plan sponsor often perform health care operations and payment (e.g., plan administration) functions, such as claims payment, quality review, and auditing, they may have legitimate need for such information. Requiring authorization from every participant in the plan could make such fundamental plan administration activities impossible. We therefore impose regulatory restrictions, rather than a consent requirement, to prevent abuses. For example, the plan sponsor must certify that any protected health information obtained by its employees through such plan administration activities will not be used for employment-related decisions.

Comment: Several commenters stressed that the regulation must require the establishment of firewalls between group health plans and employers. These commenters stated that firewalls were necessary to prevent the employer from accessing information improperly and using it in making job placements, promotions, and firing decisions. In addition, one commenter stated that employees with access to protected health information must be empowered through this regulation to deny unauthorized access to protected health information to corporate managers and executives.

Response: We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

Comment: Several commenters supported our proposal to cover the health care component of an employer in its capacity as an administrator of the group health plan. These commenters felt the component approach was necessary to prevent the disclosure of protected health information to other parts of the employer where it might be used or disclosed improperly. Other commenters believed the component approach was unworkable and that distinguishing who was in the covered entity would not be as easy as assumed in the proposed rule. One commenter stated it was unreasonable for an employer to go through its workforce division by division and employee by employee designating who is included in the component and who is not. In addition, some commenters argued that we did not have the statutory authority to regulate employers at all, including their health care components.

One commenter requested more guidance with respect to identifying the health care component as proposed under the proposed rule. In particular, the commenter requested that the regulation clearly define how to identify such persons and what activities and functional areas may be included. The commenter alleged that identification of persons needing access to protected health information will be administratively burdensome. Another commenter requested clarification on distinguishing the component entity from non-component entities within an organization and how to administer such relationships. The commenter stated that individuals included in the covered entity could change on a daily basis and advocated for a simpler set of rules governing intra-organizational relationships as opposed to inter-organizational relationships.

Response: While we have not adopted the component approach for plan sponsors in the final rule, plan sponsors who want protected health information must still identify who in the organization will have access to the information. Several of the changes we make to the NPRM will make this designation easier. First, we move from “component” to a more familiar functional approach. We limit the employees of the plan sponsor who may receive protected health information to those employees performing plan administration functions, as that term is understood with respect to ERISA compliance, and as limited by this rule’s definitions of payment and health care operation. We also allow designation of a class of employees (e.g., all employees assigned to a particular department) or individual employees.

Although some commenters have asked for guidance, we have intentionally left the process flexible to accommodate different organizational structures. Plan sponsors may identify who will have access to protected health information in whatever way best reflects their business needs as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals, job titles (e.g., Director of Human Resources), functions (e.g., employees with oversight responsibility for the outside third party claims administrator), divisions of the company (e.g., Employee Benefits) or other entities related to the plan sponsor. We believe this flexibility will also ease any administrative burden that may result from the identification process. Identification in terms such as “individuals who from time to time may need access to protected health information” or in other broad or generic ways, however, would not be sufficient.

Comment: In addition to the comments on the component approach itself, several commenters pointed out
that many employees wear two hats in the organization, one for the group health plan and one for the employer. The commenters stressed that these employees should not be regulated when they are performing group health plan functions. This arrangement is necessary, particularly in small employers where the plan fiduciary may also be in charge of other human resources functions. The commenter recommended that employees be allowed access to information when necessary to perform health plan functions while prohibiting them from using the information for non-health plan functions.

Response: We agree with the commenters that many employees perform multiple functions in an organization and we design these provisions specifically to accommodate this way of conducting business. Under the approach taken in the final regulation, employees who perform multiple functions (i.e. group health plan and employment-related functions) may receive protected health information from group health plans, but among other things, the plan documents must certify that these employees will not use the information for activities not otherwise permitted by this rule including for employment-related activities.

Comment: Several commenters pointed out that the amount of access needed to protected health information varies greatly from employer to employer. Some employers may perform many plan administration functions themselves which are not possible without access to protected health information. Other employers may simply offer health insurance by paying a premium to a health insurance issuer rather than provide or administer health benefits themselves. Some commenters argued that fully insured plans should not be covered under the rule. Similarly, some commenters argued that the regulation was overly burdensome on small employers, most of whom fully insure their group health plans. Other commenters pointed out that health insurance issuers—even in fully insured arrangements—are often asked for identifiable health information, sometimes for legitimate purposes such as auditing or quality assurance, but sometimes not. One commenter, representing an insurer, gave several examples of employer requests, including claims reports for employees, individual and aggregate amounts paid for employees, identity of employees using certain drugs, and the identity, diagnosis and anticipated future costs for "high cost" employees. This same commenter requested guidance in what types of information can be released to employers to help them determine the organization's responsibilities and liabilities.

Response: In the final regulation we recognize the diversity in plan sponsors' need for protected health information. Many plan sponsors need access to protected health information to perform plan administration functions, including eligibility and enrollment functions, quality assurance, claims processing, auditing, monitoring, trend analysis, and management of carve-out plans (such as vision and dental plans). In the final regulation we allow group health plans to disclose protected health information to plan sponsors if the plan sponsor voluntarily agrees to use the information only in accordance with the purposes stated in the plan documents and as permitted by the regulation. We clarify, however, that plan administration does not include any employment-related decisions, including fitness for duty determinations, or duties related to other employee benefits or plans. Plan documents may only permit health insurance issuers to disclose protected health information to a plan sponsor as is otherwise permitted under this rule and consistent with the minimum necessary standard.

Some plan sponsors, including those with a fully insured group health plan, do not perform plan administration functions on behalf of group health plans, but still may require health information for other purposes, such as modifying, amending or terminating the plan or soliciting bids from prospective issuers or HMOs. In the ERISA context actions undertaken to modify, amend or terminate a group health plan may be known as "settlor" functions (see Lockheed Corp. v. Spink, 517 U.S. 882 (1996)). For example, a plan sponsor may require access to information to evaluate whether to adopt a three-tiered drug formulary. Additionally, a prospective health insurance issuer may need claims information from a plan sponsor in order to provide rating information. The final rule permits plan sponsors to receive summary health information with identifiers removed in order to carry out such functions. Summary health information is information that summarizes the claims history, expenses, or types of claims by individuals enrolled in the group health plan. In addition, the identifiers listed in § 164.514(b)(2)(i) must be removed prior to disclosing the information to a plan sponsor for purposes of modifying, amending, or terminating the plan. See § 164.504(a). This information does not constitute de-identified information because there may be a reasonable basis to believe the information is identifiable to the plan sponsor, especially if the number of participants in the group health plan is small. A group health plan, however, may not permit an issuer or HMO to disclose protected health information to a plan sponsor unless the requirement in § 164.520 states that this disclosure may occur.

Comment: Several commenters stated that health insurance issuers cannot be held responsible for employers' use of protected health information. They stated that the issuer is the agent of the employer and it should not be required to monitor the employer's use and disclosure of information.

Response: Under this regulation, health insurance issuers are covered entities and responsible for their own uses and disclosures of protected health information. A group health plan must require a health insurance issuer or HMO providing coverage to the group health plan to disclose information to the plan sponsor only as provided in the plan documents.

Comment: Several commenters urged us to require de-identified information to be used to the greatest extent possible when information is being shared with employers.

Response: De-identified information is not sufficient for many functions plan sponsors perform on behalf of their group health plans. We have created a process to allow plan sponsors and their employees access to protected health information when necessary to administer the plan. We note that all uses and disclosures of protected health information by the group health plan are bound by the minimum necessary standard.

Comment: One commenter representing church plans argued that the regulation should treat such plans differently from other group health plans. The commenter was concerned about the level of access to information the Secretary would have in performing compliance reviews and suggested that a higher degree of sensitivity is needed for information related to church plans than information related to other group health plans. This sensitivity is needed, the commenter alleged, to reduce unnecessary intrusion into church operations. The commenter also advocated that church plans found to be out of compliance should be able to self-correct within a stated time frame (270 days) and avoid paying penalty taxes as allowed in the Internal Revenue Code.

Response: We do not believe there is sufficient reason to treat church plans differently than other covered entities.
The intent of the compliance reviews is to determine whether or not the plan is abiding by the regulation, not to gather information on the general operations of the church. As required by § 160.310(c), the covered entity must provide access only to information that is pertinent to ascertaining compliance with part 160 or subpart E of 164.

Comment: Several commenters stated that employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. These commenters questioned whether this type of assistance would be allowed under the regulation, whether individual consent was required, and whether this intervention would make them a covered entity.

Response: The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan. Under the privacy rule, however, the plan sponsor could not obtain any information from the group health plan or a covered provider unless authorization was given. We do not believe obtaining authorization when advocating or providing assistance will be impractical or burdensome since the individual is requesting assistance and therefore should be willing to provide authorization. Advocating on behalf of participants or providing other assistance does not make the plan sponsor a covered entity.

Section 164.506—Consent for Treatment, Payment, and Health Care Operations

Comment: Many commenters supported regulatory authorization for treatment, payment, and health care operations. In particular, health plans, employers, and institutional providers supported the use of regulatory authorization for treatment, payment, and health care operations.

In contrast, a large number of commenters, particularly health care professionals, patients, and patient advocates, suggested that consent for treatment, payment, and health care operations should be required. Many commenters supported the use of consent for treatment, payment, and health care operations, considering this a requirement for maintaining the integrity of the health care system. Some commenters made a distinction between requiring and permitting providers to obtain consent.

Commenters nearly uniformly agreed that covered health care providers, health plans, and clearinghouses should not be prohibited from seeking authorization for treatment, payment, and health care operations. Some commenters stated that the prohibition against obtaining an authorization goes against professional ethics, undermines the patient-provider relationship, and is contrary to current industry practice.

Some commenters specifically noted the primacy of the doctor-patient relationship regarding consent. In general, commenters recommended that individually identifiable health information not be released by doctors without patient consent. A few commenters stated that prohibiting health care providers from obtaining consent could cause the patient to become suspicious and distrustful of the health care provider. Other commenters believed that clinicians have the responsibility for making sure that patients are fully informed about the consequences of releasing information. A few commented that the process of obtaining consent provided an opportunity for the patient and provider to negotiate the use and disclosure of patient information.

Commenters discussed how, when, and by whom consent should be sought. For example, some commenters viewed a visit between a health care provider and patient as the appropriate place for consent to be discussed and obtained. While others did not necessarily dispute the appropriateness of health care providers obtaining consent for uses and disclosures of protected health information from individuals, some said that it was appropriate for health plans to be permitted to obtain consent.

Response: In the NPRM we stated our concern that the blanket consents that individuals sign today provide these individuals with neither notice nor control over how their information is to be used. While we retain those concerns, we also understand that for many who participate in the health care system, the acts of providing and obtaining consent represent important values that these parties wish to retain. Many individuals argued that providing consent enhances their control; many advocates argued that the act of consent focuses patient attention on the transaction; and many health care providers argued that obtaining consent is part of ethical behavior.

The final rule amends our proposed approach and requires most covered health care providers to obtain a consent from their patients to use or disclose protected health information for treatment, payment, and health care operations. Providers who have an indirect treatment relationship with the patient, as defined in § 164.501, cannot be expected to have an opportunity to obtain consent and may continue to rely on regulatory authorization for their uses and disclosures for these purposes.

As described in the comments, it is the relationship between the health care provider and the patient that is the basis for many decisions about uses and disclosures of protected health information. Much of the individually identifiable health information that is the subject of this rule is created when a patient interacts with a health care provider. By requiring covered providers to obtain consent for treatment, payment, and health care operations, the individual will have appropriate opportunity to consider the appropriate uses and disclosures of his or her protected health information. We also require that the consent contain a reference to the provider's notice, which contains a more detailed description of the provider's practices relating to uses and disclosures of protected health information. This combination provides the basis for an individual to have an informed conversation with his or her provider and to request restrictions.

It is our understanding that it is common practice for providers to obtain consent for this type of information-sharing today. Many providers and provider organizations stated that they are ethically obligated to obtain the patient's consent and that it is their practice to do so. A 1998 study by Merz, et al, published in the Journal of Law, Medicine and Ethics examined hospital consent forms regarding disclosure of medical information.8 They found that 97% of all hospitals seek consent for the release of information for payment purposes; 45% seek consent for disclosure for utilization review, peer review, quality assurance, and/or prospective review; and 50% seek consent for disclosure to providers, other health care facilities, or others for continuity of care purposes. All of these activities fall within our definitions of treatment, payment, or health care operations.

8 J. Merz, P. Sankar, S.S. Yoo, "Hospital Consent for Disclosure of Medical Records," Journal of Law, Medicine & Ethics, 26 (1998): 241–248.

In the final rule we have not required that health plans or health care clearinghouses obtain consent for their uses and disclosures of protected health information for treatment, payment, or health care operations. The rationale underlying the consent requirements for uses and disclosures by health care providers does not pertain to health plans and health care clearinghouses. First, current practice is varied, and there is little history of health plans obtaining
consent relating to their own information practices unless required to do so by some other law. This is reflected in the public comments, in which most health plans supported the regulatory authorization approach proposed in the NPRM. Further, unlike many health care providers, health plans did not maintain that they were ethically obligated to seek the consent of their patients for their use and disclosure activities. Finally, it is the unique relationship between an individual and his or her health care provider that provides the foundation for a meaningful consent process. Requiring that consent process between an individual and a health plan or clearinghouse, when no such unique relationship exists, we believe is not necessary.

Unlike their relationship with health care providers, individuals in most instances do not have a direct opportunity to engage in a discussion with a health plan or clearinghouse at the time that they enter into a relationship with those entities. Most individuals choose a health plan through their employer and often sign up through their employer without any direct contact with the health plan. We concluded that providing for a signed consent in such a circumstance would add little to the proposed approach, which would have required health plans to provide a detailed notice to their enrollees. In the final rule, we also clarify that an individual can request a restriction from a health plan or health care clearinghouse. Since individuals rarely if ever have any direct contact with clearinghouses, we concluded that requiring a signed consent would have virtually no effect beyond the provision of the notice and the opportunity to request restrictions.

We agree with the comments we received objecting to the provision prohibiting covered entities from obtaining consent from individuals. As discussed above, in the final rule we require covered health care providers with direct treatment relationships to obtain consent to use or disclose protected health information for treatment, payment, and health care operations. In addition, we have eliminated the provision prohibiting other covered entities from obtaining such consents. We note that the consents that covered entities are permitted to obtain relate to their own uses and disclosures of protected health information for treatment, payment, and health care operations and not to the practices of others. If a covered entity wants to obtain the individual's permission to receive protected health information from another covered entity, it must do so using an authorization under § 164.508.

"Consent" versus "Authorization"

Comment: In general, commenters did not distinguish between "consent" and "authorization." Commenters used both terms to refer to the individual's giving permission for the use and disclosure of protected health information by any entity.

Response: In the final rule we have made an important distinction between consent and authorization. Under the final rule, we refer to the process by which a covered entity seeks agreement from an individual regarding how it will use and disclose the individual's protected health information for treatment, payment, and health care operations as "consent." The provisions in the final rule relating to consent are largely contained in § 164.506. The process by which a covered entity seeks agreement from an individual to use or disclose protected health information for other purposes, or to authorize another covered entity to disclose protected health information to the requesting covered entity, are termed "authorizations" and the provisions relating to them are found in § 164.508.

Consent Requirements

Comment: Many commenters believed that consent might be problematic in that it could allow covered entities to refuse enrollment or services if the individual does not grant the consent. Some commenters proposed that covered entities be allowed to condition treatment, payment, or health care operations on whether or not an individual granted consent. Other commenters said that consent should be voluntary and not coerced.

Response: In the final rule (§ 164.506(b)(1)), we permit covered health care providers to condition treatment on the individual's consent to the covered provider's use or disclosure of protected health information to carry out treatment, payment, and health care operations. We recognize that it would be difficult, if not impossible, for health care providers to treat their patients and run their businesses without being able to use or disclose protected health information for these purposes. For example, a health care provider could not be reimbursed by a health plan unless the provider could share protected health information about the individual with the health plan. Under the final rule, if the individual refuses to grant consent for this disclosure, the health care provider may refuse to treat the individual. We encourage health care providers to exhaust other options, such as making alternative payment arrangements with the individual, before refusing to treat the individual on these grounds.

We also permit health plans to condition enrollment in the health plan on the individual's consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations (see § 164.506(b)(2)). The health plan must seek the consent in conjunction with the individual's enrollment in the plan for this provision to apply. For example, a health plan's application for enrollment may include a consent for the health plan to use or disclose protected health information to carry out treatment, payment, and/or health care operations. If the individual does not sign this consent, the health plan, under § 164.502(a)(1)(iii), is prohibited from using or disclosing protected health information about the individual for the purposes stated in the consent form. Because the health plan may not be able adequately to provide services to the individual without these uses and disclosures, we permit the health plan to refuse to enroll the individual if the consent is not signed.

Comment: Some commenters were concerned that the NPRM conflicted with state law regarding when covered entities would be required to obtain consent for uses and disclosures of protected health information.

Response: We have modified the provisions in the final rule to require certain health care providers to obtain consent for uses and disclosures for treatment, payment, and health care operations and to permit other covered entities to do so. A consent under this rule may be combined with other types of written legal permission from the individual, such as state-required consents for uses and disclosures of certain types of health information (e.g., information relating to HIV/AIDS or mental health). We also permit covered entities to seek authorization from the individual for another covered entity's use or disclosure of protected health information for these purposes, including if the covered entity is required to do so by other law. Though we do not believe any states currently require such authorizations, we wanted to avoid future conflicts. These changes should resolve the concerns raised by commenters regarding conflicts with state laws that require consent, authorization, or other types of written legal permission for uses and disclosures of protected health information.

Comment: Some commenters noted that there would be circumstances when consent is impossible or impractical. A few commenters suggested that in such situations patient information be de-identified or reviewed by an objective third party to determine if consent is necessary.

Response: Covered health care providers with direct treatment relationships are required to obtain consent to use or disclose protected health information to carry out treatment, payment, and health care operations. In certain treatment situations where the provider is permitted or required to treat an individual without the individual's written consent to receive health care, the provider may use and disclose protected health information created or obtained in the course of that treatment without the individual's consent under this rule (see § 164.506(a)(3)). In these situations, the provider must attempt to obtain the individual's consent and, if the provider is unable to obtain consent, the provider must document the attempt and the reason consent could not be obtained. Together with the uses and disclosures permitted under §§ 164.510 and 164.512, the concerns raised regarding situations in which it is impossible or impractical for covered entities to obtain the individual's permission to use or disclose protected health information about the individual have been addressed.

Comment: An agency that provides care to individuals with mental retardation and developmental disabilities expressed concern that many of their consumers lack capacity to consent to the release of their records and may not have a surrogate readily available to provide consent on their behalf.

Response: Under § 164.506(a)(3), we provide exceptions to the consent requirement for certain treatment situations in which consent is difficult to obtain. In these situations, the covered provider must attempt to obtain consent and must document the reason why consent was not obtained. If these conditions are met, the provider may use and disclose the protected health information created or obtained during the treatment for treatment, payment, or health care operations purposes, without consent.

Comment: Many commenters were concerned that covered entities working together in an integrated health care system would each separately be required to obtain consent for use and disclosure of protected health information for treatment, payment, and health care operations. These commenters recommend that the rule permit covered entities that are part of the same integrated health care system to obtain a single consent allowing each of the covered entities to use and disclose protected health information in accordance with that consent form. Some commenters said that it would be confusing to patients and administratively burdensome to require separate consents for health care systems that include multiple covered entities.

Response: We agree with commenters' concerns. In § 164.506(f) of the final rule we permit covered entities that participate in an organized health care arrangement to obtain a single consent on behalf of the arrangement. See § 164.501 and the corresponding preamble discussion regarding organized health care arrangements. To obtain a joint consent, the covered entities must have a joint notice and must refer to the joint notice in the joint consent. See § 164.520(d) and the corresponding preamble discussion regarding joint notice. The joint consent must also identify the covered entities to which it applies so that individuals will know who is permitted to use and disclose information about them.

Comment: Many commenters stated that individuals own their medical records and, therefore, should have absolute control over them, including knowing by whom and for what purpose protected health information is used, disclosed, and maintained. Some commenters asserted that, according to existing law, a patient owns the medical records of which he is the subject.

Response: We disagree. In order to assert an ownership interest in a medical record, a patient must demonstrate some legitimate claim of entitlement to it under a state law that establishes property rights or under state contract law. Historically, medical records have been the property of the health care provider or medical facility that created them, and some state statutes directly provide that medical records are the property of a health care provider or a health care facility. The final rule is consistent with current state law that provides patients access to protected health information but not ownership of medical records. Furthermore, state laws that are more stringent than the rule, that is, state laws that provide a patient with greater access to protected health information, remain in effect. See discussion of "Preemption" above.

Electronically Stored Data

Comment: Some commenters stated that privacy concerns would be significantly reduced if patient information is not stored electronically. One commenter suggested that consent should be given for patient information to be stored electronically. One commenter believed that information stored in data systems should not be individually identifiable.

Response: We agree that storing and transmitting health information electronically creates concerns about the privacy of health information. We do not agree, however, that covered entities should be expected to maintain health information outside of an electronic system, particularly as health care providers and health plans extend their reliance on electronic transactions. We do not believe that it would be feasible to permit individuals to opt out of electronic transactions by withholding their consent. We note that individuals can ask providers and health plans whether or not they store information electronically, and can choose only providers who do not do so or who agree not to do so. We also do not believe that it is practical or efficient to require that electronic data bases contain only de-identified information. Electronic transactions have achieved tremendous savings in the health care system and electronic records have enabled significant improvements in the quality and coordination of health care. These improvements would not be possible with de-identified information.

Section 164.508—Uses and Disclosures for Which Authorization Is Required

Uses and Disclosures Requiring Authorization

Comment: We received many comments in general support of requiring authorization for the use or disclosure of protected health information. Some comments suggested, however, that we should define those uses and disclosures for which authorization is required and permit covered entities to make all other uses and disclosures without authorization.

Response: We retain the requirement for covered entities to obtain authorization for all uses and disclosures of protected health information that are not otherwise permitted or required under the rule without authorization. We define exceptions to the general rule requiring authorization for the use or disclosure of protected health information, rather than defining narrow circumstances in which authorization is required.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical
guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that "each medical-care provider be considered to owe a duty of confidentiality to any individual who is the subject of a medical record it maintains, and that, therefore, no medical care provider should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosures would be" for specifically enumerated purposes such as treatment, audit or evaluation, research, public health, and law enforcement.9 The Commission made similar recommendations with respect to insurance institutions.10 The Privacy Act (5 U.S.C. 552a) prohibits government agencies from disclosing records except pursuant to the written request of or pursuant to a written consent of the individual to whom the record pertains, unless the disclosure is

social considerations." 12 We build on these standards in this final rule.

Comment: Some comments suggested that, under the proposed rule, a covered entity could not use protected health information to solicit authorizations from individuals. For example, a covered entity could not use protected health information to generate a mailing list for sending an authorization for marketing purposes.

Response: We agree with this concern and clarify that covered entities are permitted to use protected health information in this manner without authorization as part of the management activities relating to implementation of and compliance with the requirements of this rule. See § 164.501 and the corresponding preamble regarding the definition of health care operations.

Comment: We received several comments suggesting that we not require written authorizations for disclosures to the individual or for disclosures initiated by the individual

related to health care. If the attorney is the personal representative under the rule, he may obtain a copy of the protected health information relevant to such personal representation under the individual's right to access. If the attorney is not the personal representative under the rule, or if the attorney wants a copy of more protected health information than that which is relevant to his personal representation, the individual would have to authorize such disclosure.

Comment: Commenters expressed concern about whether a covered entity can rely on authorizations made by parents on behalf of their minor children once the child has reached the age of majority and recommended that covered entities be able to rely on the most recent, valid authorization, whether it was authorized by the parent or the minor.

Response: We agree. If an authorization is signed by a parent, who is the personal representative of the
for certain specified purposes. The or the individual’s legal representative. minor child at the time the
National Association of Insurance Response: We agree with this concern authorization is signed, the covered
Commissioners’ Health Information and in the final rule we clarify that entity may rely on the authorization for
Privacy Model Act states, ‘‘A carrier disclosures of protected health as long as it is a valid authorization, in
shall not collect, use or disclose information to the individual who is the accordance with § 164.508(b). A valid
protected health information without a subject of the information do not require authorization remains valid until it
valid authorization from the subject of the individual’s authorization. See expires or is revoked. This protects a
§ 164.502(a)(1). We do not intend to covered entity’s reasonable reliance on
the protected health information, except
impose barriers between individuals such authorization. The expiration date
as permitted by * * * this Act or as
and disclosures of protected health of the authorization may be the date the
permitted or required by law or court
information to them. minor will reach the age of majority. In
order. Authorization for the disclosure that case, the covered entity would be
When an individual requests that the
of protected health information may be required to have the individual sign a
covered entity disclose protected health
obtained for any purpose, provided that new authorization form in order to use
information to a third party, however,
the authorization meets the or disclose information covered in the
the covered entity must obtain the
requirements of this section.’’ In its expired authorization form.
individual’s authorization, unless the
report ‘‘Best Principles for Health third party is a personal representative Comment: Some commenters were
Privacy,’’ the Health Privacy Working of the individual with respect to such concerned that covered entities working
Group stated, ‘‘Personally identifiable protected health information. See together in an integrated system would
health information should not be § 164.502(g). If under applicable law a each be required to obtain authorization
disclosed without patient authorization, person has authority to act on behalf of separately. These commenters suggested
except in limited circumstances’ such as an individual in making decisions the rule should allow covered entities
when required by law, for oversight, and related to health care, except under that are part of the same system to
for research.11 The American Medical limited circumstances, that person must obtain a single authorization allowing
Association’s Council on Ethical and be treated as the personal representative each of the covered entities to use and
Judicial Affairs has issued an opinion under this rule with respect to protected disclose protected health information in
stating, ‘‘The physician should not health information related to such accordance with that authorization.
reveal confidential communications or Response: If the rule does not permit
representation. A legal representative is
information without the express consent or require a covered entity to use or
a personal representative under this rule
of the patient, unless required to do so disclose protected health information
if, under applicable law, such person is
by law [and] subject to certain without the individual’s authorization,
able to act on behalf of an individual in
the covered entity must obtain the
exceptions which are ethically and making decisions related to health care,
individual’s authorization to make the
legally justified because of overriding with respect to the protected health
use or disclosure. Multiple covered
information related to such decisions.
entities working together as an
9 Privacy Protection Study Commission, For example, an attorney of an
integrated delivery system or otherwise
‘‘Personal Privacy in an Information Society,’’ July individual may or may not be a personal
1977, p. 306. may satisfy this requirement in at least
representative under the rule depending
10 Privacy Protection Study Commission, three ways. First, each covered entity
on the attorney’s authority to act on
‘‘Personal Privacy in an Information Society,’’ July may separately obtain an authorization
1977, pp. 215–217. behalf of the individual in decisions
11 Health Privacy Working Group, ‘‘Best
directly from the individual who is the
Principles for Health Privacy,’’ Health Privacy 12 AMA Council on Ethical and Judicial Affairs, subject of the protected health
Project, Institute for Health Care Research and ‘‘Opinion E–5.05: Confidentiality,’’ Issued information to be used or disclosed.
Policy, Georgetown University, July 1999, p. 19. December 1983, Updated June 1994. Second, one covered entity may obtain

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00191 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82652 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

a compound authorization in therefore, required authorizations from monitor the effectiveness of an


accordance with § 164.508(b)(3) that the individuals who were the subjects of individual’s mental health care and
authorizes multiple covered entities to the information. We clarify in the final eligibility for benefits. Other
use and disclose protected health rule that if the use or disclosure is commenters, many from insurance
information. In accordance with otherwise permitted or required under companies, cited the need to have
§ 164.508(c)(1)(ii), each covered entity, the rule without authorization, such psychotherapy notes to detect fraud.
or class of covered entities, that is authorization is not required simply A few commenters said that it was not
authorized to make the use or disclosure because the disclosure is made by sale, necessary to provide additional
must be clearly identified. Third, if the rental, or barter. protections to psychotherapy notes
requirements in § 164.504(d) are met, Comment: Many commenters because the ‘‘minimum necessary’’
the integrated delivery system may elect expressed concerns that their health provisions of the NPRM provide
to designate itself as a single affiliated information will be sold to sufficient protections.
covered entity. A valid authorization pharmaceutical companies. Response: In the final rule, a covered
obtained by that single affiliated Response: Although we have removed entity generally must obtain an
covered entity would satisfy the the reference to sale, rental or barter, the authorization for disclosure of
authorization requirements for each final rule generally would not permit psychotherapy notes, or for use by a
covered entity within the affiliated the sale of protected health information person other than the person who
covered entity. Whichever option is to a pharmaceutical company without created the psychotherapy notes. This
used, because these authorizations are the authorization of individuals who are authorization is specific to
being requested by a covered entity for the subjects of the information. In some psychotherapy notes and is in addition
its own use or disclosure, the cases, a covered entity could disclose to the consent an individual may have
authorization must contain both the protected health information to a given for the use or disclosure of other
core elements in § 164.508(c) and the pharmaceutical company for research protected health information to carry
additional elements in § 164.508(d). purposes if the disclosure met the out treatment, payment, and health care
requirements of § 164.512(i). operations. This additional level of
Sale, Rental, or Barter individual control provides greater
Psychotherapy Notes
Comment: Proposed § 164.508 listed protection than a general application of
examples of activities that would have Comment: Public response to the the ‘‘minimum necessary’’ rule. Nothing
required authorization, which included concept of providing additional in this regulation weakens existing rules
disclosure by sale, rental, or barter. protections for psychotherapy notes was applicable to mental health information
Some commenters requested divided. Many individuals and most that provide more stringent protections.
clarification that this provision is not providers, particularly mental health We do not intend to alter the holding in
intended to affect mergers, sale, or practitioners, advocated requiring Jaffee v. Redmond.
similar transactions dealing with entire consent for use or disclosure of all or Generally, we have not treated
companies or their individual divisions. most protected health information, but sensitive information differently from
A few commenters stated that covered particularly sensitive information such other protected health information;
entities should be allowed to sell as mental health information, not however, we have provided additional
protected health information, including necessarily limited to psychotherapy protections for psychotherapy notes
claims data, as an asset of the covered notes. Others thought there should be because of Jaffee v. Redmond and the
entity. special protections for psychotherapy unique role of this type of information.
Response: We clarify in the definition information based on the federal There are few reasons why other health
of health care operations that a covered psychotherapist-patient privilege care entities should need access to
entity may sell or transfer its assets, created by the U.S. Supreme Court in psychotherapy notes, and in those cases,
including protected health information, Jaffee v. Redmond and the need for an the individual is in the best position to
to a successor in interest that is or will atmosphere of trust between therapist determine if the notes should be
become a covered entity. See § 164.501 and patient that is required for effective disclosed. As we have defined them,
and the corresponding preamble psychotherapy. Several consumer psychotherapy notes are primarily of
discussion regarding this change. We groups recommended prohibiting use to the mental health professional
believe this change meets commenters’ disclosure of psychotherapy notes for who wrote them, maintained separately
business needs without compromising payment purposes. from the medical record, and not
individuals’ privacy interests. Some commenters, however, saw no involved in the documentation
Comment: Some commenters need for special protections for necessary to carry out treatment,
supported the requirement for covered psychotherapy communications and payment, or health care operations.
entities to obtain authorization for the thought that the rules should apply the Since psychotherapy notes have been
sale, rental, or barter of protected health same protections for all individually defined to exclude information that
information. Some commenters argued identifiable information. Other health plans would typically need to
that protected health information commenters who advocated for no process a claim for benefits, special
should never be bought or sold by special protections based their authorization for payment purposes
anyone, even with the individual’s opposition on the difficulty in drawing should be rare. Unlike information
authorization. a distinction between physical and shared with other health care providers
Response: We removed the reference mental health and that special for the purposes of treatment,
to sale, rental, or barter in the final rule protections should be left to the states. psychotherapy notes are more detailed
because we determined that the term Many health plans and employers did and subjective and are today subject to
was overly broad. For example, if a not support additional protections for unique privacy and record retention
researcher reimbursed a provider for the psychotherapy notes because they stated practices. In fact, it is this separate
cost of configuring health data to be they need access to this information to existence and isolated use that allows us
disclosed under the research provisions assess the adequacy of treatment, the to grant the extra protection without
at § 164.512(i), there may have been severity of a patient’s condition, the causing an undue burden on the health
ambiguity that this was a sale and, extent of a disability, or the ability to care system.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00192 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82653

Comment: Many commenters governing confidentiality of alcohol and psychotherapy notes or any other
suggested we prohibit disclosure of substance abuse records as a model for protected health information.
psychotherapy notes without limited disclosure of psychotherapy Comment: A provider organization
authorization for uses and disclosures notes for audits or evaluations. Under argued for inclusion of language in the
under proposed § 164.510 of the NPRM, these regulations, a third party payor or final rule that specifies that real or
or that protections should be extended a party providing financial assistance perceived ‘‘ownership’’ of the mental
to particular uses and disclosures, such may access confidential records for health record does not negate the
as disclosures for public health, law auditing purposes if the party agrees in requirement that patients must
enforcement, health oversight, and writing to keep the records secure and specifically authorize the disclosure of
judicial and administrative proceedings. destroy any identifying information their psychotherapy notes. They cited a
One of these commenters stated that the upon completion of the audit. (42 CFR July 1999 National Mental Health
only purpose for which psychotherapy part 2) Association survey, which found that
notes should be disclosed without Response: We agree that the federal for purposes of utilization review, every
authorization is for preventing or regulations concerning alcohol and drug managed care plan policy reviewed
lessening a serious or imminent threat abuse provide a good model for ‘‘maintains the right to access the full
to health or safety (proposed protection of information. However, medical record (including detailed
§ 154.510(k)). Another commenter stated according to our fact-finding psychotherapy notes) of any consumer
that the rule should allow disclosure of discussions, audit or evaluation should covered under its benefit plan at its
psychotherapy notes without not require access to psychotherapy whim.’’ At least one of the major
authorization for this purpose, or as notes. Protected health information kept managed health plans surveyed
required by law in cases of abuse or in the medical record about an considered the patient record to be the
neglect. individual should be sufficient for these property of the health plan and
Other commenters did not want these purposes. The final rule does not governed by the health plan’s policies.
protections to be extended to certain require authorization for use or Response: Although a covered entity
national priority activities. They disclosure of psychotherapy notes when may own a mental health record, the
claimed that information relative to needed for oversight of the covered ability to use or disclose an individual’s
psychotherapy is essential to states’ health care provider who created the information is limited by state law and
activities to protect the public from psychotherapy notes. this rule. Under this rule, a mental
dangerous mentally ill offenders and Comment: A provider organization health plan would not have access to
abusers, to deliver services to urged that the disclosure of psychotherapy notes created by a
individuals who are unable to authorize psychotherapy notes be strictly covered provider unless the individual
release of health care information, and prohibited except to the extent needed who is the subject of the notes
for public health assessments. One in litigation brought by the client authorized disclosure to the health plan.
commenter requested clarification of against the mental health professional Comment: Some commenters
when psychotherapy notes could be on the grounds of professional expressed concern regarding the burden
released in emergency circumstances. malpractice or disclosure in violation of created by having to obtain multiple
Several commenters stated that this section. authorizations and requested
psychotherapy notes should not be Response: We agree that clarification as to whether separate
disclosed for public health purposes. psychotherapy notes should be available authorization for use and disclosure of
Response: We agree with the for the defense of the provider who psychotherapy notes is required.
commenters who suggested extending created the notes when the individual Response: For the reasons explained
protections of psychotherapy notes and who is the subject of the notes puts the above, we retain in the final rule a
have limited the purposes for which contents of the notes at issue in a legal requirement that a separate
psychotherapy notes may be disclosed case. In the final rule, we allow the authorization must be obtained for most
without authorization for purposes provider to disclose the notes to his or uses or disclosures of psychotherapy
other than treatment, payment, or health her lawyer for the purpose of preparing notes, including those for treatment,
care operations. The final rule requires a defense. Any other disclosure related payment, and health care operations.
covered entities to obtain authorization to judicial and administrative The burden of such a requirement is
to use or disclose psychotherapy notes proceedings is governed by § 164.512(e). extremely low, however, because under
for purposes listed in § 164.512, with Comment: One commenter requested our definition of psychotherapy notes,
the following exceptions: An that we prohibit mental health the need for such authorization will be
authorization is not required for use or information that has been disclosed very rare.
disclosure of psychotherapy notes when from being re-disclosed without patient Comment: One commenter stated that
the use or disclosure is required for authorization. Medicare should not be able to require
enforcement of this rule, in accordance Response: Psychotherapy notes may the disclosure of psychotherapy notes
with § 164.502(a)(2)(ii); when required only be disclosed pursuant to an because it would destroy a practitioner’s
by law, in accordance with § 164.512(a); authorization, except under limited ability to treat patients effectively.
when needed for oversight of the circumstances. Covered entities must Response: We agree. As in the
covered health care provider who adhere to the terms of authorization and proposed rule, covered entities may not
created the psychotherapy notes, in not disclose psychotherapy notes to disclose psychotherapy notes for
accordance with § 164.512(d); when persons other than those identified as payment purposes without an
needed by a coroner or medical intended recipients or for other authorization. If a specific provision of
examiner, in accordance with purposes. A covered entity that receives law requires the disclosure of these
§ 164.512(g)(1); or when needed to avert psychotherapy notes must adhere to the notes, a covered entity may make the
a serious and imminent threat to health terms of this rule—including obtaining disclosure under § 164.512(a). The final
or safety, in accordance with an authorization for any further use or rule, however, does not require the
§ 164.512(j)(1)(i). disclosure. We do not have the disclosure of these notes to Medicare.
Comment: A commenter suggested authority, however, to prohibit non- Comment: One commenter expressed
that we follow the federal regulations covered entities from re-disclosing concern that by filing a complaint an

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00193 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82654 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

individual would be required to reveal obtain a copy of psychotherapy notes, Research Information Unrelated to
sensitive information to the public. we will keep these notes confidential Treatment
Another commenter suggested that and secure. Investigative staff will be
Definition of Research Information
complaints regarding noncompliance in trained in privacy to ensure that they
Unrelated to Treatment
regard to psychotherapy notes should be fully respect the confidentiality of
made to a panel of mental health personal information. In addition, while Comment: The majority of
professionals designated by the the content of these notes is generally commenters, including many
Secretary. This commenter also not relevant to violations under this researchers and health care providers,
proposed that all patient information rule, we will secure the expertise of objected to the proposed definition of
would be maintained as privileged, mental health professionals if needed in research information unrelated to
would not be revealed to the public, and reviewing psychotherapy notes. treatment, asserting that the privacy rule
would be kept under seal after the case Comment: A mental health should not distinguish research
is reviewed and closed. organization recommended prohibiting information unrelated to treatment from
Response: We appreciate this concern health plans and covered health care other forms of protected health
and the Secretary will ensure that providers from disclosing information. Even those who supported
individually identifiable health psychotherapy notes to coroners or the proposed distinction between
information and other personal medical examiners. research information related and
information contained in complaints Response: In general, we have unrelated to treatment suggested
will not be available to the public. This severely limited disclosures of alternative definitions for research
Department seeks to protect the privacy psychotherapy notes without the information unrelated to treatment.
of individuals to the fullest extent A large number of commenters were
individual’s authorization. One case
possible, while permitting the exchange concerned that the definition of research
where the information may prove
of records required to fulfill its information unrelated to treatment was
invaluable, but authorization by the vague and unclear and, therefore, would
administrative and program individual is impossible and
responsibilities. The Freedom of be difficult or impossible to apply.
authorization by a surrogate is These commenters asserted that in
Information Act, 5 U.S.C. 552, and the potentially contraindicated, is in the
HHS implementing regulation, 45 CFR many instances it would not be feasible
investigation of the death of the to ascertain whether research
part 5, protect records about individuals individual. The final rule allows for
if the disclosure would constitute an information bore some relation to
disclosures to coroners or medical treatment. In addition, several
unwarranted invasion of their personal examiners in this limited case.
privacy, as does the Privacy Act, 5 commenters asserted that the need for
Comment: One commenter distinguishing research information
U.S.C. 552a. See the discussion of FOIA
recommended prohibiting disclosure unrelated to treatment from other forms
and the Privacy Act in the ‘‘Relationship
without authorization of psychotherapy of protected health information was not
to Other Federal Laws’’ section of the
notes to government health data necessary because the proposed rule’s
preamble. Information that the Secretary
systems. general restrictions for the use and
routinely withholds from the public in
its current enforcement activities Response: The decision to eliminate disclosure of protected health
includes individual names, addresses, the general provision permitting information and the existing protections
and medical information. Additionally, disclosures to government health data for research information were
the Secretary attempts to guard against systems addresses this comment. sufficiently strong.
the release of information that might Comment: Several commenters were Of the commenters who supported the
involve a violation of personal privacy concerned that in practice, a treatment proposed distinction between research
by someone being able to ‘‘read between team in a mental health facility shares information related and unrelated to
the lines’’ and piece together items that information about a patient in order to treatment, very few supported the
would constitute information that care for the patient and that the proposed definition of research
normally would be protected from provision requiring authorization for unrelated to treatment. A few
release to the public. In implementing use and disclosure of psychotherapy commenters recommended that the
the privacy rule, the Secretary will notes would expose almost all definition incorporate a good faith
continue this practice of protecting privileged information to disclosure. provision and apply only to health care
personal information. They requested that we add a provision providers, because they thought it was
It is not clear whether the commenter that any authorization or disclosure unlikely that a health plan or health
with regard to the use of mental health under that statute shall not constitute a care clearinghouse would be conducting
professionals believes that such waiver of the psychotherapist-patient research. One commenter recommended
professionals should be involved privilege. defining research information unrelated
because they would be best able to keep Response: Because of the restricted to treatment as information which does
psychotherapy notes confidential or definition we have adopted for not directly affect the treatment of the
because such professionals can best psychotherapy notes, we do not expect individual patient. As a means of
understand the meaning or relevance of that members of a team will share such clarifying and standardizing the
such notes. We anticipate that we would information. Information shared in application of this definition, one
not have to obtain a copy or review order to care for the patient is, by commenter also asserted that the
psychotherapy notes in investigating definition, not protected as definition should be based on whether
most complaints regarding psychotherapy notes. With respect to the research information was for
noncompliance in regard to such notes. waiving privilege, however, we believe publication. In addition, one commenter
There may be some cases in which a that the consents and authorizations specifically objected to the provision of
quick review of the notes may be described in §§ 164.506 and 164.508 the proposed definition that would have
needed, such as when we need to should not be construed as waivers of a required that research information
identify that the information a covered patient’s evidentiary privilege. See the unrelated to treatment be information
entity disclosed was in fact discussions under § 164.506 and ‘‘with respect to which the covered
psychotherapy notes. If we need to ‘‘Relationship to Other Laws,’’ above. entity has not requested payment from

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00194 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82655

a third party payor.’’ This commenter believe this provision in the final rule agreed with the concern expressed in
asserted that patient protection should not be dependent on whether a health plan will pay for certain care.

Response: We agree with the commenters who found the proposed definition of research information unrelated to treatment to be impractical and infeasible to apply and have eliminated this definition and its related provisions in the final rule. Although we share concerns raised by some commenters that research information generated from research studies that involve the delivery of treatment to individual subjects may need additional privacy protection, we agree with the commenters who asserted that there is not always a clear distinction between research information that is related to treatment and research information that is not. We found that the alternative definitions proposed by commenters did not alleviate the serious concerns raised by the majority of comments received on this definition.

Instead, in the final rule, we require covered entities that create protected health information for the purpose, in whole or in part, of research that includes treatment of individuals to include additional elements in authorizations they request for the use or disclosure of that protected health information. As discussed in § 164.508(f), these research-related authorizations must include a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual’s health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity’s general notice of information practices and are binding on the covered entity.

Under this approach, the covered entity that creates protected health information for research has discretion to determine whether there is a subset of research information that will have fewer allowable disclosures without authorization, and prospective research subjects will be informed about how research information about them would be used and disclosed should they agree to participate in the research study. We

provides covered entities that participate in research necessary flexibility to enhance privacy protections for research information and provides prospective research subjects with needed information to determine whether their privacy interests would be adequately protected before agreeing to participate in a research study that involves the delivery of health care.

The intent of this provision is to permit covered entities that participate in research to bind themselves to a more limited scope of uses and disclosures for all or identified subsets of research information generated from research that involves the delivery of treatment than it may apply to other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals’ privacy concerns on their willingness to participate in research. For example, a covered entity conducting a study which involves the evaluation of a new drug, as well as an assessment of a new un-validated genetic marker of a particular disease, could choose to stipulate in the research authorization that the genetic information generated from this study will not be disclosed without authorization for some of the public policy purposes that would otherwise be permitted by the rule under §§ 164.510 and 164.512 and by the covered entity’s notice. A covered entity may not, however, include a limitation affecting its right to make a use or disclosure that is either required by law or is necessary to avert a serious and imminent threat to health or safety.

The final rule also permits the covered entity to combine the research authorization under § 164.508(f) with the consent to participate in research, such as the informed consent document as stipulated under the Common Rule or the Food and Drug Administration’s human subjects regulations.

Enhance Privacy Protections for Research Information

Comment: A number of commenters argued that research information unrelated to treatment should have fewer allowable disclosures without authorization than those that would have been permitted by the proposed rule. The commenters who made this argument included those commenters who recommended that the privacy rule not cover the information we proposed to constitute research information unrelated to treatment, as well as those who asserted that the rule should cover such information. These commenters

the proposed rule that patients would be reluctant to participate in research if they feared that research information could be disclosed without their permission or used against them. They argued that fewer allowable disclosures should be permitted for research information because the clinical utility of the research information is most often unknown, and thus, it is unsuitable for use in clinical decision making. Others also argued that it is critical to the conduct of clinical research that researchers be able to provide individual research subjects, and the public at large, the greatest possible assurance that their privacy and the confidentiality of any individually identifiable research information will be protected from disclosure.

Several commenters further recommended that only the following uses and disclosures be permitted for research information unrelated to treatment without authorization: (1) For the oversight of the researcher or the research study; (2) for safety and efficacy reporting required by FDA; (3) for public health; (4) for emergency circumstances; or (5) for another research study. Other commenters recommended that the final rule explicitly prohibit law enforcement officials from gaining access to research records.

In addition, several commenters asserted that the rule should be revised to ensure that once protected health information was classified as research information unrelated to treatment, it could not be re-classified as something else at a later date. These commenters believed that if this additional protection were not added, this information would be vulnerable to disclosure in the future, if the information were later to gain scientific validity. They argued that individuals may rely on this higher degree of confidentiality when consenting to the collection of the information in the first instance, and that confidentiality should not be betrayed in the future just because the utility of the information has changed.

Response: We agree with commenters who argued that special protections may be appropriate for research information in order to provide research subjects with assurances that their decision to participate in research will not result in harm stemming from the misuse of the research information. We are aware that some researchers currently retain separate research records and medical records as a means of providing more stringent privacy protections for the research record. The final rule permits


covered entities that participate in research to continue to provide more stringent privacy protections for the research record, and the Secretary strongly encourages this practice to protect research participants from being harmed by the misuse of their research information.

As discussed above, in the final rule, we eliminate the special rules for this proposed definition of research information unrelated to treatment and its related provisions, so the comments regarding its application are moot.

Comment: Some commenters recommended that the final rule prohibit a covered entity from conditioning treatment, enrollment in a health plan, or payment on a requirement that the individual authorize the use or disclosure of information we proposed to constitute research information unrelated to treatment.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders this comment moot.

Comment: A few commenters opposed distinguishing between research information related to treatment and research information unrelated to treatment, arguing that such a distinction could actually weaken the protection afforded to clinically-related health information that is collected in clinical trials. These commenters asserted that Certificates of Confidentiality shield researchers from being compelled to disclose individually identifiable health information relating to biomedical or behavioral research information that an investigator considers sensitive.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders this comment moot. We would note that nothing in the final rule overrides Certificates of Confidentiality, which protect against the compelled disclosure of identifying information about subjects of biomedical, behavioral, clinical, and other research as provided by the Public Health Service Act section 301(d), 42 U.S.C. 241(d).

Privacy Protections for Research Information Too Stringent

Comment: Many of the commenters who opposed the proposed definition of research information unrelated to treatment and its related provisions believed that the proposed rule would have required authorization before research information unrelated to treatment could have been used or disclosed for any of the public policy purposes outlined in proposed § 164.510, and that this restriction would have significantly hindered many important activities. Many of these commenters specifically opposed this provision, arguing that the distinction would undermine and impede research by requiring patient authorization before research information unrelated to treatment could be used or disclosed for research.

Furthermore, some commenters recommended that the disclosure of research information should be governed by an informed consent agreement already in place as part of a clinical protocol, or its disclosure should be considered by an institutional review board or privacy board.

Response: Our decision to eliminate the definition of research information unrelated to treatment and its related provisions in the final rule renders the first two comments moot.

We disagree with the comment that suggests that existing provisions under the Common Rule are sufficient to protect the privacy interests of individuals who are subjects in research that involves the delivery of treatment. As discussed in the NPRM, not all research is subject to the Common Rule. In addition, we are not convinced that existing procedures adequately inform individuals about how their information will be used as part of the informed consent process. In the final rule, we provide for additional disclosure to subjects of research that involves the delivery of treatment as part of the research authorization under § 164.508(f). We also clarify that the research authorization could be combined with the consent to participate in research, such as the informed consent document as stipulated under the Common Rule or the Food and Drug Administration’s human subjects regulations. The Common Rule (§_.116(a)(5)) requires that “informed consent” include “a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained.” We believe that the research authorization requirements of § 164.508(f) complement the Common Rule’s requirement for informed consent.

The Secretary’s Authority

Comment: Several commenters, many from the research community, asserted that the coverage of “research information unrelated to treatment” was beyond the Department’s legal authority since HIPAA did not give the Secretary authority to regulate researchers. These commenters argued that the research records held by researchers who are performing clinical trials and who keep separate research records should not be subject to the final rule. These commenters strongly disagreed that a health provider-researcher cannot carry out two distinct functions while performing research and providing clinical care to research subjects and, thus, asserted that research information unrelated to treatment that is kept separate from the medical record, would not be covered by the privacy rule.

Response: We do not agree the Secretary lacks the authority to adopt standards relating to research information, including research information unrelated to treatment. HIPAA provides authority for the Secretary to set standards for the use and disclosure of individually identifiable health information created or received by covered entities. For the reasons commenters identified for why it was not practical or feasible to divide research information into two categories—research information related to treatment and research information unrelated to treatment—we also determined that for a single research study that includes the treatment of research subjects, it is not practical or feasible to divide a researcher into two categories—a researcher who provides treatment and a researcher who does not provide treatment to research subjects. When a researcher is interacting with research subjects for a research study that involves the delivery of health care to subjects, it is not always clear to either the researcher or the research subject whether a particular research activity will generate research information that will be pertinent to the health care of the research subject. Therefore, we clarify that a researcher may also be a health care provider if that researcher provides health care, e.g., provides treatment to subjects in a research study, and otherwise meets the definition of a health care provider, regardless of whether there is a component of the research study that is unrelated to the health care of the research subjects. This researcher/health care provider is then a covered entity with regard to her provider activities if she conducts standard transactions.

Valid Authorizations

Comment: In proposed § 164.508(b)(1), we specified that an authorization containing the applicable required elements “must be accepted by the covered entity.” A few comments requested clarification of this requirement.


Response: We agree with the commenters that the proposed provision was ambiguous and we remove it from the final rule. We note that nothing in the rule requires covered entities to act on authorizations that they receive, even if those authorizations are valid. A covered entity presented with an authorization is permitted to make the disclosure authorized, but is not required to do so.

We want to be clear, however, that covered entities will be in compliance with this rule if they use or disclose protected health information pursuant to an authorization that meets the requirements of § 164.508. We have made changes in § 164.508(b)(1) to clarify this point. First, we specify that an authorization containing the applicable required elements is a valid authorization. A covered entity may not reject as invalid an authorization containing such elements. Second, we clarify that a valid authorization may contain elements or information in addition to the required elements, as long as the additional elements are not inconsistent with the required elements.

Comment: A few comments requested that we provide a model authorization or examples of wording meeting the “plain language” requirement. One commenter requested changes to the language in the model authorization to avoid confusion when used in conjunction with an insurer’s authorization form for application for life or disability income insurance. Many other comments, however, found fault with the proposed model authorization form.

Response: Because of the myriad of types of forms that could meet these requirements and the desire to encourage covered entities to develop forms that meet their specific needs, we do not include a model authorization form in the final rule. We intend to issue additional guidance about authorization forms prior to the compliance date. We also encourage standard-setting organizations to develop model forms meeting the requirements of this rule.

Defective Authorizations

Comment: Some commenters suggested we insert a “good-faith reliance” or “substantial compliance” standard into the authorization requirements. Commenters suggested that covered entities should be permitted to rely on an authorization as long as the individual has signed and dated the document. They stated that individuals may not fill out portions of a form that they feel are irrelevant or for which they do not have an answer. They argued that requiring covered entities to follow up with each individual to complete the form will cause unwarranted delays. In addition, commenters were concerned that large covered entities might act in good faith on a completed authorization, only to find out that a component of the entity “knew” some of the information on the form to be false or that the authorization had been revoked. These commenters did not feel that covered entities should be held in violation of the rule in such situations.

Response: We retain the provision as proposed and include one additional element: the authorization is invalid if it is combined with other documents in violation of the standards for compound authorizations. We also clarify that an authorization is invalid if material information on the form is known to be false. The elements we require to be included in the authorization are intended to ensure that individuals knowingly and willingly authorize the use or disclosure of protected health information about them. If these elements are missing or incomplete, the covered entity cannot know which protected health information to use or disclose to whom and cannot be confident that the individual intends for the use or disclosure to occur.

We have attempted to make the standards for defective authorizations as unambiguous as possible. In most cases, the covered entity will know whether the authorization is defective by looking at the form itself. Otherwise, the covered entity must know that the authorization has been revoked, that material information on the form is false, or that the expiration date or event has occurred. If the covered entity does not know these things and the authorization is otherwise satisfactory on its face, the covered entity is permitted to make the use or disclosure in compliance with this rule.

We have added two provisions to make it easier for covered entities to “know” when an authorization has been revoked. First, under § 164.508(b)(5), the revocation must be made in writing. Second, under § 164.508(c)(1)(v), authorizations must include instructions for how the individual may revoke the authorization. Written revocations submitted in the manner appropriate for the covered entity should ease covered entities’ compliance burden.

Compound Authorizations

Comment: Many commenters raised concerns about the specificity of the authorization requirement. Some comments recommended that we permit covered entities to include multiple uses and disclosures in a single authorization and allow individuals to authorize or not authorize specific uses and disclosures in the authorization. Other commenters asked whether a single authorization is sufficient for multiple uses or disclosures for the same purpose, for multiple uses and disclosures for related purposes, and for uses and disclosures of different types of information for the same purpose. Some comments from health care providers noted that specific authorizations would aid their compliance with requests.

Response: As a general rule, we prohibit covered entities from combining an authorization for the use or disclosure of protected health information with any other document. For example, an authorization may not be combined with a consent to receive treatment or a consent to assign payment of benefits to a provider. We intend the authorizations required under this rule to be voluntary for individuals, and, therefore, they need to be separate from other forms of consent that may be a condition of treatment or payment or that may otherwise be coerced.

We do, however, permit covered entities to combine authorizations for uses and disclosures for multiple purposes into a single authorization. The only limitations are that an authorization for the use or disclosure of psychotherapy notes may not be combined with an authorization for the use or disclosure of other types of protected health information and that an authorization that is a condition of treatment, payment, enrollment, or eligibility may not be combined with any other authorization.

In § 164.508(b)(3), we also permit covered entities to combine an authorization for the use or disclosure of protected health information created for purposes of research including treatment of individuals with certain other documents.

We note that covered entities may only make uses or disclosures pursuant to an authorization that are consistent with the terms of the authorization. Therefore, if an individual agrees to one of the disclosures described in the compound authorization but not another, the covered entity must comply with the individual’s decision. For example, if a covered entity asks an individual to sign an authorization to disclose protected health information for both marketing and fundraising purposes, but the individual only agrees to the fundraising disclosure, the


covered entity is not permitted to make the marketing disclosure.

Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

Comment: Many commenters supported the NPRM’s prohibition of covered entities from conditioning treatment or payment on the individual’s authorization of uses and disclosures. Some commenters requested clarification that employment can be conditioned on an authorization. Some commenters recommended that we eliminate the requirement for covered entities to state on the authorization form that the authorization is not a condition of treatment or payment. Some commenters suggested that we prohibit the provision of anything of value, including employment, from being conditioned on receipt of an authorization.

In addition, many commenters argued that patients should not be coerced into signing authorizations for a wide variety of purposes as a condition of obtaining insurance coverage. Some health plans, however, requested clarification that health plan enrollment and eligibility can be conditioned on an authorization.

Response: We proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on an authorization for the use or disclosure of psychotherapy notes (see proposed § 164.508(a)(3)(iii)). We proposed to prohibit covered entities from conditioning treatment or payment on authorization for the use or disclosure of any other protected health information (see proposed § 164.508(a)(2)(iii)).

We resolve this inconsistency by clarifying in § 164.508(b)(4) that, with certain exceptions, a covered entity may not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on an authorization for the use or disclosure of any protected health information, including psychotherapy notes. We intend to minimize the potential for covered entities to coerce individuals into signing authorizations for the use or disclosure of protected health information when such information is not essential to carrying out the relationship between the individual and the covered entity.

Pursuant to that goal, we have created limited exceptions to the prohibition. First, a covered health care provider may condition research-related treatment of an individual on obtaining the individual’s authorization to use or disclose protected health information created for the research. Second, except with respect to psychotherapy notes, a health plan may condition the individual’s enrollment or eligibility in the health plan on obtaining an authorization for the use or disclosure of protected health information for making enrollment or eligibility determinations relating to the individual or for its underwriting or risk rating determinations. Third, a health plan may condition payment of a claim for specified benefits on obtaining an authorization under § 164.508(e) for disclosure to the plan of protected health information necessary to determine payment of the claim. Fourth, a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party (such as fitness-for-duty exams and physicals necessary to obtain life insurance coverage) on obtaining an authorization for the disclosure of the protected health information. We recognize that covered entities need protected health information in order to carry out these functions and provide services to the individual; therefore, we allow authorization for the disclosure of the protected health information to be a condition of obtaining the services.

We believe that we have prohibited covered entities from conditioning the services they provide to individuals on obtaining an authorization for uses and disclosures that are not essential to those services. Due to our limited authority, however, we cannot entirely prevent individuals from being coerced into signing these forms. We do not, for example, have the authority to prohibit an employer from requiring its employees to sign an authorization as a condition of employment. Similarly, a program such as the Job Corps may make such an authorization a condition of enrollment in the Job Corps program. While the Job Corps may include a health care component, the non-covered component of the Job Corps may require as a condition of enrollment that the individual authorize the health care component to disclose protected health information to the non-covered component. See § 164.504(b). However, we note that other nondiscrimination laws may limit the ability to condition these authorizations as well.

Comment: A Medicaid fraud control association stated that many states require or permit state Medicaid agencies to obtain an authorization for the use and disclosure of protected health information for payment purposes as a condition of enrolling an individual as a Medicaid recipient. The commenter, therefore, urged an exception to the prohibition on conditioning enrollment on obtaining an authorization.

Response: As explained above, under § 164.506(a)(4), health plans and other covered entities may seek the individual’s consent for the covered entity’s use and disclosure of protected health information to carry out treatment, payment, or health care operations. If the consent is sought in conjunction with enrollment, the health plan may condition enrollment in the plan on obtaining the individual’s consent.

Under § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information for payment purposes. If state law requires a Medicaid agency to obtain the individual’s authorization for providers to disclose protected health information to the Medicaid agency for payment purposes, the agency may do so under § 164.508(e). This authorization must not be a condition of enrollment or eligibility, but may be a condition of payment of a claim for specified benefits if the disclosure is necessary to determine payment of the claim.

Revocation of Authorizations

Comment: Many commenters supported the right to revoke an authorization. Some comments, however, suggested that we require authorizations to remain valid for a minimum period of time, such as one year or the duration of the individual’s enrollment in a health plan.

Response: We retain the right for individuals to revoke an authorization at any time, with certain exceptions. We believe this right is essential to ensuring that the authorization is voluntary. If an individual determines that an authorized use or disclosure is no longer in her best interest, she should be able to withdraw the authorization and prevent any further uses or disclosures.

Comment: Several commenters suggested that we not permit individuals to revoke an authorization if the revocation would prevent an investigation of material misrepresentation or fraud. Other commenters similarly suggested that we not permit individuals to revoke an authorization prior to a claim for benefits if the insurance was issued in reliance on the authorization.

Response: To address this concern, we include an additional exception to the right to revoke an authorization. Individuals do not have the right to revoke an authorization that was obtained as a condition of insurance coverage during any contestability


period under other law. For example, if a life insurer obtains the individual’s authorization for the use or disclosure of protected health information to determine eligibility or premiums under the policy, the individual does not have the right to revoke the authorization during any period of time in which the life insurer can contest a claim for benefits under the policy in accordance with state law. If an individual were able to revoke the authorization after enrollment but prior to making a claim, the insurer would be forced to pay claims without having the necessary information to determine whether the benefit is due. We believe the existing exception for covered entities that have acted in reliance on the authorization is insufficient to address this concern because it is another person, not the covered entity, that has acted in reliance on the authorization. In the life insurance example, it is the life insurer that has taken action (i.e., issued the policy) in reliance on the authorization. The life insurer is not a covered entity, therefore the covered entity exception is inapplicable.

Comment: Some comments suggested that a covered entity that had compiled, but not yet disclosed, protected health information would have already taken action in reliance on the authorization and could therefore disclose the information even if the individual revoked the authorization.

Response: We intend for covered entities to refrain from further using or disclosing protected health information to the maximum extent possible once an authorization is revoked. The exception exists only to the extent the covered entity has taken action in reliance on the authorization. If the covered entity has not yet used or disclosed the protected health information, it must refrain from doing so, pursuant to the revocation. If, however, the covered entity has already disclosed the information, it is not required to retrieve the information.

Comment: One comment suggested that the rule allow protected health

Comment: One commenter expressed concern as to whether the proposed rule’s standard to protect the protected health information about a deceased individual for two years would interfere with the payment of death benefit claims. The commenter asked that the regulation permit the beneficiary or payee under a life insurance policy to authorize disclosure of protected health information pertaining to the cause of death of a decedent or policyholder. Specifically, the commenter explained that when substantiating a claim a beneficiary, such as a fiancee or friend, may be unable to obtain the authorization required to release information to the insurer, particularly if, for example, the decedent’s estate does not require probate or if the beneficiary is not on good terms with the decedent’s next of kin. Further, the commenter stated that particularly in cases where the policyholder dies within two years of the policy’s issuance (within the policy’s contestable period) and the cause of death is uncertain, the insurer’s inability to access relevant protected health information would significantly interfere with claim payments and increase administrative costs.

Response: We do not believe this will be a problem under the final regulation, because we create an exception to the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. Thus, if a policyholder dies within the two year contestability period, the authorization the insurer obtained from the policyholder prior to death could not be revoked during the contestability period.

Core Elements and Requirements

Comment: Many commenters raised concerns about the required elements for a valid authorization. They argued that the requirements were overly

July 1977 Report of the Privacy Protection Study Commission recommended that authorizations obtained by insurance institutions include plain language, the date of authorization, and identification of the entities authorized to disclose information, the nature of the information to be disclosed, the entities authorized to receive information, the purpose(s) for which the information may be used by the recipients, and an expiration date.13 The Commission made similar recommendations concerning the content of authorizations obtained by health care providers.14 The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires authorizations to be in writing and include a description of the types of protected health information to be used or disclosed, the name and address of the person to whom the information is to be disclosed, the purpose of the authorization, the signature of the individual or the individual’s representative, and a statement that the individual may revoke the authorization at any time, subject to the rights of any person that acted in reliance on the authorization prior to revocation and provided the revocation is in writing, dated, and signed. Standards of the American Society for Testing and Materials recommend that authorizations identify the subject of the protected health information to be disclosed; the name of the person or institution that is to release the information; the name of each individual or institution that is to receive the information; the purpose or need for the information; the information to be disclosed; the specific date, event, or condition upon which the authorization will expire, unless revoked earlier; and the signature and date signed. They also recommend the authorization include a statement that the authorization can be revoked or amended, but not retroactive to a release made in reliance on the authorization.15
information to be only rented, not sold, burdensome and that covered entities Comment: Some commenters
because there can be no right to revoke should have greater flexibility to craft requested clarification that
authorization for disclosure of protected authorizations that meet their business authorizations ‘‘initiated by the
health information that has been sold. needs. Other commenters supported the individual’’ include authorizations
Response: We believe this limitation required elements as proposed because initiated by the individual’s
would be an unwarranted abrogation of the elements help to ensure that representative.
covered entities’ business practices and individuals make meaningful, informed 13 Privacy Protection Study Commission,
outside the scope of our authority. We choices about the use and disclosure of ‘‘Personal Privacy in an Information Society,’’ July
believe individuals should have the protected health information about 1977, p. 196–197.
right to authorize any uses or them. 14 Privacy Protection Study Commission,

disclosures they feel are appropriate. Response: As in the proposed rule, we ‘‘Personal Privacy in an Information Society,’’ July
We have attempted to create define specific elements that must be 1977, p. 315.
15 ASTM, ‘‘Standard Guide for Confidentiality,
authorization requirements that make included in any authorization. We draw Privacy, Access and Data Security, Principles for
the individual’s decisions as clear and on established laws and guidelines for Health Information Including Computer-Based
voluntary as possible. these requirements. For example, the Patient Records,’’ E 1869–97, § 12.1.4.

82660 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Response: In the final rule, we do not classify authorizations as those initiated by the individual versus those initiated by a covered entity. Instead, we establish a core set of elements and requirements that apply to all authorizations and require certain additional elements for particular types of authorizations initiated by covered entities.

Comment: Some commenters urged us to permit authorizations that designate a class of entities, rather than specifically named entities, that are authorized to use or disclose protected health information. Commenters made similar recommendations with respect to the authorized recipients. Commenters suggested these changes to prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the same purpose.

Response: We agree. Under § 164.508(c)(1), we require authorizations to identify both the person(s) authorized to use or disclose the protected health information and the person(s) authorized to receive protected health information. In both cases, we permit the authorization to identify either a specific person or a class of persons.

Comment: Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.

Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.

Comment: Some commenters requested that we permit covered entities to use and disclose protected health information pursuant to verbal authorizations.

Response: To ensure compliance and mutual understanding between covered entities and individuals, we require all authorizations to be in writing.

Comment: Some commenters asked whether covered entities can rely on copies of authorizations rather than the original. Other comments asked whether covered entities can rely on the assurances of a third party, such as a government entity, that a valid authorization has been obtained to use or disclose protected health information. These commenters suggested that such procedures would promote the timely provision of benefits for programs that require the collection of protected health information from multiple sources, such as determinations of eligibility for disability benefits.

Response: Covered entities must obtain the individual’s authorization to use or disclose protected health information for any purpose not otherwise permitted or required under this rule. They may obtain this authorization directly from the individual or from a third party, such as a government agency, on the individual’s behalf. In accordance with the requirements of § 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities must, therefore, obtain the authorization in writing. They may not rely on assurances from others that a proper authorization exists. They may, however, rely on copies of authorizations if doing so is consistent with other law.

Comment: We requested comments on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is whom she or he purports to be. Some commenters stated that it would be extremely difficult to verify the identity of the person signing the authorization, particularly when the authorization is not obtained in person. Other comments recommended requiring authorizations to be notarized.

Response: To reduce burden on covered entities, we are not requiring verification of the identities of individuals signing authorization forms or notarization of the forms.

Comment: A few commenters asked for clarification regarding the circumstances in which a covered entity may consider a non-response as an authorization.

Response: Non-responses to requests for authorizations cannot be considered authorizations. Authorizations must be signed and have the other elements of a valid authorization described above.

Comment: Most commenters generally supported the requirement for an expiration date on the authorization. Commenters recommended expiration dates from 6 months to 3 years and/or proposed that the expiration be tied to an event such as duration of enrollment or when an individual changes health plans. Others requested no expiration requirement for some or all authorizations.

Response: We have clarified that an authorization may include an expiration date in the form of a specific date, a specific time period, or an event directly related to the individual or the purpose of the authorization. For example, a valid authorization could expire upon the individual’s disenrollment from a health plan or upon termination of a research project. We prohibit an authorization from having an indeterminate expiration date.

These changes were intended to address situations in which a specific date for the termination of the purpose for the authorization is difficult to determine. An example may be a research study where it may be difficult to predetermine the length of the project.

Comment: A few commenters requested that the named insured be permitted to sign an authorization on behalf of dependents.

Response: We disagree with the commenter that a named insured should always be able to authorize uses and disclosures for other individuals in the family. Many dependents under group health plans have their own rights under this rule, and we do not assume that one member of a family has the authority to authorize uses or disclosures of the protected health information of other family members. A named insured may sign a valid authorization for an individual if the named insured is a personal representative for the individual in accordance with § 164.502(g). The determination of whether an individual is a personal representative under this rule is based on other applicable law that determines when a person can act on behalf of an individual in making decisions related to health care. This rule limits a person’s rights and authorities as a personal representative to only the protected health information relevant to the matter for which he or she is a personal representative under other law. For example, a parent may be a personal representative of a child for most health care treatment and payment decisions under state law. In that case, a parent, who is a named insured for her minor child, would be able to provide authorization with respect to most protected health information about her dependent child. However, a wife who is the named insured for her husband who is a dependent under a health insurance policy may not be a personal representative for her husband under other law or may be a personal representative only for limited purposes, such as for making decisions regarding payment of disputed claims. In this case, she may have limited authority to access protected health information related to the payment of disputed claims, but would not have the authority to authorize that her husband’s information be used for


marketing purposes, absent any other authority to act for her husband. See § 164.502(g) for more information regarding personal representatives.

Comment: One commenter suggested that authorizations should be dated on the day they are signed.

Response: We agree and have retained this requirement in the final rule.

Additional Elements and Requirements for Authorizations Requested by the Covered Entity for Its Own Uses and Disclosures

Comment: Some commenters suggested that we should not require different elements in authorizations initiated by the covered entity versus authorizations initiated by the individual. The commenters argued the standards were unnecessary, confusing, and burdensome.

Response: The proposed authorization requirements are intended to ensure that an individual’s authorization is truly voluntary. The additional elements required for authorizations initiated by the covered entity for its own uses and disclosures or for receipt of protected health information from other covered entities to carry out treatment, payment, or health care operations address concerns that are unique to these forms of authorization. (See above regarding requirements for research authorizations under § 164.508(f).)

First, when applicable, these authorizations must state that the covered entity will not condition treatment, payment, eligibility, or enrollment on the individual’s providing authorization for the requested use or disclosure. This statement is not appropriate for authorizations initiated by the individual or another person who does not have the ability to withhold services if the individual does not authorize the use or disclosure.

Second, the authorization must state that the individual may refuse to sign the authorization. This statement is intended to signal to the individual that the authorization is voluntary and may not be accurate if the authorization is obtained by a person other than a covered entity.

Third, these authorizations must describe the purpose of the use or disclosure. We do not include this element in the core requirements because we understand there may be times when the individual does not want the covered entity maintaining the protected health information to know the purpose for the use or disclosure. For example, an individual contemplating litigation may not want the covered entity to know that litigation is the purpose of the disclosure. If the covered entity is initiating the authorization for its own use or disclosure, however, the individual and the covered entity maintaining the protected health information should have a mutual understanding of the purpose of the use or disclosure. Similarly, when a covered entity is requesting authorization for a disclosure by another covered entity that may have already obtained the individual’s consent for the disclosure, the individual and covered entity that maintains the protected health information should be aware of this potential conflict.

There are two additional requirements for authorizations requested by a covered entity for its own use or disclosure of protected health information it maintains. First, we require the covered entity to describe the individual’s right to inspect or copy the protected health information to be used or disclosed. Individuals may want to review the information to be used or disclosed before signing the authorization and should be reminded of their ability to do so. This requirement is not appropriate for authorizations for a covered entity to receive protected health information from another covered entity, however, because the covered entity requesting the authorization is not the covered entity that maintains the protected health information and cannot, therefore, grant or describe the individual’s right to access the information.

If applicable, we also require a covered entity that requests an authorization for its own use or disclosure to state that the use or disclosure of the protected health information will result in direct or indirect remuneration to the entity. Individuals should be aware of any conflicts of interest or financial incentives on the part of the covered entity requesting the use or disclosure. These statements are not appropriate, however, in relation to uses and disclosures to carry out treatment, payment, and health care operations. Uses and disclosures for these purposes will often involve remuneration by the nature of the use or disclosure, not due to any conflict of interest on the part of either covered entity.

We note that authorizations requested by a covered entity include authorizations requested by the covered entity’s business associate on the covered entity’s behalf. Authorizations requested by a business associate on the covered entity’s behalf and that authorize the use or disclosure of protected health information by the covered entity or the business associate must meet the requirements in § 164.508(d). Similarly, authorizations requested by a business associate on behalf of a covered entity to accomplish the disclosure of protected health information to that business associate or covered entity as described in § 164.508(e) must meet the requirements of that provision.

We disagree that these elements are unnecessary, confusing, or burdensome. We require them to ensure that the individual has a complete understanding of what he or she is agreeing to permit.

Comment: Many commenters suggested we include in the regulation text a provision stated in the preamble that entities and their business partners must limit their uses and disclosures to the purpose(s) specified by the individual in the authorization.

Response: We agree. In accordance with § 164.508(a)(1), covered entities may only use or disclose protected health information consistent with the authorization. In accordance with § 164.504(e)(2), a business associate may not make any uses or disclosures that the covered entity couldn’t make.

Comment: Some comments suggested that authorizations should identify the source and amount of financial gain, if any, resulting from the proposed disclosure. Others suggested that the proposed financial gain requirements were too burdensome and would decrease trust between patients and providers. Commenters recommended that the requirement either should be eliminated or should only require covered entities, when applicable, to state that direct and foreseeable financial gain to the covered entity will result. Others requested clarification of how the requirement for covered entities to disclose financial gain relates to the criminal penalties that accrue for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Some commenters advocated use of the term "financial compensation" rather than "financial gain" to avoid confusion with in-kind compensation rules. Some comments additionally suggested excluding marketing uses and disclosures from the requirements regarding financial gain.

Response: We agree that clarification is warranted. In § 164.508(d)(1)(iv) of the final rule, we require a covered entity that asks an individual to sign an authorization for the covered entity’s use or disclosure of protected health information and that will receive direct


or indirect remuneration from a third party for the use or disclosure, to state that fact in the authorization. Remuneration from a third party includes payments such as a fixed price per disclosure, compensation for the costs of compiling and sending the information to be disclosed, and, with respect to marketing communications, a percentage of any sales generated by the marketing communication. For example, a device manufacturer may offer to pay a fixed price per name and address of individuals with a particular diagnosis, so that the device manufacturer can market its new device to people with the diagnosis. The device manufacturer may also offer the covered entity a percentage of the profits from any sales generated by the marketing materials sent. If a covered entity seeks an authorization to make such a disclosure, the authorization must state that the remuneration will occur. We believe individuals should have the opportunity to weigh the covered entity’s potential conflict of interest when deciding to authorize the covered entity’s use or disclosure of protected health information. We believe that the term "remuneration from a third party" clarifies our intent to describe a direct, tangible exchange, rather than the mere fact that parties intend to profit from their enterprises.

Comment: One commenter suggested we require covered entities to request authorizations in a manner that does not in itself disclose sensitive information.

Response: We agree that covered entities should make reasonable efforts to avoid unintentional disclosures. In § 164.530(c)(2), we require covered entities to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations.

Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization.

Comment: Some commenters suggested that the final rule prohibit financial incentives, such as premium discounts, designed to encourage individuals to sign authorizations.

Response: We do not prohibit or require financial incentives for authorizations. We have attempted to ensure that authorizations are entered into voluntarily. If a covered entity chooses to offer a financial incentive for the individual to sign the authorization, and the individual chooses to accept it, they are free to do so.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object

Section 164.510(a)—Use and Disclosure for Facility Directories

Comment: Many hospital organizations opposed the NPRM’s proposed opt-in approach to disclosure of directory information. These groups noted the preamble’s statement that most patients welcomed the convenience of having their name, location, and general condition included in the patient directory. They said that requiring hospitals to obtain authorization before including patient information in the directory would cause harm to many patients’ needs in an effort to serve the needs of the small number of patients who may not want their information to be included. Specifically, they argued that the proposed approach ultimately could have the effect of making it difficult or impossible for clergy, family members, and florists to locate patients for legitimate purposes. In making this argument, commenters pointed to problems that occurred after enactment of privacy legislation in the State of Maine in 1999. The legislation, which never was officially implemented, was interpreted by hospitals to prohibit disclosure of patient information to directories without written consent. As a result, when hospitals began complying with the law based on their interpretation, family members and clergy had difficulty locating patients in the hospital.

Response: We share commenters’ concern about the need to ensure that family members and clergy who have a legitimate need to locate patients are not prevented from doing so by excessively stringent restrictions on disclosure of protected health information to health care facilities’ directories. Accordingly, the final rule takes an opt-out approach, stating that health care institutions may include the name, general condition, religious affiliation, and location of a patient within the facility in the facility’s directory unless the patient explicitly objects to the use or disclosure of protected health information for directory purposes. To ensure that this opt-out can be exercised, the final rule requires facilities to notify individuals of their right not to be included in the directory and to give them the opportunity to opt out. The final rule indicates that the notice and opt-out may be oral. The final rule that allows health care facilities to disclose to clergy the four types of protected health information specified above without requiring the clergy to ask for the individual by name will allow the clergy to identify the members of his or her faith who are in the facility, thus ensuring that this rule will not significantly interfere with the exercise of religion, including the clergy’s traditional religious mission to provide services to individuals.

Comment: A small number of commenters recommended requiring written authorization for all disclosures of protected health information for directory purposes. These commenters believed that the NPRM’s proposed provision allowing oral agreement would not provide sufficient privacy protection; that it did not sufficiently hold providers accountable for complying with patient wishes; and that it could create liability issues for providers.

Response: The final rule does not require written authorization for disclosure of protected health information for directory purposes. We believe that requiring written authorization in these cases would increase substantially the administrative burdens and costs for covered health care providers and could lead to significant inconvenience for families and others attempting to locate individuals in health care institutions. Experience from the State of Maine suggests that requiring written authorization before patient information may be included in facility directories


can be disruptive for providers, families, clergy, and others.

Comment: Domestic violence organizations raised concerns that including information about domestic violence victims in health care facilities’ directories could result in further harm to victims. The NPRM addressed the issue of potential danger to patients by stating that when patients were incapacitated, covered health care providers could exercise discretion—consistent with good medical practice and prior expression of patient preference—regarding whether to disclose protected health information for directory purposes. Several commenters recommended prohibiting providers from including information in a health care facility’s directory about incapacitated individuals when the provider reasonably believed that the injuries to the individual could have been caused by domestic violence. These groups believed that such a prohibition was necessary to prevent abusers from locating and causing further harm to domestic violence patients.

Response: We share commenters’ concerns about protecting victims of domestic violence from further abuse. We are also concerned, however, that imposing an affirmative duty on institutions not to disclose information any time injuries to the individual could have been the result of domestic violence would place too high a burden on health care facilities, essentially requiring them to rule out domestic violence as a potential cause of the injuries before disclosing to family members that an incapacitated person is in the institution.

We do believe, however, that it is appropriate to require covered health care providers to consider whether including the individual’s name and location in the directory could lead to serious harm. As in the preamble to the NPRM, in the preamble to the final rule, we encourage covered health care providers to consider several factors when deciding whether to include an incapacitated patient’s information in a health care facility’s directory. One of these factors is whether disclosing an individual’s presence in the facility could reasonably cause harm or danger to the individual (for example, if it appeared that an unconscious patient had been abused and disclosing that the individual is in the facility could give the attacker sufficient information to seek out the person and repeat the abuse). Under the final rule, when the opportunity to object to uses and disclosures for a facility’s directory

an individual’s incapacity or an emergency treatment circumstance, covered health care providers may use or disclose some or all of the protected health information that the rule allows to be included in the directory, if the disclosure is: (1) consistent with the individual’s prior expressed preference, if known to the covered health care provider; and (2) in the individual’s best interest, as determined by the covered health care provider in the exercise of professional judgement. The rule allows covered health care providers making decisions about incapacitated patients to include some portions of the patient’s information (such as name) but not other information (such as location in the facility) to protect patient interests.

Section 164.510(b)—Uses and Disclosures for Involvement in the Individual’s Care and Notification Purposes

Comment: A number of comments supported the NPRM’s proposed approach, which would have allowed covered entities to disclose protected health information to the individual’s next of kin, family members, or other close personal friends when the individual verbally agreed to the disclosure. These commenters agreed that the presumption should favor disclosures to the next of kin, and they believed that health care providers should encourage individuals to share genetic information and information about transmittable diseases with family members at risk. Others agreed with the general approach but suggested the individual’s agreement be noted in the medical record. These commenters also supported the NPRM’s proposed reliance on good professional practices and ethics to determine when disclosures should be made to the next of kin when the individual’s agreement could not practicably be obtained.

A few commenters recommended that the individual’s agreement be in writing for the protection of the covered entity and to facilitate the monitoring of compliance with the individual’s wishes. These commenters were concerned that, absent the individual’s written agreement, the covered entity would become embroiled in intra-family disputes concerning the disclosures. Others argued that the individual’s authorization should be obtained for all disclosures, even to the next of kin. One commenter favored disclosures to family members and others unless the individual actively objected, as long as the disclosure was consistent with sound professional practice. Others believed that no agreement by the

sensitive medical information would be disclosed or unless the health care provider was aware of the individual’s prior objection. These commenters recommended that good professional practice and ethics determine when disclosures were appropriate and that disclosure should relate only to the individual’s current treatment. A health care provider organization said that the ethical and legal obligations of the medical professional alone should control in this area, although it believed the proposed rule was generally consistent with these obligations.

Response: The diversity of comments regarding the proposal on disclosures to family members, next of kin, and other persons, reflects a wide range of current practice and individual expectations. We believe that the NPRM struck the proper balance between the competing interests of individual privacy and the need that covered health care providers may have, in some cases, to have routine, informal conversations with an individual’s family and friends regarding the individual’s treatment. We do not agree with the comments stating that all such disclosures should be made only with consent or with the individual’s written authorization. The rule does not prohibit obtaining the agreement of the individual in writing; however, we believe that imposing a requirement for consent or written authorization in all cases for disclosures to individuals involved in a person’s care would be unduly burdensome for all parties. In the final rule, we clarify the circumstances in which such disclosures are permissible. The rule allows covered entities to disclose to family members, other relatives, close personal friends of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care. In addition, the final rule allows covered entities to use or disclose protected health information to notify, or assist in the notification of (including identifying or locating) a family member, a personal representative of the individual, or another person responsible for the care of the individual, of the individual’s location, general condition, or death. The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and can make his or her own decisions, a covered entity may disclose protected health information only if the
cannot practicably be provided due to individual was necessary unless covered entity: (1) Obtains the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00203 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82664 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

individual's agreement to disclose to the third parties involved in the individual's care; (2) provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgement, that the individual does not object to the disclosure. The final rule continues to permit disclosures in circumstances when the individual is not present or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual's incapacity or an emergency circumstance. In such instances, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care.

As discussed in the preamble for this section, we do not intend to disrupt most covered entities' current practices with respect to informing family members and others with whom a patient has a close personal relationship about a patient's specific health condition when a patient is incapacitated due to a medical emergency and the family member or close personal friend comes to the covered entity to ask about the patient's condition. To the extent that disclosures to family members and others in these situations currently are allowed under state law and covered entities' own rules, § 164.510(b) allows covered entities to continue making them in these situations, consistent with the exercise of professional judgement as to the patient's best interest. As indicated in the preamble above, this section is not intended to provide a loophole for avoiding the rule's other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity's health status.

Comments: A few comments supported the NPRM approach because it permitted the current practice of allowing someone other than the patient to pick up prescriptions at pharmacies. One commenter noted that this practice occurs with respect to 25–40% of the prescriptions dispensed by community retail pharmacies. These commenters strongly supported the proposal's reliance on the professional judgement of pharmacists in allowing others to pick up prescriptions for bedridden or otherwise incapacitated patients, noting that in most cases it would be impracticable to verify that the person was acting with the individual's permission. Two commenters requested that the rule specifically allow this practice. One comment opposed the practice of giving prescriptions to another person without the individual's authorization, because a prescription implicitly could disclose medical information about the individual.

Response: As stated in the NPRM, we intended for this provision to authorize pharmacies to dispense prescriptions to family or friends who are sent by the individual to the pharmacy to pick up the prescription. We believe that stringent consent or verification requirements would place an unreasonable burden on numerous transactions. In addition, such requirements would be contrary to the expectations and preferences of all parties to these transactions. Although prescriptions are protected health information under the rule, we believe that the risk to individual privacy in allowing this practice to continue is minimal. We agree with the suggestion that the final rule should state explicitly that pharmacies have the authority to operate in this manner. Therefore, we have added a sentence to § 164.510(b)(3) allowing covered entities to use professional judgement and experience with common practice to make reasonable inferences of an individual's best interest in allowing a person to act on the individual's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. In such situations, as when making disclosures of protected health information about an individual who is not present or is unable to agree to such disclosures, covered entities should disclose only information which directly relates to the person's involvement in the individual's current health care. Thus, when dispensing a prescription to a friend who is picking it up on the patient's behalf, the pharmacist should not disclose unrelated health information about medications that the patient has taken in the past which could prove embarrassing to the patient.

Comment: We received a few comments that misunderstood the provision as addressing disclosures related to deceased individuals.

Response: We understand that use of the term next of kin in this section may cause confusion. To promote clarity in the final rule, we eliminate the term "next of kin," as well as the term's proposed definition. In the final rule, we address comments on next of kin and the deceased in the section on disclosure of protected health information about deceased individuals in § 164.512(g).

Comments: A number of commenters expressed concern for the interaction of the proposed section with state laws. Some of these comments interpreted the NPRM's use of the term next of kin as referring to individuals with health care power of attorney and thus they believed that the proposed rule's approach to next of kin was inappropriately informal and in conflict with state law. Others noted that some state laws did not allow health care information to be disclosed to family or friends without consent or other authorization. One commenter said that case law may be evolving toward imposing a more affirmative duty on health care practitioners to inform next of kin in a variety of circumstances. One commenter noted that state laws may not define clearly who is considered to be the next of kin.

Response: The intent of this provision was not to interfere with or change current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of or make treatment decisions related to individuals. While persons with health care powers of attorney could have access to protected health information under the personal representatives provision (§ 164.502(g)), and covered entities may disclose to such persons under this provision, such disclosures do not give these individuals substantive authority to act for or on behalf of the individual with respect to health care decisions. State law requirements regarding health care powers of attorney continue to apply.

The comments suggesting that state laws may not allow the disclosures otherwise permitted by this provision or, conversely, that they may impose a more affirmative duty, did not provide any specifics with which to judge the effect of such laws. In general, however, state laws that are more protective of an individual's privacy interests than the rule by prohibiting a disclosure of protected health information continue to apply. The rule's provisions regarding disclosure of protected health information to family or friends of the individual are permissive only, enabling covered entities to abide by more stringent state laws without violating our rules. Furthermore, if the state law creates an affirmative and binding legal obligation on the covered entity to make disclosures to family or other persons under specific circumstances, the final rule allows covered entities to comply
with these legal obligations. See § 164.512(a).

Comments: A number of commenters supported the proposal to limit disclosures to family or friends to the protected health information that is directly relevant to that person's involvement in the individual's health care. Some comments suggested that this standard apply to all disclosures to family or friends, even when the individual has agreed to or not objected to the disclosure. One commenter objected to the proposal, stating that it would be too difficult to administer. According to this comment, it is accepted practice for health care providers to communicate with family and friends about an individual's condition, regardless of whether the person is responsible for or otherwise involved in the individual's care.

Other comments expressed concern for disclosures related to particular types of information. For example, two commenters recommended that psychotherapy notes not be disclosed without patient authorization. One commenter suggested that certain sensitive medical information associated with social stigma not be disclosed to family members or others without patient consent.

Response: We agree with commenters who advocated limiting permissible disclosures to relatives and close personal friends to information consistent with a person's involvement in the individual's care. Under the final rule, we clarify the NPRM provision to state that covered entities may disclose protected health information to family members, relatives, or close personal friends of an individual or any other person identified by the individual, to the extent that the information directly relates to the person's involvement in the individual's current health care. It is not intended to allow disclosure of past medical history that is not relevant to the individual's current condition. In addition, as discussed above, we do not intend to disrupt covered entities' current practices with respect to disclosing specific information about a patient's condition to family members or others when the individual is incapacitated due to a medical emergency and the family member or other individual comes to the covered entity seeking specific information about the patient's condition. For example, this section allows a hospital to disclose to a family member the fact that a patient had a heart attack, and to provide updated information to the family member about the patient's progress and prognosis during his or her period of incapacity.

We agree with the recommendation to require written authorization for a disclosure of psychotherapy notes to family, close personal friends, or others involved in the individual's care. As discussed below, the final rule allows disclosure of psychotherapy notes without authorization in a few limited circumstances; disclosure to individuals involved in a person's care is not among those circumstances. See § 164.508 for a further discussion of the final rule's provisions regarding disclosure of psychotherapy notes.

We do not agree, however, with the suggestion to treat some medical information as more sensitive than others. In most cases, individuals will have the opportunity to prohibit or limit such disclosures. For situations in which an individual is unable to do so, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care.

Comment: One commenter suggested that this provision should allow disclosure of protected health information to the clergy and to the Red Cross. The commenter noted that clergy have ethical obligations to ensure confidentiality and that the Red Cross often notifies the next of kin regarding an individual's condition in certain circumstances. Another commenter recommended allowing disclosures to law enforcement for the purpose of contacting the next of kin of individuals who have been injured or killed. One commenter sought clarification that "close personal friend" was intended to include domestic partners and same-sex couples in committed relationships.

Response: As discussed above, § 164.510(a) allows covered health care providers to disclose to clergy protected health information from a health care facility's directory. Under § 164.510(b), an individual may identify any person, including clergy, as involved in his or her care. This approach provides more flexibility than the proposed rule would have provided.

As discussed in the preamble of the final rule, this provision allows disclosures to domestic partners and others in same-sex relationships when such individuals are involved in an individual's care or are the point of contact for notification in a disaster. We do not intend to change current practices with respect to involvement of others in an individual's treatment decisions; informal information-sharing among persons involved; or the sharing of protected health information during a disaster. As noted above, a power of attorney or other legal relationship to an individual is not necessary for these informal discussions about the individual for the purpose of assisting in or providing a service related to the individual's care.

We agree with the comments noting that the Red Cross and other organizations may play an important role in locating and communicating with the family about individuals injured or killed in an accident or disaster situation. Therefore, the final rule includes new language, in § 164.510(b)(4), which allows covered entities to use or disclose protected health information to a public or private entity authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities to notify, or assist in the notification of (including identifying or locating) a family member, an individual's personal representative, or another person responsible for the individual's care regarding the individual's location, general condition, or death. The Red Cross is an example of a private entity that may obtain protected health information pursuant to these provisions. We recognize the role of the Red Cross and similar organizations in disaster relief efforts, and we encourage cooperation with these entities in notification efforts and other means of assistance.

Comment: One commenter recommended stating that individuals who are mentally retarded and unable to agree to disclosures under this provision do not, thereby, lose their access to further medical treatment. This commenter also proposed stating that mentally retarded individuals who are able to provide agreement have the right to control the disclosure of their protected health information. The commenter expressed concern that the parent, relative, or other person acting in loco parentis may not have the individual's best interest in mind in seeking or authorizing for the individual the disclosure of protected health information.

Response: The final rule regulates only uses and disclosures of protected health information, not the delivery of health care. Under the final rule's section on personal representatives (§ 164.502(g)), a person with authority to make decisions about the health care of an individual, under applicable law, may make decisions about the protected health information of that individual, to the extent that the protected health information is relevant to such person's representation.
In the final rule, § 164.510(b) may apply to permit disclosures to a person other than a personal representative. Under § 164.510(b), when an individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual's agreement to disclose protected health information to the third parties involved in the individual's care; (2) provides the individual with an opportunity to object to such disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. These conditions apply to disclosure of protected health information about individuals with mental retardation as well as to disclosures about all other individuals. Thus we do not believe it is necessary to include in this section of the final rule any language specifically on persons with mental retardation.

Comments: A few commenters recommended that disclosures made in good faith to the family or friends of the individual not be subject to sanctions by the Secretary, even if the covered entity had not fully complied with the requirements of this provision. One commenter believed that a fear of sanction would make covered entities overly cautious, such that they would not disclose protected health information to domestic partners or others not recognized by law as next of kin. Another commenter recommended that sanctions not be imposed if the covered entity has proper policies in place and has trained its staff appropriately. According to this commenter, the lack of documentation of disclosures in a particular case or medical record should not subject the entity to sanctions if the information was disclosed in good faith.

Response: We generally agree with commenters regarding disclosure in good faith pursuant to this provision. As discussed above, the final rule expands the scope of individuals to whom covered entities may disclose protected health information pursuant to this section. In addition, we delete the term next of kin, to avoid the appearance of requiring any legal determination of a person's relationship in situations involving informal disclosures. Similarly, consistent with the informal nature of disclosures pursuant to this section, we do not require covered entities to document such disclosures. If a covered entity imposes its own documentation requirements and a particular covered health care provider does not follow the entity's documentation requirements, the disclosure is not a violation of this rule.

Comments: The majority of comments on this provision were from individuals and organizations concerned about domestic violence. Most of these commenters wanted assurance that domestic violence would be a consideration in any disclosure to the spouse or relatives of an individual whom the covered entity suspected to be a victim of domestic violence or abuse. In particular, these commenters recommended that disclosures not be made to family members suspected of being the abuser if to do so would further endanger the individual. Commenters believed that this limitation was particularly important when the individual was unconscious or otherwise unable to object to the disclosures.

Response: We agree with the comments that victims of domestic violence and other forms of abuse need special consideration in order to avoid further harm, and we provide for discretion of a covered entity to determine that protected health information not be disclosed pursuant to § 164.510(b). Section 164.510(b) of the final rule, disclosures to family or friends involved in the individual's care, states that when an individual is unable to agree or object to the disclosure due to incapacity or another emergency situation, a covered entity must determine based on the exercise of professional judgment whether it is in the individual's best interest to disclose the information. As stated in the preamble, we intend for this exercise of professional judgment in the individual's best interest to account for the potential for harm to the individual in cases involving domestic violence. These circumstances are unique and are best decided by a covered entity, in the exercise of professional judgment, in each situation rather than by a blanket rule.

Section 164.512—Uses and Disclosures for Which Consent, Authorization, or Opportunity to Agree or Object Is Not Required

Section 164.512(a)—Uses and Disclosures Required by Law

Comment: Numerous commenters addressed directly or by implication the question of whether the provision permitting uses and disclosures of protected health information if required by other law was necessary. Other commenters generally endorsed the need for such a provision. One such commenter approved of the provision as a needed fail-safe mechanism should the enumeration of permissible uses and disclosures of protected health information in the NPRM prove to be incomplete. Other commenters cited specific statutes which required access to protected health information, arguing that such a provision was necessary to ensure that these legally mandated disclosures would continue to be permitted. For example, some commenters argued for continued access to protected health information to investigate and remedy abuse and neglect as currently required by the Developmental Disabilities Assistance and Bill of Rights, 42 U.S.C. 6042, and the Protection and Advocacy for Mentally Ill Individuals Act, 42 U.S.C. 10801.

Some comments urged deletion of the provision for uses and disclosures required by other law. This concern appeared to be based on a generalized concern that the provision fostered government intrusion into individual medical information.

Finally, a number of commenters also urged that the required by law provision be deleted. These commenters argued that the proposed provision would have undermined the intent of the statute to preempt state laws which were less protective of individual privacy. As stated in these comments, the provision for uses and disclosures required by other law was "broadly written and could apply to a variety of state laws that are contrary to the proposed rule and less protective of privacy. (Indeed, a law requiring disclosure is the least protective of privacy since it allows for no discretion.) The breadth of this provision greatly exceeds the exceptions to preemption contained in HIPAA."

Response: We agree with the comments that proposed § 164.510(n) was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information. Therefore, in the final rule, the provision permitting uses and disclosures as required by other law is retained. To accommodate other reorganization of the final rule, this provision has been designated as § 164.512(a).

We do not agree with the comments expressing concern for increased governmental intrusion into individual privacy under this provision. The final rule does not create any new duty or obligation to disclose protected health information. Rather, it permits covered entities to use or disclose protected health information when they are required by law to do so.
We likewise disagree with the characterization of the proposed provision as inconsistent with or contrary to the preemption standards in the statute or Part 160 of the rule. As described in the NPRM, we intend this provision to preserve access to information considered important enough by state or federal authorities to require its disclosure by law.

The importance of these required uses or disclosures is evidenced by the legislative or other public process necessary for the government to create a legally binding obligation on a covered entity. Furthermore, such required uses and disclosures arise in a myriad of other areas of law, ranging from topics addressing national security (uses and disclosures to obtain security clearances), to public health (reporting of communicable diseases), to law enforcement (disclosures of gun shot wounds). Required uses and disclosures also may address broad national concerns or particular regional or state concerns. It is not possible, or appropriate, for HHS to reassess the legitimacy of or the need for each of these mandates in each of their specialized contexts. In some cases where particular concerns have been raised by legal mandates in other laws, we allow disclosure as required by law, and we establish additional requirements to protect privacy (for example, informing the individual as required in § 164.512(c)) when covered entities make a legally mandated disclosure.

We also disagree with commenters who suggest that the approach in the final rule is contrary to the preemption provisions in HIPAA. HIPAA provides HHS with broad discretion in fashioning privacy protections. Recognizing the legitimacy of existing legal requirements is certainly within the Secretary's discretion. Additionally, given the variety of these laws, the varied contexts in which they arise, and their significance in ensuring that important public policies are achieved, we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation.

Comment: A number of commenters urged that the provision permitting uses and disclosures required by other law be amended by deleting the last sentence which stated: "This paragraph does not apply to uses or disclosures that are covered by paragraphs (b) through (m) of this section." Some commenters sought deletion of this sentence to avoid any inadvertent preemption of mandatory reporting laws, and requested clarification of the effect on specific statutes.

The majority of the commenters focused their concerns on the potential conflict between mandatory reporting laws to law enforcement and the limitations imposed by proposed § 164.510(f), on uses and disclosures to law enforcement. For example, the comments raised concerns that mandatory reporting to law enforcement of injuries resulting from violent acts and abuse requires the health care provider to initiate such reports to local law enforcement or other state agencies, while the NPRM would have allowed such reporting on victims of crimes only in response to specific law enforcement requests for information. Similarly, mandatory reports of violence-related injuries may implicate suspected perpetrators, as well as victims, and compliance with such laws could be blocked by the proposed requirement that disclosures about suspects were similarly limited to a response to law enforcement inquiries for the specific purpose of identifying the suspect. The NPRM also would have limited the type of protected health information that could have been disclosed about a suspect or fugitive.

In general, commenters sought to resolve this overlap by removing the condition that the required-by-other-law provision applied only when no other national priority purpose addressed the particular use or disclosure. The suggested change would permit the covered entity to comply with legally mandated uses and disclosures as long as the relevant requirements of that law were met. Alternatively, other commenters suggested that the restrictions on disclosures to law enforcement be lifted to permit full compliance with laws requiring reporting for these purposes.

Finally, some comments sought clarification of when a use or disclosure was "covered by paragraphs (b) through (m)." These commenters were confused as to whether a particular use or disclosure had to be specifically addressed by another provision of the rule or simply within the scope of one of the national priority purposes specified by proposed paragraphs (b) through (m).

Response: We agree with the commenters that the provision as proposed would have inadvertently interfered with many state and federal laws mandating the reporting to law enforcement or others of protected health information.

In response to these comments, we have modified the final rule to clarify how this section interacts with the other provisions in the rule.

Comment: A number of commenters sought expanded authority to use and disclose protected health information when permitted by other law, not just when required by law. These comments specified a number of significant duties or potential societal benefits from disclosures currently permitted or authorized by law, and they expressed concern should these beneficial uses and disclosures no longer be allowed if not specifically recognized by the rule. For example, one commenter listed 25 disclosures of health records that are currently permitted, but not required, by state law. This commenter was concerned that many of these authorized uses and disclosures would not be covered by any of the national priority purposes specified in the NPRM, and, therefore, would not be a permissible use or disclosure under the rule. To preserve these important uses and disclosures, the comments recommended that provision be made for any use or disclosure which is authorized or permitted by other law.

Response: We do not agree with the comments that seek general authority to use and disclose protected health information as permitted, but not required, by other law. The uses and disclosures permitted in the final rule reflect those purposes and circumstances which we believe are of sufficient national importance or relevance to the needs of the health care system to warrant the use or disclosure of protected health information in the absence of either the individual's express authorization or a legal duty to make such use or disclosure. In permitting specific uses and disclosures that are not required by law, we have considered the individual privacy interests at stake in each area and crafted conditions or limitations in each identified area as appropriate to balance the competing public purposes and individual privacy needs. A general rule authorizing any use or disclosure that is permitted, but not required, by other law would undermine the careful balancing in the final rule.

In making this judgment, we have distinguished between laws that mandate uses or disclosures and laws that merely permit them. In the former case, jurisdictions have determined that public policy purposes cannot be achieved absent the use of certain protected health information, and we have chosen in general not to disturb their judgments. On the other hand, where jurisdictions have determined that certain protected health information is not necessary to achieve
a public policy purpose, and only have permitted its use or disclosure, we do not believe that those judgments reflect an interest in use or disclosure strong enough to override the Congressional goal of protecting privacy rights. Moreover, the comments failed to present any compelling circumstance to warrant such a general provision.

Despite commenters' concerns to the contrary, most of the beneficial uses and disclosures that the commenters referenced to support a general provision were, in fact, uses or disclosures already permissible under the rule. For example, the general statutory authorities relied on by one state health agency to investigate disease outbreaks or to comply with health data-gathering guidelines for reporting to certain federal agencies are permissible disclosures to public health agencies.

Finally, in the final rule, we add new provisions to § 164.512 to address three examples raised by commenters of uses and disclosures that are authorized or permitted by law, but may not be required by law. First, commenters expressed concern for the states that provide for voluntary reporting to law enforcement or state protective services of domestic violence or of abuse, neglect or exploitation of the elderly or other vulnerable adults. As discussed below, a new section, § 164.512(c), has been added to the final rule to specifically address uses and disclosures of protected health information in cases of abuse, neglect, or domestic violence. Second, commenters were concerned about state or federal laws that permitted coordination and cooperation with organizations or entities involved in cadaveric organ, eye, or tissue donation and transplantation. In the final rule, we add a new section, § 164.512(h), to permit disclosures to facilitate such donation and transplantation functions. Third, a number of commenters expressed concern for uses and disclosures permitted by law in certain custodial settings, such as those involving correctional or detention facilities. In the final rule, we add a new subsection to the section on uses and disclosures for specialized government functions, § 164.512(k), to identify custodial settings in which special rules are necessary and to specify the additional uses and disclosures of the protected health information of inmates or detainees which are necessary in such facilities.

Comment: A number of commenters asked for clarification of the term "law" and the phrase "required by law" for purposes of the provision permitting uses or disclosures that are required by law. Some of the commenters noted that "state law" was a defined term in Part 160 of the NPRM and that the terms should be used consistently. Other commenters were concerned about differentiating between laws that required a use or disclosure and those that merely authorize or permit a use or disclosure. A number of commenters recommended that the final rule include a definitive list of the laws that mandate a use or disclosure of protected health information.

Response: In the final rule, we clarify that, consistent with the "state law" definition in § 160.202, "law" is intended to be read broadly to include the full array of binding legal authority, such as constitutions, statutes, rules, regulations, common law, or other governmental actions having the effect of law. However, for the purposes of § 164.512(a), law is not limited to state action; rather, it encompasses federal, state or local actions with legally binding effect, as well as those by territorial and tribal governments. For more detail on the meaning of "required by law," see § 164.501. Only where the law imposes a duty on the health care professional to report would the disclosure be considered to be required by law.

The final rule does not include a definitive list of the laws that contain legal mandates for disclosures of protected health information. In light of the breadth of the term "law" and the number of federal, state, local, and territorial or tribal authorities that may engage in the promulgation of binding legal authority, it would be impossible to compile and maintain such a list. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. The rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations.

Comment: A number of commenters recommended that the rule compel covered entities to use or disclose protected health information as required by law. They expressed concern that covered entities could refuse or delay compliance with legally mandated disclosures by misplaced reliance on a rule that permits, but does not require, a use or disclosure required by other law.

Response: We do not agree that the final rule should require covered entities to comply with uses or disclosures of protected health information mandated by law. The purpose of this rule is to protect privacy, and to allow those disclosures consistent with sound public policy. Consistent with this purpose, we mandate disclosure only to the individual who is the subject of the information, and for purposes of enforcing the rule. Where a law imposes a legal duty on the covered entity to use or disclose protected health information, it is sufficient that the privacy rule permit the covered entity to comply with such law. The enforcement of that legal duty, however, is a matter for that other law.

Section 164.512(b)—Uses and Disclosures for Public Health Activities

Comment: Several non-profit entities commented that medical records research by nonprofit entities to ensure public health goals, such as disease-specific registries, would not have been covered by this provision. These organizations collect information without relying on a government agency or law. Commenters asserted that such activities are essential and must continue. They generally supported the provisions allowing the collection of individually identifiable health information without authorization for registries. One stated that both governmental and non-governmental cancer registries should be exempt from the regulation. They stated that "such entities, by their very nature, collect health information for legitimate public health and research purposes." Another, however, addressed its comments only to "disclosure to non-government entities operating such system as required or authorized by law."

Response: We acknowledge that such entities may be engaged in disease-specific or other data collection activities that provide a benefit to their members and others affected by a particular malady and that they contribute to the public health and scientific database on low incidence or little known conditions. However, in the absence of some nexus to a government public health authority or other underlying legal authority, it is unclear upon what basis covered entities can determine which registries or collections are "legitimate" and how the confidentiality of the registry information will be protected. Commenters did not suggest methods for "validating" these private registry programs, and no such methods currently exist at the federal level. It is unknown whether any states have such a program. Broadening the exemption could provide a loophole for private data collections for inappropriate
purposes or uses under a "public health" mask.

In this rule, we do not seek to make judgments as to the legitimacy of private entities' disease-specific registries or of private data collection endeavors. Rather, we establish the general terms and conditions for disclosure and use of protected health information. Under the final rule, covered entities may obtain authorization to disclose protected health information to private entities seeking to establish registries or other databases; they may disclose protected health information as required by law; or they may disclose protected health information to such entities if they meet the conditions of one of the provisions of §§ 164.510 or 164.512. We believe that the circumstances under which covered entities may disclose protected health information to private entities should be limited to specified national priority purposes, as reflected through the FDA requirements or directives listed in § 164.512(b)(iii), and to enable recalls, repairs, or replacements of products regulated by the FDA.

Covered health care providers who are workforce members of an employer or are conducting evaluations relating to work-related injuries or illnesses or workplace surveillance also may disclose to employers protected health information, consisting of findings of such evaluations, that is necessary for the employer to comply with requirements under OSHA and related laws.

Comment: Several commenters said that the NPRM did not indicate how to distinguish between public health data collections and government health data systems. They suggested eliminating proposed § 164.510(g) on disclosures and uses for government health data systems, because they believed that such disclosures and uses were adequately covered by proposed § 164.510(b) on public health.

Response: As discussed below, we agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes for which some commenters said government agencies needed protected health information, and we believe that most of those needs can be met through the other categories of permitted uses and disclosures without authorization allowed under the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow collection of protected health information without authorization to monitor trends in the spread of infectious disease, morbidity and mortality.

Comment: Several commenters recommended expanding the scope of disclosures permissible under proposed § 164.510(b)(1)(iii), which would have allowed covered entities to disclose protected health information to private entities that could demonstrate that they were acting to comply with requirements, or at the direction, of a public health authority. These commenters said that they needed to collect individually identifiable health information in the process of drug and device development, approval, and post-market surveillance—activities that are related to, and necessary for, the FDA regulatory process. However, they noted that the specific data collections involved were not required by FDA regulations. Some commenters said that they often devised their own data collection methods, and that health care providers disclosed information to companies voluntarily for activities such as post-marketing surveillance and efficacy surveys. Commenters said they used this information to comply with FDA requirements such as reporting adverse events, filing other reports, or recordkeeping. Commenters indicated that the FDA encouraged but did not require them to establish other data collection mechanisms, such as pregnancy registries that track maternal exposure to drugs and the outcomes. Accordingly, several commenters recommended modifying proposed § 164.510(b) to allow covered entities to disclose protected health information without authorization to manufacturers registered with the FDA to manufacture, distribute, or sell a prescription drug, device, or biological product, in connection with post-marketing safety and efficacy surveillance or for the entity to obtain information about the drug, device, or product or its use. One commenter suggested including in the regulation an illustrative list of examples of FDA-related requirements, and stating in the preamble that all activities taken in furtherance of compliance with FDA regulations are "public health activities."

Response: We recognize that the FDA conducts or oversees many activities that are critical to help ensure the safety or effectiveness of the many products it regulates. These activities include, for example, reporting of adverse events, product defects and problems; product tracking; and post-marketing surveillance. In addition, we believe that removing defective or harmful products from the market is a critical national priority and is an important tool in FDA efforts to promote the safety and efficacy of the products it regulates. We understand that in most cases, the FDA lacks statutory authority to require product recalls. We also recognize that the FDA typically does not conduct recalls, repairs, or product replacement surveillance directly, but rather, that it relies on the private entities it regulates to collect data, notify patients when applicable, repair and replace products, and undertake other activities to promote the safety and effectiveness of FDA-regulated products.

We believe, however, that modifying the NPRM to allow disclosure of protected health information to private entities as part of any data-gathering activity related to a drug, device, or biological product or its use, or for any activity that is consistent with, or that appears to promote objectives specified, in FDA regulation would represent an inappropriately broad exception to the general requirement to obtain authorization prior to disclosure. Such a change could allow, for example, drug companies to collect protected health information without authorization to use for the purpose of marketing pharmaceuticals. We do not agree that all activities taken to promote compliance with FDA regulations represent public health activities as that term is defined in this rule. In addition, we believe it would not be appropriate to include in the regulation text an "illustrative list" of requirements "related to" the FDA. The regulation text and preamble list the FDA-related activities for which we believe disclosure of protected health information to private entities without authorization is warranted.

We believe it is appropriate to allow disclosure of protected health information without authorization to private entities only: For purposes that the FDA has, in effect, identified as national priorities by issuing regulations or express directions requiring such disclosure; or if such disclosure is necessary for a product recall. For example, we believe it is appropriate to allow covered health care providers to disclose to a medical device manufacturer recalling defective heart valves the names and last known addresses of patients in whom the provider implanted the valves. Thus, in the final rule, we allow covered entities to disclose protected health information to entities subject to FDA jurisdiction for the following activities: To report adverse events (or similar reports with
respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The preamble above provides further detail on the meaning of some of the terms in this list. Covered entities may disclose protected health information to entities for activities other than those described above only as required by law; with authorization; or if permissible under another section of this rule.

We understand that many private registries, such as pregnancy registries, currently obtain patient authorization for data collection. We believe the approach of § 164.512(b) strikes an appropriate balance between the objective of promoting patient privacy and control over their health information and the objective of allowing private entities to collect data that ultimately may have important public health benefits.

Comment: One commenter remarked that our proposal may impede fetal/infant mortality and child fatality reviews.

Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with § 164.512(b). Such activities may also meet the definition of "health care operations." We therefore do not believe this rule impedes these activities.

Comment: Several comments requested that the final regulation clarify that employers be permitted to use and/or disclose protected health information pursuant to the requirements of the Occupational Safety and Health Act and its accompanying regulations ("OSHA"). A few comments asserted that the regulation should not only permit employers to use and disclose protected health information without first obtaining an authorization consistent with OSHA requirements, but also permit them to use and disclose protected health information if the use or disclosure is consistent with the spirit of OSHA. One commenter supported the permissibility of these types of uses and disclosures, but warned that the regulation should not grant employers unfettered access to the entire medical record of employees for the purpose of meeting OSHA requirements. Other commenters noted that OSHA not only requires disclosures to the Occupational Safety and Health Administration, but also to third parties, such as employers and employee representatives. Thus, this comment asked HHS to clarify that disclosures to third parties required by OSHA are also permissible under the regulation.

Response: Employers as such are not covered entities under HIPAA and we generally do not have authority over their actions. When an employer has a health care component, such as an on-site medical clinic, and the component meets the requirements of a covered health care provider, health plan or health care clearinghouse, the uses and disclosures of protected health information by the health care component, including disclosures to the larger employer entity, are covered by this rule and must comply with its provisions.

A covered entity, including a covered health care provider, may disclose protected health information to OSHA under § 164.512(a), if the disclosure is required by law, or if the disclosure is a discretionary one for public health activities, under § 164.512(b). Employers may also request employees to provide authorization for the employer to obtain protected health information from covered entities to conduct analyses of work-related health issues. See § 164.508.

We also permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under the OSHA or similar laws. We added this provision to ensure that employers are able to obtain the information that they need to meet federal and state laws designed to promote safer and healthier workplaces. These laws are vital to protecting the health and safety of workers and we permit specified covered health care providers to disclose protected health information as necessary to carry out these purposes.

Comment: A few comments suggested that the final regulation clarify how it would interact with existing and pending OSHA requirements. One of these comments requested that the Secretary delay the effective date of the regulation until reviews of existing requirements are complete.

Response: As noted in the "Relationship to Other Federal Laws" section of the preamble, we are not undertaking a complete review of all existing laws with which covered entities might have to comply. Instead we have described a general framework under which such laws may be evaluated. We believe that adopting national standards to protect the privacy of individually identifiable health information is an urgent national priority. We do not believe that it is appropriate to delay the effective date of this regulation.

Comment: One commenter asserted that the proposed regulation conflicted with the OSHA regulation requirement that when a designated representative (to whom the employee has already provided a written authorization to obtain access) requests a release form for access to employee medical records, the form must include the purpose for which the disclosure is sought, which the proposed privacy regulation does not require.

Response: We do not agree that this difference creates a conflict for covered entities. If an employer seeks to obtain a valid authorization under § 164.508, it may add a purpose statement to the authorization so that it complies with OSHA's requirements and is a valid authorization under § 164.508 upon which a covered entity may rely to make a disclosure of protected health information to the employer.

Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.

Response: We permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance, as described in this paragraph. Information obtained by an employer under this paragraph would be available for it to use, consistent with other laws and regulations, as it chooses and throughout the national company. We do not regulate uses or disclosures of individually identifiable health
information by employers acting as employers.

Section 164.512(c)—Disclosures About Victims of Abuse, Neglect, or Domestic Violence

The NPRM did not include a paragraph specifically addressing covered entities' disclosures of protected health information regarding victims of abuse, neglect, or domestic violence. Rather, the NPRM addressed disclosures about child abuse pursuant to proposed § 164.510(b), which would have allowed covered entities to report child abuse to a public health authority or to another appropriate authority authorized by law to receive reports of child abuse or neglect. We respond to comments regarding victims of domestic violence or abuse throughout the final rule where relevant. (See responses to comments on §§ 164.502(g), 164.510(b), 164.512(f)(3), 164.522, and 164.524.)

Comment: Several commenters urged us to require that victims of domestic violence be notified about requests for or disclosures of protected health information about them, so that victims could take safety precautions.

Response: We agree that, in balancing the burdens on covered entities from such a notification requirement against the benefits to be gained, victims of domestic abuse merit heightened concern. For this reason, we generally require covered entities to inform the individual when they disclose protected health information to authorized government authorities. As the Family Violence Prevention Fund has noted in its Health Privacy Principles for Protecting Victims of Domestic Violence (October 2000), victims of domestic violence and abuse sometimes are subject to retaliatory violence. By informing a victim of abuse or domestic violence of a disclosure to law enforcement or other authorities, covered entities give victims the opportunity to take appropriate safety precautions. See the above preamble discussion of § 164.512(c) for more detail about the requirements for disclosing protected health information about victims of domestic violence.

Comment: Some commenters argued that a consent requirement should apply at a minimum to disclosures involving victims of crime or victims of domestic violence.

Response: We agree, and we modify the proposed rule to require covered entities to obtain an individual's agreement prior to disclosing protected health information in most instances involving victims of a crime or of abuse, neglect, or domestic violence. See the above preamble discussions of § 164.512(c), on disclosures about victims of abuse, neglect, or domestic violence, and § 164.512(f)(3), on disclosures to law enforcement about crime victims.

Section 164.512(d)—Uses and Disclosures for Health Oversight Activities

Comment: A couple of commenters supported the NPRM's approach to health oversight. Several other commenters generally supported the NPRM's approach to disclosure of protected health information for national priority purposes, and they recommended some clarification regarding disclosure for health oversight. Two commenters recommended clarifying in the final rule that disclosure is allowed to all federal, state, and local agencies that use protected health information to carry out legally mandated responsibilities.

Response: The final rule permits disclosures to public agencies that meet the definition of a health oversight agency and for oversight of the particular areas described in the statute. Section 164.512(a) of the final rule permits disclosures that are required by law. As discussed in the responses to comments of § 164.512(a), we do not in the final rule permit disclosures merely authorized by other laws that do not fit within the other public policy purposes recognized by the rule.

Comment: One commenter recommended clarifying in the final rule that covered entities are not required to establish business partner contracts with health oversight agencies or public health authorities to release individually identifiable information to them for purposes exempt from HIPAA and sanctioned by state law.

Response: The final rule does not require covered entities to establish business associate contracts with health oversight agencies when they disclose protected health information to these agencies for oversight purposes.

Comment: Two commenters recommended clarifying in the regulation text that the health oversight section does not create a new right of access to protected health information.

Response: We agree and include such a statement in the preamble of § 164.512(d) of the final rule.

Comment: Several commenters were concerned that the proposed oversight section allowed but did not require disclosure of protected health information to health oversight agencies for oversight activities.

Response: This rule's purpose is to protect the privacy of individually identifiable health information. Except to enforce the rule and to establish individuals' right to access their own protected health information (see § 164.502(a)(2)), we do not require disclosure of protected health information to any person or entity. We allow such disclosure for situations in which other laws require disclosure.

Comment: Some commenters were concerned that the NPRM would have allowed health oversight agencies to re-use and redisclose protected health information to other entities, and they were particularly concerned about re-disclosure to and re-use by law enforcement agencies. One commenter believed that government agencies would use the label of health oversight to gain access to protected health information from covered entities—thereby avoiding the procedural requirements of the law enforcement section (proposed § 164.510(f)) and subsequently would turn over information to law enforcement officials. Thus, these groups were concerned about the potential for oversight access to protected health information under the rule to become the "back door" to law enforcement access to such information.

Based on their concerns, these commenters recommended establishing a general prohibition on the re-use and re-disclosure of protected health information obtained by health oversight agencies in actions against individuals. One health plan expressed general concern about re-disclosure among all of the public agencies covered in the proposed § 164.510. It recommended building safeguards into the rule to prevent information gathered for one purpose (for example, public health) from being used for another purpose (such as health oversight).

Many of the commenters concerned about re-disclosure of protected health information obtained for oversight purposes said that if the Secretary lacked statutory authority to regulate oversight agencies' re-disclosure of protected health information and the re-use of this information by other agencies covered in proposed § 164.510, the President should issue an Executive Order barring such re-disclosure and re-use. One of these groups specified that the Executive Order should bar re-use and re-disclosure of protected health information in actions against individuals.

In contrast, some commenters advocated information-sharing between law enforcement and oversight agencies. Most of these commenters recognized that the NPRM would have allowed re-use and re-disclosure of protected health information from oversight to law
enforcement agencies, and they supported this approach.

Response: We believe that the language we have added to the rule, at § 164.512(d)(2) and the corresponding explanation in the preamble, to clarify the boundary between disclosures for health oversight and for law enforcement purposes should partially address the concern expressed by some that oversight agencies will be the back door for access by law enforcement. In situations when the individual is the subject of an investigation or activity and the investigation or activity is not related to health care fraud, the requirements for disclosure to law enforcement must be met, and an oversight agency cannot request the information under its more general oversight authority.

We acknowledge, however, that there will be instances under the rule when a health oversight agency (or a law enforcement agency in its oversight capacity) that has obtained protected health information appropriately will be able to redisclose the information to a law enforcement agency for law enforcement purposes. Under HIPAA, we have the authority to restrict re-disclosure of protected health information only by covered entities. Re-disclosures by public agencies such as oversight agencies are not within the purview of this rule. We support the enactment of comprehensive privacy legislation that would govern such public agencies’ re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities. For example, such use will be subject to review by the Deputy Attorney General.

Comment: Several commenters recommended modifying the proposed oversight section to require health oversight officials to justify and document their need for identifiable information.

Response: We encourage covered entities to work with health oversight agencies to determine the scope of information needed for health oversight inquiries. However, we believe that requiring covered entities to obtain extensive documentation of health oversight information needs could compromise health oversight agencies’ ability to complete investigations, particularly when an oversight agency is investigating the covered entity from which it is seeking information.

Comment: Several commenters believed that health oversight activities could be conducted without access to individually identifiable health information. Some of these groups recommended requiring information provided to health oversight agencies to be de-identified to the extent possible.

Response: We encourage health oversight agencies to use de-identified information whenever possible to complete their investigations. We recognize, however, that in some cases, health oversight agencies need identifiable information to complete their investigations. For example, as noted in the preamble to the NPRM, to determine whether a hospital has engaged in fraudulent billing practices, it may be necessary to examine billing records for a set of individual cases. Similarly, to determine whether a health plan is complying with federal or state health care quality standards, it may be necessary to examine individually identifiable health information in comparison with such standards. Thus, to allow health oversight agencies to conduct the activities that are central to their mission, the final rule does not require covered entities to de-identify protected health information before disclosing it to health oversight organizations.

Comment: One commenter recommended requiring whistleblowers, pursuant to proposed § 164.518(a)(4) of the NPRM, to raise the issue of a possible violation of law with the affected covered entity before disclosing such information to an oversight agency, attorney, or law enforcement official.

Response: We believe that such a requirement would be inappropriate, because it would create the potential for covered entities that are the subject of whistleblowing to take action to evade law enforcement and oversight action.

Comment: One commenter recommended providing an exemption from the proposed rule’s requirements for accounting for disclosures when such disclosures were for health oversight purposes.

Response: We recognize that in some cases, informing individuals that their protected health information has been disclosed to a law enforcement official or to a health oversight agency could compromise the ability of law enforcement and oversight officials to perform their duties appropriately. Therefore, in the final rule, we retain the approach of proposed § 164.515 of the NPRM. Section 164.528(a)(2) of the final rule states that an individual’s right to receive an accounting of disclosures to a health oversight agency, law enforcement official, or for national security or intelligence purposes may be temporarily suspended for the time specified by the agency or official. As described in § 164.528(a)(2), for such a suspension to occur, the agency or official must provide the affected covered entity with a written request stating that an accounting to the individual would be reasonably likely to impede the agency’s activity. The request must specify the time for which the suspension is required. We believe that providing a permanent exemption to the right to accounting for disclosures for health oversight purposes would fail to ensure that individuals are sufficiently informed about the extent of disclosures of their protected health information.

Comment: One commenter recommended making disclosures to health oversight agencies subject to a modified version of the NPRM’s proposed three-part test governing disclosure of protected health information to law enforcement pursuant to an administrative request (as described in proposed § 164.510(f)(1)).

Response: We disagree that it would be appropriate to apply the procedural requirements for law enforcement to health oversight. We apply more extensive procedural requirements to law enforcement disclosures than to disclosures for health oversight because we believe that law enforcement investigations more often involve situations in which the individual is the subject of the investigation (and thus could suffer adverse consequences), and we believe that it is appropriate to provide greater protection to individuals in such cases. Health oversight involves investigations of institutions that use health information as part of business functions, or of individuals whose health information has been used to obtain a public benefit. These circumstances justify broader access to information.

Overlap Between Law Enforcement and Oversight

Comment: Some commenters expressed concern that the NPRM’s provisions permitting disclosures for health oversight and disclosures for law enforcement overlapped, and that the overlap could create confusion among covered entities, members of the public, and government agencies. The commenters identified particular factors that could lead to confusion, including that (1) the phrase "criminal, civil, or administrative proceeding" appeared in the definitions of both law enforcement
and oversight; (2) the examples of oversight agencies listed in the preamble included a number of organizations that also conduct law enforcement activities; (3) the NPRM addressed the issue of disclosures to investigate health care fraud in the law enforcement section (§ 164.510(f)(5)), yet health care fraud investigations are central to the mission of some health care oversight agencies; (4) the NPRM established more stringent rules for disclosure of protected health information pursuant to an administrative subpoena issued for law enforcement than for disclosure pursuant to an oversight agency’s administrative subpoena; and (5) the preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities.

Some commenters said that covered entities would be confused by the overlap between law enforcement and oversight and that this concern would lead to litigation over which rules should apply when an entity engaged in more than one of the activities listed under the exceptions in proposed § 164.510. Other commenters believed that covered entities could manipulate the NPRM’s ambiguities in their favor, claim that the more stringent law enforcement disclosure rules always should apply, and thereby delay investigations. A few comments suggested that the confusion could be clarified by making the regulation text consistent with the preamble, by stating that when agencies conducting both law enforcement and oversight seek protected health information as part of their oversight activities, the oversight rules would apply.

Response: We agree that the boundary between disclosures for health oversight and disclosures for law enforcement proposed in the NPRM could have been more clear. Because many investigations, particularly investigations involving public benefit programs, have both health oversight and law enforcement aspects to them, and because the same agencies often perform both functions, drawing any distinction between the two functions is necessarily difficult. For example, traditional law enforcement agencies, such as the Federal Bureau of Investigation, have a significant role in health oversight. At the same time, traditional health oversight agencies, such as federal Offices of Inspectors General, often participate in criminal investigations.

To clarify the boundary between law enforcement and oversight for purposes of complying with this rule, we add new language in the final rule, at § 164.512(d)(2). This section indicates that health oversight activities do not include an investigation or activity in which the individual is the subject of the investigation or activity and the investigation or activity does not arise out of and is not directly related to health care fraud. In this rule, we describe investigations involving suspected health care fraud as investigations related to: (1) The receipt of health care; (2) a claim for public benefits related to health; or (3) qualification for, or receipt of public benefits or services where a patient’s health is integral to the claim for public benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to health care fraud, identified as investigations regarding issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply.

Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to health care fraud, a covered entity may make a disclosure pursuant to § 164.512(d)(1), allowing uses and disclosures for health oversight activities. For example, when the U.S. Department of Labor’s Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the health plan, the health plan may disclose protected health information to the PWBA under the health oversight rules.

To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).

We also recognize that sections 201 and 202 of HIPAA, which established a federal Fraud and Abuse Control Program and the Medicare Integrity Program, identified health care fraud-fighting as a critical national priority. Accordingly, under the final rule, in joint law enforcement/oversight investigations involving suspected health care fraud, the health oversight disclosures apply, even if the individual also is the subject of the investigation.

We also recognize that in some cases, health oversight agencies may conduct joint investigations with other oversight agencies involved in investigating claims for benefits unrelated to health. For example, in some cases, a state Medicaid agency may be working with officials of the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps. While this issue was not raised specifically in the comments, we add new language (§ 164.512(d)(3)) to provide guidance to covered entities in such situations. Specifically, we clarify that if a health oversight investigation is conducted in conjunction with an oversight activity related to a claim for benefits unrelated to health, the joint activity or investigation is considered health oversight for purposes of the rule, and the covered entities may disclose protected health information pursuant to the health oversight provisions.

Comment: An individual commenter recommended requiring authorization for disclosure of patient records in fraud investigations, unless the individual was the subject or target of the investigation. This commenter recommended requiring a search warrant for cases in which the individual was the subject and stating that fraud investigators should have access to the minimum necessary patient information.

Response: As described above, we recognize that in some cases, activities include elements of both law enforcement and health oversight. Because we consider both of these activities to be critical national priorities, we do not require covered entities to obtain authorization for disclosure of protected health information to law enforcement or health oversight agencies—including those oversight activities related to health care fraud. We believe that investigations involving health care fraud represent health oversight rather than law enforcement. Accordingly, as indicated above, we remove proposed § 164.510(f)(5)(i) from the law enforcement section of the proposed rule and clarify that all disclosures of protected health information for health oversight are permissible without authorization. As discussed in greater detail in § 164.514, the final rule’s minimum necessary standard applies to disclosures under § 164.512 unless the disclosure is required by law under § 164.512(a).
Comment: A large number of commenters expressed concern about the potential for health oversight agencies to become, in effect, the "back door" for law enforcement access to such information. The commenters suggested that health oversight agencies could use their relatively unencumbered access to protected health information to circumvent the more stringent process requirements that otherwise would apply to disclosures for law enforcement purposes. These commenters urged us to prohibit health oversight agencies from re-disclosing protected health information to law enforcement.

Response: As indicated above, we do not intend for the rule’s permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in the rule, and we do not intend for these oversight provisions to serve as a "back door" for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies’ re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies’ re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities.

Comment: One commenter asked us to allow the requesting agency to decide whether a particular request for protected health information was for law enforcement or oversight purposes.

Response: As described above, we clarify the overlap between law enforcement disclosures and health oversight disclosures based on the privacy and liberty interests of the individual (whether the individual also is the subject of the official inquiry) and the nature of the public interest (whether the inquiry relates to health care fraud or to another potential violation of law). We believe it is more appropriate to establish these criteria than to leave the decision to the discretion of an agency that has a stake in the outcome of the investigation.

Section 164.512(e)—Disclosures for Judicial and Administrative Proceedings

Comment: A few commenters suggested that the final rule not permit disclosures without an authorization for judicial and administrative proceedings.

Response: We disagree. Protected health information is necessary for a variety of reasons in judicial and administrative proceedings. Often it may be critical evidence that may or may not be about a party. Requiring an authorization for all such disclosures would severely impede the review of legal and administrative claims. Thus, we have tried to balance the need for information with the individual’s privacy. We believe the approach described above provides individuals with the opportunity to object to disclosures and provides a mechanism through which their privacy interests are taken into account.

Comment: A few commenters sought clarification about the interaction between permissible disclosures for judicial and administrative proceedings, law enforcement, and health oversight.

Response: In the final rule, we state that the provision permitting disclosures without an authorization for judicial and administrative proceedings does not supersede other provisions in § 164.512 that would otherwise permit or restrict the use or disclosure of protected health information. Additionally, in the descriptive preamble of § 164.512, we provide further explanation of how these provisions relate to one another.

Comment: Many commenters urged the Secretary to revise the rule to state that it does not preempt or supersede existing rules and statutes governing judicial proceedings, including rules of evidence, procedure, and discovery. One commenter asserted that dishonest health care providers and others should not be able to withhold their records by arguing that state subpoena and criminal discovery statutes compelling disclosure are preempted by the privacy regulation. Other commenters maintained that there is no need to replace providers’ current practice, which typically requires either a signed authorization from the patient or a subpoena to release medical information.

Response: These comments are similar to many of the more general preemption comments we received. For a full discussion of the Secretary’s response on preemption issues, see part 160—subpart B.

Comment: One commenter stated that the proposed rule creates a conflict with existing rules and statutes governing judicial proceedings, including rules of evidence and discovery. This commenter stated that the rule runs afoul of state judicial procedures for enforcement of subpoenas that require judicial involvement only when a party seeks to enforce a subpoena.

Response: We disagree with this comment. The final rule permits covered entities to disclose protected health information for any judicial or administrative procedure in response to a subpoena, discovery request, or other lawful process if the covered entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individual has been given notice of the request or has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal. A covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it has made reasonable efforts to provide the individual with such notice or to seek a qualified protective order itself. These rules do not require covered entities or parties seeking the disclosure of protected health information to involve the judiciary; they may choose the notification option rather than seeking a qualified protective order.

Many states have already enacted laws that incorporate these concepts. In California, for instance, an individual must be given ten days notice that his or her medical records are being subpoenaed from a health care provider, and state law requires that the party seeking the records furnishes the health care provider with proof that the notice was given to the individual. In Montana, a party seeking discovery or compulsory process of medical records must give notice to the individual at least ten days in advance of serving the request on a health care provider. Service of the request must be accompanied by written certification that the procedure has been followed. In Rhode Island, an individual must be given notice that his or her medical records are being subpoenaed and notice of his or her right to object. The party serving the subpoena on the health care provider must provide written certification to the provider that: (1) This procedure has been followed, (2) twenty days have passed from the date of service, and (3) no challenge has been made to the disclosure or the court has ordered disclosure after resolution of a legal court challenge. In Washington, an individual must be given at least fourteen days from the date of service of notice that his or her health information is the subject of a
discovery request or compulsory process to obtain a protective order. The notice must identify the health care provider from whom the information is sought, specify the health care information that is sought, and the date by which a protective order must be obtained in order to prevent the provider from disclosing the information.

Comment: A few commenters expressed concern that the rule would place unnecessary additional burdens on health care providers because when they receive a request for disclosure in connection with an administrative or judicial procedure, they would have to determine whether the litigant’s health was at issue before they made the disclosure. A number of commenters complained that this requirement would make it too easy for litigants to obtain protected health information. One commenter argued that litigants should not be able to circumvent state evidentiary rules that would otherwise govern disclosure of protected health information simply upon counsel’s statement that the other party’s medical condition or history is at issue.

Other commenters, however, urged that disclosure without authorization should be permitted whenever a patient places his or her medical condition or history at issue and recommended requiring the request for information to include a certification to this effect. Only if another party to litigation has raised a medical question do these commenters believe a court order should be required. Similarly, one commenter supported a general requirement that disclosure without authorization be permitted only with a court order unless the patient has placed his or her physical or mental condition at issue.

Response: We agree with the concerns expressed by several commenters about this provision and have eliminated this requirement from the final rule.

Comment: A number of commenters stated that the proposed rule should be modified to permit disclosure without authorization pursuant to a lawful subpoena. One commenter argued that the provision would limit the scope of the Inspector General’s subpoena power for judicial and administrative proceedings to information concerning a litigant whose health condition or history is at issue, and would impose a requirement that the Inspector General provide a written certification to that effect. Other commenters stated that the proposed rule would seriously impair the ability of state agencies to conduct administrative hearings on physician licensing and disciplinary matters. These commenters stated that current practice is to obtain information using subpoenas.

Other commenters argued that disclosure of protected health information for judicial and administrative proceedings should require a court order and/or judicial review unless the subject of the information consents to disclosure. These commenters believed that an attorney’s certification should not be considered sufficient authority to override an individual’s privacy, and that the proposed rule made it too easy for a party to litigation to obtain information about the other party.

Response: As a general matter, we agree with these comments. As noted, the final rule deletes the provision that would permit a covered entity to disclose protected health information pursuant to an attorney’s certification that the individual is a party to the litigation and has put his or her medical condition at issue. Under the final rule, covered entities may disclose protected health information in response to a court or administrative order, provided that only the protected health information expressly authorized by the order is disclosed. Covered entities may also disclose protected health information in response to a subpoena, discovery request, or other lawful process without a court order, but only if the covered entity receives satisfactory assurances that the party seeking disclosure has made reasonable efforts to ensure that the individual has been notified of the request or that reasonable efforts have been made by the party seeking the information to secure a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protective order itself.

We also note that the final rule specifically provides that nothing in Subchapter C should be construed to diminish the authority of any Inspector General, including authority provided in the Inspector General Act of 1978.

Comment: A number of commenters expressed concern that the proposed rule would not permit covered entities to introduce material evidence in proceedings in which, for example, the provisions of an insurance contract are at issue, or when a billing or payment issue is presented. They noted that although the litigant may be the owner of an insurance policy, he or she may not be the insured individual to whom the health information pertains. In addition, they stated that the medical condition or history of a deceased person may be at issue when the deceased person is not a party.

Response: We disagree. Under the final rule, a covered entity may disclose protected health information without an authorization pursuant to a court or administrative order. It may also disclose protected health information with an authorization for judicial or administrative proceedings in response to a subpoena, discovery request, or other lawful process without a court order, if the party seeking the disclosure provides the covered entity with satisfactory assurances that it has made reasonable efforts to ensure that the individual has been notified of the request or to seek a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protective order itself. Therefore, a party may obtain the information even if the subject of the information is not a party to the litigation or deceased.

Comment: A few commenters argued that disclosure of protected health information should be limited only to those cases in which the individual has consented or a court order has been issued compelling disclosure.

Response: The Secretary believes that such an approach would impose an unreasonable burden on covered entities and the judicial system and that greater flexibility is necessary to assure that the judicial and administrative systems function smoothly. We understand that even those states that have enacted specific statutes to protect the privacy of health information have not imposed requirements as strict as these commenters would suggest.

Comment: Many commenters asked that the final rule require the notification of the disclosure be provided to the individual whose health information is subject to disclosure prior to the disclosure as part of a judicial or administrative proceeding. Most of these commenters also asked that the rule require that the individual who is the subject of a disclosure be given an opportunity to object to the disclosure. A few commenters suggested that patients be given ten days to object before requested information may be disclosed and recommend that the rule require the requester to provide a certification that notice has been provided and that ten days have passed
with no objection from the subject of the information. Some commenters suggested that if a subpoena for disclosure is not accompanied by a court order, the covered entities be prohibited from disclosing protected health information unless the individual has been given notice and an opportunity to object. Another commenter recommended requiring, in most circumstances, notice and an opportunity to object before a court order is issued and requiring the requestor of information to provide a signed document attesting the date of notification and forbid disclosure until ten days after notice is given.

Response: We agree that in some cases the provision of notice with an opportunity to object to the disclosure is appropriate. Thus, in the final rule we provide that a covered entity may disclose protected health information in response to a subpoena, discovery request or other lawful process that is not accompanied by a court order if it receives satisfactory assurance from the party seeking the request that the requesting party has made a good faith attempt to provide written notice to the individual that includes sufficient information about the litigation or proceeding to permit the individual to

honor that disclosure request is unnecessary.

Comment: Many commenters urged the Secretary to require specific criteria for court and administrative orders. Many of these commenters proposed that a provision be added to the rule that would require court and administrative orders to safeguard the disclosure and use of protected health information. These commenters urged that the information sought must be relevant and material, as specific and narrowly drawn as reasonably practicable, and only disclosed if de-identified information could not reasonably be used.

Response: The Secretary’s authority is limited to covered entities. Therefore, we do not impose requirements on courts and administrative tribunals. However, we note that the final rule limits the permitted disclosures by covered entities in court or administrative proceedings to only that information which is specified in the order from a court or an administrative body, which should provide a degree of protection for individuals from unnecessary disclosure.

Comment: Several commenters asked that the "minimum necessary" standard not apply to disclosures made pursuant to a court order because individuals

order might otherwise meet the minimum necessary requirement.

If the disclosure is pursuant to a satisfactory assurance from the party seeking the disclosure, at least a good faith attempt has been made to notify the individual in writing of the disclosure before it is made, or the parties have sought a qualified protective order that prohibits them from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the information was requested and that the information will be returned to the covered entity or destroyed at the end of the litigation or the proceeding. Alternatively, the covered entity may seek such notice or qualified protective order itself. This approach provides the individual with protections and places the burden on the parties to resolve their differences about the appropriateness and scope of disclosure as part of the judicial or administrative procedure itself before the order is issued, rather than requiring the covered entity to get involved in evaluating the merits of the dispute in order to determine whether or not the particular request is appropriate or too broad. In these cases, the covered entity must disclose only the protected health information that is the minimum
raise an objection to the court or could then use the rule to contest the amount necessary to achieve the
administrative tribunal and that the scope of discovery requests. However, purpose for which the information is
time for the individual to raise many other commenters recommended sought.
objections has elapsed (and that none that the rule permit disclosure only of We share the concern of the
were filed or all have been resolved). information ‘‘reasonably necessary’’ to commenters that covered entities should
Covered entities may make reasonable respond to a subpoena. These redact any information about third
efforts to provide such notice as well. commenters raised concerns with parties before disclosing an individual’s
In certain instances, however, the applying the ‘‘minimum necessary’’ protected health information. During the
final rule permits covered entities to standard in judicial and administrative fact-finding stage of our consideration of
disclose protected health information proceedings, but did not believe the revisions to the proposed rule, we
for judicial and administrative holder of protected health information discussed this issue with
proceedings without notice to the should have blanket authority to representatives of covered entities.
individual if the party seeking the disclose all protected health Currently, information about third
request has made reasonable efforts to information. Some of the commenters parties is sometimes redacted by
seek a qualified protective order, as urged that disclosure of any information medical records personnel responding
described in the rule. A covered entity about third parties that may be included to requests for information. In
may also make reasonable efforts to seek in the medical records of another particular, information regarding HIV
a qualified protective order in order to person— for example, the HIV status of status is treated with special sensitivity
make the disclosure. Additionally, a a partner—be prohibited. Finally, some by these professionals. Although we
covered entity may disclose protected commenters disagreed with the considered including a special
health information for judicial and proposed rule because it did not require provision in the final rule prohibiting
administrative proceedings in response covered entities to evaluate the validity such disclosure, we decided that the
to an order of a court or administrative of subpoenas and discovery requests to revisions made to the proposed rule
tribunal provided that the disclosure is determine whether these requests ask would provide sufficient protection. By
limited to only that information that is for the ‘‘minimum necessary’’ or restricting disclosure of protected health
expressly authorized by the order. The ‘‘reasonably necessary’’ amount of information to only that information
Secretary believes notice is not information. specified in a court or administrative
necessary in these instances because a Response: Under the final rule, if the order or released pursuant to other types
court or administrative tribunal is in the disclosure is pursuant to an order of a of lawful process only if the individual
best position to evaluate the merits of court or administrative tribunal, covered had notice and an opportunity to object
the arguments of the party seeking entities may disclose only the protected or if the information was subject to a
disclosure and the party who seeks to health information expressly authorized protective order, individuals who are
block it before it issues the order and by the order. In these instances, a concerned about disclosure of
that imposing further procedural covered entity is not required to make information concerning third parties
obstacles before a covered entity may a determination whether or not the will have the opportunity to raise that

issue prior to the request for disclosure being presented to the covered entity. We are reluctant to put the covered entity in the position of having to resolve disputes concerning the type of information that may be disclosed when that dispute should more appropriately be settled through the judicial or administrative procedure itself.

Comment: One commenter asked that the final regulation clarify that a court order is not required when disclosure would otherwise be permitted under the rule. This commenter noted that the preamble states that the requirement for a court order would not apply if the disclosure would otherwise be permitted under the rule. For example, disclosures of protected health information pursuant to administrative, civil, and criminal proceedings relating to “health oversight” are permitted, even if no court or administrative orders have been issued. However, the commenter was concerned that this principle only appeared in the preamble and not in the rule itself.

Response: Section 164.512(e)(4) of the final regulation contains this clarification.

Comment: One commenter was concerned that the rule is unclear as to whether governmental entities are given a special right to “use” protected health information that private parties do not have under the proposed regulation or whether governmental entities that seek or use protected health information are treated the same as private parties in their use of such information. This commenter urged that we clarify our intent regarding the use of protected health information by governmental entities.

Response: Generally governmental entities are treated the same as private entities under the rule. In a few clearly defined cases, a special rule applies. For instance, under § 164.504(e)(3), when a covered entity and its business associate are both governmental entities, they may enter into a memorandum of understanding or adopt a regulation with the force and effect of law that incorporates the requirements of a business associate contract, rather than having to negotiate a business associate contract itself.

Comment: One commenter recommended that the final rule state that information developed as part of a quality improvement or medical error reduction program may not be disclosed under this provision. The commenter explained that peer review information developed to identify and correct systemic problems in delivery of care must be protected from disclosure to allow a full discussion of the root causes of such events so they may be identified and addressed. According to the commenter, this is consistent with peer review protections afforded this information by the states.

Response: The question of whether or not such information should be protected is currently the subject of debate in Congress and in the states. It would be premature for us to adopt a position on this issue until a clear consensus emerges. Under the final rule, no special protection against disclosure is provided for peer review information of the type the commenter describes. However, unless the request for disclosure fits within one of the categories of permitted or required disclosures under the regulation, it may not be disclosed. For instance, if disclosure of peer review information is required by another law (such as Medicare or a state law), covered entities subject to that law may disclose protected health information consistent with the law.

Comment: One commenter stated that the requirements of this section are in conflict with Medicare contractor current practices, as defined by the HCFA Office of General Counsel, and suggested that the final rule include more specific guidelines.

Response: Because the commenter failed to indicate the nature of these conflicts, we are unable to respond.

Comment: One commenter stated that the rule should require rather than permit disclosure pursuant to court orders.

Response: Under the statutory framework adopted by Congress in HIPAA, a presumption is established that the data contained in an individual’s medical record belongs to the individual and must be protected from disclosure to third parties. The only instance in which covered entities holding that information must disclose it is if the individual requests access to the information himself or herself. In the final rule (as in the proposed rule), covered entities may use or disclose protected health information under certain enumerated circumstances, but are not required to do so. We do not believe that this basic principle should be compromised merely because a court order has been issued. Consistent with this principle, we provide covered entities with the flexibility to deal with circumstances in which the covered entity may have valid reasons for declining to release the protected health information without violating this regulation.

Comment: One commenter noted that in some states, public health records are not subject to discovery, and that the proposed rule would not permit disclosure of protected health information pursuant to court order or subpoena if the disclosure is not allowed by state law. The commenter requested clarification as to whether a subpoena in a federal civil action would require disclosure if a state law prohibiting the release of public health records existed.

Response: As explained above, the final rule permits, but does not require, disclosure of protected health information pursuant to a court order. Under the applicable preemption provisions of HIPAA, state laws relating to the privacy of medical information that are more stringent than the federal rules are not preempted. To the extent that an applicable state law precludes disclosure of protected health information that would otherwise be permitted under the final rule, state law governs.

Comment: A number of commenters expressed concern that the proposed rule would negatively impact state and federal benefits programs, particularly social security and workers’ compensation. One commenter requested that the final rule remove any possible ambiguity about application of the rule to the Social Security Administration’s (SSA) evidence requests by permitting disclosure to all administrative levels of benefit programs. In addition, several commenters stated that requiring SSA or states to provide the covered entity holding the protected health information with an individual’s consent before it could disclose the information would create a huge administrative and paperwork burden with no added value to the individual. In addition, several other commenters indicated that states that make disability determinations for SSA also support special accommodation for SSA’s determination process. They expressed concern that providers will narrowly interpret the HIPAA requirements, resulting in significant increases in processing time and program costs for obtaining medical evidence (especially purchased consultative examinations when evidence of record cannot be obtained). A few commenters were especially concerned about the impact on states and SSA if the final rule were to eliminate the NPRM’s provision for a broad consent for “all evidence from all sources.”

Some commenters also note that it would be inappropriate for a provider to make a minimum necessary determination in response to a request from SSA because the provider usually will not know the legal parameters of SSA’s programs, or have access to the
individual’s other sources of evidence. In addition, one commenter urged the Secretary to be sensitive to these concerns about delay and other negative impacts on the timely determination of disability by SSA for mentally impaired individuals.

Response: Under the final rule, covered entities may disclose protected health information pursuant to an administrative order so the flow of protected health information from covered entities to SSA and the states should not be disrupted.

Although some commenters urged that special rules should be included for state and federal agencies that need protected health information, the Secretary rejects that suggestion because, wherever possible, the public and the private sectors should operate under the same rules regarding the disclosure of health information. To the extent the activities of SSA constitute an actual administrative tribunal, covered entities must follow the requirements of § 164.512(e), if they wish to disclose protected health information to SSA in those circumstances. Not all administrative inquiries are administrative tribunals, however. If SSA’s request for protected health information comes within another category of permissible exemptions, a covered entity, following the requirements of the applicable section, may disclose the information to SSA. For example, if SSA seeks information for purposes of health oversight, a covered entity that wishes to disclose the information to SSA may do so under § 164.512(d) and not § 164.512(e). Only if the disclosure does not come within one of the other permissible disclosures would a covered entity need to meet the requirements of § 164.512(e). If the SSA request does not come within another permissible disclosure, the agency will be treated like anyone else under the rules.

The Secretary recognizes that even under current circumstances, professional medical records personnel do not always respond unquestioningly to an agency’s request for health information. During the fact-finding process, professionals charged with managing provider response to requests for protected health information indicated to us that when an agency’s request for protected health information is overbroad, the medical records professional will contact the agency and negotiate a more limited request. In balancing the interests of individuals against the need of governmental entities to receive protected health information, we think that applying the minimum necessary standard is appropriate and that covered entities should be responsible for ensuring that they disclose only that protected health information that is necessary to achieve the purpose for which the information is sought.

Comment: In a similar vein, one commenter expressed concern that the proposed rule would adversely affect the informal administrative process usually followed in processing workers’ compensation claims. Using formal discovery is not always possible, because some programs do not permit it. The commenter urged that the final rule must permit administrative agencies, employers, and workers’ compensation carriers to use less formal means to obtain relevant medical evidence while the matter is pending before the agency. This commenter asked that the rule be revised to permit covered entities to disclose protected health information without authorization for purposes of federal or state benefits determinations at all levels of processing, from the initial application through continuing disability reviews.

Response: If the disclosure is required by a law relating to workers’ compensation, a covered entity may disclose protected health information as authorized by and to the extent necessary to comply with that law under § 164.512(l). If the request for protected health information in connection with a workers’ compensation claim is part of an administrative proceeding, a covered entity must meet the requirements set forth in § 164.512(e), and discussed above, before disclosing the information. As noted, one permissible manner by which a covered entity may disclose protected health information under § 164.512(e) is if the party seeking the disclosure makes reasonable efforts to provide notice to the individual as required by this provision. Under this method, the less formal process noted by the commenter would not be disturbed. A covered entity may disclose protected health information in response to other types of requests only as permitted by this regulation.

Section 164.512(f)—Disclosures for Law Enforcement Purposes

General Comments on Proposed § 164.510(f)

Comment: Some commenters argued that current law enforcement use of protected health information was legitimate and important. These commenters cited examples of investigations and prosecutions for which protected health information is needed, from white collar insurance fraud to violent assault, to provide incriminating evidence or to exonerate a suspect, to determine what charges are warranted and for bail decisions. For example, one commenter argued that disclosure of protected health information for law enforcement purposes should be exempt from the rule, because the proposed regulation would hamper Drug Enforcement Administration investigations. A few commenters argued that effective law enforcement requires early access to as much information as possible, to rule out suspects, assess severity of criminal acts, and for other purposes. A few commenters noted the difficulties criminal investigators and prosecutors face when fighting complex criminal schemes. In general, these commenters argued that all disclosures of protected health information to law enforcement should be allowed, or for elimination of the process requirements proposed in § 164.510(f)(1).

Response: The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety. At the same time, individuals’ privacy interests also are important and legitimate. As with all the other disclosures of protected health information permitted under this regulation, the rules we impose attempt to balance competing and legitimate interests.

Comment: Law enforcement representatives stated that law enforcement agencies had a good track record of protecting patient privacy and that additional restrictions on their access and use of information were not warranted. Some commenters argued that no new limitations on law enforcement access to protected health information were necessary, because sufficient safeguards exist in state and federal laws to prevent inappropriate disclosure of protected health information by law enforcement.

Response: Disclosure of protected health information by law enforcement is not at issue in this regulation. Law enforcement access to protected health information in the first instance, absent any re-disclosure by law enforcement, impinges on individuals’ privacy interests and must therefore be justified by a public purpose that outweighs individuals’ privacy interests.

We do not agree that sufficient safeguards already exist in this area. We are not aware of, and the comments did
not provide, evidence of a minimum set of protections for individuals relating to access by law enforcement to their protected health information. Federal and state laws in this area vary considerably, as they do for other areas addressed in this final rule. The need for standards in this area is no less critical than in the other areas addressed by this rule.

Comment: Many commenters argued that no disclosures of protected health information should be made to law enforcement (absent authorization) without a warrant issued by a judicial officer after a finding of probable cause. Others argued that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, as described in proposed § 164.510(f)(2). Some commenters argued that judicial review prior to release of protected health information to law enforcement should be required absent the exigent and urgent circumstances identified in the NPRM in § 164.510(f)(3) and (5), or absent “a compelling need” or similar circumstances.

Response: In the final rule, we attempt to match the level of procedural protection for privacy required by this rule with the nature of the law enforcement need for access, the existence of other procedural protections, and individuals’ privacy interests. Where other rules already impose procedural protections, this rule generally relies on those protections rather than imposing new ones. Thus, where access to protected health information is granted after review by an independent judicial officer (such as a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer), no further requirements are necessary. Similarly, because information disclosed to a grand jury is vital to law enforcement purposes and is covered by secrecy protection, this rule allows disclosure with no further process.

We set somewhat stricter standards for disclosure of protected health information pursuant to administrative process, such as administrative subpoenas, summonses, and civil or authorized investigative demands. In these cases, the level of existing procedural protections is lower than for judicially-approved or grand jury disclosures. We therefore require a greater showing, specifically, the three-part test described in § 164.512(f)(1)(ii), before the covered entity is permitted to release protected health information. Where the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim’s agreement prior to disclosure in most instances.

In the limited circumstances where law enforcement interests are heightened, we allow disclosure of protected health information without prior legal process or agreement, but we impose procedural protections such as limits on the information that may lawfully be disclosed, limits on the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures. For example, in some cases law enforcement officials may seek limited but focused information needed to obtain a warrant. A witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of privacy would be outweighed by the public interest. For such circumstances, we allow disclosure of protected health information in response to a law enforcement inquiry where law enforcement is seeking to identify a suspect, fugitive, material witness, or missing person, but allow only disclosure of a limited list of information.

Similarly, it is in the public interest to allow covered entities to take appropriate steps to protect the integrity and safety of their operations. Therefore, we permit covered entities on their own initiative to disclose to law enforcement officials protected health information for this purpose. However, we limit such disclosures to protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

We shape the rule’s provisions with respect to law enforcement according to the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the course of health oversight activities. The limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation.

Comment: A few commenters cited existing sanctions for law enforcement officials who violate the rights of individuals in obtaining evidence, ranging from suppression of that evidence to monetary penalties, and argued that such sanctions are sufficient to protect patients’ privacy interests.

Response: After-the-fact sanctions are important, but they are effective only when coupled with laws that establish the ground rules for appropriate behavior. That is, a sanction applies only where some other rule has been violated. This regulation sets such basic ground rules. Further, under the HIPAA statutory authority, we cannot impose sanctions on law enforcement officials or require suppression of evidence. We must therefore rely on rules that regulate disclosure of protected health information by covered entities in the first instance.

Comment: Several commenters argued that disclosure of protected health information under § 164.510(f) should be mandatory, not just permitted. Others argued that we should mandate disclosure of protected health information in response to Inspector General subpoenas. A few commenters argued that we should require all covered entities to include disclosure of protected health information to law enforcement in their required notice of privacy practices.

Response: The purpose of this regulation is to protect individuals’ privacy interests, consistent with other important public activities. Other laws set the rules governing those public activities, including when health information is necessary for their effective operation. See discussion of § 164.512(a).
Comment: Some commenters questioned whether the Secretary had statutory authority to directly or indirectly impose new procedural or substantive requirements on otherwise lawful legal process issued under existing federal and state rules. They argued that, while the provisions are imposed on “covered entities,” the rule would result in law enforcement officials being compelled to modify current practices to harmonize them with the requirements this rule imposes on covered entities. A number of state law enforcement agencies argued that the rule would place new burdens on state administrative subpoenas and requests that are intrusive in state functions. At least one commenter argued that the requirement for prior process places unreasonable restrictions on the right of the states to regulate law enforcement activities.

Response: This rule regulates the ability of health care clearinghouses, health plans, and covered health care providers to use and disclose health information. It does not regulate the behavior of law enforcement officials or the courts, nor does it prevent states from regulating law enforcement officials. All regulations have some effects on entities that are not directly regulated. We have considered those effects in this instance and have determined that the provisions of the rule are necessary to protect the privacy of individuals.

Comment: One commenter argued that state licensing boards should be exempt from restrictions placed on law enforcement officials, because state licensing and law enforcement are different activities.

Response: Each state’s law determines what authorities are granted to state licensing boards. Because state laws differ in this regard, we cannot make a

disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, did so because they believed that such a rule would be consistent with current state law practices.

Response: This regulation does not expand current law enforcement access to protected health information. We do not mandate any disclosures of protected health information to law enforcement officials, nor do we make lawful any disclosures of protected health information which are unlawful under other rules and regulations. Similarly, this regulation does not describe a set of “best practices.” Nothing in this regulation should cause a covered entity to change practices that are more protective of privacy than the floor of protections provided in this regulation.

This regulation sets forth the minimum practices which a covered entity must undertake in order to avoid sanctions under the HIPAA. We expect and encourage covered entities to exercise their judgment and professional ethics in using and disclosing health information, and to continue any current practices that provide privacy protections greater than those mandated in this regulation.

Comment: Many commenters asserted that, today, consent or judicial review always is required prior to release of protected health information to law enforcement; therefore, they said that the proposed rule would have lessened existing privacy protections.

Response: In many situations today, law enforcement officials lawfully obtain health information absent any prior legal process and absent exigent circumstances. The comments we received on the NPRM, both from law enforcement and consumer advocacy

Health and Human Services, before the Senate Committee on Labor & Human Resources, September 11, 1997). However, the limited jurisdiction conferred on us by the HIPAA does not allow us to impose such restrictions on law enforcement officials or the courts.

Comment: At least one commenter argued that the regulation should allow current routine uses for law enforcement under the Privacy Act.

Response: This issue is discussed in the “Relationship to Other Federal Laws” preamble discussion of the Privacy Act.

Comment: A few commenters expressed concern that people will be less likely to provide protected health information for public health purposes if they fear the information could be used for law enforcement purposes.

Response: This regulation does not affect law enforcement access to records held by public health authorities, nor does it expand current law enforcement access to records held by covered entities. These agencies are for the most part not covered entities under HIPAA. Therefore, this regulation should not reduce current cooperation with public health efforts.

Relationship to Other Provisions of This Regulation

Comment: Several commenters pointed out an unintended interaction between proposed §§ 164.510(f) and 164.510(n). Because proposed § 164.510(n), allowing disclosures mandated by other laws, applied only if the disclosure would not fall into one of the categories of disclosures provided for in § 164.510 (b)–(m), disclosures of protected health information mandated for law enforcement purposes by other law would have been preempted.

Response: We agree, and in the final rule we address this unintended
blanket determination that state groups, describe many such situations. interaction. It is not our intent to
licensing officials are or are not law Moreover, this rule sets forth minimum preempt these laws. To clarify the
enforcement officials under this privacy protections and does not interaction between these provisions, in
regulation. We note, however, that the preempt more stringent, pre-existing the final rule we have specifically added
oversight of licensed providers generally standards. language to the paragraph addressing
is included as a health oversight activity Comment: Some commenters argued disclosures for law enforcement that
at § 164.512(d). that health records should be entitled to permits covered entities to comply with
at least as much protection as cable legal mandates, and have included a
Relationship to Existing Rules and subscription records and video rental specific cross reference in the provision
Practices records. of the final rule that permits covered
Comment: Many commenters Response: We agree. The Secretary, in entities to make other disclosures
expressed concern that the proposed presenting her initial recommendations required by law. See § 164.512(a).
rule would have expanded current law on the protection of health information Comment: Several commenters argued
enforcement access to protected health to the Congress in 1997, stated that, that, when a victim of abuse or of a
information. Many commenters said ‘‘When Congress looked at the privacy crime has requested restrictions on
that the NPRM would have weakened threats to our credit records, our video disclosure, the restrictions should be
their current privacy practices with records, and our motor vehicle records, communicated to any law enforcement
respect to law enforcement access to it acted quickly to protect them. It is officials who receive that protected
health records. For example, some of the time to do the same with our health care health information.
commenters arguing that a warrant or records’ (Testimony of Donna E. Response: We do not have the
subpoena should be required prior to Shalala, Secretary, U. S. Department of authority to regulate law enforcement

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00220 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82681

use and disclosure of protected health judicial review prior to release of choice of obtaining records with or
information, and therefore we could not protected health information to law without a court order, and that law
enforce any such restrictions enforcement because this regulation enforcement ‘‘will choose the least
communicated to law enforcement cannot limit further uses or disclosures restrictive means of obtaining records,
officials. For this reason, we determined of protected health information once it those that do not require review by a
that the benefits to be gained from is in the hands of law enforcement judge or a prosecutor.’’ Several
requiring communication of restrictions agencies. commenters argued that this provision
would not outweigh the burdens such a Response: We agree that there are would have provided the illusion of
requirement would place on covered advantages to legislation that imposes barriers—but no real barriers—to law
entities. We expect that professional appropriate restrictions directly on the enforcement access to protected health
ethics will guide health care providers’ re-use and re-disclosure of protected information. A few argued that this
communications to law enforcement health information by many persons provision would have allowed law
officials about the welfare of victims of who may lawfully receive protected enforcement to regulate itself.
abuse or other crime. health information under this Response: We agree with commenters
Comment: Some commenters argued regulation, but whom we cannot that, in some cases, a law enforcement
against imposing the ‘‘minimum regulate under the HIPAA legislative official may have discretion to seek
necessary’’ requirement on disclosure of authority, including law enforcement health information under more than one
protected health information to law agencies. legal avenue. Allowing a choice in these
enforcement officials. Some law Comment: A few commenters circumstances does not mean an
enforcement commenters expressed expressed concern that protected health absence of real limits. Where law
concern that the ‘‘minimum necessary’’ information about persons who are not enforcement officials choose to obtain
test could be ‘‘manipulated’’ by a suspects may be used in court and protected health information through
covered entity that wished to withhold thereby become public knowledge. administrative process, they must meet
relevant evidence. A number of covered These commenters urged us to take the three-part test required by this
entities complained that they were ill- steps to minimize or prevent such regulation.
equipped to substitute their judgment protected health information from Comment: At least one commenter
for that of law enforcement for what was becoming part of the public record. argued for judicial review prior to
the minimum amount necessary, and Response: We agree that individuals disclosure of health information because
they also argued that the burden of should be protected from unnecessary the rule will become the ‘‘de facto’’
determining the ‘‘minimum public disclosure of health information standard for release of protected health
necessary’information should be about them. However, we do not have information.
transferred to law enforcement agencies. the statutory authority in this regulation Response: We do not intend for this
Some commenters argued that imposing to require courts to impose protective regulation to become the ‘‘de facto’’
such ‘‘uninformed’’ discretion on standard for release of protected health
orders. To the extent possible within the
covered entities would delay or thwart information. Nothing in this regulation
HIPAA statutory authority, we address
legitimate investigations, and would limits the ability of states and other
this problem in § 164.512(e), Judicial
result in withholding information that governmental authorities to impose
and Administrative Proceedings.
might exculpate an individual or might Comment: Some commenters argued stricter requirements on law
be necessary to present a defendant’s that evidence obtained in violation of enforcement access to protected health
case. One comment suggested that the regulation should be inadmissible at information. Similarly, we do not limit
covered entities have ‘‘immunity’’ for trial. the ability of covered entities to adopt
providing too much information to law Response: In this regulation, we do stricter policies for disclosure of
enforcement. not have the authority to regulate the protected health information not
Response: The ‘‘minimum necessary’’ courts. We can neither require nor mandated by other laws.
standard is discussed at § 164.514. Comment: A few commenters
prohibit courts from excluding evidence
Comment: A few commenters asked expressed concern that proposed
obtain in violation of this regulation.
us to clarify when a disclosure is for a § 164.510(f)(1) would have
‘‘Judicial or Administrative Proceeding’’ Comments Regarding Proposed overburdened the judicial system.
and when it is for ‘‘Law Enforcement’’ § 164.510(f)(1), Disclosures to Law Response: The comments did not
purposes. Enforcement Pursuant to Process provide any factual basis for evaluating
Response: In the final rule we have this concern.
Comments Supporting or Opposing a Comment: Some commenters argued
clarified that § 164.512(e) relating to
Requirement of Consent or Court Order that, while a court order should be
disclosures for judicial or administrative
proceedings does not supersede the Comment: Some commenters argued required, the standard of proof should
authority of a covered entity to make that a rule that required a court order for be something other than ‘‘probable
disclosures under other provisions of every instance that law enforcement cause.’’ For example, one commenter
the rule. sought protected health information argued that the court should apply the
would impose substantial financial and three-part test proposed in
Use of Protected Health Information administrative burdens on federal and § 164.510(f)(1)(i)(C). Another commenter
After Disclosure to Law Enforcement state law enforcement and courts. Other suggested a three-part test: The
Comment: Many commenters commenters argued that imposing a new information is necessary, the need
recommended that we restrict law requirement of prior judicial process cannot be met with non-identifiable
enforcement officials’ re-use and re- would compromise the time-sensitive information, and the need of law
disclosure of protected health nature of many investigations. enforcement outweighs the privacy
information. Some commenters asked us Response: We do not impose such a interest of the patient. Some
to impose such restrictions, while other requirement in this regulation. commenters suggested that we impose a
commenters noted that the need for Comment: Many commenters argued ‘‘clear and convincing’’ standard.
such restrictions underscores the need that proposed § 164.510(f)(1) would Another suggested that we require clear
for legislation. Another argued for have given law enforcement officials the and convincing evidence that: (1) The

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00221 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82682 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

information sought is relevant and information to its attorneys as needed, the information that may lawfully be
material to a legitimate criminal to perform health care operations, disclosed, the circumstances in which
investigation; (2) the request is as including to assess the covered entity’s the information may be disclosed, and
specific and narrow as is reasonably appropriate response to court orders. requirements for verifying the identity
practicable; (3) de-identified See definition of ‘‘health care and authority of the person requesting
information, for example coded records, operations’’ under § 164.501. the disclosures.
could not reasonably be used; (4) on Comment: Many commenters argued We also allow disclosure of protected
balance, the need for the information that the regulation should prohibit health information to law enforcement
outweighs the potential harm to the disclosures of protected health officials without consent when other
individuals and to patient care information to law enforcement absent law mandates the disclosures. When
generally; and (5) safeguards patient consent. such other law exists, another public
appropriate to the situation have been Response: We disagree with the entity has made the determination that
considered and imposed. This comment comment. Requiring consent prior to law enforcement interests outweigh the
also suggested the following as such any release of protected health individual’s privacy interests in the
appropriate safeguard: granting only the information to a law enforcement situations described in that other law,
right to inspect and take notes; allowing official would unduly jeopardize public and we do not upset that determination
copying of only certain portions of safety. Law enforcement officials need in this regulation.
records; prohibiting removing records protected health information for their Comment: Several commenters
from the premises; placing limits on investigations in a variety of recommended requiring that individuals
subsequent use and disclosure; and circumstances. The medical condition receive notice and opportunity to
requiring return or destruction of the of a defendant could be relevant to contest the validity of legal process
information at the earliest possible whether a crime was committed, or to under which their protected health
time.) Others said the court order the seriousness of a crime. The medical information will be disclosed, prior to
should impose a ‘‘minimum necessary’’ condition of a witness could be relevant disclosure of their records to law
standard. to the reliability of that witness. Health enforcement. Some of these commenters
Response: We have not revised the information may be needed from recommended adding this requirement
regulation in response to comments emergency rooms to locate a fleeing to provisions proposed in the NPRM,
suggesting that we impose additional prison escapee or criminal suspect who while others recommended establishing
standards relating to disclosures to was injured and is believed to have this requirement as part of a new
comply with court orders. Unlike stopped to seek medical care. requirement for a judicial warrant prior
administrative subpoenas, where there These and other uses of medical to all disclosures of protected health
is no independent review of the order, information are in the public interest. information to law enforcement. At least
court orders are issued by an Requiring the authorization of the one of these commenters proposed an
independent judicial officer, and we subject prior to disclosure could make exception to such a notice requirement
believe that covered entities should be apprehension or conviction of some where notice might lead to destruction
permitted under this rule to comply criminals difficult or impossible. In of the records.
with them. Court orders are issued in a many instances, it would not be Response: Above we discuss the
wide variety of cases, and we do not possible to obtain such consent, for reasons why we believe it is
know what hardships might arise by example because the subject of the inappropriate to require consent or a
imposing standards that would require information could not be located in time judicial order prior to any release of
judicial officers to make specific (or at all). In other instances, the protected health information to law
findings related to privacy. covered entity may not wish to enforcement. Many of those reasons
Comment: At least one commenter undertake the burden of obtaining the apply here, and they lead us not to
argued that the proposed rule would consent. Rather than an across-the-board impose such a notice requirement.
have placed too much burden on consent requirement, to protect Comment: A few commenters
covered entities to evaluate whether to individuals’ privacy interests while also believed that the proposed requirements
release information in response to a promoting public safety, we impose a in § 164.510(f)(1) would hinder
court order. This comment suggested set of procedural safeguards (described investigations under the Civil Rights for
that the regulation allow disclosure to in more detail elsewhere in this Institutionalized Persons Act (CRIPA).
attorneys for assessment of what the regulation) that covered entities must Response: We did not intend that
covered entity should release in ensure are met before disclosing provision to apply to investigations
response to a court order. protected health information to law under CRIPA, and we clarify in the final
Response: This regulation does not enforcement officials. rule that covered entities may disclose
change current requirements on or In most instances, such procedural protected health information for such
rights of covered entities with respect to safeguards consist of some prior legal investigations under the health
court orders for the release of health process, such as a warrant, grand jury oversight provisions of this regulation
information. Where such disclosures are subpoena, or an administrative (see § 164.512(d) for further detail).
required today, they continue to be subpoena that meets a three-part test for
required under this rule. Where other protecting privacy interests. When the Comments Suggesting Changes to the
law allows a covered entity to challenge information to be disclosed is about the Proposed Three-Part Test
a court order today, this rule will not victim of a crime, privacy interests are Comment: Many commenters argued
reduce the ability of a covered entity to heightened and we require the victim’s for changes to the proposed three-part
mount such a challenge. Under agreement prior to disclosure in most test that would make the test more
§ 164.514, a covered entity will be instances. In the limited circumstances difficult to meet. Many of these urged
permitted to rely on the face of a court where law enforcement interests are greater, but unspecified, restrictions.
order to meet this rule’s requirements heightened and we allow disclosure of Others argued that the proposed test
for verification of the legal authority of protected health information without was too stringent, and that it would
the request for information. A covered prior legal process or agreement, the have hampered criminal investigations
entity may disclose protected health procedural protections include limits on and prosecutions. Some argued that it

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00222 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82683

was too difficult for law enforcement to have required its subpoenas to be is not disturbed by this rule. When,
be specific at the beginning of an approved by a judicial officer. however, an existing standard for
investigation. Some argued that there Response: This rule does not require issuing administrative process provides
was no need to change current practices, judicial approval of administrative less protection, this rule imposes new
and they asked for elimination of the subpoenas. Administrative agencies can requirements.
three-part test because it was ‘‘more avoid the need for judicial review under Comment: Some covered entities said
stringent’’ than current practices and this regulation by issuing subpoenas for that they should not have been asked to
would make protected health protected health information only where determine whether the proposed three-
information more difficult to obtain for the three-part test has been met. part test has been met. Some argued that
law enforcement purposes. These Comment: Some commenters they were ill-equipped to make a
commenters urged elimination of the suggested alternative requirements for judgment on whether an administrative
three-part test so that administrative law enforcement access to protected subpoena actually met the three-part
bodies could continue current practices health information. A few suggested test, or that it was unfair to place the
without additional restrictions. Some of replacing the three-part test with a burden of making such determinations
these argued for elimination of the requirement that the request for on covered entities. Some argued that
three-part test for all administrative protected health information from law the burden should have been on law
subpoenas; others argued for enforcement be in writing and signed by enforcement, and that it was
elimination of the three-part test for a supervisory official, and/or that the inappropriate to shift the burden to
administrative subpoenas from various request ‘‘provide enough information covered entities. Other commenters
Inspectors General offices. A few about their needs to allow application of argued that the proposal would have
commenters argued that the provisions the minimum purpose rule.’’ given too much discretion to the record
in proposed § 164.510(f)(1) should be Response: A rule requiring only that
holders to withhold evidence without
eliminated because they would have the request for information be in writing
having sufficient expertise or
burdened criminal investigations and and signed fails to impose appropriate
information on which to make such
substantive standards for release of
prosecutions but would have served ‘‘no judgments. At least one comment said
health information. A rule requiring
useful public purpose.’’ that this aspect of the proposal would
only sufficient information for the
Response: We designed the proposed have caused delay and expense in the
covered entity to make a ‘‘minimum
three-part test to require proof that the detection and prevention of health care
necessary’’ determination would leave
government’s interest in the health fraud. The commenter believed that this
these decisions entirely to covered
information was sufficiently important delay and expense could be prevented
entities’ discretion. We believe that
and sufficiently focused to overcome the by shifting to law enforcement and
protection of individuals’ privacy
individual’s privacy interest. If the test health care oversight the responsibility
interests must start with a minimum
were weakened or eliminated, the to determine whether standards have
floor of protections applicable to all. We
individual’s privacy interest would be been met.
believe that while covered entities may
insufficiently protected. At the same At least one commenter
be free to provide additional protections
time, if the test were significantly more recommended eliminating the three-part
(within the limits of the law), they
difficult to meet, law enforcement’s test for disclosures of protected health
should not have the ability to allow
ability to protect the public interest information by small providers.
unjustified access to health information.
could be unduly compromised. Comment: Some commenters argued Some commenters argued that
Comment: At least one comment that the requirement for an unspecified allowing covered entities to rely on law
argued that, in the absence of a judicial ‘‘finding’’ for a court order should be enforcement representation that the
order, protected health information removed from the proposed rule, three-part test has been met would
should be released only pursuant to because it would have been confusing render the test meaningless.
specific statutory authority. and would have provided no guidance Response: Because the statute does
Response: It is impossible to predict to a court as to what finding would be not bring law enforcement officials
all the facts and circumstances, for sufficient. within the scope of this regulation, the
today and into the future, in which law Response: We agree that the rule must rely on covered entities to
enforcement’s interest in health requirement would have been implement standards that protect
information outweigh individuals’ confusing, and we delete this language individuals’ privacy interests, including
privacy interests. Recognizing this, from the final regulation. the three-part test for disclosure
states and other governments have not Comment: A few commenters argued pursuant to administrative subpoenas.
acted to list all the instances in which that the proposed three-part test should To reduce the burden on covered
health information should be available not be applied where existing federal or entities, we do not require a covered
to law enforcement officials. Rather, state law established a standard for entity to second-guess representations
they specify some such instances, and issuing administrative process. by law enforcement officials that the
rely on statutory, constitutional, and Response: It is the content of such a three part test has been met. Rather, we
other limitations to place boundaries on standard, not its mere existence, that allow covered entities to disclose
the activities of law enforcement determines whether the standard strikes protected health information to law
officials. Since the statutory authority to an appropriate balance between enforcement when the subpoena or
which the commenter refers does not individuals’ privacy interests and the other administrative request indicates
often exist, many uses of protected public interest in effective law on its face that the three-part test has
health information that are in the public enforcement activities. We assume that been met, or where a separate document
interest (described above in more detail) current authorities to issue so indicates. Because we allow such
would not be possible under such an administrative subpoena are all subject reliance, we do not believe that it is
approach. to some standards. When an existing necessary or appropriate to reduce
Comment: At least one commenter, an standard provides at least as much privacy protections for individuals who
administrative agency, expressed protection as the three-part test imposed obtain care from small health care
concern that the proposed rule would by this regulation, the existing standard providers.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00223 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82684 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Comment: Some commenters ask for entities and law enforcement officials, significant changes to this provision, to
modification of the three-part test to and would become obsolete over time. narrow the information that may be
include a balancing of the interests of Thus, we believe it would not be disclosed and make clear the limited
law enforcement and the privacy of the appropriate to specify when de- purpose of the provision. For example,
individual, pointing to such provisions identified information can or cannot be the proposed rule did not state
in the Leahy-Kennedy bill. used to meet legitimate law enforcement explicitly whether covered entities
Response: We agree with the needs. would have been allowed to initiate—in
comment that the balancing of these In the final rule, we allow the covered the absence of a request from law
interests is important in this entity to rely on a representation on the enforcement—disclosure of protected
circumstance. We designed the face of the subpoena (or similar health information to law enforcement
regulation’s three-part test to document) that the three-part test, officials for the purpose of identifying a
accomplish that result. including the ‘‘could not reasonably be suspect, fugitive, material witness or
Comment: At least one commenter used’’ criteria, is met. If a covered entity missing person. In the final rule, we
recommended that ‘‘relevant and believes that a subpoena is not valid, it clarify that covered entities may
material’’ be changed to ‘‘relevant,’’ may challenge that subpoena in court disclose protected health information
because ‘‘relevant’’ is a term at the core just as it may challenge today any for identifying purposes only in
of civil discovery rules and is thus well subpoena that it believes is not lawfully response to a request by a law
understood, and because it would be issued. This is true regardless of the enforcement official or agency. A
difficult to determine whether specific test that a subpoena must meet, ‘‘request by a law enforcement official
information is ‘‘material’’ prior to seeing and it is not a function of the ‘‘could not or agency’’ is not limited to direct
the documents. As an alternative, this reasonably be used’’ criteria. requests, but also includes oral or
commenter suggested explaining what written requests by individuals acting
we meant by ‘‘material.’’ Comments Regarding Proposed
§ 164.510(f)(2), Limited Information for on behalf of a law enforcement agency,
Response: Like the term ‘‘relevant,’’ such as a media organization
the term ‘‘material’’ is commonly used Identifying Purposes
broadcasting a request for the public’s
in legal standards and well understood. Comment: A number of commenters assistance in identifying a suspect on
Comment: At least one commenter suggested deleting the phrase “reasonably practical” from the second prong of the test, because, the commenter believed, it was not clear who would decide what is “reasonably practical” if the law enforcement agency and covered entity disagreed.

Response: We allow covered entities to rely on a representation on the face of the subpoena that the three-part test, including the “reasonably practical” criteria, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge any subpoena that today it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and is not a function of the “reasonably practical” criteria.

Comment: Some commenters requested elimination of the third prong of the test. One of these commenters suggested that the regulation should specify when de-identified information could not be used. Another recommended deleting the phrase “could not reasonably be used” from the third prong of the test, because the commenter believed it was not clear who would determine whether de-identified information “could reasonably be used” if the law enforcement agency and covered entity disagreed.

Response: We cannot anticipate in regulation all the facts and circumstances surrounding every law enforcement activity today, or in the future as technologies change. Such a rigid approach could not account for the variety of situations faced by covered

recommended deletion of this provision. These commenters argued that the legal process requirements in proposed § 164.510(f)(1) should apply when protected health information is disclosed for identification purposes. At least one privacy group recommended that if the provision were not eliminated in its entirety, “suspects” should be removed from the list of individuals whose protected health information may be disclosed for identifying purposes. Many commenters expressed concern that this provision would allow compilation of large data bases of health information that could be used for purposes beyond those specified in this provision.

Response: We retain this provision in the final rule. We continue to believe that identifying fugitives, material witnesses, missing persons, and suspects is an important national priority and that allowing disclosure of limited identifying information for this purpose is in the public interest. Eliminating this provision—or eliminating suspects from the list of types of individuals about whom disclosure of protected health information to law enforcement is allowed—would impede law enforcement agencies’ ability to apprehend fugitives and suspects and to identify material witnesses and missing persons. As a result, criminals could remain at large for longer periods of time, thereby posing a threat to public safety, and missing persons could be more difficult to locate and thus endangered.

However, as described above and in the following paragraphs, we make

the evening news. It includes “Wanted” posters, public announcements, and similar requests to the general public for assistance in locating suspects or fugitives.

Comment: A few commenters recommended additional restrictions on disclosure of protected health information for identification purposes. For example, one commenter recommended that the provision should either (1) require that the information to be disclosed for identifying purposes be relevant and material to a legitimate law enforcement inquiry and that the request be as specific and narrowly drawn as possible; or (2) limit disclosures to circumstances in which (a) a crime of violence has occurred and the perpetrator is at large, (b) the perpetrator received an injury during the commission of the crime, (c) the inquiry states with specificity the type of injury received and the time period during which treatment would have been provided, and (d) “probable cause” exists to believe the perpetrator received treatment from the provider.

Response: We do not agree that these additional restrictions are appropriate for disclosures of limited identifying information for purposes of locating or identifying suspects, fugitives, material witnesses or missing persons. The purpose of this provision is to permit law enforcement to obtain limited time-sensitive information without the process requirements applicable to disclosures for other purposes. Only limited information may be disclosed under this provision, and disclosure is permitted only in limited circumstances. We believe that these
safeguards are sufficient, and that creating additional restrictions would undermine the purpose of the provision and that it would hinder law enforcement’s ability to obtain essential, time-sensitive information.

Comment: A number of law enforcement agencies recommended that the provision in the proposed rule be broadened to permit disclosure to law enforcement officials for the purpose of “locating” as well as “identifying” a suspect, fugitive, material witness or missing person.

Response: We agree with the comment and have changed the provision in the final rule. We believe that locating suspects, fugitives, material witnesses and missing persons is an important public policy priority, and that it can be critical to identifying these individuals. Further, efforts to locate suspects, fugitives, material witnesses, and missing persons can be at least as time-sensitive as identifying such individuals.

Comment: Several law enforcement agencies requested that the provision be broadened to permit disclosure of additional pieces of identifying information, such as ABO blood type and Rh factor, DNA information, dental records, fingerprints, and/or body fluid and tissue typing, samples and analysis. These commenters stated that additional identifying information may be necessary to permit identification of suspects, fugitives, material witnesses or missing persons. On the other hand, privacy and consumer advocates, as well as many individuals, were concerned that this section would allow all computerized medical records to be stored in a large law enforcement data base that could be scanned for matches of blood, DNA, or other individually identifiable information.

Response: The final rule seeks to strike a balance in protecting privacy and facilitating legitimate law enforcement inquiries. Specifically, we have broadened the NPRM’s list of data elements that may be disclosed pursuant to this section, to include disclosure of ABO blood type and Rh factor for the purpose of identifying or locating suspects, fugitives, material witnesses or missing persons. We agree with the commenters that these pieces of information are important to law enforcement investigations and are no more invasive of privacy than the other pieces of protected health information that may be disclosed under this provision.

However, as explained below, protected health information associated with DNA and DNA analysis; dental records; or typing, samples or analyses of tissues and bodily fluids other than blood (e.g., saliva) cannot be disclosed for the location and identification purposes described in this section. Allowing disclosure of this information is not necessary to accomplish the purpose of this provision, and would be substantially more intrusive into individuals’ privacy. In addition, we understand commenters’ concern about the potential for such information to be compiled in law enforcement data bases. Allowing disclosure of such information could make individuals reluctant to seek care out of fear that health information about them could be compiled in such a data base.

Comment: Many commenters argued that proposed § 164.510(f)(2) should be deleted because it would permit law enforcement to engage in “fishing expeditions” or to create large data bases that could be searched for suspects and others.

Response: Some of this fear may have stemmed from the inclusion of the phrase “other distinguishing characteristic”—which could be construed broadly—in the list of items that could have been disclosed pursuant to this section. In the final rule, we delete the phrase “other distinguishing characteristic” from the list of items that can be disclosed pursuant to § 164.512(f)(2). In its place, we allow disclosure of a description of distinguishing physical characteristics, such as scars, tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. We believe that such a change, in addition to the changes described in the paragraph above, responds to commenters’ concern that the NPRM would have allowed creation of a government data base of personal identifying information. Further, this modification provides additional guidance to covered entities regarding the type of information that may be disclosed under this provision.

Comment: At least one commenter recommended removing social security numbers (SSNs) from the list of items that may be disclosed pursuant to proposed § 164.510(f)(2). The commenter was concerned that including SSNs in the (f)(2) list would cause law enforcement agencies to demand that providers collect SSNs. In addition, the commenter was concerned that allowing disclosure of SSNs could lead to theft of identity by unscrupulous persons in police departments and health care organizations.

Response: We disagree. We believe that on balance, the potential benefits from use of SSNs for this purpose outweigh the potential privacy intrusion from such use of SSNs. For example, SSNs can help law enforcement officials identify suspects who are using aliases.

Comments Regarding Proposed § 164.510(f)(3), Information About a Victim of Crime or Abuse

Comment: Some law enforcement organizations expressed concern that proposed § 164.510(f)(3) could inhibit compliance with state mandatory reporting laws.

Response: We recognize that the NPRM could have preempted such state mandatory reporting laws, due to the combined impact of proposed §§ 164.510(m) and 164.510(f). As explained in detail in § 164.512(a) above, we did not intend that result, and we modify the final rule to make clear that this rule does not preempt state mandatory reporting laws.

Comment: Many commenters, including consumer and provider groups, expressed concern that allowing covered entities to disclose protected health information without authorization to law enforcement regarding victims of crime, abuse, and other harm could endanger victims, particularly victims of domestic violence, who could suffer further abuse if their abuser learned that the information had been reported. Provider groups also expressed concern about undermining provider-patient relationships. Some law enforcement representatives noted that in many cases, health care providers’ voluntary reports of abuse or harm can be critical for the successful prosecution of violent crime. They argued that by precluding providers from voluntarily reporting to law enforcement evidence of potential abuse, the proposed rule could make it more difficult to apprehend and prosecute criminals.

Response: We recognize the need for heightened sensitivity to the danger facing victims of crime in general, and victims of domestic abuse or neglect in particular. As discussed above, the final rule includes a new section (§ 164.512(c)) establishing strict conditions for disclosure of protected health information about victims of abuse, neglect, and domestic violence. Victims of crime other than abuse, neglect, or domestic violence can also be placed in further danger by disclosure of protected health information relating to the crime. In § 164.512(f)(3) of the final rule, we establish conditions for disclosure of protected health information in these circumstances, and we make significant modifications to the proposed rule’s provision for such disclosures. Under the final rule, unless a state or other
government authority has enacted a law requiring disclosure of protected health information about a victim to law enforcement officials, in most instances, covered entities must obtain the victim’s agreement before disclosing such information to law enforcement officials. This requirement gives victims control over decision making about their health information where their safety could be at issue, helps promote trust between patients and providers, and is consistent with health care providers’ ethical obligation to seek patient authorization whenever possible before disclosing protected health information.

At the same time, the rule strikes a balance between protecting victims and providing law enforcement access to information about potential crimes that cause harm to individuals, by waiving the requirement for agreement in two situations. In allowing covered entities to disclose protected health information about a crime victim pursuant to a state or other mandatory reporting law, we defer to other governmental bodies’ judgments on when certain public policy objectives are important enough to warrant mandatory disclosure of protected health information to law enforcement. While some mandatory reporting laws are written more broadly than others, we believe that it is neither appropriate nor practicable to distinguish in federal regulations between what we consider overly broad and sufficiently focused mandatory reporting laws.

The final rule waives the requirement for agreement if the covered entity is unable to obtain the individual’s agreement due to incapacity or other emergency circumstance, and (1) the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity determines, in the exercise of professional judgment, that the disclosure is in the individual’s best interests. By allowing covered entities, in the exercise of professional judgment, to determine whether such disclosures are in the individual’s best interests, the final rule recognizes the importance of the provider-patient relationship.

In addition, the final rule allows covered entities to initiate disclosures of protected health information about victims without the victim’s permission to law enforcement officials only if such disclosure is required under a state mandatory reporting law. In other circumstances, plans and providers may disclose protected health information only in response to a request from a law enforcement official. We believe that such an approach recognizes the importance of promoting trust between victims and their health care providers. If providers could initiate reports of victim information to law enforcement officials absent a legal reporting mandate, victims may avoid giving their providers health information that could facilitate their treatment, or they may avoid seeking treatment completely.

Comment: Many commenters believed that access to medical records pursuant to this provision should occur only after judicial review. Others believed that it should occur only with patient consent or after notifying the patient of the disclosure to law enforcement.

Similarly, some commenters said that the minimum necessary standard should apply to this provision, and they recommended restrictions on law enforcement agencies’ re-use of the information.

Response: As discussed above, the final rule generally requires individual agreement as a condition for disclosure of a victim’s health information; this requirement provides greater privacy protection and individual control than would a requirement for judicial review. We also discuss above the situations in which this requirement for agreement may be waived, and why that is appropriate. The requirement that covered entities disclose the minimum necessary protected health information consistent with the purpose of the disclosure applies to disclosures of protected health information about victims to law enforcement, unless the disclosure is required by law. (See § 164.514 for more detail on the requirements for minimum necessary use and disclosure of protected health information.) As described above, HIPAA does not provide statutory authority for HHS to regulate law enforcement agencies’ re-use of protected health information that they obtain pursuant to this rule.

Comment: A few commenters expressed concern that the NPRM would not have required law enforcement agencies’ requests for protected health information about victims to be in writing. They believed that written requests could promote clarity in law enforcement requests, as well as greater accountability among law enforcement officials seeking information.

Response: We do not impose this requirement in the final rule. We believe that such a requirement would not provide significant new protection for victims and would unduly impede the completion of legitimate law enforcement investigations.

Comment: A provider group was concerned that it would be difficult for covered entities to evaluate law enforcement officials’ claims that information is needed and that law enforcement activity may be necessary. Some comments from providers and individuals expressed concern that the proposed rule would have provided open-ended access by law enforcement to victims’ medical records because of this difficulty in evaluating law enforcement claims of their need for the information.

Response: We modify the NPRM in several ways that reduce covered entities’ decisionmaking burdens. The final rule clarifies that covered entities may disclose protected health information about a victim of crime where a report is required by state or other law, and it requires the victim’s agreement for disclosure in most other instances. The covered entity must make the decision whether to disclose only in limited circumstances: when there is no mandatory reporting law; or when the victim is unable to provide agreement and the law enforcement official represents that: the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred, that the information will not be used against the victim, and that immediate law enforcement activity that depends on such information would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. In these circumstances, we believe it is appropriate to rely on the covered entity, in the exercise of professional judgment, to determine whether the disclosure is in the individual’s best interests. Other sections of this rule allow covered entities to reasonably rely on certain representations by law enforcement officials (see § 164.514, regarding verification) and require disclosure of the minimum necessary protected health information for this purpose. Together, these provisions do not allow open-ended access or place undue responsibility on providers.

Comments Regarding Proposed § 164.510(f)(4), Intelligence and National Security Activities

In the final rule, we recognize that disclosures for intelligence and national security activities do not always involve
law enforcement. Therefore, we delete the provisions of proposed § 164.510(f)(4), and we address disclosures for intelligence and national security activities in § 164.512(k), on uses and disclosures for specialized government functions. Comments and responses on these issues are included below, in the comments for that section.

Comments Regarding Proposed § 164.510(f)(5), Health Care Fraud, Crimes on the Premises, and Crimes Witnessed by the Covered Entity’s Workforce

Comment: Many commenters noted that proposed § 164.510(f)(5)(i), which covered disclosures for investigations and prosecutions of health care fraud, overlapped with proposed § 164.510(c) which covered disclosures for health oversight activities.

Response: As discussed more fully in § 164.512(d) of this preamble, above, we agree that proposed § 164.510(f)(5)(i) created confusion because all disclosures covered by that provision were already permitted under proposed § 164.510(c) without prior process. In the final rule, therefore, we delete proposed § 164.510(f)(5)(i).

Comment: One commenter was concerned the proposed provision would not have allowed an emergency room physician to report evidence of abuse when the suspected abuse had not been committed on the covered entity’s premises.

Response: Crimes on the premises are only one type of crime that providers may report to law enforcement officials. The rules for reporting evidence of abuse to law enforcement officials are described in § 164.512(c) of the rule, and described in detail in § 164.512(c) of the preamble. An emergency room physician may report evidence of abuse if the conditions in § 164.512(c) are met, regardless of where the abuse occurred.

Comment: One commenter argued that covered entities should be permitted to disclose information that “indicates the potential existence” of evidence, not just information that “constitutes evidence” of crimes on the premises or crimes witnessed by a member of the covered entity’s workforce.

Response: We agree that covered entities should not be required to guess correctly whether information will be admitted to court as evidence. For this reason, we include a good-faith standard in this provision. Covered entities may disclose information that they believe in good faith constitutes evidence of a crime on the premises. If the covered entity discloses protected health information in good faith but is wrong in its belief that the information is evidence of a violation of law, the covered entity will not be subject to sanction under this regulation.

Section 164.512(g)—Uses and Disclosures About Decedents

Coroners and Medical Examiners

Comment: We received several comments, for example, from state and county health departments, a private foundation, and a provider organization, in support of the NPRM provision allowing disclosure without authorization to coroners and medical examiners.

Response: The final rule retains the NPRM’s basic approach to disclosure to coroners and medical examiners. It allows covered entities to disclose protected health information without authorization to coroners and medical examiners, for identification of a deceased person, determining cause of death, or other duties authorized by law.

Comment: In the preamble to the NPRM, we said we had considered but rejected the option of requiring covered entities to redact from individuals’ medical records any information identifying other persons before disclosing the record to a coroner or medical examiner. We solicited comment on whether health care providers routinely identify other persons specifically in an individual’s medical record and if so, whether in the final rule we should require health care providers to redact information about the other person before providing it to a coroner or medical examiner.

A few commenters said that medical records typically do not include information about persons other than the patient. One commenter said that patient medical records occasionally reference others such as relatives or employers. These commenters recommended requiring redaction of such information in any report sent to a coroner or medical examiner. On the other hand, other commenters said that redaction should not be required. These commenters generally based their recommendation on the burden and delay associated with redaction. In addition to citing the complexity and time involved in redaction of medical records provided to coroners, one commenter said that health plans and covered health care providers were not trained to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Another commenter said that redaction should not be required because coroners and medical examiners needed some additional family information to determine what would be done with the deceased after their post-mortem investigation is completed.

Response: We recognize the burden associated with redacting medical records to remove the names of persons other than the patient. In addition, as stated in the preamble to the NPRM, we recognize that there is a limited time period after death within which an autopsy must be conducted. We believe that the delay associated with this burden could make it impossible to conduct a post-mortem investigation within the required time frame. In addition, we agree that health plans and covered health care providers may lack the training necessary to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Thus, in the final rule, we do not require health plans or covered providers to redact information about persons other than the patient who may be identified in a patient’s medical record before disclosing the record to a coroner or medical examiner.

Comment: One commenter said that medical records sent to coroners and medical examiners were considered their work product and thus were not released from their offices to anyone else. The commenter recommended that HHS establish regulations on how to dispose of medical records and that we create a “no re-release” statement to ensure that individual privacy is maintained without compromising coroners’ or medical examiners’ access to protected health information. The organization said that such a policy should apply regardless of whether the investigation was civil or criminal.

Response: HIPAA does not provide HHS with statutory authority to regulate coroners’ or medical examiners’ re-use or re-disclosure of protected health information unless the coroner or medical examiner is also a covered entity. However, we consistently have supported comprehensive privacy legislation to regulate disclosure and use of individually identifiable health information by all entities that have access to it.

Funeral Directors

Comment: One commenter recommended modifying the proposed rule to allow disclosure without authorization to funeral directors. To accomplish this change, the commenter suggested either: (1) Adding another subsection to proposed § 164.510 of the NPRM, to allow disclosure without authorization to funeral directors as needed to make arrangements for
funeral services and for disposition of a deceased person’s remains; or (2) revising proposed § 164.510(e) to allow disclosure of protected health information to both coroners and funeral directors. According to this commenter, funeral directors often need certain protected health information for the embalming process, because a person’s medical condition may affect the way in which embalming is performed. For example, the commenter noted, funeral directors increasingly receive bodies after organ and tissue donation, which has implications for funeral home staff duties associated with embalming.

Response: We agree with the commenter. In the final rule, we permit covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. When necessary for funeral directors to carry out their duties, covered entities may disclose protected health information prior to and in reasonable anticipation of the individual’s death.

Comment: One commenter recommended clarifying in the final rule that it does not restrict law enforcement agencies’ release of medical information that many state records laws require to be reported, for example, as part of autopsy reports. The commenter recommended stating that law enforcement officials may independently gather medical information, that such information would not be covered by these rules, and that it would continue to be covered under applicable state and federal access laws.

Response: HIPAA does not give HHS statutory authority to regulate law enforcement officials’ use or disclosure of protected health information. As stated elsewhere, we continue to support enactment of comprehensive privacy legislation to cover disclosure and use of all individually identifiable health information.

Comment: One commenter recommended prohibiting health plans and covered health care providers from disclosing psychotherapy notes to coroners or medical examiners.

Response: We disagree with the commenter who asserted that psychotherapy notes should only be used by or disclosed to coroners and medical examiners with authorization. Psychotherapy notes are sometimes needed by coroners and medical examiners to determine cause of death, such as in cases where suicide is suspected as the cause of death. We understand that several states require the disclosure of protected health information, including psychotherapy notes, to medical examiners and coroners. However, in the absence of a state law requiring such disclosure, we do not intend to prohibit coroners or medical examiners from obtaining the protected health information necessary to determine an individual’s cause of death.

Section 164.512(h)—Uses and Disclosures for Organ Donation and Transplantation Purposes

Comment: Commenters noted that under the organ donation system, information about a patient is disclosed before seeking consent for donation from families. These commenters offered suggestions for ensuring that the system could continue to operate without consent for information sharing with organ procurement organizations and tissue banks. Commenters suggested that organ and tissue procurement organizations should be “covered entities” or that the procurement of organs and tissues be included in the definition of health care operations or treatment, or in the definition of emergency circumstances.

Response: We agree that organ and tissue donation is a special situation due to the need to protect potential donors’ families from the stress of considering whether their loved one should be a donor before a determination has been made that donation would be medically suitable. Rather than list the entities that are “covered entities” or modify the definitions of health care operations and treatment or emergency circumstances to explicitly include organ procurement organizations and tissue banks, we have modified § 164.512 to permit covered entities to use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissues.

Comment: Commenters asked that the rule clarify that organ procurement organizations are health care providers but not business partners of the hospitals.

Response: We agree that organ procurement organizations and tissue banks are generally not business associates of hospitals.

Disclosures and Uses for Government Health Data Systems

Comment: We received a number of comments supporting the exception for disclosure of protected health information to government health data systems. Some supporters stated a general belief that the uses of such information were important to improve and protect the health of the public. Commenters said that state agencies used the information from government health data systems to contribute to the improvement of the health care system by helping prevent fraud and abuse and helping improve health care quality, efficiency, and cost-effectiveness. Commenters asserted that state agencies take action to ensure that data they release based on these data systems do not identify individuals.

We also received a large volume of comments opposed to the exception for use and disclosure of protected health information for government health data systems. Many commenters expressed the general concern that the provision threatened their privacy, and many believed that their health information would be subject to abuse by government employees. Commenters expressed concern that the provision would facilitate collection of protected health information in one large, centralized government health database that could threaten privacy. Others argued that the proposed rule would facilitate law enforcement access to protected health information and could, in fact, become a database for law enforcement use.

Many commenters asserted that this provision would make individuals concerned about confiding in their health care providers. Some commenters argued that the government should not be allowed to collect individually identifiable health information without patient consent, and that the government could use de-identified data to perform the public policy analyses. Many individual commenters said that HHS lacked statutory and Constitutional authority to give the government access and control of their medical records without consent.

Many commenters believed that the NPRM language on government health data systems was too broad and would allow virtually any government collection of data to be covered. They argued that the government health data system exception was unnecessary because there were other provisions in the proposed rules providing sufficient authority for government agencies to obtain the information they need.

Some commenters were concerned that the NPRM’s government health data system provisions would allow disclosure of protected health information for purposes unrelated to health care. These commenters recommended narrowing the provision to allow disclosure of protected health
information without consent to government health data systems in support of health care-related policy, planning, regulatory, or management functions. Others recommended narrowing the exception to allow use and disclosure of protected health information for government health databases only when a specific statute or regulation has authorized collection of protected health information for a specific purpose.

Response: We agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health databases was overly broad, and we remove it from the final rule.

We reviewed the important purposes identified in the comments for government access to protected health information, and believe that the disclosures of protected health information that should appropriately be made without individuals’ authorization can be achieved through the other disclosures provided for in the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, research, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow a covered entity to disclose protected health information without authorization to a public health authority to monitor trends in the spread of infectious disease, morbidity, and mortality. Under the rule’s health oversight provision, covered entities can continue to disclose protected health information to public agencies for purposes such as analyzing the cost and quality of services provided by covered entities; evaluating the effectiveness of federal, state, and local public programs; examining trends in health insurance coverage of the population; and analyzing variations in access to health coverage among various segments of the population. We believe that it is better to remove the proposed provision for government health data systems generally and to rely on other, more narrowly tailored provisions in the rule to authorize appropriate disclosures to government agencies.

Comment: Some provider groups, private companies, and industry organizations recommended expanding the exception for government health data systems to include data collected by private entities. These commenters said that such an expansion would be justified, because private entities often perform the same functions as public agencies collecting health data.

Response: We eliminate the exception for government health data systems because it was overbroad and the uses and disclosures we were trying to permit are permitted by other provisions. We note that private organizations may use or disclose protected health information pursuant to multiple provisions of the rule.

Comment: One commenter recommended clarifying in the final rule that the government health data system provisions apply to: (1) Manufacturers providing data to HCFA and its contractors to help the agency make reimbursement and related decisions; and to (2) third-party payors that must provide data collected by device manufacturers to HCFA to help the agency make reimbursement and related decisions.

Response: The decision to eliminate the general provision permitting disclosures to government health data systems makes this issue moot with respect to such disclosures. We note that the information used by manufacturers to support coverage determinations often is gathered pursuant to patient authorization (as part of informed consent for research) or as an approved research project. There also are many cases in which information can be de-identified before it is disclosed. Where HCFA hires a contractor to collect such protected health information, the contractor may do so under HCFA’s authority, subject to the business associate provisions of this rule.

Comment: One commenter recommended stating in the final rule that de-identified information from government health data systems can be disclosed to other entities.

Response: HHS does not have the authority to regulate re-use or re-disclosure of information by agencies or institutions that are not covered entities under the rule. However, we support the policies and procedures that public agencies already have implemented to de-identify any information that they redisclose, and we encourage the continuation of these activities.

Disclosures for Payment Processes

Proposed § 164.510(j) of the NPRM would have allowed disclosure of protected health information without authorization for banking and payment processes. In the final rule, we eliminate this provision. Disclosures that would have been allowed under it, as well as comments received on proposed § 164.510(j), are addressed under § 164.501 of the final rule, under the definition of ‘‘payment.’’

Section 164.512(i)—Uses and Disclosures for Research Purposes

Documentation Requirements of IRB or Privacy Board Approval of Waiver

Comment: A number of commenters argued that the proposed research requirements of § 164.510(j) exceeded the Secretary’s authority under section 246(c) of HIPAA. In particular, several commenters argued that the Department was proposing to extend the Common Rule and the use of the IRB or privacy boards beyond federally-funded research projects, without the necessary authority under HIPAA to do so. One commenter stated that, ‘‘Section 246(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information transmitted in connection with the transactions described in section 1173(a),’’ and thus concluded that the disclosure of health information to researchers is not covered. Some of these commenters also argued that the documentation requirements of proposed § 164.510(j) did not shield the NPRM from having the effect of regulating research by placing the onus on covered health care providers to seek documentation that certain standards had been satisfied before providing protected health information to researchers. These commenters argued that the proposed rule had the clear and intended effect of directly regulating researchers who wish to obtain protected health information from a covered entity.

Response: As discussed above, we do not agree with commenters that the Secretary’s authority is limited to individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of HIPAA. We also disagree that the proposed research documentation requirements would have constituted the unauthorized regulation of researchers. The proposed requirements established conditions for the use of protected health information by covered entities for research and the disclosure of protected health information by covered entities to researchers. HIPAA authorizes the Secretary to regulate such uses and disclosures, and the final rule retains documentation requirements similar to those proposed.

Comment: Several commenters believed that the NPRM was proposing either directly or indirectly to modify the Common Rule and, therefore, stated that such modification was beyond the Secretary’s authority under HIPAA. Many of these commenters arrived at this conclusion because the waiver of

authorization criteria proposed in § 164.510(j) differed from the Common Rule’s criteria for the waiver of informed consent (Common Rule, § __.116(d)).

Response: We do not agree that the proposed provision relating to research would have modified the Common Rule. The provisions that we proposed and provisions that we include in the final rule place conditions that must be met before a covered entity may use or disclose protected health information. Those conditions are in addition to any conditions required of research entities under the Common Rule. Covered entities will certainly be subject to laws and regulations in addition to the rule, but the rule does not require compliance with these other laws or regulations. For covered health care providers and health plans that are subject to both the final rule and the Common Rule, both sets of regulations will need to be followed.

Comment: A few commenters suggested that the Common Rule should be extended to all research, regardless of funding source.

Response: We generally agree with the commenters on the need to provide protections to all human subjects research, regardless of funding source. HIPAA, however, did not provide the Department with authority to extend the Common Rule beyond its current purview. For research that relies on the use or disclosure of protected health information by covered entities without authorization, the final rule applies the Common Rule’s principles for protecting research subjects by, in most instances, requiring documentation of independent board review, and a finding that specified criteria designed to protect the privacy of prospective research subjects have been met.

Comment: A large number of commenters agreed that the research use and disclosure of protected health information should not require authorization. Of these commenters, many supported the proposed rule’s approach to research uses and disclosures without authorization, including many from health care provider organizations, the mental health community, and members of Congress. Others, while they agreed that the research use and disclosure should not require authorization, disagreed with the NPRM’s approach and proposed alternative models.

The commenters who supported the NPRM’s approach to permitting researchers access to protected health information without authorization argued that it was appropriate to apply ‘‘Common Rule-like’’ provisions to privately funded research. In addition, several commenters explicitly argued that the option to use a privacy board, in lieu of an IRB, must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB’s ability to execute its primary patient protection role. Furthermore, several commenters believed that privacy board review should be permitted, but wanted equal oversight and accountability for privacy boards and IRBs.

Many other commenters agreed that the research use and disclosure should not require authorization, but disagreed with the proposed rule’s approach and proposed alternative models. Several of these commenters argued that the final rule should eliminate the option for privacy board review and that all research be subject to IRB review. These commenters stated that having separate and unequal systems to approve research based on its funding source would complicate compliance and go against the spirit of the regulations. Several of these commenters, many from patient and provider organizations, opposed the permitted use of privacy boards to review research studies and instead argued that IRB review should be required for all studies involving the use or disclosure of protected health information. These commenters argued that although privacy board requirements would be similar, they are not equitable; for example, only three of the Common Rule’s six requirements for the membership of IRBs were proposed to be required for the membership on privacy boards, and there was no proposed requirement for annual review of ongoing research studies that used protected health information. Several commenters were concerned that the proposed option to obtain documentation of privacy board review, in lieu of IRB review, would perpetuate the divide in the oversight of federally-funded versus publicly-funded research, rather than eliminate the differential oversight of publicly- and privately-funded research, with the former still being held to a stricter standard. Some of these commenters argued that these unequal protections would be especially apparent for the disclosure of research with authorization, since under the Common Rule, IRB review of human subjects studies is required, regardless of the subject’s consent, before the study may be conducted.

Response: Although we share the concern raised by commenters that the option for the documentation of privacy board approval for an alteration or waiver of authorization may perpetuate the unequal mechanisms of protecting the privacy of human research subjects for federally-funded versus publicly-funded research, the final rule is limited by HIPAA to addressing only the use and disclosure of protected health information by covered entities, not the protection of human research subjects more generally. Therefore, the rule cannot standardize human subjects protections throughout the country. Given the limited scope of the final rule with regard to research, the Department believes that the option to obtain documentation of privacy board approval for an alteration or waiver of authorization in lieu of IRB approval provides covered entities with needed flexibility. Therefore, in the final rule we have retained the option for covered entities to rely on documentation of privacy board approval that specified criteria have been met.

We disagree with the rationale suggested by commenters who argued that the option for privacy board review must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB’s ability to execute its primary patient protection role. For research that involves the use of individually identifiable health information, assessing the risk to the privacy of research subjects is currently one of the key risks that must be assessed and addressed by IRBs. In fact, we expect that it will be appropriate for many research organizations that have existing IRBs to rely on these IRBs to meet the documentation requirements of § 164.512(i).

Comment: One health care provider organization recommended that the IRB or privacy board mechanism of review should be applied to non-research uses and disclosures.

Response: We disagree. Imposing documentation of privacy board approval for other public policy uses and disclosures permitted by § 164.512 would result in undue delays in the use or disclosure of protected health information that could harm individuals and the public. For example, requiring that covered health care providers obtain third-party review before permitting them to alert a public health authority that an individual was infected with a serious communicable disease could delay appropriate intervention by a public health authority and could present a serious threat to the health of many individuals.

Comment: A number of commenters, including several members of Congress,

argued that since the research provisions in proposed § 164.510(j) were modeled on the existing system of human subjects protections, they were inadequate and would shatter public trust if implemented. Similarly, some commenters asserted that IRBs are not accustomed to reviewing and approving utilization reviews, outcomes research, or disease management programs and, therefore, IRB review may not be an effective tool for protecting patient privacy in connection with these activities. Some of these commenters noted that proposed § 164.510(j) would exacerbate the problems inherent in the current federal human subjects protection system, especially in light of the recent GAO reports that indicate the IRB system is already over-extended. Furthermore, a few commenters argued that the Common Rule’s requirements may be suited for interventional research involving human subjects, but are ill suited to the archival and health services research typically performed using medical records without authorization. Therefore, these commenters concluded that extending ‘‘Common Rule-like’’ provisions to the private sector would be inadequate to protect human subjects and would result in significant and unnecessary cost increases.

Response: While the vast majority of government-supported and regulated research adheres to strict protocols and the highest ethical standards, we agree that the federal system of human subjects protections can and must be strengthened. To work toward this goal, on May 23, the Secretary announced several additional initiatives to enhance the safety of subjects in clinical trials, strengthen government oversight of medical research, and reinforce clinical researchers’ responsibility to follow federal guidelines. As part of this initiative, the National Institutes of Health have undertaken an aggressive effort to ensure IRB members and IRB staff receive appropriate training in bioethics and other issues related to research involving human subjects, including research that involves the use of individually identifiable health information. With these added improvements, we believe that the federal system of human subjects protections continues to be a good model to protect the privacy of individually identifiable health information that is used for research purposes. This model of privacy protection is also consistent with the recent recommendations of both the Institute of Medicine in their report entitled, ‘‘Protecting Data Privacy in Health Services Research,’’ and the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance in their report entitled, ‘‘Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment.’’ Both of these reports similarly concluded that health services research that involves the use of individually identifiable health information should undergo IRB review or review by another board with sufficient expertise in privacy and confidentiality protection.

Furthermore, it is important to recognize that the Common Rule applies not only to interventional research, but also to research that uses individually identifiable health information, including archival research and health services research. The National Bioethics Advisory Commission (NBAC) is currently developing a report on the federal oversight of human subjects research, which is expected to address the unique issues raised by non-interventional human subjects research. The Department looks forward to receiving NBAC’s report, and carefully considering the Commission’s recommendations. This final rule is the first step in enhancing patients’ privacy and we will propose modifications to the rule if changes are warranted by the Commission’s findings and recommendations.

Comment: Many commenters argued that the proposed research provision would have a chilling effect on the willingness of health plans and covered providers to participate in research because of the criminal and civil penalties that could be imposed for failing to meet the requirements that would have been required by proposed § 164.510(j). Some of these commenters cautioned that, over time, research could be severely hindered if covered entities choose not to disclose protected health information to researchers. In addition, one commenter recommended that a more reasonable approach would be to require IRB or privacy board approval only if the results of the research were to be broadly published. Another commenter expressed concern that the privacy rule could influence IRBs or privacy boards to refuse to recognize the validity of decisions by other IRBs or privacy boards and specifically recommended that the privacy rule include a preamble statement that: (1) The ‘‘risk’’ balancing consider only the risk to the patient, not the risk to the institution, and (2) add a phrase that the decision by the initial IRB or privacy board to approve the research shall be given deference by other IRBs or privacy boards. This commenter also recommended that to determine whether IRBs or privacy boards were giving such deference to prior IRB or privacy board review, HHS should monitor the disapproval rate by IRBs or privacy boards conducting secondary reviews.

Response: As the largest federal sponsor of medical research, we understand the important role of research in improving our Nation’s health. However, the benefits of research must be balanced against the risks, including the privacy risks, for those who participate in research. An individual’s rights and welfare must never be sacrificed for scientific or medical progress. We believe that the requirements for the use and disclosure of protected health information for research without authorization provide an appropriate balance. We understand that some covered health care providers and health plans may conclude that the rule’s documentation requirements for research uses and disclosures are too burdensome.

We rejected the recommendation that documentation of IRB or privacy board approval of the waiver of authorization should only be required if the research were to be ‘‘broadly published.’’ Research findings that are published in de-identified form have little influence on the privacy interests of individuals. We believe that it is the use or disclosure of individually identifiable health information to a researcher that poses the greater risk to individuals’ privacy, not publication of de-identified information.

We agree with the commenters that IRB or privacy board review should address the privacy interests of individuals and not institutions. This provision is intended to protect individuals from unnecessary uses and disclosures of their health information and does not address institutional privacy.

We disagree with the comment that documentation of IRB or privacy board approval of the waiver of authorization should be given deference by other IRBs or privacy boards conducting secondary reviews. We do not believe that it is appropriate to restrict the deliberations or judgments of privacy boards, nor do we have the authority under this rule to instruct IRBs on this issue. Instead, we reiterate that all disclosures for research purposes under § 164.512(i) are voluntary, and that institutions may choose to impose more stringent requirements for any use and disclosure permitted under § 164.512.

Comment: Some commenters were concerned about the implications of proposed § 164.510(j) on multi-center research. These commenters argued that for multi-center research, researchers may require protected health information from multiple covered entities, each of whom may have different requirements for the documentation of IRB or privacy board review. Therefore, there was concern that documentation that may suffice for one covered entity may not for another, thereby hindering multi-center research.

Response: Since § 164.512(i) establishes minimum documentation standards for covered health care providers and health plans using or disclosing protected health information for research purposes, we understand that some covered providers and health plans may choose to require additional documentation from researchers. We note, however, that nothing in the final rule would preclude a covered health care provider or health plan from developing consistent documentation requirements, provided they meet the requirements of § 164.512(i).

Comment: One commenter was also concerned that the minimum necessary requirements of proposed § 164.506(b) would negatively affect multi-center research because covered entities participating in multi-site research studies would no longer be permitted to rely upon the consent form approved by a central IRB, nor would participating entities be permitted to report data to the researcher using the case report form approved by the central IRB to guide what data points to include. This commenter noted that the requirement that each site would need to undertake a separate minimum necessary review for each disclosure would erect significant barriers to the conduct of research and may compromise the integrity and validity of data combined from multiple sites. This commenter recommended that the Secretary absolve a covered entity of the responsibility to make its own individual minimum necessary determinations if the entity is disclosing information pursuant to an IRB or privacy board-approved protocol.

Response: The minimum necessary requirements in the final rule have been revised to permit covered entities to rely on the documentation of IRB or privacy board approval as meeting the minimum necessary requirements of § 164.514. However, we anticipate that much multi-site research, such as multi-site clinical trials, will be conducted with patients’ informed consent as required by the Common Rule and FDA’s protection of human subjects regulations, and that patients’ authorization will also be sought for the use or disclosure of protected health information for such studies. Therefore, it should be noted that the minimum necessary requirements do not apply for uses or disclosures made with an authorization. In addition, the final rule allows a covered health care provider or health plan to use or disclose protected health information pursuant to an authorization that was approved by a single IRB or privacy board, provided the authorization met the requirements of § 164.508. The final rule does not, however, require IRB or privacy board review for the use or disclosure of protected health information for research conducted with individuals’ authorization.

Comment: Some commenters believed that proposed § 164.510(j) would have required documentation of both IRB and privacy board review before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization.

Response: This is incorrect. Section 164.512(i)(1)(i) of the final rule requires documentation of alteration or waiver approval by either an IRB or a privacy board.

Comment: Some commenters believed that the proposed rule would have required that patients be notified whenever protected health information about themselves was disclosed for research purposes.

Response: This is incorrect. Covered entities are not required to inform individuals that protected health information about themselves has been disclosed for research purposes. However, as required in § 164.520 of the final rule, the covered entity must include research disclosures in their notice of information practices. In addition, as required by § 164.528 of the rule, covered health care providers and health plans must provide individuals, upon request, with an accounting of disclosures made of protected health information about the individual.

Comment: One commenter recommended that IRB and privacy boards also be required to be accredited.

Response: While we agree that the issue of accrediting IRBs and privacy boards deserves further consideration, we believe it is premature to require covered entities to ensure that the IRB or privacy board that approves an alteration or waiver of authorization is accredited. Currently, there are no accepted accreditation standards for IRBs or privacy boards, nor a designated accreditation body. Recognizing the need for and value of greater uniformity and public accountability in the review and approval process, HHS, with support from the Office of Human Research Protection, National Institutes of Health, Food and Drug Administration, Centers for Disease Control and Prevention, and Agency for Health Care Research and Quality, has engaged the Institute of Medicine to recommend uniform performance resource-based standards for private, voluntary accreditation of IRBs. This effort will draw upon work already undertaken by major national organizations to develop and test these standards by the spring of 2001, followed by initiation of a formal accreditation process before the end of next year. Once the Department has received the Institute of Medicine’s recommended accreditation standards and process for IRBs, we plan to consider whether this accreditation model would also be applicable to privacy boards.

Comment: A few commenters also noted that if both an IRB and a privacy board reviewed a research study and came to conflicting decisions, proposed § 164.510(j) was unclear about which board’s decision would prevail.

Response: The final rule does not stipulate which board’s decision would prevail if an IRB and a privacy board came to conflicting decisions. The final rule requires covered entities to obtain documentation that one IRB or privacy board has approved the alteration or waiver of authorization. The covered entity, however, has discretion to request information about the findings of all IRBs and/or privacy boards that have reviewed a research proposal. We strongly encourage researchers to notify IRBs and privacy boards of any prior IRB or privacy board review of a research protocol.

Comment: Many commenters noted that the NPRM included no guidance on how the privacy board should approve or deny researchers’ requests. Some of these commenters recommended that the regulation stipulate that privacy boards be required to follow the same voting rules as required under the Common Rule.

Response: We agree that the Common Rule (§ __.108(b)) provides a good model of voting procedures for privacy boards and incorporate such procedures to the extent they are relevant. In the final rule, we require that the documentation of alteration or waiver of authorization state that the alteration or waiver has been reviewed and approved by either (1) an IRB that has followed the voting requirements of the Common Rule (§ __.108(b)), or the expedited review

procedures of the Common Rule (§ __.110); or (2) unless an expedited review procedure is used, a privacy board that has reviewed the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting.

Comment: A few commenters were concerned that the research provisions would be especially onerous for small non-governmental entities, furthering the federal monopoly on research.

Response: We understand that the documentation requirements of § 164.512(i), as well as other provisions in the final rule, may be more onerous for small entities than for larger entities. We believe, however, that when protected health information is to be used or disclosed for research without an individual's authorization, the additional privacy protections in § 164.512(i) are essential to reduce the risk of harm to the individual.

Comment: One commenter believed that it was paradoxical that, under the proposed rule, the disclosure of protected health information for research conducted with an authorization would have been more heavily burdened than research that was conducted without authorization, which they reasoned was far less likely to bring personal benefit to the research subjects.

Response: It was not our intent to impose more requirements on covered entities using or disclosing protected health information for research conducted with authorization than for research conducted without authorization. In fact, the proposed rule would have required only authorization as stipulated in proposed § 164.508 for research disclosures made with authorization, and would have been exempt from the documentation requirements in proposed § 164.510(j). We retain this treatment in the final rule. We disagree with the commenter who asserted that the requirements for research conducted with authorization are more burdensome for covered health care providers and plans than the documentation provisions of this paragraph.

Comment: A number of comments, mostly from the pharmaceutical industry, recommended that the final rule state that privacy boards be permitted to waive authorization only with respect to research uses of medical information collected in the course of treatment or health care operations, and not with respect to clinical research. Similarly, one commenter recommended that IRBs and privacy boards be authorized to review privacy issues only, not the entire research project. These commenters were concerned that by granting waiver authority to privacy boards and IRBs, and by incorporating the Common Rule waiver criteria into the waiver criteria included in the proposed rule, the Secretary has set the stage for privacy boards to review and approve waivers in circumstances that involve interventional research that is not subject to the Common Rule.

Response: We agree with the commenters who recommended that the final rule clarify that the documentation of IRB or privacy board approval of the waiver of authorization would be based only on an assessment of the privacy risks associated with a research study, not an assessment of all relevant risks to participants. In the final rule, we have amended the language in the waiver criteria to make clear that these criteria relate only to the privacy interests of the individual. We anticipate, however, that the vast majority of uses and disclosures of protected health information for interventional research will be made with individuals' authorization. Therefore, we expect it will be rare that a researcher will seek IRB or privacy board approval for the alteration or waiver of authorization, but seek informed consent for participation for the interventional component of the research study. Furthermore, we believe that interventional research, such as most clinical trials, could not meet the waiver criteria in the final rule (§ 164.512(i)(2)(ii)(C)), which states "the research could not practicably be conducted without the alteration or waiver." If a researcher is to have direct contact with research subjects, the researcher should in virtually all cases be able to seek and obtain patients' authorization for the use and disclosure of protected health information about themselves for the research study.

Comment: A few commenters recommended that the rule explicitly state that covered entities would be permitted to rely upon an IRB's or privacy board's representation that the research proposal meets the requirements of proposed § 164.510(j).

Response: We agree with this comment. The final rule clarifies that covered health care providers and health plans are allowed to rely on an IRB's or privacy board's representation that the research proposal meets the requirements of § 164.512(i).

Comment: One commenter recommended that IRBs be required to maintain web sites with information on proposed and approved projects.

Response: We agree that it could be useful for IRBs and privacy boards to maintain web sites with information on proposed and approved projects. However, requiring this of IRBs and privacy boards is beyond the scope of our authority under HIPAA. In addition, this recommendation raises concerns that would need to be addressed, including concerns about protecting the confidentiality of research participants and proprietary information that may be contained in research proposals. For these reasons, we decided not to incorporate this requirement into the final rule.

Comment: One commenter recommended that HHS collect data on research-related breaches of confidentiality and investigate existing anecdotal reports of such breaches.

Response: This recommendation is beyond HHS' legal authority, since HIPAA did not give us the authority to regulate researchers. Therefore, this recommendation was not included in the final rule.

Comment: A number of commenters were concerned that HIPAA did not give the Secretary the authority to protect information once it was disclosed to researchers who were not covered entities.

Response: The Secretary shares these commenters' concerns about the Department's limited authority under HIPAA. We strongly support the enactment of additional federal legislation to fill these crucial gaps in the Secretary's authority.

Comment: One commenter recommended that covered entities should be required to retain the IRB's or privacy board's documentation of approval of the waiver of individuals' authorization for at least six years from when the waiver was obtained.

Response: We agree with this comment and have included such a requirement in the final rule. See § 164.530(j).

Comment: One commenter recommended that whenever health information is used for research or administrative purposes, a plan be in place to evaluate whether to and how to feed patient-specific information back into the health system to benefit an individual or group of patients from whom the health information was derived.

Response: While we agree that this recommendation is consistent with the
responsible conduct of research, HIPAA did not give us the authority to regulate research. Therefore, this recommendation was not included in the final rule.

Comment: A few commenters recommended that contracts between covered entities and researchers be pursued. Comments received in favor of requiring contractual agreements argued that such a contract would be enforceable under law, and should prohibit secondary disclosures by researchers. Some of these commenters recommended that contracts between covered entities and researchers should be the same as, or modeled on, the proposed requirements for business partners. In addition, some commenters argued that contracts between covered entities and researchers should be required as a means of placing equal responsibility on the researcher for protecting protected health information and for not improperly re-identifying information.

Response: In the final rule, we have added an additional waiver criterion to require that there are adequate written assurances from the researcher that protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart. We believe that this additional waiver criterion provides additional assurance that protected health information will not be misused by researchers, while not imposing the additional burdens of a contractual requirement on covered health care providers and health plans. We were not persuaded by the comments received that contractual requirements would provide necessary additional protections that would not also be provided by the less burdensome waiver criterion for adequate written assurance that the researcher will not re-use or disclose protected health information, with few exceptions. Our intent was to strengthen and extend existing privacy safeguards for protected health information that is used or disclosed for research, while not creating unnecessary disincentives to covered health care providers and health plans who choose to use or disclose protected health information for research purposes.

Comment: Some commenters explicitly opposed requiring contracts between covered entities and researchers as a condition of permitting the use or disclosure of protected health information for research purposes. These commenters argued that such a contractual requirement would be too onerous for covered entities and researchers and would hinder or halt important research.

Response: We agree with the arguments raised by these commenters, and thus, the final rule does not require contracts between covered entities and researchers as a condition of using or disclosing protected health information for research purposes without authorization.

Comment: A large number of commenters strongly supported requiring patient consent before protected health information could be used or disclosed, including but not limited to use and disclosure for research purposes. These commenters argued that the unconsented-to use of their medical records abridged their autonomy right to decide whether or not to participate in research. A few referenced the Nuremberg Code in support of their view, noting that the Nuremberg Code required individual consent for participation in research.

Response: We agree that it is of foremost importance that individuals' privacy rights and welfare be safeguarded when protected health information about themselves is used or disclosed for research studies. We also strongly believe that continued improvements in the nation's health require that researchers be permitted access to protected health information without authorization in certain circumstances. Additional privacy protections are needed, however, and we have included several in the final rule. If covered entities plan to disclose protected health information without individuals' authorization for research purposes, individuals must be informed of this through the covered entity's notice to patients of their information practices. In addition, before covered health care providers or health plans may use or disclose protected health information for research without authorization, they must obtain documentation that an IRB or privacy board has found that specified waiver criteria have been met, unless the research will include protected health information about deceased individuals only, or is solely for reviews that are preparatory to research.

While it is true that the first provision of the Nuremberg Code states that "the voluntary consent of the human subject is absolutely essential," it is important to understand the context of this important document in the history of protecting human subjects research from harm. The Nuremberg Code was developed for the Nuremberg Military Tribunal as standards by which to judge the human experimentation conducted by the Nazis, and was one of the first documents setting forth principles for the ethical conduct of human subjects research. The acts of atrocious cruelty that the Nuremberg Code was developed to address focused on preventing the violations to human rights and dignity that occurred in the name of "medical advancement." The Code, however, did not directly address the ethical conduct of non-interventional research, such as medical records research, where the risk of harm to participants can be unlike those associated with clinical research. We believe that our proposed requirements for the use or disclosure of protected health information for research are consistent with the ethical principles of "respect for persons," "beneficence," and "justice," which were established by the Belmont Report in 1978, and are now accepted as the quintessential requirements for the ethical conduct of research involving human subjects, including research using individually identifiable health information. These ethical principles formed the foundation for the requirements in the Common Rule, on which our proposed requirements for research uses and disclosures were modeled.

Comment: Many commenters recommended that the privacy rule permit individuals to opt out of having their records used for the identified "important" public policy purposes in § 164.510, including for research purposes. These commenters asserted that permitting the use and disclosure of their protected health information without their consent, or without an opportunity to "opt out" of having their information used or disclosed, abridged individuals' right to decide who should be permitted access to their medical records. In addition, one commenter argued that although the research community has been sharply critical of a Minnesota law that limits access to health records (Minnesota Statute Section 144.335 (1998)), researchers have cited a lack of response to mailed consent forms as the primary factor behind a decrease in the percentage of medical records available for research. This commenter argued that an opt-out provision would not be subject to this "nonresponder" problem.

Response: We believe that a meaningful right to "opt out" of a research study requires that individuals be contacted and informed about the study for which protected health information about themselves is being requested by a researcher. We concluded, therefore, that an "opt out" provision of this nature may suffer from
the same decliner bias that has been experienced by researchers who are subject to laws that require patient consent for medical records research. Furthermore, evidence on the effect of a mandatory "opt out" provision for medical records research is only fragmentary at this time, but at least one study has preliminarily suggested that those who refuse to consent for research access to their medical records may differ in statistically significant ways from those who consent with respect to variables such as age and disease category (SJ Jacobsen et al. "Potential Effect of Authorization Bias on Medical Records Research." Mayo Clin Proc 74: (1999) 330–338). For these reasons, we disagree with the commenters who recommended that an "opt out" provision be included in the final rule. In the final rule, we do require covered entities to include research disclosures in their notice of information practices. Therefore, individuals who do not wish for protected health information about themselves to be disclosed for research purposes without their authorization could select a health care provider or health plan on this basis. In addition, the final rule also permits covered health care providers or health plans to agree not to disclose protected health information for research purposes, even if research disclosures would otherwise be permitted under their notice of information practices. Such an agreement between a covered health care provider or health plan and an individual would not be enforceable under the final rule, but might be enforceable under applicable state law.

Comment: Some commenters explicitly recommended that there should be no provision permitting individuals to opt out of having their information used for research purposes.

Response: We agree with these commenters for the reasons discussed above.

IRB and Privacy Board Review

Comment: The NPRM imposed no requirements for the location or sponsorship of the IRB or privacy board. One commenter supported the proposed approach to permit covered entities to rely on documentation of a waiver by an IRB or privacy board that was convened by the covered entity, the researcher, or another entity.

In contrast, a few commenters recommended that the NPRM require that the IRB or privacy board be outside of the entity conducting the research, although the rationale for these recommendations was not provided. Several industry and consumer groups alternatively recommended that the regulation require that privacy boards be based at the covered entity. These comments argued that "if the privacy board is to be based at the entity receiving data, and that entity is not a covered entity, there will be little ability to enforce the regulation or study the effectiveness of the standards."

Response: We agree with the comment supporting the proposed rule's provision to impose no requirements for the location or sponsorship of the IRB or privacy board that was convened to review a research proposal for the alteration or waiver of authorization criteria. In the absence of a rationale, we were not persuaded by the comments asserting that the IRB or privacy board should be convened outside of the covered entity. In addition, while we agree with the comments that asserted HHS would have a greater ability to enforce the rule if a privacy board was established at the covered entity rather than an uncovered entity, we concluded that the additional burden that such a requirement would place on covered entities was unwarranted. Furthermore, under the Common Rule and FDA's protection of human subjects regulations, IRB review often occurs at the site of the recipient researchers' institution, and it was not our intent to change this practice. Therefore, in the final rule, we continue to impose no requirements for the location or sponsorship of the IRB or privacy board.

Privacy Board Membership

Comment: Some commenters were concerned that the proposed composition of the privacy board did not adequately address potential conflicts of interest of the board members, particularly since the proposed rule would have permitted the board's "unaffiliated" member to be affiliated with the entity disclosing the protected health information for research purposes. To address this concern, some commenters recommended that the required composition of privacy boards be modified to require "* * * at least one member who is not affiliated with the entity receiving or disclosing protected health information." These commenters believed that this addition would be more sound and more consistent with the Common Rule's requirements for the composition of IRBs. Furthermore, it was argued that this requirement would prohibit covered entities from creating a privacy board comprised entirely of its own employees.

Response: We agree with these comments. In the final rule we have revised the proposed membership for the privacy board to reduce potential conflict of interest among board members. The final rule requires that documentation of alteration or waiver from a privacy board is only valid under § 164.512(i) if the privacy board includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to a person who is affiliated with such entities.

Comment: One commenter recommended that privacy boards be required to include more than one unaffiliated member to address concerns about conflict of interest among members.

Response: We disagree that privacy boards should be required to include more than one unaffiliated member. We believe that the revised membership criterion for the unaffiliated member of the privacy board, and the criterion that requires that the board have no member participating in a review of any project in which the member has a conflict of interest, are sufficient to ensure that no member of the board has a conflict of interest in a research proposal under their review.

Comment: Many commenters also recommended that the membership of privacy boards be required to be more similar to that of IRBs. These commenters were concerned that privacy boards, as described in the proposed rule, would not have the needed expertise to adequately review and oversee research involving the use of protected health information. A few of these commenters also recommended that IRBs be required to have at least one member trained in privacy or security matters.

Response: We disagree with the comments asserting that the membership of privacy boards should be required to be more similar to IRBs. Unlike IRBs, privacy boards only have responsibility for reviewing research proposals that involve the use or disclosure of protected health information without authorization. We agree, however, that the proposed rule may not have ensured that the privacy board had the necessary expertise to protect adequately individuals' privacy rights and interests. Therefore, in the final rule, we have modified one of the membership criteria for privacy boards to require that the board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests.

Comment: Two commenters recommended that IRBs and privacy
boards be required to include patient advocates.

Response: The Secretary's legal authority under HIPAA does not permit HHS to modify the membership of IRBs. Moreover, we disagree with the comments recommending that IRBs and privacy boards should be required to include patient advocates. We were not persuaded that patient advocates are the only persons with the needed expertise to protect patients' privacy rights and interests. Therefore, in the final rule, we do not require that patient advocates be included as members of a privacy board. However, under the final rule, IRB and privacy board members could include patient advocates provided they met the required membership criteria in § 164.512(i).

Comment: A few commenters requested clarification of the term "conflict of interest" as it pertained to the proposed rule's criteria for IRB and privacy board membership. In particular, some commenters recommended that the final rule clarify what degree of involvement in a research project by a privacy board member would constitute a conflict, thereby precluding that individual's participation in a review. One commenter specifically requested clarification about whether employment by the covered entity constituted a conflict of interest, particularly if the covered entity is receiving a financial gain from the conduct of the research.

Response: We understand that determining what constitutes a conflict of interest can be complex. We do not believe that employees of covered entities or employees of the research institution requesting protected health information for research purposes are necessarily conflicted, even if those employees may benefit financially from the research. However, there are many factors that should be considered in assessing whether a member of an IRB has a conflict of interest, including financial and intellectual conflicts. As part of a separate, but related effort to the final rule, during the summer of 2000, HHS held a conference on human subject protection and financial conflicts of interest. In addition, HHS solicited comments from the public about financial conflicts of interest associated with human subjects research for researchers, IRB members and staff, and research sponsors. The findings from the conference and the public comments received are forming the basis for guidance that HHS is now developing on financial conflicts of interest.

Privacy Training for IRB and Privacy Boards

Comment: A few commenters expressed support for training IRB members and chairs about privacy issues, recommending that such training either be required or that it be encouraged in the final rule.

Response: We agree with these comments and thus encourage institutions that administer IRBs and privacy boards to ensure that the members of these boards are adequately trained to protect the privacy rights and welfare of individuals about whom protected health information is used for research purposes. In the final rule, we require that privacy board members have varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests. We believe that this criterion for privacy board membership requires that members already have the necessary knowledge or that they be trained to address privacy issues that arise in the conduct of research that involves the use of protected health information. In addition, we note that the Common Rule (§ __.107(a)) already imposes a general requirement that IRB members possess adequate training and experience to adequately evaluate the research which it reviews. IRBs are also authorized to obtain the services of consultants (§ __.107(f)) to provide expertise not available on the IRB. We believe that these existing requirements in the Common Rule already require that an IRB have the necessary privacy expertise.

Waiver Criteria

Comment: A large number of comments supported the proposed rule's criteria for the waiver of authorization by an IRB or privacy board.

Response: While we agree that several of the waiver criteria should be retained in the final rule, we have made changes to the waiver criteria to address some of the comments we received on specific criteria. The reasons for these changes are discussed in the response to comments below.

Comment: In addition to the proposed waiver criteria, several commenters recommended that the final rule also instruct IRBs and privacy boards to consider the type of protected health information and the sensitivity of the information to be disclosed in determining whether to grant a waiver, in whole or in part, of the authorization requirements.

Response: We agree with these comments, but believe that the requirement to consider the type and sensitivity of protected health information was already encompassed by the proposed waiver criteria. We encourage and expect that IRBs and privacy boards will take into consideration the type and sensitivity of protected health information, as appropriate, in considering the waiver criteria included in the final rule.

Comment: Many commenters were concerned that the criteria were not appropriate in the context of privacy risks and recommended that the waiver criteria be rewritten to more precisely focus on the protection of patient privacy. In addition, some commenters argued that the proposed waiver criteria were redundant with the Common Rule and were confusing because they mix elements of the Common Rule's waiver criteria—some of which they argued were relevant only to interventional research. In particular, a number of commenters raised these concerns about proposed criterion (ii). Some of these commenters suggested that the word "privacy" be inserted before "rights."

Response: We agree with these comments. To focus all of the criteria on individuals' privacy interests, in the final rule, we have modified one of the proposed waiver criteria, eliminated one proposed criterion, and added an additional criterion: (1) the proposed criterion which stated, "the waiver will not adversely affect the rights and welfare of the subjects," has been revised in the final rule as follows: "the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;" (2) the proposed criterion which stated, "whenever appropriate, the subjects will be provided with additional pertinent information after participation," has been eliminated; and (3) a criterion has been added in the final rule which states, "there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart." In addressing these criteria, we expect that IRBs and privacy boards will not only consider the immediate privacy interests of the individual that would arise from the proposed research study, but also the possible implications from a loss of privacy, such as the loss of employment, loss or change in cost of health insurance, and social stigma.
Comment: A number of commenters were concerned about the interaction between the proposed rule and the Common Rule. One commenter opposed the four proposed waiver criteria which differed from the Common Rule's criteria for the waiver of informed consent (§ __.116(d)) on the grounds that the four criteria proposed in addition to the Common Rule's waiver criteria would apply only to the research use and disclosure of protected health information by covered entities. This commenter argued that this would lead to different standards for the protection of other kinds of individually identifiable health information used in research that will fall outside of the scope of the final rule. This commenter concluded that this inconsistency would be difficult for IRBs to administer, difficult for IRB members to distinguish, and would be ethically questionable. For these reasons, many commenters recommended that the final rule should permit the waiver criteria of the Common Rule to be used in lieu of the waiver criteria identified in the proposed rule.

Response: We disagree with the comments recommending that the waiver criteria of the Common Rule should be permitted to be used in lieu of the waiver criteria identified in the proposed rule. The Common Rule's waiver criteria were designed to protect research subjects from all harms associated with research, not specifically to protect individuals' privacy interests. We understand that the waiver criteria in the final rule may initially cause confusion for IRBs and

the Commission's report, and the Department looks forward to receiving the Commission's recommendations.

Concerns About Specific Waiver Criteria

Comment: One commenter argued that the term "welfare" was vague and recommended that it be deleted from the proposed waiver of authorization criterion which stated, "the waiver will not adversely affect the rights and welfare of the subjects."

Response: We disagree with the comment recommending that the final rule eliminate the term "welfare" from this waiver criterion. As discussed in the National Bioethics Advisory Commission's 1999 report entitled, "Research Involving Human Biological Materials: Ethical Issues and Policy Guidance," "Failure to obtain consent may adversely affect the rights and welfare of subjects in two basic ways. First, the subject may be improperly denied the opportunity to choose whether to assume the risks that the research presents, and second, the subject may be harmed or wronged as a result of his or her involvement in research to which he or she has not consented * * *. Subjects' interest in controlling information about themselves is tied to their interest in, for example, not being stigmatized and not being discriminated against in employment and insurance." Although this statement by the Commission was made in the context of research involving human biological materials, we believe research that involves the use of protected health information similarly requires that social and

the waiver," be modified to eliminate the term "practicably." These commenters believed that determining "practicably" was subjective and that its elimination would facilitate IRBs' and privacy boards' implementation of this criterion. In addition, one commenter was concerned that this term could be construed to require authorization if enough weight is given to a privacy interest, and little weight is given to cost or administrative burden. This commenter recommended that the criterion be changed to allow a waiver if the "disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made."

Response: We disagree with the comments recommending that the term "practicability" be deleted from this waiver criterion. We believe that an assessment of practicability is necessary to account for research that may be possible to conduct with authorization but that would be impracticable if authorization were required. For example, in a research study that involves thousands of records, it may be possible to track down all potential subjects, but doing so may entail costs that would make the research impracticable. In addition, IRBs have experience implementing this criterion since it is nearly identical to a waiver criterion in the Common Rule (§ __.116(d)(3)). We also disagree with the recommendation to change the criterion to state, "disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made." We believe it is essential that
researchers that must attend to both the psychological harms be considered consideration be given as to whether it
final rule and the Common Rule, but we when assessing whether an alteration or would be practicable for research to be
believe that the additional waiver waiver will adversely affect the privacy conducted with authorization in
criteria adopted in the final rule are rights and welfare of individuals. We determining whether a waiver of
essential to ensure that individuals’ believe it would be insufficient to attend authorization is justified. If the research
privacy rights and welfare are only to individuals’ privacy ‘‘rights’’ could practicably be conducted with
adequately safeguarded when protected since some of the harms that could authorization, then authorization must
health information about themselves is result from a breach of privacy, such as be sought. Authorization must not be
used for research without their stigmatization, and discrimination in waived simply for convenience.
authorization. We agree that ensuring employment or insurance, may not be Therefore, in the final rule, we have
that the privacy rights and welfare of all tied directly to an individuals’ ‘‘rights,’’ retained this criterion and clarified that
human subjects—involved in all forms but would have a significant impact on it also applies to alterations of
of research—is ethically required, and their welfare. Therefore, in the final authorization. This waiver criterion in
the new Office of Human Research rule, we have retained the term the final rule states, ‘‘the research could
Protection will immediately initiate ‘‘welfare’’ in this criterion for the not practicably be conducted without
plans to review the confidentiality alteration or waiver of authorization but the alteration or waiver.’’
provisions of the Common Rule. modified the criterion as follows to Comment: Some commenters argued
In addition, at the request of the focus more specifically on privacy that the criterion which stated,
President, the National Bioethics concerns and to clarify that it pertains ‘‘whenever appropriate, the subjects
Advisory Commission has begun an to alterations of authorization: ‘‘the will be provided with additional
examination of the current federal alteration or waiver will not adversely pertinent information after
human system for the protection of affect the privacy rights and the welfare participation,’’ should be deleted. Some
human subjects in research. The current of the individual.’’ comments recommended that the
scope of the federal regulatory Comment: A few commenters criterion should be deleted for privacy
protections for protecting human recommended that the proposed waiver reasons, arguing that it would be
subjects in research is just one of the criteria that stated, ‘‘the research could inappropriate to create a reason for the
issues that will be addressed in the by not practicably be conducted without researcher to contact the individual

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00237 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82698 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

whose data were analyzed, without IRB review of the proposed contact as a patient intervention. Other commenters argued for the deletion of the criterion on grounds that requiring researchers to contact patients whose records were used for archival research would be unduly burdensome, while adding little to the patient's base of information. Several commenters also argued that the criterion was not pertinent to non-interventional retrospective research requiring access to archived protected health information.

In addition, one commenter asserted that this criterion was inconsistent with the Secretary's rationale for prohibiting disclosures of "research information unrelated to treatment" for purposes other than research. This commenter argued that the privacy regulations should not mandate that a covered entity provide information with unknown validity or utility directly to patients. This commenter recommended that a patient's physician, not the researcher, should be the one to contact a patient to discuss the significance of new research findings for that individual patient's care.

Response: Although we disagree with the arguments made by commenters recommending that this criterion be eliminated in the final rule, we concluded that the criterion was not directly related to ensuring the privacy rights and welfare of individuals. Therefore, we eliminated this criterion in the final rule.

Comment: A few commenters recommended that the criterion, which required that "the research would be impracticable to conduct without access to and use of the protected health information," be deleted because it would be too subjective to be meaningful.

Response: We disagree with comments asserting that this proposed criterion would be too subjective. We believe that researchers should be required to demonstrate to an IRB or privacy board why protected health information is necessary for their research proposal. If a researcher could practicably use de-identified health information for a research study, protected health information should not be used or disclosed for the study without individuals' authorization. Therefore, we retain this criterion in the final rule. In considering this criterion, we expect IRBs and privacy boards to consider the amount of information that is needed for the study. To ensure the covered health care provider or health plan is informed of what information the IRB or privacy board has determined may be used or disclosed without authorization, the final rule also requires that the documentation of IRB or privacy board approval of the alteration or waiver describe the protected health information for which use or access has been determined to be necessary.

Comment: A large number of comments objected to the proposed waiver criterion, which stated that, "the research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure." The majority of these commenters argued that the criterion was overly subjective, and that due to its subjectivity, IRBs and privacy boards would inevitably apply it inconsistently. Several commenters asserted that this criterion was unsound in that it would impose on reviewing bodies the explicit requirement to form and debate conflicting value judgments about the relative weights of the research proposal versus an individual's right to privacy. Furthermore, these commenters argued that this criterion was also unnecessary because the Common Rule already has a requirement that deals with this issue more appropriately. In addition, one commenter argued that the rule eliminate this criterion because common purposes should not override individual rights in a democratic society. Based on these arguments, these commenters recommended that this criterion be deleted.

Response: We disagree that it is inappropriate to ask IRBs and privacy boards to ensure that there is a just balance between the expected benefits and risks to individual participants from the research. As noted by several commenters, IRBs currently conduct such a balancing of risks and benefits because the Common Rule contains a similar criterion for the approval of human subjects research (§ __.111(a)(2)). However, we disagree with the comments asserting that the proposed criterion was unnecessary because the Common Rule already contains a similar criterion. The Common Rule does not explicitly address the privacy interests of research participants and does not apply to all research that involves the use or disclosure of protected health information. However, we agree that the relevant Common Rule criterion for the approval of human subjects research provides better guidance to IRBs and privacy boards for assessing the privacy risks and benefits of a research proposal. Therefore, in the final rule, we modeled the criterion on the relevant Common Rule requirement for the approval of human subjects research, and revised the proposed criterion to state: "the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research."

Comment: One commenter asserted that as long as the research organization has adequate privacy protections in place to keep the information from being further disclosed, it is unnecessary for the IRB or privacy board to make a judgment on whether the value of the research outweighs the privacy intrusion.

Response: The Department disagrees with the assertion that adequate safeguards of protected health information are sufficient to ensure that the privacy rights and welfare of individuals are adequately protected. We believe it is imperative that there be an assessment of the privacy risks and anticipated benefits of a research study that proposes to use protected health information without authorization. For example, if a research study was so scientifically flawed that it would provide no useful knowledge, any risk to patient privacy that might result from the use or disclosure of protected health information without individuals' authorization would be too great.

Comment: A few commenters asserted that the proposed criterion requiring "an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining identifiers," conflicted with the regulations of the FDA on clinical record keeping (21 CFR 812.140(d)) and the International Organization for Standardization standard on control of quality records (ISO 13483, 4.16), which require that relevant data be kept for the life of a device.

In addition, one commenter asserted that this criterion could prevent follow-up care. Similarly, other commenters argued that the new waiver criteria would be likely to confuse IRBs and may impair researchers' ability to go back to IRBs to request extensions of time for which samples or data can be stored if researchers are unable to anticipate future uses of the data.

Response: We do not agree with the comment that there is a conflict between either the FDA or the ISO regulations and the proposed waiver criteria in the rule. We believe that compliance with such recordkeeping requirements would be "consistent with the conduct of research" which is subject to such requirements. Nonetheless, to avoid any confusion, in the final rule we have added the phrase "or such retention is

otherwise required by law" to this waiver criterion.

We also disagree with the comments that this criterion would prevent follow-up care to individuals or unduly impair researchers from retaining identifiers on data for future research. We believe that patient care would qualify as a "health * * * justification for retaining identifiers." In addition, we understand that researchers may not always be able to anticipate that the protected health information they receive from a covered health care provider or health plan for one research project may be useful for the conduct of future research studies. However, we believe that the concomitant risk to patient privacy of permitting researchers to retain identifiers they obtained without authorization would undermine patient trust, unless researchers could identify a health or research justification for retaining the identifiers. In the final rule, an IRB or privacy board is not required to establish a time limit on a researcher's retention of identifiers.

Additional Waiver Criteria

Comment: A few comments recommended that there be an additional waiver criterion to safeguard or limit subsequent use or disclosure of protected health information by the researcher.

Response: We agree with these comments. In the final rule, we include a waiver criterion requiring "there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart."

Waiving Authorization, in Whole or in Part

Comment: A few commenters requested that the final rule clarify what "in whole or in part" means if authorization is waived or altered.

Response: In the proposed rule, it was HHS' intent to permit IRBs and privacy boards to either waive all of the elements for authorization, or alternatively, waive only some of the elements of authorization. Furthermore, we also intended to permit IRBs and privacy boards to alter the authorization requirements. Therefore, in the final rule, we clarify that the alteration to and waiver of authorization, in whole or in part, are permitted as stipulated in § 164.512(i).

Expedited Review

Comment: One commenter asserted that the proposed rule would prohibit expedited review as permitted under the Common Rule. Many commenters supported the proposal in the rule to incorporate the Common Rule's provision for expedited review, and strongly recommended that this provision be retained in the final rule. Several of these commenters argued that the expedited review mechanism provides IRBs with the much-needed flexibility to focus volunteer IRB members' limited resources.

Response: We agree that expedited review should be available, and included a provision permitting expedited review under specified conditions. We understand that the National Bioethics Advisory Commission is currently developing a report on the federal oversight of human subjects research, which is expected to address the Common Rule's requirements for expedited review. HHS looks forward to receiving the National Bioethics Advisory Commission's report, and will modify the provisions for expedited review in the privacy rule if changes are warranted by the Commission's findings and recommendations.

Required Signature

Comment: A few commenters asserted that the proposed requirement that the written documentation of IRB or privacy board approval be signed by the chair of the IRB or the privacy board was too restrictive. Some commenters recommended that the final rule permit the documentation of IRB or privacy board approval to be signed by persons other than the IRB or privacy board chair, including: (1) Any person authorized to exercise executive authority under the IRB's or privacy board's written procedures; (2) the IRB's or privacy board's acting chair or vice chair in the absence of the chair, if permitted by IRB procedures; and (3) the covered entity's privacy official.

Response: We agree with the commenters who argued that the final rule should permit the documentation of IRB or privacy board approval to be signed by someone other than the chair of the board. In the final rule, we permit the documentation of alteration or waiver of authorization to be signed by the chair or other member, as designated by the chair of the IRB or privacy board, as applicable.

Research Use and Disclosure With Authorization

Comment: Some commenters, including several industry and consumer groups, argued that the proposed rule would establish a two-tiered system for public and private research. Privately funded research conducted with an authorization for the use or disclosure of protected health information would not require IRB or privacy board review, while publicly funded research conducted with authorization would require IRB review as required by the Common Rule. Many of these commenters argued that authorization is insufficient to protect patients involved in research studies and recommended that IRB or privacy board review should be required for all research regardless of sponsor. These commenters asserted that it is not sufficient to obtain authorization, and that IRBs and privacy boards should review the authorization document, and assess the risks and benefits to individuals posed by the research.

Response: For the reasons we rejected the recommendation that we eliminate the option for privacy board review and require IRB review for the waiver of authorization, we also decided against requiring documentation of IRB or privacy board approval for research conducted with authorization. HHS strongly agrees that IRB review is essential for the adequate protection of human subjects involved in research, regardless of whether informed consent and/or individuals' authorization is obtained. In fact, IRB review may be even more important for research conducted with subjects' informed consent and authorization since such research may present greater than minimal risk to participants. However, HHS' authority under HIPAA is limited to safeguarding the privacy of protected health information, and does not extend to protecting human subjects more broadly. Therefore, in the final rule we have not required documentation of IRB or privacy board review for the research use or disclosure of protected health information conducted with individuals' authorization. As mentioned above, HHS looks forward to receiving the recommendations of the National Bioethics Advisory Commission, which is currently examining the current scope of federal regulatory protections for protecting human subjects in research as part of its overarching report on the federal oversight of human subjects protections.

Comment: Due to concern about several of the elements of authorization, many commenters recommended that the final rule stipulate that "informed consent" obtained pursuant to the Common Rule be deemed to meet the requirements for "authorization." These commenters argued that the NPRM's

additional authorization requirements offered no additional protection to research participants but would be a substantive impediment to research.

Response: We disagree with the comments asserting that the proposed requirements for authorization for the use or disclosure of protected health information would have offered research subjects no additional privacy protection. Because the purposes of authorization and informed consent differ, the proposed rule's requirements for authorization pursuant to a request from a researcher (§ 164.508) and the Common Rule's requirements for informed consent (Common Rule, § __.116) contain important differences. For example, unlike the Common Rule, the proposed rule would have required that the authorization include a description of the information to be used or disclosed that identifies the information in a specific and meaningful way, an expiration date, and, where use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result. We believe that the authorization requirements provide individuals with information necessary to determine whether to authorize a specific use or disclosure of protected health information about themselves, that are not required by the Common Rule.

Therefore, in the final rule, we retain the requirement for authorization for all uses and disclosures of protected health information not otherwise permitted without authorization by the rule. Some of the proposed requirements for authorization were modified in the final rule as discussed in the preamble on § 164.508. The comments received on specific proposed elements of authorization as they would have pertained to research are addressed below.

Comment: A number of commenters, including several from industry and consumer groups, recommended that the final rule require patients' informed consent as stipulated in the Common Rule. These commenters asserted that the proposed authorization document was inadequate for research uses and disclosures of protected health information since it included fewer elements than required for informed consent under the Common Rule, including for example, the Common Rule's requirement that the informed consent document include: (1) A description of any reasonably foreseeable risks or discomforts to the subject; (2) a description of any benefits to the subject or to others which may reasonably be expected from the research (Common Rule, § __.116(a)).

Response: While we agree that the ethical conduct of research requires the voluntary informed consent of research subjects, as stipulated in the Common Rule, as we have stated elsewhere, the privacy rule is limited to protecting the confidentiality of individually identifiable health information, and not protecting human subjects more broadly. Therefore, we believe it would not be within the scope of the final rule to require informed consent as stipulated by the Common Rule for research uses and disclosures of protected health information.

Comment: Several commenters specifically objected to the authorization requirement for an "expiration date." To remedy this concern, many of these commenters proposed that the rule exempt research from the requirement for an expiration date if an IRB has reviewed and approved the research study. In particular, some commenters asserted that the requirement for an expiration date would be impracticable in the context of clinical trials, where the duration of the study depends on several different factors that cannot be predicted in advance. These commenters argued that determining an exact date would be impossible due to the legal requirements that manufacturers and the Food and Drug Administration be able to retrospectively audit the source documents when patient data are used in clinical trials. In addition, some commenters asserted that a requirement for an expiration date would force researchers to designate specific expiration dates so far into the future as to render them meaningless.

Response: We agree with commenters that an expiration date is not always possible or meaningful. In the final rule, we continue to require an identifiable expiration, but permit it to be a specific date or an event directly relevant to the individual or the purpose of the authorization (e.g., for the duration of a specific research study) in which the individual is a participant.

Comment: A number of commenters, including those from the pharmaceutical industry, were concerned about the authorization requirement that gave patients the right to revoke consent for participation in clinical research. These commenters argued that such a right to revoke authorization for the use of their protected health information would require complete elimination of the information from the record. Some stated that in the conduct of clinical trials, the retrieval of individually identifiable health information that has already been blinded and anonymized is not only burdensome, but should this become a widespread practice, would render the trial invalid. One commenter suggested that the Secretary modify the proposed regulation to allow IRBs or privacy boards to determine the duration of authorizations and the circumstances under which a research participant should be permitted to retroactively revoke his or her authorization to use data already collected by the researcher.

Response: We agree with these concerns. In the final rule we have clarified that an individual cannot revoke an authorization to the extent that action has been taken in reliance on the authorization. Therefore, if a covered entity has already used or disclosed protected health information for a research study pursuant to an authorization obtained as required by § 164.508, the covered entity is not required under the rule, unless it agreed otherwise, to destroy protected health information that was collected, nor retrieve protected health information that was disclosed under such an authorization. However, once an individual has revoked an authorization, no additional protected health information may be used or disclosed unless otherwise permitted by this rule.

Comment: Some commenters were concerned that the authorization requirement to disclose "financial gain" would be problematic as it would pertain to research. These commenters asserted that this requirement could mislead patients and would make it more difficult to attract volunteers to participate in research. One commenter recommended that the statement be revised to state "that the clinical investigator will be compensated for the value of his/her services in administrating this clinical trial." Another commenter recommended that the authorization requirement for disclosure of financial gain be defined in accordance with FDA's financial disclosure rules.

Response: We strongly believe that a requirement for the disclosure of financial gain is imperative to ensure that individuals are informed about how and why protected health information about themselves will be used or disclosed. We agree, however, that the language of the proposed requirement could cause confusion, because most activities involve some type of financial gain. Therefore, in the final rule, we have modified the language to provide that when the covered entity initiates

the authorization and the covered entity will receive direct or indirect remuneration (rather than financial gain) from a third party in exchange for using or disclosing the health information, the authorization must include a statement that such remuneration will result.

Comment: A few commenters asserted that the requirement to include a statement in which the patient acknowledged that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law would be inconsistent with existing protections implemented by IRBs under the Common Rule. In particular they stated that this inconsistency exists because IRBs are required to consider the protections in place to protect patients' confidential information and that IRBs are charged with ensuring that researchers comply with the confidentiality provisions of the informed consent document.

Response: We disagree that this proposed requirement would pose a conflict with the Common Rule since the requirement was for a statement that the "information may no longer be protected by the federal privacy law." This statement does not pertain to the protections provided under the Common Rule. In addition, while we anticipate that IRBs and privacy boards will most often waive all or none of the authorization requirements, we clarify that an IRB or privacy board could alter this requirement, among others, if the documentation requirements of § 164.512(i) have been met.

Reviews Preparatory to Research

Comment: Some industry groups expressed concern that the research provision would prohibit physicians from using patient information to recruit subjects into clinical trials. These commenters recommended that researchers continue to have access to hospitals' and clinics' patient information in order to recruit patients for studies.

Response: Under the proposed rule, even if the researcher only viewed the medical record at the site of the covered

research hypotheses that require access to protected health information before a formal protocol can be developed and brought to an IRB or privacy board for approval. To avoid this unintended result, the final rule permits covered health care providers and health plans to use or disclose protected health information for research if the covered entity obtains from the researcher representations that: (1) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (2) no protected health information is to be removed from the covered entity by the researcher in the course of the review; and (3) the protected health information for which use or access is sought is necessary for the research purposes.

Comment: A few commenters asserted that the final rule should eliminate the possibility that research requiring access to protected health information could be determined to be "exempt" from IRB review, as provided by the Common Rule (§ __.101(b)(4)).

Response: The rule did not propose nor intend to modify any aspect of the Common Rule, including the provision that exempts from coverage, "research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available, or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or indirectly through identifiers linked to the subjects" (§ __.101(b)(4)). For the reasons discussed above, we have included a provision in the final rule for reviews preparatory to research that was modeled on this exemption to the Common Rule.

Deceased Persons Exception for Research

Comment: A few commenters expressed support for the proposal to allow use and disclosure of protected health information about decedents for research purposes without the protections afforded to the protected

They believed that in many cases the risk of identification was greater in the research context because researchers may attempt to identify genetic and hereditary conditions of the deceased. Finally, they argued that while information of the deceased does not necessarily identify living relatives by name, living relatives could be identified and suffer the same harm as if their own medical records were used or disclosed for research purposes.

Another commenter stated that the exception was unnecessary, and that existing research could and should proceed under the requirements in proposed § 164.510 that dictated the IRB/privacy board approval process or be conducted using de-identified information. This commenter further stated that in this way, at least there would be some degree of assurance that all reasonable steps are taken to protect deceased persons' and their families' confidentiality.

Response: Although we understand the concerns raised by commenters, we believe those concerns are outweighed by the need to keep the research-related policies in this rule as consistent as possible with standard research practice under the Common Rule, which does not consider deceased persons to be "human subjects." Thus, we retain the exception in the final rule. With regard to the protected health information about a deceased individual, therefore, a covered entity is permitted to use or disclose such information for research purposes without obtaining authorization from a personal representative and absent approval by an IRB or privacy board as governed by § 164.512(i). We note that the National Bioethics Advisory Commission (NBAC) is currently considering revising the Common Rule's definition of "human subject" with regard to coverage of the deceased. However, at this time, NBAC's deliberations on this issue are not yet completed and any reliance on such discussions would be premature. The final rule requires at § 164.512(i)(1)(iii) that covered entities obtain from the researcher (1) representation that the use or disclosure
entity and did not record the protected health information of living individuals. is sought solely for research on the
health information in a manner that One commenter, for example, explained protected health information of
patients could be identified, such an that it extensively uses such information decedents; (2) documentation, at the
activity would have constituted a use or in its research, and any restrictions were request of the covered entity, of the
disclosure that would have been subject likely to impede its efforts. Alternately, death of such individuals; and (3)
to proposed § 164.508 or proposed a number of commenters provided representation that the protected health
§ 164.510. Based on the comments arguments for eliminating the research information for which use or disclosure
received and the fact finding we exception for deceased persons. They is sought is necessary for the research
conducted with the research commented that the same concerns purposes. It is our intention with this
community, we concluded that regarding use and disclosure of genetic change to reduce the burden and
documentation of IRB or privacy board and hereditary information for other ambiguity on the part of the covered
approval could halt the development of purposes apply in the research context. entity to determine whether or not the

request is for protected health information of a deceased individual.

Comment: Some commenters, in their support of the research exception, requested that HHS clarify in the final rule that protected health information obtained during the donation process of eyes and eye tissue could continue to be used or disclosed to or by eye banks for research purposes without an authorization and without IRB approval. They expressed concern over the impediments to this type of research these approvals would impose, such as added administrative burden and vulnerabilities to the time sensitive nature of the process.

Another commenter similarly expressed the position that, with regard to uses and disclosures of protected health information for tissue, fluid, or organ donation, the regulation should not present an obstacle to the transfer of donations unsuitable for transplant to the research community. However, they believed that consent can be obtained for such purposes since the donor or donor’s family must generally consent to any transplant purposes, it would seem to be a minimal additional obligation to seek consent for research purposes at the same time, should the material be unsuitable for transplant.

Response: Protected health information about a deceased individual, including information related to eyes and eye tissue, can be used or disclosed further for research purposes by a covered entity in accordance with § 164.512(i)(1)(iii) without authorization or IRB or privacy board approval. This rule does not address whether organs unsuitable for transplant may be transferred to researchers with or without consent.

Modification of the Common Rule

Comment: We received a number of comments that interpreted the proposed rule as having unnecessarily and inappropriately amended the Common Rule. Assuming that the Common Rule was being modified, these comments argued that the rule was legally deficient under the Administrative Procedures Act, the Regulatory Flexibility Act, and other controlling Executive orders or laws.

In addition, one research organization expressed concern that, by involving IRBs in the process of approving a waiver of authorization for disclosure purposes and establishing new criteria for such waiver approvals, the proposed rule would have subjected covered entities whose IRBs failed to comply with the requirements for reviewing and approving research to potential sanctions under HIPAA. The comment recommended that the rule be changed to eliminate such a punitive result. Specifically, the comment recommended that the existing Common Rule structure be preserved for IRB-approved research, and that the waiver of authorization criteria for privacy purposes be kept separate from the other functions of the IRB.

Response: We disagree with the comments asserting the proposed rule attempted to change the Common Rule. It was not our intent to modify or amend the Common Rule or to regulate the activities of the IRBs with respect to the underlying research. We therefore reject the comments about legal deficiencies in the rule which are based on the mistaken perception that the Common Rule was being amended. The proposed rule established new requirements for covered entities before they could use or disclose protected health information for research without authorization. The proposed rule provided that one method by which a covered entity could obtain the necessary documentation was to receive it from an IRB. We did not mandate IRBs to perform such reviews, and we expressly provided for means other than through IRBs for covered entities to obtain the required documentation.

In the final rule, we also have clarified our intent not to interfere with existing requirements for IRBs by amending the language in the waiver criteria to make clear that these criteria relate to the privacy interests of the individual and are separate from the criteria that would be applied by an IRB to any evaluation of the underlying research. Moreover, we have restructured the final rule to also make clear that we are regulating only the content and conditions of the documentation upon which a covered entity may rely in making a disclosure of protected health information for research purposes.

We cannot and do not purport to regulate IRBs or modify the Common Rule through this regulation. We cannot under this rule penalize an IRB for failure to comply with the Common Rule, nor can we sanction an IRB based on the documentation requirements in the rule. Health plans and covered health care providers may rely on documentation from an IRB or privacy board concerning the alteration or waiver of authorization for the disclosure of protected health information for research purposes, provided the documentation, on its face, meets the requirements in the rule. Health plans and covered health care providers will not be penalized for relying on facially adequate documentation from an IRB. Health plans and covered health providers will only be penalized for their own errors or omissions in following the requirements of the rule, and not those of the IRB.

Use Versus Disclosure

Comment: Many of the comments supported the proposed rule’s provision that would have imposed the same requirements for both research uses and research disclosures of protected health information.

Response: We agree with these comments. In the final rule we retain identical use and disclosure requirements for research uses and disclosures of protected health information by covered entities.

Comment: In contrast, a few commenters recommended that there be fewer requirements on covered entities for internal research uses of protected health information.

Response: For the reasons discussed above in § 164.501 on the definition of “research,” we disagree that an individual’s privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. Therefore, in the final rule, the research-related requirements of § 164.512(i) apply to both uses and disclosures of protected health information for research purposes without authorization.

Additional Resources for IRBs

Comment: A few commenters recommended that HHS work to provide additional resources to IRBs to assist them in meeting their new responsibilities.

Response: This recommendation is beyond our statutory authority under HIPAA, and therefore, cannot be addressed by the final rule. However, we fully agree that steps should be taken to moderate the workload of IRBs and to ensure adequate resources for their activities. Through the Office for Human Research Protections, the Department is committed to working with institutions and IRBs to identify efficient ways to optimize utilization of resources, and is committed to developing guidelines for appropriate staffing and workload levels for IRBs.

Additional Suggested Requirements

Comment: One commenter recommended that the documentation of IRB or privacy board approval also be required to state that, “the health researcher has fully disclosed which of

the protected health information to be collected or created would be linked to other protected health information, and that appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages.”

Response: The proposed provision for the use or disclosure of protected health information for research purposes without authorization only pertained to individually identifiable health information. Therefore, since the information to be obtained would be individually identifiable, we concluded that it was illogical to require IRBs and privacy boards to document that the researcher had “fully disclosed that * * * appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages.” Therefore, we did not incorporate this recommendation into the final rule.

Section 164.512(j)—Uses and Disclosures To Avert a Serious Threat to Health or Safety

Comment: Several commenters generally stated support for proposed § 164.510(k), which was titled “Uses and Disclosures in Emergency Circumstances.” One commenter said that “narrow exceptions to confidentiality should be permitted for emergency situations such as duty to warn, duty to protect, and urgent law enforcement needs.” Another commented that the standard “* * * based on a reasonable belief that the disclosures are necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual” would apply in only narrow treatment circumstances. Some commenters suggested that the provision be further narrowed, for example, with language specifically identifying “imminent threats” and a “chain-of-command clearance process,” or by limiting permissible disclosures under this provision to “public health emergencies,” or “national emergencies.” Others proposed procedural requirements, such as specifying that such determinations may only be made by the patient’s treating physician, a licensed mental health care professional, or as validated by three physicians. One commenter recommended stating that the rule is not intended to create a duty to warn or to disclose protected health information but rather permits such disclosure in emergency circumstances, consistent with other applicable legal or ethical standards.

Response: We agree with the commenters who noted that the proposed provision would apply in rare circumstances. We clarify, however, that we did not intend for the proposed provision to apply to emergency treatment scenarios as discussed below. In the final rule, to avoid confusion over the circumstances in which we intend for this section to apply, we retitle it “Uses and Disclosures to Avert a Serious Threat to Health or Safety.”

We do not believe it would be appropriate to narrow further the scope of permissible disclosures under this section to respond to specifically identified “imminent threats,” a “public health emergency,” or a “national emergency.” We believe it would be impossible to enumerate all of the scenarios that may warrant disclosure of protected health information pursuant to this section. Such cases may involve a small number of people and may not necessarily involve a public health emergency or a national emergency. Furthermore, in response to comments arguing that the proposed provision was too broad, we note that under both the NPRM and the final rule, we allow but do not require disclosures in situations involving serious and imminent threats to health or safety. Health plans and covered health care providers may make the disclosures allowed under § 164.512(j) consistent with applicable law and standards of ethical conduct.

As indicated in the preamble to the NPRM, the proposed approach is consistent with statutory and case law addressing this issue. The most well-known case on the topic is Tarasoff v. Regents of the University of California, 17 Cal. 3d 425 (1976), which established a duty to warn those at risk of harm when a therapist’s patient made credible threats against the physical safety of a specific person. The Supreme Court of California found that the therapist involved in the case had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the peril. Many states have adopted, in statute or through case law, versions of the Tarasoff duty to warn or protect. Although Tarasoff involved a psychiatrist, this provision is not limited to disclosures by psychiatrists or other mental health professionals. As stated in the preamble of the NPRM, we clarify that § 164.512(j) is not intended to create a duty to warn or disclose protected health information.

Comment: Several comments addressed the portion of proposed § 164.510(k) that would have provided a presumption of reasonable belief to covered entities that disclosed protected health information pursuant to this provision, when such disclosures were made in good faith, based on credible representation by a person with apparent knowledge or authority. Some commenters recommended that this standard be applied to all permissible disclosures without consent or to such disclosures to law enforcement officials. Alternatively, a group representing health care provider management firms believed that the proposed presumption of reasonable belief would not have provided covered entities with sufficient protection from liability exposure associated with improper uses or disclosures. This commenter recommended that a general good-faith standard apply to covered entities’ decisions to disclose protected health information to law enforcement officials. A health plan said that HHS should consider applying the standard of reasonable belief to all uses and disclosures that would have been allowed under proposed § 164.510. Another commenter questioned how the good-faith presumption would apply if the information came from a confidential informant or from a person rather than a doctor, law enforcement official, or government official. (The NPRM listed doctors, law enforcement officials, and other government officials as examples of persons who may make credible representations pursuant to this section.)

Response: As discussed above, this provision is intended to apply in rare circumstances—circumstances that occur much less frequently than those described in other parts of the rule. Due to the importance of averting serious and imminent threats to health and safety, we believe it is appropriate to apply a presumption of good faith to covered entities disclosing protected health information under this section. We believe that the extremely time-sensitive and urgent conditions surrounding the need to avert a serious and imminent threat to the health or safety are fundamentally different from those involved in disclosures that may be made pursuant to other sections of the rule. Therefore, we do not believe it would be appropriate to apply to other sections of the rule the presumption of good faith that applies in § 164.512(j). We clarify that we intend for the presumption of good faith to apply if the disclosure is made in good faith based upon a credible representation by any person with apparent knowledge or authority—not just by doctors, law enforcement or other government officials. Our listing of these persons in the NPRM was illustrative only, and it was not intended to limit the types of

persons who could make such a credible representation to a covered entity.

Comment: One commenter questioned under what circumstances proposed § 164.510(k) would apply instead of proposed § 164.510(f)(5), “Urgent Circumstances,” which permitted covered entities to disclose protected health information to law enforcement officials about individuals who are or are suspected to be victims of a crime, abuse, or other harm, if the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and immediate law enforcement activity that depends upon obtaining such information may be necessary.

Response: First, we note that inclusion of this provision as § 164.510(f)(5) was a drafting error which subsequently was clarified in technical corrections to the NPRM. In fact, proposed § 164.510(f)(3) addressed the identical circumstances, which in this subsection were titled “Information about a Victim of Crime or Abuse.” The scenarios described under § 164.510(f)(3) may or may not involve serious and imminent threats to health or safety.

Second, as discussed in the main section of the preamble to § 164.512(j), we recognize that in some situations, more than one section of this rule potentially could apply with respect to a covered entity’s potential disclosure of protected health information. We clarify that if a situation fits one section of the rule (e.g., § 164.512(j) on serious and imminent threats to health or safety), health plans and covered health care providers may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., §§ 164.512(f)(2) or 164.512(f)(3), regarding disclosure of protected health information about suspects or victims to law enforcement officials), except as otherwise stated in the rule.

Comment: A state health department indicated that the disclosures permitted under this section may be seen as conflicting with existing law in many states.

Response: As indicated in the regulation text for § 164.512(j), this section allows disclosure consistent with applicable law and standards of ethical conduct. We do not preempt any state law that would prohibit disclosure of protected health information in the circumstances to which this section applies. (See Part 160, Subpart B.)

Comment: Many commenters stated that the rule should require that any disclosures should not modify “duty to warn” case law or statutes.

Response: The rule does not affect case law or statutes regarding “duty to warn.” In § 164.512(j), we specifically permit covered entities to disclose protected health information without authorization for the purpose of protecting individuals from imminent threats to health and safety, consistent with state laws and ethical obligations.

Section 164.512(k)—Uses and Disclosures for Specialized Government Functions

Military Purposes

Armed Forces Personnel and Veterans

Comment: A few comments opposed the proposed rule’s provisions on the military, believing that they were too broad. Although acknowledging that the Armed Forces may have legitimate needs for access to protected health data, the commenters believed that the rule failed to provide adequate procedural protections to individuals. A few comments said that, except in limited circumstances or emergencies, covered entities should be required to obtain authorization before using or disclosing protected health information. A few comments also expressed concern over the proposed rule’s lack of specific safeguards to protect the health information of victims of domestic violence and abuse. While the commenters said they understood why the military needed access to health information, they did not believe the rule would impede such access by providing safeguards for victims of domestic violence or abuse.

Response: We note that the military comprises a unique society and that members of the Armed Forces do not have the same freedoms as do civilians. The Supreme Court held in Goldman v. Weinberger, 475 US 503 (1986), that the military must be able to command its members to sacrifice a great many freedoms enjoyed by civilians and to endure certain limits on the freedoms they do enjoy. The Supreme Court also held in Parker v. Levy, 417 US 733 (1974), that the different character of the military community and its mission required a different application of Constitutional protections. What is permissible in the civilian world may be impermissible in the military. We also note that individuals entering military service are aware that they will not have, and enjoy, the same rights as others.

The proposed rule would have authorized covered entities to use and disclose protected health information about armed forces personnel only for activities considered necessary by appropriate military command authorities to assure the proper execution of the military mission. In order for the military mission to be achieved and maintained, military command authorities need protected health information to make determinations regarding individuals’ medical fitness to perform assigned military duties.

The proposed rule required the Department of Defense (DoD) to publish a notice in the Federal Register identifying its intended uses and disclosures of protected health information, and we have retained this approach in the final rule. This notice will serve to limit command authorities’ access to protected health information to circumstances in which disclosure of protected health information is necessary to assure proper execution of the military mission.

With respect to comments regarding the lack of procedural safeguards for individuals, including those who are victims of domestic violence and abuse, we note that the rule does not provide new authority for covered entities providing health care to individuals who are Armed Forces personnel to use and disclose protected health information. Rather, the rule allows the Armed Forces to use and disclose such information only for those military mission purposes which will be published separately in the Federal Register. In addition, we note that the Privacy Act of 1974, as implemented by the DoD, provides numerous protections to individuals.

We modify the proposal to publish privacy rules for the military in the Federal Register. The NPRM would have required this notice to include information on the activities for which the use or disclosure of protected health information would occur in order to assure proper execution of the military mission. We believe that this proposed portion of the notice is redundant and thus unnecessary in light of the rule’s application to military services. In the final rule, we eliminate this proposed section of the notice, and we state that health plans and covered health care providers may use and disclose protected health information of Armed Forces personnel for activities considered necessary by appropriate military command authorities to assure the proper execution of a military mission, where the appropriate military authority has published a Federal Register notice identifying: (1) The appropriate military command authorities; and (2) the purposes for

which protected health information may be used or disclosed.

Comment: A few commenters, members of the affected beneficiary class, which numbers approximately 2.6 million (active duty and reserve military personnel), opposed proposed § 164.510(m) because it would have allowed a non-governmental covered entity to provide protected health information without authorization to the military. These commenters were concerned that military officials could use the information as the basis for taking action against individuals.

Response: The Secretary does not have the authority under HIPAA to regulate the military’s re-use or re-disclosure of protected health information obtained from health plans and covered health care providers. This provision’s primary intent is to ensure that proper military command authorities can obtain needed medical information held by covered entities so that they can make appropriate determinations regarding the individual’s medical fitness or suitability for military service. Determination that an individual is not medically qualified for military service would lead to his or her discharge from or rejection for service in the military. Such actions are necessary in order for the Armed Forces to have medically qualified personnel, ready to perform assigned duties. Medically unqualified personnel not only jeopardize the possible success of a mission, but also pose an unacceptable risk or danger to others. We have allowed such uses and disclosures for military activities because it is in the Nation’s interest.

Separation or Discharge from Military Service

Comment: The preamble to the NPRM solicited comments on the proposal to permit the DoD to transfer, without authorization, a service member’s military medical record to the Department of Veterans Affairs (DVA) when the individual completed his or her term of military service. A few commenters opposed the proposal, believing that authorization should be obtained. Both the DoD and the DVA supported the proposal, noting that transfer allows the DVA to make timely determinations as to whether a veteran is eligible for benefits under programs administered by the DVA.

Response: We note that the transfer program was established based on recommendations by Congress, veterans groups, and veterans; that it has existed for many years; and that there has been no objection to, or problems associated with, the program. We also note that the Department of Transportation (DoT) and the Department of Veterans Affairs operate an analogous transfer program with respect to United States Coast Guard personnel, who comprise part of the U.S. Armed Forces. The protected health information involved in the DoD/DVA transfer program is being disclosed and used for a limited purpose that directly benefits the individual. This information is covered by, and thus subject to the protections of, the Privacy Act. For these reasons, the final rule retains the DoD/DVA transfer program proposed in the NPRM. In addition, we expand the NPRM’s proposed provisions regarding the Department of Veterans Affairs to include the DoT/DVA program, to authorize the continued transfer of these records.

Comment: The Department of Veterans Affairs supported the NPRM’s proposal to allow it to use and disclose protected health information among components of the Department so that it could make determinations on whether an individual was entitled to benefits under laws administered by the Department. Some commenters said that the permissible disclosure pursuant to this section appeared to be sufficiently narrow in scope, to respond to an apparent need. Some commenters also said that the DVA’s ability to make benefit determinations would be hampered if an individual declined to authorize release of his or her protected health information. A few commenters, however, questioned whether such an exchange of information currently occurs between the components. A few commenters also believed the proposed rule should be expanded to permit sharing of information with other agencies that administer benefit programs.

Response: The final rule retains the NPRM’s approach regarding use and disclosure of protected health information without authorization among components of the DVA for the purpose of making eligibility determinations based on commenters’ assessment that the provision was narrow in scope and that an alternative approach could negatively affect benefit determinations for veterans. We modify the NPRM language slightly, to clarify that it refers to a health plan or covered health care provider that is a component of the DVA. These component entities may use or disclose protected health information without authorization among various components of the Department to determine eligibility for or entitlement to veterans’ benefits. The final rule does not expand the scope of permissible disclosures under this provision to allow the DVA to share such information with other agencies. Other agencies may obtain this information only with authorization, subject to the requirements of § 164.508.

Foreign Military Personnel

Comments: A few comments opposed the exclusion of foreign diplomatic and military personnel from coverage under the rule. These commenters said that the mechanisms that would be necessary to identify these personnel for the purpose of exempting them from the rule’s standards would create significant administrative difficulties. In addition, they believed that this provision would have prohibited covered entities from making disclosures allowed under the rule. Some commenters were concerned that implementation of the proposed provision would result in disparate treatment of foreign military and diplomatic personnel with regard to other laws, and that it would allow exploitation of these individuals’ health information. These commenters believed that the proposed rule’s exclusion of foreign military and diplomatic personnel was unnecessarily broad and that it should be narrowed to meet a perceived need. Finally, they noted that the proposed exclusion could be affected by the European Union’s Data Protection Directive.

Response: We agree with the commenters’ statement that the NPRM’s exclusion of foreign military and diplomatic personnel from the rule’s provisions was overly broad. Thus, the final rule’s protections apply to these personnel. The rule covers foreign military personnel under the same provisions that apply to all other members of the U.S. Armed Forces, as described above. Foreign military authorities need access to protected health information for the same reason as must United States military authorities: to ensure that members of the armed services are medically qualified to perform their assigned duties. Under the final rule, foreign diplomatic personnel have the same protections as other individuals.

Intelligence Community

Comments: A few commenters opposed the NPRM’s provisions regarding protected health information of intelligence community employees and their dependents being considered for postings overseas, on the grounds that the scope of permissible disclosure without authorization was too broad. While acknowledging that the intelligence community may have legitimate needs for its employees’ protected health information, the commenters believed that the NPRM

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00245 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82706 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

failed to provide adequate procedural this section are limited to those Presidential protective functions are not
protections for the employees’ authorized under current law and law enforcement officials. Therefore, the
information. A few comments also said regulation (e.g., for intelligence final rule allows covered entities to
that the intelligence community should activities, 50 U.S.C. 401, et seq., disclose protected health information
be able to obtain their employees’ health Executive Order 12333, and agency pursuant to this provision not only to
information only with authorization. In implementing regulatory authorities). law enforcement officials, but to all
addition, commenters said that the For example, the provision regarding federal officials authorized by law to
intelligence community should make national security activities pertains only carry out the relevant activities. In
disclosure of protected health to foreign persons that are the subjects addition, we remove this provision from
information a condition of employment. of legitimate and lawful intelligence, the law enforcement section and
Response: Again, we agree that the counterintelligence, or other national include it in § 164.512(k) on uses and
NPRM’s provision allowing disclosure security activities. In addition, the disclosures for specialized government
of the protected health information of provision regarding protective services functions
intelligence community employees pertains only to those persons who are
without authorization was overly broad. Medical Suitability Determinations
the subjects of legitimate investigations
Thus we eliminate it in the final rule. for threatening or otherwise exhibiting Comment: A few comments opposed
The intelligence community can obtain an inappropriate direction of interest the NPRM’s provision allowing the
this information with authorization toward U.S. Secret Service protectees Department of State to use protected
(pursuant to § 164.508), for example, pursuant to 18 U.S.C. 871, 879, and health information for medical
when employees or their family 3056. Finally, the rule leaves intact the clearance determinations. These
members are being considered for an existing State Department regulations commenters believed that the scope of
oversees assignment and when that strictly limit the disclosure of permissible disclosures under the
individuals are applying for health information pertaining to proposed provision was too broad.
employment with or seeking a contract employees (e.g., Privacy Issuances at While acknowledging that the
from an intelligence community agency. State-24 Medical Records). Department may have legitimate needs
We believe that because intelligence/ for access to protected health data, the
National Security and Intelligence commenters believed that
national security activities and
Activities and Protective Services for the implementation of the proposed
Presidential/other protective service
President and Others provision would not have provided
activities are discrete functions serving
Comment: A number of comments different purposes, they should be adequate procedural safeguards for the
opposed the proposed ‘‘intelligence and treated consistently but separately affected State Department employees. A
national security activities’’ provision of under the rule. For example, medical few comments said that the State
the law enforcement section information is used as a complement to Department should be able to obtain
(§ 164.510(f)(4)), suggesting that it was other investigative data that are protected health information for
overly broad. These commenters were pertinent to conducting comprehensive medical clearance determinations only
concerned that the provision lacked threat assessment and risk prevention with authorization. A few comments
sufficient procedural safeguards to activities pursuant to 18 U.S.C. 3056. In also said that the Department should be
prevent abuse of protected health addition, information on the health of able to disclose such information only
information. The Central Intelligence world leaders is important for the when required for national security
Agency (CIA) and the Department of provision of protective services and purposes. Some commenters believed
Defense (DoD) also expressed concern other functions. Thus, § 164.512(k) of that the State Department should be
over the provision’s scope. The agencies the final rule includes separate subject to the Federal Register notice
said that if implemented as written, the subsections for national security/ requirement that the NPRM would have
provision would have failed to intelligence activities and for applied to the Department of Defense. A
accomplish fully its intended purpose of disclosures related to protective services few comments also opposed the
allowing the disclosure of protected to the President and others. proposed provision on the basis that it
health information to officials carrying We note that the rule does not require would conflict with the Rehabilitation
out intelligence and national security or compel a health plan or covered Act of 1973 or that it appeared to
activities other than law enforcement health care provider to disclose represent an invitation to discriminate
activities. The CIA and DoD believed protected health information. Rather, against individuals with mental
that the provision should be moved to two subsections of § 164.512(k) allow disorders.
another section of the rule, possibly to covered entities to disclose information Response: We agree with commenters
proposed § 164.510(m) on specialized for intelligence and national security who believed that the NPRM’s provision
classes, so that authorized intelligence activities and for protective services to regarding the State Department’s use of
and national security officials could the President and others only to protected health information without
obtain individuals’ protected health authorized federal officials conducting authorization was unnecessarily broad.
information without authorization when these activities, when such officials are Therefore, in the final rule, we restrict
lawfully engaged in intelligence and performing functions authorized by law. significantly the scope of protected
national security activities. We agree with DoD and CIA that the health information that the State
Response: In the final rule, we clarify NPRM, by including these provisions in Department may use and disclose
that this provision does not provide new the law enforcement section (proposed without authorization. First, we allow
authority for intelligence and national § 164.510(f)), would have allowed health plans and covered health care
security officials to acquire health covered entities to disclose protected providers that are a component of the
information that they otherwise would health information for national security, State Department to use and disclose
not be able to obtain. Furthermore, the intelligence, and Presidential protective protected health information without
rule does not confer new authority for activities only to law enforcement authorization when making medical
intelligence, national security, or officials. We recognize that many suitability determinations for security
Presidential protective service activities. officials authorized by law to carry out clearance purposes. For the purposes of
Rather, the activities permissible under intelligence, national security, and a security investigation, these

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00246 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82707

components may disclose to authorized restrict the Department’s access to disclosure of protected health
State Department officials whether or information at such a crucial time due information to officials who need
not the individual was determined to be to a lack of employee authorization protected health information to
medically suitable. Furthermore, we leaves the Department no option but to determine whether a family member can
note that the rule does not confer suspend the employee’s security accompany a Foreign Service member
authority on the Department to disclose clearance. This action automatically abroad.
such information that it did not would result in an immediate forced Given the limited applicability of the
previously possess. The Department departure from post, which negatively rule, we believe it is not necessary for
remains subject to applicable law would affect both the Department, due the State Department to publish a notice
regarding such disclosures, including to the unexpected loss of personnel, and in the Federal Register to identify the
the Rehabilitation Act of 1973. the individual, due to the fact that a purposes for which the information may
The preamble to the NPRM solicited forced departure can have a long-term be used or disclosed. The final rule
comment on whether there was a need impact on his or her career in the identifies these purposes, as described
to add national security determinations Foreign Service. above.
under Executive Order 10450 to the For this reason, the rule contains a
Correctional Institutions
rule’s provision on State Department limited security clearance exemption for
uses and disclosures of protected health the Department of State. The exemption Comments about the rule’s
information for security determinations. allows the Department’s own medical application to correctional institutions
While we did not receive comment on staff to continue to have access to an are addressed in § 164.501, under the
this issue, we believe that a limited employee’s medical file for the purpose definition of ‘‘individual.’’
addition is warranted and appropriate. of making a medical suitability Section 164.512(l)—Disclosures for
Executive Orders 10450 and 12968 determination for security purposes. Workers’ Compensation
direct Executive branch agencies to The medical staff can convey a simple
make certain determinations regarding ‘‘yes’’ or ‘‘no’’ response to those Comment: Several commenters stated
whether their employees’ access to individuals conducting the security that workers’ compensation carriers are
classified information is consistent with investigation within the Department. In excepted under the HIPAA definition of
the national security interests of the this way, the Department is able to make group health plan and therefore we have
United States. Specifically, the security determinations in exigent no authority to regulate them in this
Executive Orders state that access to circumstances without disclosing any rule. These commenters suggested
classified information shall be granted specific medical information to any clarifying that the provisions of the
only to those individuals whose employees other than the medical proposed rule did not apply to certain
personal and professional history personnel who otherwise have routine types of insurance entities, such as
affirmatively indicates, inter alia, access to these same medical records in workers’ compensation carriers, and
strength of character, trustworthiness, an everyday non-security context. that such non-covered entities should
reliability, and sound judgment. In Second, and similarly, the final rule have full access to protected health
reviewing the personal history of an establishes a similar system for information without meeting the
individual, Executive branch agencies disclosures of protected health requirements of the rule. Other
may investigate and consider any information necessary to determine commenters argued that a complete
matter, including a mental health issue worldwide availability or availability for exemption for workers’ compensation
or other medical condition, that relates mandatory service abroad under carriers was inappropriate.
directly to any of the enumerated sections 101(a)(4) and 504 of the Foreign Response: We agree with commenters
factors. Service Act. The Act requires that that the proposed rule did not intend to
In the vast majority of cases, Foreign Service members be suitable for regulate workers’ compensation carriers.
Executive agencies require their security posting throughout the world and for In the final rule we have incorporated
clearance investigators to obtain the certain specific assignments. For this a provision that clarifies that the term
individual’s express consent in the form reason, we permit a limited exemption ‘‘health plan’’ excludes ‘‘any policy,
of a medical release, pursuant to which to serve the purposes of the statute. plan, or program to the extent that it
the agency can conduct its background Again, the medical staff can convey provides, or pays for the cost of,
investigation and obtain any necessary availability determinations to State excepted benefits as defined in section
health information. This rule does not Department officials who need to know 2791(c)(1) of the PHS Act.’’ See
interfere with agencies’ ability to require if certain Foreign Service members are discussion above under the definition of
medical releases for purposes of security available to serve at post. ‘‘health plan’’ in § 164.501.
clearances under these Executive Third, and finally, the final rule Comment: Some commenters argued
Orders. recognizes the special statutory that the privacy rule should defer to
In the case of the Department of State, obligations that the State Department other laws that regulate the disclosure of
however, it may be impracticable or has regarding family members of information to employers and workers’
infeasible to obtain an employee’s Foreign Service members under sections compensation carriers. They
authorization when exigent 101(b)(5) and 904 of the Foreign Service commented that many states have laws
circumstances arise overseas. For Act. Section 101(b)(5) of the Foreign that require sharing of information—
example, when a Foreign Service Officer Service Act requires the Department of without consent—between providers
is serving at an overseas post and he or State to mitigate the impact of and employers or workers’
she develops a critical medical problem hardships, disruptions, and other compensation carriers.
which may or may not require a medical unusual conditions on families of Response: We agree that the privacy
evacuation or other equally severe Foreign Service Officers. Section 904 rule should permit disclosures
response, the Department’s medical staff requires the Department to establish a necessary for the administration of state
have access to the employee’s medical health care program to promote and and other workers’ compensation
records for the purpose of making a maintain the physical and mental health systems. To assure that workers’
medical suitability determination under of Foreign Service member family compensations systems are not
Executive Orders 10450 and 12968. To members. The final rule permits disrupted, we have added a new

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00247 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82708 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

provisions to the final rule. The new if the workers’ compensation insurer driver’s license lists, that would enable
§ 164.512(l) permits covered entities to has secured an authorization from the someone to match (and identify) records
disclose protected health information as individual for the release of protected that otherwise appear to be not
authorized by and to the extent health information, the covered entity identifiable.
necessary to comply with workers’ may release the protected health Response: In the final rule, we
compensation or other similar programs information described in the reformulate the method for de-
established by law that provide benefits authorization. identification to more explicitly use the
for work-related injuries or illnesses statutory standard of ‘‘a reasonable basis
Section 164.514 Requirements for to believe that the information can be
without regard to fault. We also note
Uses and Disclosures used to identify the individual’’—just as
that where a state or other law requires
a use or disclosure of protected health Section 164.514(a)–(c)—De- information is ‘‘individually
information under a workers’ identification identifiable’’ if there is a reasonable
compensation or similar scheme, the basis to believe that it can be used to
General Approach identify the individual, it is ‘‘de-
disclosure would be permitted under
§ 164.512(a). Comments: The comments on this identified’’ if there is no reasonable
Comment: Several commenters stated topic almost unanimously supported the basis to believe it can be so used. We
that if workers’ compensation carriers concept of de-identification and efforts also define more precisely how the
are to receive protected health to expand its use. Although a few standard should be applied.
information, they should only receive comments suggested deleting one of the We did not accept comments that
the minimum necessary as required in proposed methods or the other, most suggested that we allow only one
§ 164.514. The commenters argued that appeared to support the two method method of de-identifying information.
employers and workers’ compensation approach for entities with differing We find support for both methods in the
carriers should not have access to the levels of statistical expertise. comments but find no compelling logic
entire medical history or portions of the Many of the comments argued that the for how the competing interests could
medical history that have nothing to do standard for creation of de-identified be met cost-effectively with only one
with the injury in question. Further, the information should be whether there is method.
covered provider and not the employer a ‘‘reasonable basis to believe’’ that the We also disagree with the comments
or carrier should determine minimum information has been de-identified. that advocated using a standard which
necessary since the provider is a Others suggested that the ‘‘reasonable required removing only the direct
covered entity and only covered entities basis’’ standard was too vague. identifiers. Although such an approach
are subject to sanctions for violations of A few commenters suggested that we may be more convenient for covered
the rule. These commenters stated that consider information to be de-identified entities, we judged that the resulting
the rule should clearly indicate the if all personal identifiers that directly information would often remain
ability of covered entities to refuse to reveal the identity of the individual or identifiable, and its dissemination could
disclose protected health information if provide a direct means of identifying result in significant violations of
it went beyond the scope of the injury. individuals have been removed, privacy. While we encourage covered
Workers’ compensation carriers, on the encrypted or replaced with a code. entities to remove direct identifiers
other hand, argued that permitting Essentially, this recommendation would whenever possible as a method of
providers to determine the minimum require only removal of ‘‘direct’’ enhancing privacy, we do not believe
necessary was inappropriate because identifiers (e.g., name, address, and ID that the resulting information is
determining eligibility for benefits is an numbers) and allow retention of all sufficiently blinded as to permit its
insurance function, not a medical ‘‘indirect’’ identifiers (e.g., zip code and general dissemination without the
function. They stated that workers’ birth date) in ‘‘de-identified’’ protections provided by this rule.
compensation carriers need access to information. These comments did not We agree with the comments that said
the full range of information regarding suggest a list or further definition of that records of information about
treatment for the injury underlying the what identifiers should be considered individuals cannot be truly de-
claim, the claimants’ current condition, ‘‘direct’’ identifiers. identified, if that means that the
and any preexisting conditions that can Some commenters suggested that the probability of attribution to an
either mitigate the claim or aggravate standard be modified to reflect a single individual must be absolutely zero.
the impact of the injury. standard that applies to all covered However, the statutory standard does
Response: Under the final rule, entities in the interest of reducing not allow us to take such a position, but
covered entities must comply with the uncertainty and complexity. According envisions a reasonable balance between
minimum necessary provisions unless to these comments, the standard for risk of identification and usefulness of
the disclosure is required by law. Our covered entities to meet for de- the information.
review of state workers’ compensation identification of protected health We disagree with those comments
laws suggests that many of these laws information should be generally that advocated releasing only truly
address the issue of the scope of accepted standards in the scientific and anonymous information (which has
information that is available to carriers statistical community, rather than been changed sufficiently so that it no
and employers. The rule permits a focusing on a specified list of identifiers longer represents actual information
provider to disclose information that is that must be removed. about real individuals) and those that
authorized by such a law to the extent A few commenters believed that no supported using only sophisticated
necessary to comply with such law. record of information about an statistical analysis before allowing
Where the law is silent, the workers’ individual can be truly de-identified uncontrolled disclosures. Although
compensation carrier and covered and that all such information should be these approaches would provide a
health care provider will need to treated and protected as identifiable marginally higher level of privacy
discuss what information is necessary because more and more information protection, they would preclude many
for the carrier to administer the claim, about individuals is being made of the laudable and valuable uses
and the health care provider may available to the public, such as voter discussed in the NPRM (in § 164.506(d))
disclose that information. We note that registration lists and motor vehicle and and would impose too great a burden on

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00248 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82709

less sophisticated covered entities to be without having to follow the policies, release 16 we attempt here to provide
justified by the small decrease in an procedures, and documentation some guidance for the method of de-
already small risk of identification. required to use individually identifiable identification.
We conclude that compared to the health information should provide an As requested by some commenters,
alternatives advanced by the comments, incentive to encourage its use where we include in the final rule a
the approach proposed in the NPRM, as appropriate. We disagree with the requirement that covered entities (not
refined and modified below in response comment suggesting that we require an following the safe harbor approach)
to the comments, most closely meets the assessment of whether de-identified apply generally accepted statistical and
intent of the statute. information could be used for each use scientific principles and methods for
Comments: A few comments or disclosure. We believe that such a rendering information not individually
complained that the proposed standards requirement would be too burdensome identifiable when determining if
were so strict that they would expose on covered entities, particularly with information is de-identified. Although
covered entities to liability because respect to internal uses, where entire such guidance will change over time to
arguably no information could ever be records are often used by medical and keep up with technology and the
de-identified. other personnel. For disclosures, we current availability of public
Response: In the final rule we have believe that such an assessment would information from other sources, as a
modified the mechanisms by which a add little to the protection provided by starting point the Secretary approves the
covered entity may demonstrate that it the minimum necessary requirements in use of the following as guidance to such
has complied with the standard in ways this final rule. generally accepted statistical and
that provide greater certainty. In the Comments: One commenter asked if scientific principles and methods:
standard method for de-identification, de-identification was equivalent to (1) Statistical Policy Working Paper
we have clarified the professional destruction of the protected health 22—Report on Statistical Disclosure
standard to be used, and anticipate information (as required under several Limitation Methodology (http://
issuing further guidance for covered of the provisions of this final rule). www.fcsm.gov/working-papers/
entities to use in applying the standard. Response: The process of de- wp22.html) (prepared by the
In the safe harbor method, we reduced identification creates a new dataset in Subcommittee on Disclosure Limitation
the amount of judgment that a covered addition to the source dataset Methodology, Federal Committee on
entity must apply. We believe that these containing the protected health Statistical Methodology, Office of
mechanisms for de-identification are information. This process does not Management and Budget); and
sufficiently well-defined to protect substitute for actual destruction of the (2) The Checklist on Disclosure
covered entities that follow them from source data. Potential of Proposed Data Releases
undue liability. (http://www.fcsm.gov/docs/
Comments: Several comments Modifications to the Proposed Standard
for De-Identification checklistl799.doc) (prepared by the
suggested that the rule prohibit any Confidentiality and Data Access
linking of de-identified data, regardless Comments: Several commenters Committee, Federal Committee on
of the probability of identification. called for clarification of proposed Statistical Methodology, Office of
Response: Since our methods of de- language in the NPRM that would have Management and Budget).
identification include consideration of permitted a covered entity to treat We agree with commenters that such
how the information might be used in information as de-identified, even if guidance will need to be updated over
combination with other information, we specified identifiers were retained, as time and we will provide such guidance
believe that linking de-identified long as the probability of identifying in the future.
information does not pose a subject individuals would be very low. According to the Statistical Policy
significantly increased risk of privacy Commenters expressed concern that the Working Paper 22, the two main sources
violations. In addition, since our ‘‘very low’’ standard was vague. These of disclosure risk for de-identified
authority extends only to the regulation comments expressed concern that records about individuals are the
of individually identifiable health covered entities would not have a clear existence of records with very unique
information, we cannot regulate de- and easy way to know when characteristics (e.g., unusual occupation
identified information because it no information meets this part of the or very high salary or age) and the
longer meets the definition of standard. existence of external sources of records
individually identifiable health Response: We agree with the
with matching data elements which can
information. We also have no authority comments that covered entities may
be used to link with the de-identified
to regulate entities that might receive need additional guidance on the types
information and identify individuals
and desire to link such information yet of analyses that they should perform in
(e.g., voter registration records or
that are not covered entities; thus such determining when the probability of re-
driver’s license records). The risk of
a prohibition would have little identification of information is very
disclosure increases as the number of
protective effect. low. We note that in the final rule, we
variables common to both types of
Comments: Several commenters reformulate the standard somewhat to
records increases, as the accuracy or
suggested that we create incentives for require that a person with appropriate
resolution of the data increases, and as
covered entities to use de-identified knowledge and experience apply
the number of external sources
information. One commenter suggested generally accepted statistical and
increases. As outlined in Statistical
that we mandate an assessment to see if scientific methods relevant to the task to
Policy Working Paper 22, an expert
de-identified information could be used make a determination that the risk of re-
disclosure analysis would also consider
before the use or disclosure of identified identification is very small. In this
the probability that an individual who
information would be allowed. context, we do not view the difference
is the target of an attempt at re-
Response: We believe that this final between a very low probability and a
identification is represented on both
rule establishes a reasonable mechanism very small risk to be substantive. After
for the creation of de-identified consulting representatives of the federal 16 Confidentiality and Data Access Committee,
information and the fact that this de- agencies that routinely de-identify and Federal Committee on Statistical Methodology,
identified information can be used anonymize information for public Office of Management and Budget.

files, the probability that the matching variables are recorded identically on the two types of records, the probability that the target individual is unique in the population for the matching variables, and the degree of confidence that a match would correctly identify a unique person.

Statistical Policy Working Paper 22 also describes many techniques that can be used to reduce the risk of disclosure that should be considered by an expert when de-identifying health information. In addition to removing all direct identifiers, these include the obvious choices based on the above causes of the risk; namely, reducing the number of variables on which a match might be made and limiting the distribution of the records through a "data use agreement" or "restricted access agreement" in which the recipient agrees to limits on who can use/receive the data. The techniques also include more sophisticated manipulations: recoding variables into fewer categories to provide less precise detail (including rounding of continuous variables); setting top-codes and bottom-codes to limit details for extreme values; disturbing the data by adding noise by swapping certain variables between records, replacing some variables in random records with mathematically imputed values or averages across small random groups of records, or randomly deleting or duplicating a small sample of records; and replacing actual records with synthetic records that preserve certain statistical properties of the original data.

Modifications to the "Safe Harbor"

Comments: Many commenters argued that stripping all 19 identifiers is unnecessary for purposes of de-identification. They felt that such items as zip code, city (or county), and birth date, for example, do not identify the individual and only such identifiers as name, street address, phone numbers, fax numbers, email, Social Security number, driver's license number, voter registration number, motor vehicle registration, identifiable photographs, finger prints, voice prints, web universal resource locator, and Internet protocol address number need to be removed to reasonably believe that data has been de-identified.

Other commenters felt that removing the full list of identifiers would significantly reduce the usefulness of the data. Many of these comments focused on research and, to a lesser extent, marketing and undefined "statistical analysis." Commenters who represented various industries and research institutions expressed concern that they would not be able to continue current activities such as development of service provider networks, conducting "analysis" on behalf of the plan, studying use of medication and medical devices, community studies, marketing and strategic planning, childhood immunization initiatives, patient satisfaction surveys, and solicitation of contributions. The requirements in the NPRM to strip off zip code and date of birth were of particular concern. These commenters stated that their ability to do research and quality analysis with this data would be compromised without access to some level of information about patient age and/or geographic location.

Response: While we understand that removing the specified identifiers may reduce the usefulness of the resulting data to third parties, we remain convinced by the evidence found in the MIT study that we referred to in the preamble to the proposed rule [17] and the analyses discussed below that there remains a significant risk of identification of the subjects of health information from the inclusion of indirect identifiers such as birth date and zip code and that in many cases there will be a reasonable basis to believe that such information remains identifiable. We note that a covered entity not relying on the safe harbor may determine that information from which sufficient other identifiers have been removed but which retains birth date or zip code is not reasonably identifiable. As discussed above, such a determination must be made by a person with appropriate knowledge and expertise applying generally accepted statistical and scientific methods for rendering information not identifiable. Although we have determined that all of the specified identifiers must be removed before a covered entity meets the safe harbor requirements, we made modifications in the final rule to the specified identifiers on the list to permit some information about age and geographic area to be retained in de-identified information.

[17] Sweeney, L. Guaranteeing Anonymity when Sharing Medical Data, the Datafly System. Masys, D., Ed. Proceedings, American Medical Informatics Association, Nashville, TN: Hanley & Belfus, Inc., 1997:51–55.

For age, we specify that, in most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses. After considering current and evolving practices and consulting with federal experts on this topic, including members of the Confidentiality and Data Access Committee of the Federal Committee on Statistical Methodology, Office of Management and Budget, we concluded that in general, age is sufficiently broad to be allowed in de-identified information, although all dates that might be directly related to the subject of the information must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages—90 and over—must be aggregated further (to a category of 90+, for example) to avoid identification of very old individuals (because they are relatively rare). This reflects the minimum requirement of the current recommendations of the Bureau of the Census.[18] For research or other studies relating to young children or infants, we note that the rule would not prohibit age of an individual from being expressed as an age in months, days, or hours.

[18] The U.S. Census Bureau's Recommendations Concerning the Census 2000 Public Use Microdata Sample (PUMS) Files [http://www.ipums.org/~census2000/2000pumslbureau.pdf], Population Division, U.S. Census Bureau, November 3, 2000.

For geographic area, we specify that the initial three digits of zip codes may be retained for any three-digit zip code that contains more than 20,000 people as determined by the Bureau of the Census. As discussed more below, there are currently only 18 three-digit zip codes containing fewer than 20,000 people. We note that this number may change when information from the 2000 Decennial Census is analyzed.

In response to concerns expressed in the comments about the need for information on geographic area, we investigated the potential of allowing 5-digit zip codes or 3-digit zip codes to remain in the de-identified information. According to 1990 Census data, the populations in geographical areas delineated by 3-digit zip codes vary a great deal, from a low of 394 to a high of 3,006,997, with an average size of 282,304. There are two 3-digit zip codes containing fewer than 500 people and six 3-digit zip codes containing fewer than 10,000 people each.[19] Of the total of 881 3-digit zip codes, there are 18 with fewer than 20,000 people, 71 with fewer than 50,000 people, and 215 containing fewer than 100,000 population. We also looked at two-digit zip codes (the first 2 digits of the 5-digit zip code) and found that the smallest of the 98 2-digit zip codes contains 188,638 people.

[19] Figures derived from US Census data on 1990 Decennial Census of Population and Housing, Summary Tape File 3B (STF3B). These data are available to the public (for a fee) at http://www.census.gov/mp/www/rom/msrom6af.html.

We also investigated the practices of several other federal agencies which are mandated by Congress to release data
from national surveys while preserving confidentiality and which have been dealing with these issues for decades. The problems and solutions being used by these agencies are laid out in detail in the Statistical Policy Working Paper 22 cited earlier.

To protect the privacy of individuals providing information to the Bureau of Census, the Bureau has determined that a geographical region must contain at least 100,000 people.[20] This standard has been used by the Bureau of the Census for many years and is supported by simulation studies using Census data.[21] These studies showed that after a certain point, increasing the size of a geographic area does not significantly decrease the percentage of unique records (i.e., those that could be identified if sampled), but that the point of diminishing returns is dependent on the number and type of demographic variables on which matching might occur. For a small number of demographic variables (6), this point was quite low (about 20,000 population), but it rose quickly to about 50,000 for 10 variables and to about 80,000 for 15 variables. The Bureau of the Census releases sets of data to the public that it considers safe from re-identification because it limits geographical areas to those containing at least 100,000 people and limits the number and detail of the demographic variables in the data. At the point of approximately 100,000 population, 7.3% of records were unique (and therefore potentially identifiable) on 6 demographic variables from the 1990 Census Short Form: Age in years (90 categories), race (up to 180 categories), sex (2 categories), relationship to householder (14 categories), Hispanic (2 categories), and tenure (owner vs. renter in 5 categories). Using 6 variables derived from the Long Form data, age (10 categories), race (6 categories), sex (2 categories), marital status (5 categories), occupation (54 categories), and personal income (10 categories), raised the percentage to 9.8%.

[20] Statistical Policy Working Paper 22—Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget).

[21] The Geographic Component of Disclosure Risk for Microdata. Brian Greenberg and Laura Voshell. Bureau of the Census Statistical Research Division Report: Census/SRD/RR–90–13, October, 1990.

We also examined the results of an NCHS simulation study using national survey data[22] to see if some scientific support could be found for a compromise. The study took random samples from populations of different sizes and then compared the samples to the whole population to see how many records were identifiable, that is, matched uniquely to a unique person in the whole population on the basis of 9 demographic variables: Age (85 categories), race (4 categories), gender (2 categories), ethnicity (2 categories), marital status (3 categories), income (3 categories), employment status (2 categories), working class (4 categories), and occupation (42 categories). Even when some of the variables are aggregated or coded, from the perspective of a large statistical agency desiring to release data to the public, the study concluded that a population size of 500,000 was not sufficient to provide a reasonable guarantee that certain individuals could not be identified. About 2.5% of the sample from the population of 500,000 was uniquely identifiable, regardless of sample size. This percentage rose as the size of the population decreased, to about 14% for a population of 100,000 and to about 25% for a population of 25,000. Eliminating the occupation variable (which is less likely to be found in health data) reduced this percentage significantly to about 0.4%, 3%, and 10% respectively. These percentages of unique records (and thus the potentials for re-identification) are highly dependent on the number of variables (which must also be available in other databases which are identified to be considered in a disclosure risk analysis), the categorical breakdowns of those variables, and the level of geographic detail included.

[22] A Simulation Study of the Identifiability of Survey Respondents when their Community of Residence is Known. John Horm, National Center for Health Statistics, 2000.

With respect to how we might clarify the requirement to achieve a "low probability" that information could be identified, the Statistical Policy Working Paper 22 referenced above discusses the attempts of several researchers to define mathematical measures of disclosure risk only to conclude that "more research into defining a computable measure of risk is necessary." When we considered whether we could specify a maximum level of risk of disclosure with some precision (such as a probability or risk of identification of <0.01), we concluded that it is premature to assign mathematical precision to the "art" of de-identification.

After evaluating current practices and recognizing the expressed need for some geographic indicators in otherwise de-identified databases, we concluded that permitting geographic identifiers that define populations of greater than 20,000 individuals is an appropriate standard that balances privacy interests against desirable uses of de-identified data. In making this determination, we focused on the studies by the Bureau of Census cited above which seemed to indicate that a population size of 20,000 was an appropriate cutoff if there were relatively few (6) demographic variables in the database. Our belief is that, after removing the required identifiers to meet the safe harbor standards, the number of demographic variables retained in the databases will be relatively small, so that it is appropriate to accept a relatively low number as a minimum geographic size.

In applying this provision, covered entities must replace the (currently 18) forbidden 3-digit zip codes with zeros and thus treat them as a single geographic area (with >20,000 population). The list of the forbidden 3-digit zip codes will be maintained as part of the updated Secretarial guidance referred to above. Currently, they are: 022, 036, 059, 102, 203, 555, 556, 692, 821, 823, 830, 831, 878, 879, 884, 893, 987, and 994. This will result in an average 3-digit zip code area population of 287,858 which should result in an average of about 4% unique records using the 6 variables described above from the Census Short Form. Although this level of unique records will be much higher in the smaller geographic areas, the actual risk of identification will be much lower because of the limited availability of comparable data in publicly available, identified databases, and will be further reduced by the low probability that someone will expend the resources to try to identify records when the chance of success is so small and uncertain. We think this compromise will meet the current need for an easy method to identify geographic area while providing adequate protection from re-identification. If a greater level of geographical detail is required for a particular use, the information will have to be obtained through another permitted mechanism or be subjected to a specific de-identification determination as described above. We will monitor the availability of identified public data and the concomitant re-identification risks, both theoretical and actual, and adjust this safe harbor in the future as necessary.

As we stated above, we understand that many commenters would prefer a looser standard for determining when information is de-identified, both generally and with respect to the standards for identifying geographic
area. However, because public databases (such as voter records or driver's license records) that include demographic information about a geographically defined population are available, a surprisingly large percentage of records of health information that contain similar demographic information can be identified. Although the number of these databases seems to be increasing, the number of demographic variables within them still appears to be fairly limited. The number of cases of privacy violation from health records which have been identified in this way is small to date. However, the risk of identification increases with decreasing population size, with increasing amounts of demographic information (both in level of detail and number of variables), and with the uniqueness of the combination of such information in the population. That is, an 18-year-old single white male student is not at risk of identification in a database from a large city such as New York. However, if the database were about a small town where most of the inhabitants were older, retired people of a specific minority race or ethnic group, that same person might be unique in that community and easily identified. We believe that the policy that we have articulated reaches the appropriate balance between reasonably protecting privacy and providing a sufficient level of information to make de-identified databases useful.

Comments: Some comments noted that identifiers that accompany photographic images are often needed to interpret the image and that it would be difficult to use the image alone to identify the individual.

Response: We agree that our proposed requirement to remove all photographic images was more than necessary. Many photographs of lesions, for example, which cannot usually be used alone to identify an individual, are included in health records. In this final rule, the only absolute requirement is the removal of full-face photographs, and we depend on the "catch-all" of "any other unique * * * characteristic * * *" to pick up the unusual case where another type of photographic image might be used to identify an individual.

Comments: A number of commenters felt that the proposed bar for removal had been set too high; that the removal of these 19 identifiers created a difficult standard, since some identifiers may be buried in lengthy text fields.

Response: We understand that some of the identifiers on our list for removal may be buried in text fields, but we see no alternative that protects privacy. In addition, we believe that such unstructured text fields have little or no value in a de-identified information set and would be removed in any case. With time, we expect that such identifiers will be kept out of places where they are hard to locate and expunge.

Comments: Some commenters asserted that this requirement creates a disincentive for covered entities to de-identify data and would compromise the Secretary's desire to see de-identified data used for a multitude of purposes. Others stated that the "no reason to believe" test creates an unreasonable burden on covered entities, and would actually chill the release of de-identified information, and set an impossible standard.

Response: We recognize that the proposed standards might have imposed a burden that could have prevented the widespread use of de-identified information. We believe that our modifications to the final rule discussed above will make the process less burdensome and remove some of the disincentive. However, we could not loosen the standards as far as many commenters wanted without seriously jeopardizing the privacy of the subjects of the information. As discussed above, we modify the "no reason to know" standard that was part of the safe harbor provision and replace it in the final rule with an "actual knowledge" standard. We believe that this change provides additional certainty to covered entities using the safe harbor and should eliminate any chilling effect.

Comments: Although most commenters wanted to see data elements taken off the list, there were a small number of commenters that wanted to see data items added to the list. They believed that it is also necessary to remove clinical trial record numbers, device model serial numbers, and all proper nouns from the records.

Response: In response to these requests, we have slightly revised the list of identifiers that must be removed under the safe harbor provision. Clinical trial record numbers are included in the general category of "any other unique identifying number, characteristic, or code." These record numbers cannot be included with de-identified information because, although the availability of clinical trial numbers may be limited, they are used for other purposes besides de-identification/re-identification, such as identifying clinical trial records, and may be disclosed under certain circumstances. Thus, they do not meet the criteria in the rule for use as a unique record identifier for de-identified records. Device model serial numbers are included in "any device identifier or serial number" and must be removed. We considered the request to remove all proper nouns to be very burdensome to implement for very little increase in privacy and likely to be arbitrary in operation, and so it is not included in the final rule.

Re-Identification

Comments: One commenter wanted to know if the rule requires that covered entities retain the ability to re-identify de-identified information.

Response: The rule does not require covered entities to retain the ability to re-identify de-identified information, but it does allow them to retain this ability.

Comments: A few commenters asked us to prohibit anyone from re-identifying de-identified health information.

Response: We do not have the authority to regulate persons other than covered entities, so we cannot affect attempts by entities outside of this rule to re-identify information. Under the rule, we permit the covered entity that created the de-identified information to re-identify it. However, we include a requirement that, when a unique record identifier is included in the de-identified information, such identifier must not be such that someone other than the covered entity could use it to identify the individual (such as when a derivative of the individual's name is used as the unique record identifier).

Section 164.514(d)—Minimum Necessary

Comment: A large number of commenters objected to the application of the proposed "minimum necessary" standard for uses and disclosures of protected health information to uses and disclosures for treatment purposes. Some suggested that the final regulation should establish a good faith exception or safe harbor for disclosures made for treatment.

The overwhelming majority of commenters, generally from the medical community, argued that application of the proposed standard would be contrary to sound medical practice, increase medical errors, and lead to an increase in liability. Some likened the standard to a "gag clause" in that it limited the exchange of information critical for quality patient care. They found the standard unworkable in daily treatment situations. They argued that this standard would be potentially dangerous in that it could cause practitioners to withhold information that could be essential for later care. Commenters asserted that caregivers need to be able to give and receive a
complete picture of the patient's health to make a diagnosis and develop a treatment plan.

Other commenters noted that the complexity of medicine is such that it is unreasonable to think that anyone will know the exact parameters of the information another caregiver will need for proper diagnosis and treatment or that a plan will need to support quality assurance and improvement activities. They therefore suggested that the minimum necessary standard be applied instead as an administrative requirement.

Providers also emphasized that they already have an ethical duty to limit the sharing of unnecessary medical information, and most already have well-developed guidelines and practice standards in place. Concerns were also voiced that attempts to provide the minimum necessary information in the treatment setting would lead to multiple editions of a record or creation of summaries that turn out to omit crucial information resulting in confusion and error.

Response: In response to these concerns, we substantially revise the minimum necessary requirements. As suggested by certain commenters, we provide, in § 164.502(b), that disclosures of protected health information to or requests by health care providers for treatment are not subject to the minimum necessary standard. We also modify the requirements for uses of protected health information. This final rule requires covered entities to make determinations of minimum necessary use, including use for treatment purposes, based on the role of the person or class of workforce members rather than at the level of specific uses. A covered entity must establish policies and procedures that identify the types of persons who are to have access to designated categories of information and the conditions, if any, of that access. We establish no requirements specific to a particular use of information. Covered entities are responsible for establishing and documenting these policies and procedures. This approach is consistent with the argument of many commenters that guidelines and practice standards are appropriate means for protecting the privacy of patient information.

Comment: Some commenters argued that the standard should be retained in the treatment setting for uses and disclosures pertaining to mental health information. Some of these commenters asserted that other providers do not need to know the mental status of a patient for treatment purposes.

Response: We agree that the standard should be retained for uses of mental health information in the treatment setting. However, we believe that the arguments for excepting disclosures of protected health information for treatment purposes from application of the minimum necessary standard are also persuasive with respect to mental health information. An individual's mental health can interact with proper treatment for other conditions in many ways. Psychoactive medications may have harmful interactions with drugs routinely prescribed for other purposes; an individual's mental health history may help another health care provider understand the individual's ability to abide by a complicated treatment regimen. For these reasons, it is also not reasonable to presume that, in every case, a health care provider will not need to know an individual's mental health status to provide appropriate treatment.

Providers' comments noted existing ethical duties to limit the sharing of unnecessary medical information, and well-developed guidelines and practice standards for this purpose. Under this rule, providers may use these tools to guide their discretion in disclosing health information for treatment.

Comment: Several commenters urged that covered entities should be required to conspicuously label records to show that they are not complete. They argued that absent such labeling, patient care could be compromised.

Response: We believe that the final policy to except disclosures of protected health information for treatment purposes from application of the minimum necessary standard addresses these commenters' concerns.

Comment: Some commenters argued that the audit exception to the minimum necessary requirements needs to be clarified or expanded, because "audit" and "payment" are essentially the same thing.

Response: We eliminate this exception. The proposed exclusion of disclosures to health plans for audit purposes is replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the purpose intended.

Comment: Many commenters argued that the proposed standard was unworkable as applied to "uses" by a covered entity's employees, because the proposal appeared not to allow providers to create general policy as to the types of records that particular employees may have access to but instead required that each decision be made "individually," which providers interpret as "case-by-case." Commenters argued that the standard with regard to "uses" would be impossible to implement and prohibitively expensive, requiring both medical and legal input to each disclosure decision.

Some commenters recommended deletion of the minimum necessary standard with regard to "uses." Other commenters specifically recommended deletion of the requirement that the standard be applied on an individual, case-by-case basis. Rather, they suggested that the covered entity be allowed to establish general policies to meet the requirement. Another commenter similarly urged that the standard not apply to internal disclosures or for internal health care operations such as quality improvement/assurance activities. The commenter recommended that medical groups be allowed to develop their own standards to ensure that these activities are carried out in a manner that best helps the group and its patients.

Other commenters expressed confusion and requested clarification as to how the standard as proposed would actually work in day-to-day operations within an entity.

Response: Commenters' arguments regarding the workability of this standard as proposed were persuasive, and we therefore make significant modification to address these comments and improve the workability of the standard. For all uses and many disclosures, we require covered entities to include in their policies and procedures (see § 164.530), which may be standard protocols, for "minimum necessary" uses and disclosures. We require implementation of such policies in lieu of making the "minimum necessary" determination for each separate use and disclosure.

For uses, covered entities must implement policies and procedures that restrict access to and use of protected health information based on the specific professional roles of members of the covered entity's workforce. The policies and procedures must identify the persons or classes of persons in the entity's workforce who need access to protected health information to carry out their duties and the category or categories of protected health information to which such persons or classes need access. These role-based access rules must also identify the conditions, as appropriate, that would apply to such access. For example, an institutional health care provider could allow physicians access to all records under the condition that the viewing of medical records of patients not under their care is recorded and reviewed. Other health professionals' access could
be limited to time periods when they are on duty. Information available to staff who are responsible for scheduling surgical procedures could be limited to certain data. In many instances, use of order forms or selective copying of relevant portions of a record may be appropriate policies to meet this requirement.

Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures (which may be standard protocols) to limit the protected health information in routine disclosures to the minimum information reasonably necessary to achieve the purpose of that type of disclosure. For non-routine disclosures, a covered entity must develop reasonable criteria to limit the protected health information disclosed to the minimum necessary to accomplish the purpose for which disclosure is sought, and to implement procedures for review of disclosures on an individual basis.

We modify the proposed standard to require the covered entity to make “reasonable efforts” to meet the minimum necessary standard (not “all” reasonable efforts, as proposed). What is reasonable will vary with the circumstances. When it is practical to use order forms or selective copying of relevant portions of the record, the covered entity is required to do so. Similarly, this flexibility in the standard takes into account the ability of the covered entity to configure its record system to allow selective access to only certain fields, and the practicality of organizing systems to allow this capacity. It might be reasonable for a covered entity with a highly computerized information system to implement a system under which employees with certain functions have access to only limited fields in a patient’s records, while other employees have access to the complete records. Such a system might not be reasonable for a covered entity with a largely paper records system.

Covered entities’ policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed.

We believe that these modifications significantly improve the workability of this standard. At the same time, we believe that asking covered entities to assess their practices and establish rules for themselves will lead to significant improvements in the privacy of health information. See the preamble for § 164.514 for a more detailed discussion.

Comment: The minimum necessary standard should not be applied to uses and disclosures for payment or health care operations.

Response: Commenters’ arguments for exempting these uses and disclosures from the minimum necessary standard were not compelling. We believe that our modifications to application of the minimum necessary standard to internal uses of protected health information, and to routine disclosures, address many of the concerns raised, particularly the concerns about administrative burdens and the concerns about having the information necessary for day-to-day operations. We do not eliminate this standard in part because we also remain concerned that covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary, to avoid the administrative step of extracting the necessary information (or redacting the unnecessary information). We also believe this standard will cause covered entities to assess their privacy practices, give the privacy interests of their patients and enrollees greater attention, and make improvements that might otherwise not have been made. For this reason, the privacy benefits of retaining the minimum necessary standard for these purposes outweigh the burdens involved. We note that the minimum necessary standard is tied to the purpose of the disclosure; thus, providers may disclose protected health information as necessary to obtain payment.

Comment: Other commenters urged us to apply a “good faith” provision to all disclosures subject to the minimum necessary standard. Commenters presented a range of options to modify the proposed provisions which, in their view, would have mitigated their liability if they failed to comply with the minimum necessary standard.

Response: We believe that the modifications to this standard, described above, substantially address these commenters’ concerns. In addition to allowing the covered entity to use standard protocols for routine disclosures, we modify the standard to require a covered entity to make “reasonable efforts,” not “all” reasonable efforts as proposed, in making the “minimum necessary” disclosure.

Comment: Some commenters complained that language in the proposed rule was vague and provided little guidance, and should be abandoned.

Response: In the preamble for § 164.504 and these responses to comments, we provide further guidance on how a covered entity can develop its policies for the minimum necessary use and disclosure of protected health information. We do not abandon this standard for the reasons described above. We remain concerned about the number of persons who have access to identifiable health information, and believe that causing covered entities to examine their practices will have significant privacy benefits.

Comment: Some commenters asked that the minimum necessary standard should not be applied to disclosures to business partners. Many of these commenters articulated the burdens they would bear if every disclosure to a business partner was required to meet the minimum necessary standard.

Response: We do not agree. In this final rule, we minimize the burden on covered entities in the following ways: in circumstances where disclosures are made on a routine, recurring basis, such as in on-going relationships between covered entities and their business associates, individual review of each routine disclosure has been eliminated; covered entities are required only to develop standard protocols to apply to such routine disclosures made to business associates (or types of business associates). In addition, we allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Some commenters were concerned that applying the standard in research settings will result in providers declining to participate in research protocols.

Response: We have modified the proposal to reduce the burden on covered entities that wish to disclose protected health information for research purposes. The final rule requires covered entities to obtain documentation or statements from persons requesting protected health information for research that, among other things, describe the information necessary for the research. We allow covered entities to reasonably rely on the documentation or statements as describing the minimum necessary disclosure.

Comment: Some commenters argued that government requests should not be subject to the minimum necessary standard, whether or not they are “authorized by law.”

Response: We found no compelling reason to exempt government requests from this standard, other than when a disclosure is required by law. (See preamble to § 164.512(a) for the
rationale behind this policy). When a disclosure is required by law, the minimum necessary standard does not apply, whether the recipient of the information is a government official or a private individual.

At the same time, we understand that when certain government officials make requests for protected health information, some covered entities might feel pressure to comply that might not be present when the request is from a private individual. For this reason, we allow (but do not require) covered entities to reasonably rely on the representations of public officials as to the minimum necessary information for the purpose.

Comment: Some commenters argued that requests under proposed § 164.510 should not be subject to the minimum necessary standard, whether or not they are “authorized by law.” Others argued that for disclosures made for administrative proceedings pursuant to proposed § 164.510, the minimum necessary standard should apply unless they are subject to a court order.

Response: We found no compelling reason to exempt disclosures for purposes listed in the regulation from this standard, other than for disclosures required by law. When there is no such legal mandate, the disclosure is voluntary on the part of the covered entity, and it is therefore reasonable to expect the covered entity to make some effort to protect privacy before making such a disclosure. If the covered entity finds that redacting unnecessary information, or extracting the requested information, prior to making the disclosure, is too burdensome, it need not make the disclosure. Where there is ambiguity regarding what information is needed, some effort on the part of the covered entity can be expected in these circumstances.

We also found no compelling reason to limit the exemption for disclosures “required by law” to those made pursuant to a court order. The judgment of a state legislature or regulatory body that a disclosure is required is entitled to no less deference than the same decision made by a court. For further rationale for this policy, see the preamble to § 164.512(a).

Comment: Some commenters argued that, in cases where a request for disclosure is not required by law, covered entities should be permitted to rely on the representations by public officials that they have requested no more than the minimum amount necessary.

Response: We agree, and retain the proposed provision which allows reasonable reliance on the representations of public officials.

Comment: Some commenters argued that it is inappropriate to require covered entities to distinguish between disclosures that are “required by law” and those that are merely “authorized by law,” for the purposes of determining when the standard applies.

Response: We do not agree. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. In addition, § 164.514(h) allows covered entities to reasonably rely on the oral or written representation of public officials that a disclosure is required by law.

Comment: The minimum necessary standard should not be applied to pharmacists, or to emergency services.

Response: We believe that the final rule’s exemption of disclosures of protected health information to health care providers for treatment purposes from the minimum necessary standard addresses these commenters’ concerns about emergency services. Together with the other changes we make to the proposed standard, we believe we have also addressed most of the commenters’ concerns about pharmacists. With respect to pharmacists, the comments offered no persuasive reasons to treat pharmacists differently from other health care providers. Our reasons for retaining this standard for other uses and disclosures of protected health information are explained above.

Comment: A number of commenters argued that the standard should not apply to disclosures to attorneys, because it would interfere with the professional duties and judgment of attorneys in their representation of covered entities. Commenters stated that if a layperson within a covered entity makes an improper decision as to what the minimum necessary information is in regard to a request by the entity’s attorney, the attorney may end up lacking information that is vital to representation. These commenters stated that attorneys are usually going to be in a better position to determine what information is truly the minimum necessary for effective counsel and representation of the client.

Response: We found no compelling reason to treat attorneys differently from other business associates. However, to ensure that this rule does not inadvertently cause covered entities to second-guess the professional judgment of the attorneys and other professionals they hire, we modify the proposed policies to explicitly allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Commenters from the law enforcement community expressed concern that providers may attempt to misuse the minimum necessary standard as a means to restrict access to information, particularly with regard to disclosures for health oversight or to law enforcement officials.

Response: The minimum necessary standard does not apply to disclosures required by law. Since the disclosures to law enforcement officials to which this standard applies are all voluntary, there would be no need for a covered entity to “manipulate” the standard; it could decline to make the disclosure.

Comment: Some commenters argued that the only exception to the application of the standard should be when an individual requests access to his or her own information. Many of these commenters expressed specific concerns about victims of domestic violence and other forms of abuse.

Response: We do not agree with the general assertion that disclosure to the individual is the only appropriate exception to the minimum necessary standard. There are other, limited, circumstances in which application of the minimum necessary standard could cause significant harm. For reasons described above, disclosures of protected health information for treatment purposes are not subject to this standard. Similarly, as described in detail in the preamble to § 164.512(a), where another public body has mandated the disclosure of health information, upsetting that judgment in this regulation would not be appropriate.

The more specific concerns expressed about victims of domestic violence and other forms of abuse are addressed in a new provision regarding disclosure of protected health information related to domestic violence and abuse (see § 164.512(c)), and in new limitations on disclosures to persons involved in the individual’s care (see § 164.510(b)). We believe that the limitations we place on disclosure of health information in those circumstances address the concerns of these commenters.

Comment: Some commenters argued that disclosures to next of kin should be restricted to minimum necessary protected health information, and to protected health information about only the current medical condition.

Response: In the final regulation, we change the proposed provision regarding “next of kin” to more clearly focus on the disclosures we intended to target: Disclosures to persons involved
in the individual’s care. We allow such disclosure only with the agreement of the individual, or where the covered entity has offered the individual the opportunity to object to the disclosure and the individual did not object. If the opportunity to object cannot practicably be provided because of the incapacity of the individual or other emergency, we require covered entities to exercise professional judgment in the best interest of the patient in deciding whether to disclose information. In such cases, we permit disclosure only of that information directly relevant to the person’s involvement with the individual’s health care. (This provision also includes limited disclosure to certain persons seeking to identify or locate an individual.) See § 164.510(b).

Some additional concerns expressed about victims of domestic violence and other forms of abuse are also addressed in a new section on disclosure of protected health information related to domestic violence and abuse. See § 164.512(c). We believe that the limitations we place on disclosure of health information in these provisions address the concerns of these commenters.

Comment: Some commenters argued that covered entities should be required to determine whether de-identified information could be used before disclosing information under the minimum necessary standard.

Response: We believe that requiring covered entities’ policies and procedures for minimum necessary disclosures to address whether de-identified information could be used in all instances would impose burdens on some covered entities that could outweigh the benefits of such a requirement. There is significant variation in the sophistication of covered entities’ information systems. Some covered entities can reasonably implement policies and procedures that make significant use of de-identified information; other covered entities would find such a requirement excessively burdensome. For this reason, we chose instead to require “reasonable efforts,” which can vary according to the situation of each covered entity.

In addition, we believe that the fact that we allow de-identified information to be disclosed without regard to the policies, procedures, and documentation required for disclosure of identifiable health information will provide an incentive to encourage its use where appropriate.

Comment: Several commenters argued that standard transactions should not be subject to the standard.

Response: We agree that data elements that are required or situationally required in the standard transactions should not be, and are not, subject to this standard. However, in many cases, covered entities have significant discretion as to the information included in these transactions. Therefore, this standard does apply to those optional data elements.

Comment: Some commenters asked for clarification to understand how the minimum necessary standard is intended to interact with the security NPRM.

Response: The proposed Security Rule included requirements for electronic health information systems to include access management controls. Under this regulation, the covered entity’s privacy policies will determine who has access to what protected health information. We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: Many commenters, representing health care providers, argued that if the request was being made by a health plan, the health plan should be required to request only the minimum protected health information necessary. Some of these commenters stated that the requestor is in a better position to know the minimum amount of information needed for their purposes. Some of these commenters argued that the minimum necessary standard should be imposed only on the requesting entity. A few of these commenters argued that both the disclosing and the requesting entity should be subject to the minimum necessary standard, to create “internal tension” to assure the standard is honored.

Response: We agree, and in the final rule we require that a request for protected health information made by one covered entity to another covered entity must be limited to the minimum amount necessary for the purpose. As with uses and disclosures of protected health information, covered entities may have standard protocols for routine requests. Similarly, this requirement does not apply to requests made to health care providers for treatment purposes. We modify the rule to balance this provision; that is, it now applies both to disclosure of and requests for protected health information. We also allow, but do not require, the covered entity releasing the information to reasonably rely on the assertion of a requesting covered entity that it is requesting only the minimum protected health information necessary.

Comment: A few commenters suggested that there should be a process for resolving disputes between covered entities over what constitutes the “minimum necessary” information.

Response: We do not intend that this rule change the way covered entities currently handle their differences regarding the disclosure of health information. We understand that the scope of information requested from providers by health plans is a source of tension in the industry today, and we believe it would not be appropriate to use this regulation to affect that debate. As discussed above, we require both the requesting and the disclosing covered entity to take privacy concerns into account, but do not inject additional tension into the on-going discussions.

Section 164.514(e)—Marketing

Comment: Many commenters requested clarification of the boundaries between treatment, payment, health care operations, and marketing. Some of these commenters requested clarification of the apparent inconsistency between language in proposed § 164.506(a)(1)(i) (a covered entity is permitted to use or disclose protected health information without authorization “to carry out” treatment, payment, or health care operations) and proposed § 164.508(a)(2)(A) (a covered entity must obtain an authorization for all uses and disclosures that are not “compatible with or directly related to” treatment, payment, and health care operations). They suggested retaining the language in proposed § 164.508(a)(2)(A), which would permit a broader range of uses and disclosures without authorization, in order to engage in health promotion activities that might otherwise be considered marketing.

Response: In the final rule, we make several changes to the definitions of treatment, payment, and health care operations that are intended to clarify the uses and disclosures of protected health information that may be made for each purpose. See § 164.501 and the corresponding preamble discussion regarding the definitions of these terms. We also have added a definition of the term “marketing” to help establish the boundary between marketing and treatment, payment, and health care operations. See § 164.501. We also clarify the conditions under which authorization is or is not required for uses and disclosures of protected health information for marketing purposes. See § 164.514(e). Due to these changes, we believe it is appropriate to retain the wording from proposed § 164.506(a)(1)(i).
Comment: We received a wide variety of suggestions with respect to authorization for uses and disclosures of protected health information for marketing purposes. Some commenters supported requiring authorization for all such uses and disclosures. Other commenters suggested permitting all such uses and disclosures without authorization.

Some commenters suggested we distinguish between marketing to benefit the covered entity and marketing to benefit a third party. For example, a few commenters suggested we should prohibit covered entities from seeking authorization for any use or disclosure for marketing purposes that benefit a third party. These commenters argued that the third parties should be required to obtain the individual’s authorization directly from the individual, not through a covered entity, due to the potential for conflicts of interest.

While a few commenters suggested that we require covered entities to obtain authorization to use or disclose protected health information for the purpose of marketing its own products and services, the majority argued these types of marketing activities are vital to covered entities and their customers and should therefore be permitted to occur without authorization. For example, commenters suggested covered entities should be able to use and disclose protected health information without authorization in order to provide appointment reminders, newsletters, information about new initiatives, and program bulletins.

Finally, many commenters argued we should not require authorization for the use or disclosure of protected health information to market any health-related goods and services, even if those goods and services are offered by a third party. Some of these commenters suggested that individuals should have an opportunity to opt out of these types of marketing activities rather than requiring authorization.

Response: We have modified the final rule in ways that address a number of the issues raised in the comments. First, the final rule defines the term marketing, and excepts certain communications from the definition. See § 164.501. These exceptions include communications made by covered entities for the purpose of describing network providers or other available products, services, or benefits and communications made by covered entities for certain treatment-related purposes. These exceptions only apply to oral communications or to written communications for which the covered entity receives no third-party remuneration. The exceptions to the definition of marketing fall within the definitions of treatment and/or health care operations, and therefore uses, or disclosures to a business associate, of protected health information for these purposes are permissible under the rule without authorization.

The final rule also permits covered entities to use protected health information to market health-related products and services, whether they are the products and services of the covered entity or of a third party, subject to a number of limitations. See § 164.514(e). We permit these uses to allow entities in the health sector to inform their patients and enrollees about products that may benefit them. The final rule contains significant restrictions, including requirements that the covered entity disclose itself as the source of a marketing communication, that it disclose any direct or indirect remuneration from third parties for making the disclosure, and that, except in the cases of general communications such as a newsletter, the communication disclose how the individual can opt out of receiving additional marketing communications. Additional requirements are imposed if the communication is targeted based on the health status or condition of the proposed recipients.

We believe that these modifications address many of the issues raised by commenters and provide a substantial amount of flexibility as to when a covered entity may communicate about a health-related product or service to a patient or enrollee. These communications may include appointment reminders, newsletters, and information about new health products. These changes, however, do not permit a covered entity to disclose protected health information to third parties for marketing (other than to a business associate to make a marketing communication on behalf of the covered entity) without authorization under § 164.508.

Comment: A few commenters suggested we prohibit health care clearinghouses from seeking authorization for the use or disclosure of protected health information for marketing purposes.

Response: We do not prohibit clearinghouses from seeking authorizations for these purposes. We believe, however, that health care clearinghouses will almost always create or obtain protected health information in a business associate capacity. Business associates may only engage in activities involving the use or disclosure of protected health information, including seeking or acting on an authorization, to the extent their contracts allow them to do so. When a clearinghouse creates or receives protected health information other than as a business associate of a covered entity, it is permitted and required to obtain authorizations to the same extent as any other covered entity.

Comment: A few commenters suggested we require covered entities to publicly disclose, on the covered entity’s website or upon request, all of their marketing arrangements.

Response: While we agree that such a requirement would provide individuals with additional information about how their information would be used, we do not feel that such a significant intrusion into the business practices of the covered entity is warranted.

Comment: Some commenters argued that if an activity falls within the scope of payment, it should not be considered marketing. Commenters strongly supported an approach which would bar an activity from being construed as “marketing” even if performing that activity would result in financial gain to the covered entity. In a similar vein, we were urged to adopt the position that if an activity was considered payment, treatment or health care operations, it could not be further evaluated to determine whether it should be excluded as marketing.

Response: We considered the approach offered by commenters but decided against it. Some activities, such as the marketing of a covered entity’s own health-related products or services, are now included in the definition of health care operations, provided certain requirements are met. Other types of activities, such as the sale of a patient list to a marketing firm, would not be permitted under this rule without authorization from the individual. We do not believe that we can envision every possible disclosure of health information that would violate the privacy of an individual, so any list would be incomplete. Therefore, whether or not a particular activity is considered marketing, payment, treatment or health care operations will be a fact-based determination based on the activity’s congruence with the particular definition.

Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They suggested we adopt a definition of disease management that differentiates use of information for the best interests of the patient from uses undertaken for “ulterior purposes” such as advertising, marketing, or promoting separate products.
Response: We agree in general that the sale of unrelated products to individuals is not a population-based activity that supports treatment and payment. However, in certain circumstances marketing activities are permitted as a health care operation; see the definition of “health care operations” in § 164.501 and the related marketing requirements of § 164.514.

Comment: Some commenters complained that the absence of a definition for disease management created uncertainty, in view of the proposed rule’s requirement to get authorization for marketing. They expressed concern that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses. They also stated that the proposed rule would prevent many disease management and preventive health activities.

Response: We agree that the distinction in the NPRM between disease management and marketing was unclear. Rather than provide a definition of disease management, this final rule defines marketing. We note that overlap between disease management and marketing exists today in practice and they cannot be distinguished easily with a definitional label. However, for purposes of this

[…]

in order to carry out their fundraising campaigns. They stated that a limited data set restricted to name, address, and telephone number would be sufficient to meet their needs. Several commenters suggested that we create a voluntary opt-out provision so people can avoid solicitations.

Response: We agree with commenters that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit. Permissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).

Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity.

We also agree that broad access to protected health information is unnecessary for fundraising and unnecessarily intrudes on individual privacy. The final rule limits protected health information to be used or disclosed for fundraising to

[…]

and as such, they should be exempt from the authorization requirement while for-profit organizations should have to comply with the requirement.

Response: We do not agree that the profit status of a covered entity should determine its allowable use of protected health information for fundraising. Many for-profit entities provide the same services and have similar missions to not-for-profit entities. Therefore, the final rule does not make this distinction.

Comment: Several commenters suggested that the final rule should allow the internal use of protected health information for fundraising, without authorization, but not disclosure for fundraising. These commenters suggested that by limiting access of protected health information to only internal development offices, concerns about misuse would be reduced.

Response: We do not agree. A number of commenters noted that they have related charitable foundations that raise funds for the covered entity, and we permit disclosures to such foundations to ensure that this rule does not interfere with charitable giving.

Comment: Several commenters asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or
rule, the revised language makes clear demographic information and the date disclosed for fundraising, and exclude
for what activities an authorization is that treatment occurred. Demographic information about diagnosis, nature of
required. We note that under this rule information is not defined in the rule, services, or treatment.
many of the activities mentioned by but will generally include in this
commenters will not require context name, address and other contact Section 164.514(g)—Verification
authorizations under most information, age, gender, and insurance Comment: A few commenters
circumstances. See the discussion of status. The term does not include any suggested that verification guidelines
disease management under the information about the illness or may need to be different as they apply
definition of ‘‘treatment’’ in § 164.501. treatment. to emergency clinical situations as
We also agree that a voluntary opt-out opposed to routine data collection
Section 164.514(f)—Fundraising is an appropriate protection, and require where delays do not threaten health.
Comment: Many comments objected in § 164.520 that covered entities Response: We agree, and make special
to the requirement that an authorization provide information on their provisions in §§ 164.510 and 164.512 for
from the individual be obtained for use fundraising activities in their ‘‘Notice of disclosures of protected health
and disclosure of protected health Information Practices.’’ As part of the information by a covered entity without
information for fundraising purposes. notice and in any fundraising materials, authorization where the individual is
They argued that, in the case of not-for- covered entities must provide unable to agree or object to disclosure
profit health care providers, having to information explaining how individuals due to incapacity or other emergency
obtain authorization would be time may opt out of fundraising circumstance.
consuming and costly, and that such a communications. For example, a health care provider
requirement would lead to a decrease in Comment: Some commenters stated may need to make disclosures to family
charitable giving. The commenters also that use and disclosure of protected members, close personal friends, and
urged that fundraising be included health information for fundraising, others involved in the individual’s care
within the definition of health care without authorization should be limited in emergency situations. Similarly, a
operations. Numerous commenters to not-for-profit entities. They suggested health care provider may need to
suggested that they did not need that not-for-profit entities were in respond to a request from a hospital
unfettered access to patient information greater need of charitable contributions seeking protected health information in

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00258 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82719

a circumstance described as an emergency. In each case, we require only that the covered entity exercise professional judgment, in the best interest of the patient, in deciding whether to make a disclosure. Based on the comments and our fact finding, this reflects current practice.

Comment: A few commenters stated the rules should include provisions for electronic verification of identity (such as Public Key Infrastructure (PKI)) as established in the regulations on Security and Electronic Signatures. One commenter suggested that some kind of PKI credentialing certificate should be required.

Response: This regulation does not address specific technical protocols utilized to meet the verification requirements. If the requirements of the rule are otherwise met, the mechanism for meeting them can be determined by the covered entity.

Comment: A few commenters wanted more clarification on the verification procedures. One commenter wanted to know if contract number is enough for verification. A few commenters wanted to know if a callback or authorization on a letterhead is acceptable. A few commenters wanted to know if plans are considered to “routinely do business” with all of their members.

Response: In the final rule, we modify the proposed provision and require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting protected health information. Whether knowledge of a contract number is reasonable evidence of authority and identity will depend on the circumstances. Call-backs and letterhead are typically used today for verification, and are acceptable under this rule if reasonable under the circumstances. For communications with health plan members, the covered entity will already have information about each individual, collected during enrollment, that can be used to establish identity, especially for verbal or electronic inquiries. For example, today many health plans ask for the social security or policy number of individuals seeking information or assistance by telephone. How this verification is done is left up to the covered entity.

Comment: One commenter expressed the need for consistency on verification requirements between this rule and the Security regulation.

Response: We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: One commenter stated that the verification language in proposed § 164.518(c)(2)(ii)(B)(1) would have created a presumption that “a request for disclosure made by official legal process issued by a[n] administrative body” is reasonable legal authority to disclose the protected health information. The commenter was concerned that this provision could be interpreted to permit a state agency to demand the disclosure of protected health information merely on the basis of a letter signed by an agency representative. The commenter believed that the rule specifically should defer to state or federal law on the disclosure of protected health information pursuant to legal process.

Response: The verification provisions in this rule are minimum requirements that covered entities must meet before disclosing protected health information under this regulation. They do not mandate disclosure, nor do they preempt state laws which impose additional restrictions on disclosure. Where state law regarding disclosures is more stringent, the covered entity must adhere to state law.

Comment: A few commenters wanted the verification requirements to apply to disclosures of protected health information for treatment, payment and operations purposes.

Response: We agree. This verification requirement applies to all disclosures of protected health information permitted by this rule, including for treatment, payment and operations, where the identity of the recipient is not known to the covered entity. Routine communications between providers, where existing relationships have been established, do not require special verification procedures.

Comment: A few commenters were concerned that a verbal inquiry for next of kin verification is not consistent with the verification guidelines of this verification subsection and that verbal inquiry would create problems because anyone who purports to be a next of kin could easily obtain information under false pretenses.

Response: In the final rule in § 164.514, we require the covered entity to verify the identity and authority of persons requesting protected health information, where the identity and authority of such person is not known to the covered entity. This applies to next of kin situations. Procedures for disclosures to next of kin, other family members and persons assisting in an individual’s care are also discussed in § 164.510(b), which allows the covered entity to exercise professional judgment as to whether the disclosure is in the individual’s best interest when the individual is not available to agree to the disclosure or is incapacitated.

Requiring written proof of identity in many of these situations, such as when a family member is seeking to locate a relative in an emergency or disaster situation, would create enormous burden without a corresponding enhancement of privacy, and could cause unnecessary delays in these situations. We therefore believe that reliance on professional judgment provides a better framework for balancing the need for privacy with the need to locate and identify individuals.

Comment: A few commenters stated that the verification requirements will provide great uncertainty to providers who receive authorizations from life, disability income and long-term care insurers in the course of underwriting and claims investigation. They are unaware of any breaches of confidentiality associated with these circumstances and believe the rule creates a solution to a non-existent problem. Another commenter stated that it is too burdensome for health care providers to verify requests that are normally received verbally or via fax.

Response: This rule requires covered health care providers to adhere to current best practices for verification. That is, when the requester is not known to the covered provider, the provider makes a reasonable effort to determine that the protected health information is being sent to the entity authorized to receive it. Our fact finding reveals that this is often done by sending the information to a recognizable organizational address or, if being transmitted by fax or phone, by calling the requester back through the main organization switchboard rather than through a direct phone number. We agree that these procedures seem to work reasonably well in current practice and are sufficient to meet the relevant requirements in the final rule.

Comment: One comment suggested requiring a form of photo identification such as a driver’s license or certain personal information such as date of birth to verify the identity of the individual.

Response: These are exactly the types of standard procedures for verifying the identity of individuals that are envisioned by the final rule. Most health care entities already conduct such procedures successfully. However, it is unwise to prescribe specific means of verification for all situations. Instead, we require policies and procedures reasonably designed for purposes of verification.

Comment: One professional association said that the example procedure described in the NPRM for asking questions to verify that an adult
acting for a young child had the requisite relationship to the child would be quite complex and difficult in practice. The comment asked for specific guidance as to what questions would constitute an adequate attempt to verify such a relationship.

Response: The final rule requires the covered entity to implement policies and procedures that are reasonably designed to comply with the verification requirement in § 164.514. It would not be possible to create the requested specific guidance which could deal with the infinite variety of situations that providers must face, especially the complex ones such as that described by the commenter. As with many of the requirements of this final rule, health care providers are given latitude and expected to make decisions regarding disclosures, based on their professional judgment and experience with common practice, in the best interest of the individual.

Comment: One commenter asserted that ascertaining whether a requestor has the appropriate legal authority is beyond the scope of the training or expertise of most employees in a physician’s office. They believe that health care providers must be able to reasonably rely on the authority of the requestor.

Response: In the final regulation we require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting health information. Where the requester is a public official and legal authority is at issue, we provide detailed descriptions of the acceptable methods for such verification in the final rule. For others, the covered entity must implement policies and procedures that are reasonably designed to comply with the requirement to verify the identity and authority of a requestor, but only if the requestor is unknown to the covered entity. As described above, we expect these policies and procedures to document currently used best practices and reliance on professional judgment in the best interest of the individual.

Comment: One commenter expressed concern that the verification/identification procedures may eliminate or significantly reduce their ability to utilize medical records copy services. As written, they believe the NPRM provides the latitude to set up copy service arrangements, but any change that would add restrictions would adversely affect their ability to process an individual’s disability claim.

Response: The covered entity can establish reasonable policies and procedures to address verification in routine disclosures under business associate agreements, with, for example, medical records copy services. Nothing in the verification provisions would preclude those activities, nor have we significantly modified the NPRM provision on this issue.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Comment: Many commenters supported the proposal to require covered entities to produce a notice of information practices. They stated that such notice would improve individuals’ understanding of how their information may be used and disclosed and would help to build trust between individuals and covered entities. A few comments, however, argued that the notice requirement would be administratively burdensome and expensive without providing significant benefit to individuals.

Response: We retain the requirement for covered health care providers and health plans to produce a notice of information practices. We additionally require health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity to produce a notice. We believe the notice will provide individuals with a clearer understanding of how their information may be used and disclosed and is essential to inform individuals of their privacy rights. The notice will focus individuals on privacy issues, and prompt individuals to have discussions about privacy issues with their health plans, health care providers, and other persons.

The importance of providing individuals with notice of the uses and disclosures of their information and of their rights with respect to that information is well supported by industry groups, and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that “each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual’s express authorization.” 23 The Commission also recommended that “an insurance institution * * * notify (an applicant or principal insured) as to: * * * the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed; [and] * * * the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself.” 24 The Privacy Act (5 U.S.C. 552a) requires government agencies to provide notice of the routine uses of information the agency collects and the rights individuals have with respect to that information. In its report “Best Principles for Health Privacy,” the Health Privacy Working Group stated, “Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information.” 25 The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires carriers to provide a written notice of health information policies, standards, and procedures, including a description of the uses and disclosures prohibited and permitted by the Act, the procedures for authorizing and limiting disclosures and for revoking authorizations, and the procedures for accessing and amending protected health information.

Some states require additional notice. For example, Hawaii requires health care providers and health plans, among others, to produce a notice of confidentiality practices, including a description of the individual’s privacy rights and a description of the uses and disclosures of protected health information permitted under state law without the individual’s authorization. (HRS section 323C–13)

Today, health plan handbooks and evidences of coverage include some of what is required to be in the notice. Industry and standard-setting organizations have also developed notice requirements. The National Committee for Quality Assurance accreditation guidelines state that an accredited managed care organization “communicates to prospective members its policies and practices regarding the collection, use, and disclosure of medical information [and] * * * informs members * * * of its policies and procedures on * * * allowing members access to their medical records.” 26 Standards of the American Society for Testing and Materials state,

23 Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, p. 313.
24 Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, p. 192.
25 Health Privacy Working Group, “Best Principles for Health Privacy,” Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999, p. 19.
26 National Committee on Quality Assurance, “Surveyor Guidelines for the Accreditation of MCOs,” effective July 1, 2000—June 30, 2001, p. 324.
“Organizations and individuals who collect, process, handle, or maintain health information should provide individuals and the public with a notice of information practices.” They recommend that the notice include, among other elements, “a description of the rights of individuals, including the right to inspect and copy information and the right to seek amendments [and] a description of the types of uses and disclosures that are permitted or required by law without the individual’s authorization.” 27 We build on this well-established principle in this final rule.

Comment: We received many comments on the model notice provided in the proposed rule. Some commenters argued that patients seeing similar documents would be less likely to become disoriented when examining a new notice. Other commenters, however, opposed the inclusion of a model notice or expressed concern about particular language included in the model. They maintained that a uniform model notice would never capture the varying practices of covered entities. Many commenters opposed requirements for a particular format or specific language in the notice. They stated that covered entities should be afforded maximum flexibility in fashioning their notices. Other commenters requested inclusion of specific language as a header to indicate the importance of the notice. A few commenters recommended specific formatting requirements, such as font size or type.

Response: On the whole, we found commenters’ arguments for flexibility in the regulation more persuasive than those arguing for more standardization. We agree that a uniform notice would not capture the wide variation in information practices across covered entities. We therefore do not include a model notice in the final rule, and do not require inclusion of specific language in the notice (except for a standard header). We also do not require particular formatting. We do, however, require the notice to be written in plain language. (See above for guidance on writing documents in plain language.) We also agree with commenters that the notice should contain a standard header to draw the individual’s attention to the notice and facilitate the individual’s ability to recognize the notice across covered entities.

We believe that post-publication guidance will be a more effective mechanism for helping covered entities design their notices than the regulation itself. After the rule is published, we can provide guidance on notice content and format tailored to different types of health plans and providers. We believe such specially designed guidance will be more useful than a one-size-fits-all model notice we might publish with this regulation.

Comment: Commenters suggested that the rule should require that the notice regarding privacy practices include specific provisions related to health information of unemancipated minors.

Response: Although we agree that minors and their parents should be made aware of practices related to confidentiality of protected health information of unemancipated minors, we do not require covered entities that treat minors or use their protected health information to include provisions in their notice that are not required of other covered entities. In general, the content of notice requirements in § 164.520(b) does not vary based on the status of the individual being served. We have decided to maintain consistency by declining to prescribe specific notice requirements for minors. The rule does permit a covered entity to provide individuals with notice of its policies and procedures with respect to anticipated uses and disclosures of protected health information (§ 164.520(b)(2)), and providers are encouraged to do so.

Comment: Some commenters argued that covered entities should not be required to distinguish between those uses and disclosures that are required by law and those that are permitted by law without authorization, because these distinctions may not always be clear and will vary across jurisdictions. Some commenters maintained that simply stating that the covered entity would make all disclosures required by law would be sufficient. Other comments suggested that covered entities should be able to produce very broadly stated notices so that repeated revisions and mailings of those revisions would not be necessary.

Response: While we believe that covered entities have an independent duty to understand the laws to which they are subject, we also recognize that it could be difficult to convey such legal distinctions clearly and concisely in a notice. We therefore eliminate the proposed requirement for covered entities to distinguish between those uses and disclosures that are required by and those that are permitted by law. We instead require that covered entities describe each purpose for which they are permitted or required to use or disclose protected health information under this rule and other applicable law without individual consent or authorization. Specifically, covered entities must describe the types of uses and disclosures they are permitted to make for treatment, payment, and health care operations. They must also describe each of the purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written consent or authorization (even if they do not plan to make a permissive use or disclosure). We believe this requirement provides individuals with sufficient information to understand how information about them can be used and disclosed and to prompt them to ask for additional information to obtain a clearer understanding, while minimizing covered entities’ burden.

A notice that stated only that the covered entity would make all disclosures required by law, as suggested by some of these commenters, would fail to inform individuals of the uses and disclosures of information about them that are permitted, but not required, by law. We clarify that each and every disclosure required by law need not be listed on the notice. Rather, the covered entity can include a general statement that disclosures required by law will be made.

Comment: Some comments argued that the covered entity should not have to provide notice about uses and disclosures that are permitted under the rule without authorization. Other comments suggested that the notice should inform individuals about all of the uses and disclosures that may be made, with or without the individual’s authorization.

Response: When the individual’s permission is not required for uses and disclosures of information, we believe providing the required notice is the most effective means of ensuring that individuals are aware of how information about them may be shared. The notice need not describe uses and disclosures for which the individual’s permission is required, because the individual will be informed of these at the time permission to use or disclose the information is requested.

We additionally require covered entities, even those required to obtain the individual’s consent for use and disclosure of protected health information for treatment, payment, and health care operations, to describe those uses and disclosures in their notice. (See § 164.506 and the corresponding preamble discussion regarding consent requirements.) We require these uses

27 ASTM, “Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records,” E 1869–97, § 9.2.
and disclosures to be described in the notice in part in order to reduce the administrative burden on covered providers that are required to obtain consent. Rather than obtaining a new consent each time the covered provider’s information policies and procedures are materially revised, covered providers may revise and redistribute their notice. We also expect that the description of how information may be used to carry out treatment, payment, and health care operations in the notice will be more detailed than in the more general consent document.

Comment: Some commenters argued that covered entities should not be required to provide notice of the right to request restrictions, because doing so would be burdensome to the covered entity and distracting to the individual; because individuals have the right whether they are informed of such right or not; and because the requirement would be unlikely to improve patient care.

Response: We disagree. We believe that the ability of an individual to request restrictions is an important privacy right and that informing people of their rights improves their ability to exercise those rights. We do not believe that adding a sentence to the notice is burdensome to covered entities.

Comment: We received comments supporting inclusion of a contact point in the notice, so that individuals will not be forced to make multiple calls to find someone who can assist them with the issues in the notice.

Response: We retain the requirement, but clarify that the title of the contact person is sufficient. A person’s name is not required.

Comment: Some commenters argued that we could facilitate compliance by requiring the notice to include the proposed requirement that covered entities use and disclose only the minimum necessary protected health information.

Response: We do not agree that adding such a requirement would strengthen the notice. The purpose of

information obtained prior to the change. They argued that requiring different protections for information obtained at different times would be inefficient and extremely difficult to administer. Some comments supported requiring covered entities to state in the notice that the information policies and procedures are subject to change.

Response: We agree. In the final rule, we provide a mechanism by which covered entities may revise their privacy practices and apply those revisions to protected health information they already maintain. We permit, but do not require, covered entities to reserve the right to change their practices and apply the revised practices to information previously created or obtained. If a covered entity wishes to reserve this right, it must make a statement to that effect in its notice. If it does not make such a statement, the covered entity may still revise its privacy practices, but it may apply the revised practices only to protected health information created or obtained after the effective date of the notice in which the revised practices are reflected. See § 164.530(i) and the corresponding preamble discussion of requirements regarding changes to information policies and procedures.

Comment: Some commenters requested clarification of the term “material changes” so that entities will be comfortable that they act properly after making changes to their information practices. Some comments stated that entities should notify individuals whenever a new category of disclosures to be made without authorization is created.

Response: The concept of “material change” appears in other notice laws, such as the ERISA requirements for summary plan descriptions. We therefore retain the “materiality” condition for revision of notices, and encourage covered entities to draw on the concept as it has developed through those other laws. We agree that the addition of a new category of use or disclosure of health information that may be made without authorization

implement revised information policies and procedures before properly documenting the revisions and updating their notice. See § 164.530(i). Because in the final rule we require the notice to include all disclosures that may be made, not only those the covered entity intends to make, we no longer need this provision to accommodate emergencies.

Comment: Some comments suggested that we require covered entities to maintain a log of all past notices, with changes from the previous notice highlighted. They further suggested we require covered entities to post this log on their web sites.

Response: In accordance with § 164.530(j)(2), a covered entity must retain for six years a copy of each notice it issues. We do not require highlighting of changes to the notice or posting of prior notices, due to the associated administrative burdens and the complexity such a requirement would build into the notice over time. We encourage covered entities, however, to make such materials available upon request.

Comment: Several commenters requested clarification about when, relative to the compliance date, covered entities are required to produce their notice. One commenter suggested that covered entities be allowed a period not less than 180 days after adoption of the final rule to develop and distribute the notice. Other comments requested that the notice compliance date be consistent with other HIPAA regulations.

Response: We require covered entities to have a notice available upon request as of the compliance date of this rule (or the compliance date of the covered entity if such date is later). See § 164.534 and the corresponding preamble discussion of the compliance date.

Comment: Some commenters suggested that covered entities, particularly covered health care providers, should be required to discuss the notice with individuals. They argued that posting a notice or otherwise providing the notice in
the notice is to inform individuals of would likely qualify as a material writing may not achieve the goal of
their privacy rights, and of the purposes change. informing individuals of how their
for which protected health information Comment: We proposed to permit information will be handled, because
about them may be used or disclosed. covered entities to implement revised some individuals may not be literate or
Informing individuals that covered policies and procedures without first able to function at the reading level
entities may use and disclose only the revising the notice if a compelling used in the notice. Others argued that
minimum necessary protected health reason existed to do so. Some entities should have the flexibility to
information for a purpose would not commenters objected to this proposal choose alternative modes of
increase individuals’ understanding of because they were concerned that the communicating the information in the
their rights or the purposes for which ‘‘compelling reason’’ exception would notice, including voice disclosure. In
information may be used or disclosed. give covered entities broad discretion to contrast, some commenters were
Comment: A few commenters engage in post hoc violations of its own concerned that requirements to provide
supported allowing covered entities to information practices. the notice in plain language or in
apply changes in their information Response: We agree and eliminate this languages other than English would be
practices to protected health provision. Covered entities may not overly burdensome.


Response: We require covered entities to write the notice in plain language so that the average reader will be able to understand the notice. We encourage, but do not require, covered entities to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. While we believe the notice will prompt individuals to initiate discussions with their health plans and health care providers about the use and disclosure of health information, we believe this should be a matter left to each individual and that requiring covered entities to initiate discussions with each individual would be overly burdensome.

Comment: Some commenters suggested that covered entities, particularly health plans, should be permitted to distribute their notice in a newsletter or other communication with individuals.

Response: We agree, so long as the notice is sufficiently separate from other important documents. We therefore prohibit covered entities from combining the notice in a single document with either a consent (§ 164.506) or an authorization (§ 164.508), but do not otherwise prohibit covered entities from including the notice in or with other documents the covered entity shares with individuals.

Comment: Some comments suggested that covered entities should not be required to respond to requests for the notice from the general public. These comments indicated that the requirement would place an undue burden on covered entities without benefitting individuals.

Response: We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities' privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public.

Comment: Many commenters argued that the distribution requirements for health plans should be less burdensome. Some suggested requiring distribution upon material revision, but not every three years. Some suggested that health plans should only be required to distribute their notice annually or upon re-enrollment. Some suggested that health plans should only have to distribute their notice upon initial enrollment, not re-enrollment. Other commenters supported the proposed approach.

Response: We agree that the notice distribution requirements for health plans can be less burdensome than in the NPRM while still being effective. In the final rule, we reduce health plans' distribution burden in several ways. First, we require health plans to remind individuals every three years of the availability of the notice and of how to obtain a copy of the notice, rather than requiring the notice to be distributed every three years as proposed. Second, we clarify that health plans only have to distribute the notice to new enrollees on enrollment, not to current members of the health plan upon re-enrollment. Third, we specifically allow all covered entities to distribute the notice electronically in accordance with § 164.520(c)(3).

We retain the requirement for health plans to distribute the notice within 60 days of a material revision. We believe the revised distribution requirements will ensure that individuals are adequately informed of health plans' information practices and any changes to those procedures, without unduly burdening health plans.

Comment: Many commenters argued that health plans should not be required to distribute their notice to every person covered by the plan. They argued that distributing the notice to every family member would be unnecessarily duplicative, costly, and difficult to administer. They suggested that health plans only be required to distribute the notice to the primary participant or to each household with one or more insured individuals.

Response: We agree, and clarify in the final rule that a health plan may satisfy the distribution requirement by providing the notice to the named insured on behalf of the dependents of that named insured. For example, a group health plan may satisfy its notice requirement by providing a single notice to each covered employee of the plan sponsor. We do not require the group health plan to distribute the notice to each covered employee and to each covered dependent of those employees.

Comment: Many comments requested clarification about health plans' ability to distribute the notice via other entities. Some commenters suggested that group health plans should be able to satisfy the distribution requirement by providing copies of the notice to plan sponsors for delivery to employees. Others requested clarification that covered health care providers are only required to distribute their own notice and that health plans should be prohibited from using their affiliated providers to distribute the health plan's notice.

Response: We require health plans to distribute their notice to individuals covered by the health plan. Health plans may elect to hire or otherwise arrange for others, including group health plan sponsors and health care providers affiliated with the health plan, to carry out this distribution. We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule. However, if a covered entity arranges for another person or entity to distribute the covered entity's notice on its behalf and individuals do not receive such notice, the covered entity would be in violation of the rule.

Comment: Some comments stated that covered providers without direct patient contact, such as clinical laboratories, might not have sufficient patient contact information to be able to mail the notice. They suggested we require or allow such providers to form agreements with referring providers or other entities to distribute notices on their behalf or to include their practices in the referring entity's own notice.

Response: We agree with commenters' concerns about the potential administrative and financial burdens of requiring covered providers that have indirect treatment relationships with individuals, such as clinical laboratories, to distribute the notice. Therefore, we require these covered providers to provide the notice only upon request. In addition, these covered providers may elect to reach agreements with other entities to distribute their notice on their behalf, or to participate in an organized health care arrangement that produces a joint notice. See § 164.520(d) and the corresponding preamble discussion of joint notice requirements.

Comment: Some commenters requested that covered health care providers be permitted to distribute their notice prior to an individual's initial visit so that patients could review the information in advance of the visit. They suggested that distribution in advance would reduce the amount of time covered health care providers' staff would have to spend explaining the notice to patients in the office. Other comments argued that providers should


distribute their notice to patients at the time the individual visits the provider, because providers lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients.

Response: In the final rule, we clarify that covered providers with direct treatment relationships must provide the notice to patients no later than the first service delivery to the patient after the compliance date. For the reasons identified by these commenters, we do not require covered providers to send their notice to the patient in advance of the patient's visit. We do not prohibit distribution in advance, but only require distribution to the patient as of the time of the visit. We believe this flexibility will allow each covered provider to develop procedures that best meet its and its patients' needs.

Comment: Some comments suggested that covered providers should be required to distribute the notice as of the compliance date. They noted that if the covered provider waited to distribute the notice until first service delivery, it would be possible (pursuant to the rule) for a use or disclosure to be made without the individual's authorization, but before the individual receives the notice.

Response: Because health care providers generally lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients, we do not require covered providers to distribute the notice until the first service delivery after the compliance date. We acknowledge that this policy allows uses and disclosure of health information without individuals' consent or authorization before the individual receives the notice. We require covered entities, including covered providers, to have the notice available upon request as of the compliance date of the rule. Individuals may request a copy of the notice from their provider at any time.

Comment: Many commenters were concerned with the requirement that covered providers post their notice. Some commenters suggested that covered hospital-based providers should be able to satisfy the distribution requirements by posting their notice in multiple locations at the hospital, rather than handing the notice to patients—particularly with respect to distribution after material revisions have been made. Some additionally suggested that these covered providers should have copies of the notice available on site. Some commenters emphasized that the notice must be clear and conspicuous to give individuals meaningful and effective notice of their rights. Other commenters noted that posting the notice will not inform former patients who no longer see the provider.

Response: We clarify in the final rule that the requirement to post a notice does not substitute for the requirement to give individuals a notice or make notices available upon request. Covered providers with direct treatment relationships, including covered hospitals, must give a copy of the notice to the individual as of first service delivery after the compliance date. After giving the individual a copy of the notice as of that first visit, the covered provider has no other obligation to actively distribute the notice. We believe it is unnecessarily burdensome to require covered providers to mail the notice to all current and former patients each time the notice is revised, because unlike health plans, providers may have a difficult time identifying active patients. All individuals, including those who no longer see the covered provider, have the right to receive a copy of the notice on request.

If the covered provider maintains a physical delivery site, it must also post the notice (including revisions to the notice) in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered provider to be able to read the notice. The covered provider must also have the notice available on site for individuals to be able to request and take with them.

Comment: Some comments requested clarification about the distribution requirements for a covered entity that is a health plan and a covered health care provider.

Response: Under § 164.504(g), discussed above, covered entities that conduct multiple types of covered functions, such as the kind of entities described in the above comments, are required to comply with the provisions applicable to a particular type of health care function when acting in that capacity. Thus, in the example described above, the covered entity is required by § 164.504(g) to follow the requirements for health plans with respect to its actions as a health plan and to follow the requirements for health care providers with respect to its actions as a health care provider.

Comment: We received many comments about the ability of covered entities to distribute their notices electronically. Many commenters suggested that we permit covered entities to distribute the notice electronically, either via a web site or e-mail. They argued that covered entities are increasingly using electronic technology to communicate with patients and otherwise administer benefits. They also noted that other regulations permit similar documents, such as ERISA-required summary plan descriptions, to be delivered electronically. Some commenters suggested that electronic distribution should be permitted unless the individual specifically requests a hard copy or lacks electronic access. Some argued that entities should be able to choose a least-cost alternative that allows for periodic changes without excessive mailing costs. A few commenters suggested requiring covered entities to distribute notices electronically.

Response: We clarify in the final rule that covered entities may elect to distribute their notice electronically, provided the individual agrees to receiving the notice electronically and has not withdrawn such agreement. We do not require any particular form of agreement. For example, a covered provider could ask an individual at the time the individual requests a copy of the notice whether she prefers to receive it in hard copy or electronic form. A health plan could ask an individual applying for coverage to provide an e-mail address where the health plan can send the individual information. If the individual provides an e-mail address, the health plan can infer agreement to obtain information electronically.

An individual who has agreed to receive the notice electronically, however, retains the right to request a hard copy of the notice. This right must be described in the notice. In addition, if the covered entity knows that electronic transmission of the notice has failed, the covered entity must produce a hard copy of the notice. We believe this provision allows covered entities flexibility to provide the notice in the form that best meets their needs without compromising individuals' right to adequate notice of covered entities' information practices.

We note that covered entities may also be subject to the Electronic Signatures in Global and National Commerce Act. This rule is not intended to alter covered entities' requirements under that Act.

Comment: Some commenters were concerned that covered providers with "face-to-face" patient contact would have a competitive disadvantage against covered internet-based providers, because the face-to-face providers would be required to distribute the notice in hard copy while internet-based providers could satisfy the requirement


by requiring review of the notice on the web site before processing an order. They suggested allowing face-to-face covered providers to satisfy the distribution requirement by asking patients to review the notice posted on site.

Response: We clarify in the final rule that covered health care providers that provide services to individuals over the internet have direct treatment relationships with those individuals. Covered internet-based providers, therefore, must distribute the notice at the first service delivery after the compliance date by automatically and contemporaneously providing the notice electronically in response to the individual's first request for service, provided the individual agrees to receiving the notice electronically.

Even though we require all covered entity web sites to post the entity's notice prominently, we note that such posting is not sufficient to meet the distribution requirements. A covered internet-based provider must send the notice electronically at the individual's first request for service, just as other covered providers with direct treatment relationships must give individuals a copy of the notice as of the first service delivery after the compliance date.

We do not intend to create competitive advantages among covered providers. A web-based and a non-web-based covered provider each have the same alternatives available for distribution of the notice. Both types of covered providers may provide either a paper copy or an electronic copy of the notice.

Comment: We received several comments suggesting that some covered entities should be exempted from the notice requirement or permitted to combine notices with other covered entities. Many comments argued that the notice requirement would be burdensome for hospital-based physicians and result in numerous, duplicative notices that would be meaningless or confusing to patients. Other comments suggested that multiple health plans offered through the same employer should be permitted to produce a single notice.

Response: We retain the requirement for all covered health care providers and health plans to produce a notice of information practices. Health care clearinghouses are required to produce a notice of information practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity. See § 164.500(b)(2). Two other types of covered entities are not required to produce a notice: a correctional institution that is a covered entity and a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs.

We clarify in § 164.504(d), however, that affiliated covered entities under common ownership or control may designate themselves as a single covered entity for purposes of this rule. An affiliated covered entity is only required to produce a single notice.

In addition, covered entities that participate in an organized health care arrangement—which could include hospitals and their associated physicians—may choose to produce a single, joint notice, if certain requirements are met. See § 164.501 and the corresponding preamble discussion of organized health care arrangements.

We clarify that each covered entity included in a joint notice must meet the applicable distribution requirements. If any one of the covered entities, however, provides the notice to a given individual, the distribution requirement with respect to that individual is met for all of the covered entities included in the joint notice. For example, a covered hospital and its attending physicians may elect to produce a joint notice. When an individual is first seen at the hospital, the hospital must provide the individual with a copy of the joint notice. Once the hospital has done so, the notice distribution requirement for all of the attending physicians that provide treatment to the individual at the hospital and that are included in the joint notice is satisfied.

Comment: We solicited and received comments on whether to require covered entities to obtain the individual's signature on the notice. Some commenters suggested that requiring a signature would convey the importance of the notice, would make it more likely that individuals read the notice, and could have some of the same benefits of a consent. They noted that at least one state already requires entities to make a reasonable effort to obtain a signed notice. Other comments noted that the signature would be useful for compliance and risk management purposes because it would document that the individual had received the notice.

The majority of commenters on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for covered entities that do not have direct contact with patients, inconsistent with other notice requirements under other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.

Response: We agree with the majority of commenters and do not require covered entities to obtain the individual's signed acknowledgment of receipt of the notice. We believe that we satisfied most of the arguments in support of requiring a signature with the new policy requiring covered health care providers with direct treatment relationships to obtain a consent for uses and disclosures of protected health information to carry out treatment, payment, and health care operations. See § 164.506 and the corresponding preamble discussion of consent requirements. We note that this rule does not preempt other applicable laws that require a signed notice and does not prohibit a covered entity from requesting an individual to sign the notice.

Comment: Some commenters supported requiring covered entities to adhere to their privacy practices, as described in their notice. They argued that the notice is meaningless if a covered entity does not actually have to follow the practices contained in its notice. Other commenters were concerned that the rule would prevent a covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission from its published notice. Some of these commenters suggested requiring the notice to include a description of some or all disclosures that are required or permitted by law. Some commenters stated that the adherence requirement should be eliminated because it would generally inhibit covered entities' ability to innovate and would be burdensome.

Response: We agree that the value of the notice would be significantly diminished absent a requirement that covered entities adhere to the statements they make in their notices. We therefore retain the requirement for covered entities to adhere to the terms of the notice. See § 164.502(i).

Many of these commenters' concerns regarding a covered entity's inability to use or disclose protected health information due to an intentional or inadvertent omission from the notice are addressed in our revisions to the proposed content requirements for the notice. Rather than require covered entities to describe only those uses and


disclosures they anticipate making, as proposed, we require covered entities to describe all uses and disclosures they are required or permitted to make under the rule without the individual's consent or authorization. We permit a covered entity to provide a statement that it will disclose protected health information that is otherwise required by law, as permitted in § 164.512(a), without requiring them to list all state laws that may require disclosure. Because the notice must describe all legally permissible uses and disclosures, the notice will not generally preclude covered entities from making any uses or disclosures they could otherwise make without individual consent or authorization. This change will also ensure that individuals are aware of all possible uses and disclosures that may occur without their consent or authorization, regardless of the covered entity's current practices.

We encourage covered entities, however, to additionally describe the more limited uses and disclosures they actually anticipate making in order to give individuals a more accurate understanding of how information about them will be shared. We expect that certain covered entities will want to distinguish themselves on the basis of their privacy protections. We note that a covered entity that chooses to exercise this option must clearly state that, at a minimum, the covered entity may make disclosures that are required by law and that are necessary to avert a serious and imminent threat to health or safety.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Section 164.522(a)—Right of an Individual To Request Restriction of Uses and Disclosures

Comment: Several commenters supported the language in the NPRM regarding the right to request restrictions. One commenter specifically stated that this is a balanced approach that addresses the needs of the few who would have reason to restrict the disclosures without negatively affecting the majority of individuals. At least one commenter explained that if we required consent or authorization for use and disclosure of protected health information for treatment, payment, and health care operations then we must also have a right to request restrictions of such disclosure in order to make the consent meaningful.

commenters that presented this position asserted that the framework of giving patients control over the use or disclosure of their information is contrary to good patient care because incomplete medical records may lead to medical errors, misdiagnoses, or inappropriate treatment decisions. Other commenters asserted that covered entities need complete data sets on the populations they serve to effectively conduct research and quality improvement projects and that restrictions would hinder research, skew findings, impede quality improvement, and compromise accreditation and performance measurement.

Response: We acknowledge that widespread restrictions on the use and disclosure of protected health information could result in some difficulties related to payment, research, quality assurance, etc. However, in our efforts to protect the privacy of health information about individuals, we have sought a balance in determining the appropriate level of individual control and the smooth operation of the health care system. In the final rule, we require certain covered providers and permit all covered entities to obtain consent from individuals for use and disclosure of protected health information for treatment, payment, and health care operations (see § 164.506). In order to give individuals some control over their health information for uses and disclosures of protected health information for treatment, payment, and health care operations, we provide individuals with the opportunity to request restrictions of such uses and disclosures.

Because the right to request restrictions encourages discussions about how protected health information may be used and disclosed and about an individual's concerns about such uses and disclosures, it may improve communications between a provider and patient and thereby improve care. According to a 1999 survey on the Confidentiality of Medical Records by California HealthCare Foundation, one out of every six people engage in behavior to protect themselves from unwanted disclosures of health information, such as lying to providers or avoiding seeking care. This indicates that, without the ability to request restrictions, individuals would have incentives to remain silent about important health information that could have an effect on their health and health

many state laws restrict disclosures for certain types of health information without patient's authorization. Even if there is no mandated requirement to restrict disclosures of health information, providers may agree to requests for restrictions of disclosures when a patient expresses particular sensitivity and concern for the disclosure of health information.

We agree that there may be instances in which a restriction could negatively affect patient care. Therefore, we include protections against this occurrence. First, the right to request restrictions is a right of individuals to make the request. A covered entity may refuse to restrict uses and disclosures or may agree only to certain aspects of the individual's request if there is concern for the quality of patient care in the future. For example, if a covered provider believes that it is not in the patient's best medical interest to have such a restriction, the provider may discuss the request for restriction with the patient and give the patient the opportunity to explain the concern for disclosure. Also, a covered provider who is concerned about the implications on future treatment can agree to use and disclose sensitive protected health information for treatment purposes only and agree not to disclose information for payment and operation purposes. Second, a covered provider need not comply with a restriction that has been agreed to if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. This exception should limit the harm to health that may otherwise result from restricting the use or disclosure of protected health information. We encourage covered providers to discuss with individuals that the information may be used or disclosed in emergencies. We require that the covered entity that discloses restricted protected health information in an emergency request that the health care provider that receives such information not further use or re-disclose the information.

Comment: Some health plans stated that an institutionalized right to restrict can interfere with proper payment and can make it easier for unscrupulous providers or patients to commit fraud on insurance plans. They were concerned that individuals could enter into restrictions with providers to withhold
Many commenters requested that we care, rather than consulting a health information to insurance companies so
delete this provision, claiming it would care provider. that the insurance company would not
interfere with patient care, payment, Further, this policy is not a dramatic know about certain conditions when
and data integrity. Most of the change from the status quo. Today, underwriting a policy.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00266 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82727

Response: This rule does not enhance protection may be impossible. Others the information for treatment. If the
the ability of unscrupulous patients or stated that the administrative burden individual does not agree to terminate
health care providers to engage in would make providers unable to or modify the restriction, however, the
deceptive or fraudulent withholding of accommodate restrictions, and would provider must continue to honor the
information. This rule grants a right to therefore give patients false expectations restriction with respect to protected
request a restriction, not an absolute that their right to request restrictions health information that was created or
right to restrict. Individuals can make may be acted upon. One commenter received subject to the restriction. We
such requests today. Other laws expressed concern that large covered note that if the restricted protected
criminalize insurance fraud; this providers would have a particularly health information is needed to provide
regulation does not change those laws. difficult time establishing a policy emergency treatment to the individual
Comment: One commenter asserted whereby the covered entity could agree who requested the restriction, the
that patients cannot anticipate the to restrictions and would have an even covered entity may use or disclose such
significance that one aspect of their more difficult time implementing the information for such treatment.
medical information will have on restrictions since records may be kept in Comment: Commenters asked that we
treatment of other medical conditions, multiple locations and accessed by require covered entities to keep an
and therefore, allowing them to restrict multiple people within the organization. accounting of the requests for
use or disclosure of some information is Still other commenters believed that the restrictions and to report this
contrary to the patient’s best interest. right to request restrictions would invite information to the Department in order
Response: We agree that patients may argument, delay, and litigation. for the Department to determine
find it difficult to make such a calculus, Response: We do not believe that this whether covered entities are showing
and that it is incumbent on health care requirement is a significant change from ‘‘good faith’’ in dealing with these
providers to help them do so. Health current practice. Providers already requests.
care providers may deny requests for or respond to requests by patients Response: We require that covered
limit the scope of the restriction regarding sensitive information, and are entities that agree to restrictions with
requested if they believe the restriction subject to state law requirements not to individuals document such restrictions.
is not in the patient’s best interest. disclose certain types of information A covered entity must retain such
Comment: One commenter asked without authorization. This right to documentation for six years from the
whether an individual’s restriction to request is permissive so that covered date of its creation or the date when it
disclosure of information will be a bar entities can balance the needs of last was in effect, whichever is later. We
to liability for misdiagnosis or failure to particular individuals with the entity’s do not require covered entities to keep
diagnose by a covered entity who can ability to manage specific a record of all requests made, including
trace its error back to the lack of accommodations. those not agreed to, nor that they report
information resulting from such Comment: Some commenters were such requests to the Department. The
restriction. concerned that a covered entity would decision to agree to restrictions is that
Response: Decisions regarding agree to a restriction and then realize of the covered entity. Because there is
liability and professional standards are later that the information must be no requirement to agree to a restriction,
determined by state and other law. This disclosed to another caregiver for there is no reason to impose the burden
rule does not establish or limit liability important medical care purposes. to document requests that are denied.
for covered entities under those laws. Response: Some individuals seek Any reporting requirement could
We expect that the individual’s request treatment only on the condition that undermine the purpose of this provision
to restrict the disclosure of their information about that treatment will by causing the sharing, or appearance of
protected health information would be not be shared with others. We believe it sharing, of information for which
considered in the decision of whether or is necessary and appropriate, therefore, individuals are seeking extra protection.
not a covered entity is liable. that when a covered provider agrees to Comment: One commenter asserted
Comment: One commenter requested such a restriction, the individual must that providers that currently allow such
that we allow health plans to deny be able to rely on that promise. We restrictions will choose not to do so
coverage or reimbursement when a strongly encourage covered providers to under the rule based on the guidance of
covered health care provider’s consider future treatment implications legal counsel and loss prevention
agreement to restrict use or disclosure of agreeing to a restriction. We managers, and suggested that the
prevents the plan from getting the encourage covered entities to inform Secretary promote competition among
information that is necessary to others of the existence of a restriction providers with respect to privacy by
determine eligibility or coverage. when appropriate, provided that such developing a third-party ranking
Response: In this rule, we do not notice does not amount to a de facto mechanism.
modify insurers’ rules regarding disclosure of the restricted information. Response: We believe that providers
information necessary for payment. We If the covered provider subject to the will do what is best for their patients,
recognize that restricting the disclosure restriction believes that disclosing the in accordance with their ethics codes,
of information may result in a denial of protected health information that was and will continue to find ways to
payment. We expect covered providers created or obtained subject to the accommodate requested restrictions
to explain this possibility to individuals restriction is necessary to avert harm when they believe that it is in the
when considering their requests for (and it is not for emergency treatment), patients’ best interests. We anticipate
restrictions and to make alternative the provider must ask the individual for that providers who find such action to
payment arrangements with individuals permission to terminate or modify the be of commercial benefit will notify
if necessary. restriction. If the individual agrees to consumers of their willingness to be
Comment: Some commenters the termination of the restriction, the responsive to such requests. Involving
discussed the administrative burden provider must document this third parties could undermine the
and cost of the requirement that termination by noting this agreement in purpose of this provision, by causing
individuals have the right to request the medical record or by obtaining a the sharing, or appearance of sharing, of
restrictions and that trying to segregate written agreement of termination from information for which individuals are
certain portions of information for the individual and may use or disclose seeking extra protection.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00267 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82728 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Comment: One commenter said that individual’s care in accordance with the to abide by a restriction would be
any agreement regarding patient- rule will be enforceable under the rule. tantamount to forcing them to agree to
requested restrictions should be in Comment: A few commenters raised a request to which they otherwise may
writing before a covered provider would the question of the effect of a restriction not have agreed. Second, some covered
be held to standards for compliance. agreed to by one covered entity that is entities have information systems which
Response: We agree that agreed to part of a larger covered entity, will allow them to accommodate such
restrictions must be documented in particularly a hospital. Commenters requests, while others do not. If the
writing, and we require that covered were also concerned about who may downstream provider is in the latter
entities that agree to restrictions speak on behalf of the covered entity. category, the administrative burden of
document those restrictions in Response: All covered entities are such a requirement would be
accordance with § 164.530(j). The required to establish policies and unmanageable.
writing need not be formal; a notation procedures for providing individuals We encourage covered entities to
in the medical record will suffice. We the right to request restrictions, explain this limitation to individuals
disagree with the request that an agreed including policies for who may agree to when they agree to restrictions, so
to restriction be reduced to writing in such restrictions on the covered entity’s individuals will understand that they
order to be enforced. If we adopted the behalf. Hospitals and other large entities need to ask all their health plans and
requested policy, a covered entity could that are concerned about employees providers for desired restrictions. We
agree to a restriction with an individual, agreeing to restrictions on behalf of the also require that a covered entity that
but avoid being held to this agreed to organization will have to make sure that discloses protected health information
restriction under the rule by failing to their policies are communicated to a health care provider for emergency
document the restriction. This would appropriately to those employees. The treatment, in accordance with § 164.522
give a covered entity the opportunity to circumstances under which members of (a)(iii), to request that the recipient not
agree to a restriction and then, at its sole a covered entity’s workforce can bind further use or disclose the information.
discretion, determine if it is enforceable the covered entity are a function of Comment: One commenter requested
by deciding whether or not to make a other law, not of this regulation.
that agreed-to restrictions of a covered
note of the restriction in the record Comment: Commenters expressed
entity not be applied to business
about the individual. Because the confusion about the intended effect of
any agreed-upon restrictions on associates.
covered entity has the ability to agree or
downstream covered entities. They Response: As stated in § 164.504(e)(2),
fail to agree to a restriction, we believe
asserted that it would be extremely business associates are acting on behalf
that once the restriction is agreed to, the
difficult for a requested restriction to be of, or performing services for, the
covered entity must honor the
followed through the health care system covered entity and may not, with two
agreement. Any other result would be
and that it would be unfair to hold narrow exceptions, use or disclose
deceptive to the individual and could
covered entities to a restriction when protected health information in a
lead an individual to disclose health
they did not agree to such restriction. manner that would violate this rule if
information under the assumption that
Specifically, commenters asked whether done by the covered entity. Business
the uses and disclosures will be
a covered provider that receives associates are agents of the covered
restricted. Under § 164.522, a covered
entity could be found to be in violation protected health information in entity with respect to protected health
of the rule if it fails to put an agreed- compliance with this rule from a information they obtain through the
upon restriction in writing and also if it physician or medical group that has business relationship. If the covered
uses or discloses protected health agreed to limit certain uses of the entity agrees to a restriction and,
information inconsistent with the information must comply with the therefore, is bound to such restriction,
restriction. original restriction. Other commenters the business associate will also be
Comment: Some commenters said that expressed concern that not applying a required to comply with the restriction.
the right to request restrictions should restriction to downstream covered If the covered entity has agreed to a
be extended to some of the uses and entities is a loophole and that all restriction, the satisfactory assurances
disclosures permitted without downstream covered providers and from the business associate, as required
authorization in § 164.510 of the NPRM, health plans should be bound by the in § 164.504(e), must include assurances
such as disclosures to next of kin, for restrictions. that protected health information will
judicial and administrative proceedings, Response: Under the final rule, a not be used or disclosed in violation of
for law enforcement, and for restriction that is agreed to between an an agreed to restriction.
governmental health data systems. individual and a covered entity is only Comment: One commenter requested
Other commenters said that these uses binding on the covered entity that clarification that the right to request
and disclosures should be preserved agreed to the restriction and not on restrictions cannot be used to restrict
without an opportunity for individuals downstream entities. It would also be the creation of de-identified
to opt out. binding on any business associate of the information.
Response: We have not extended the covered entity since a business associate Response: We found no reason to treat
right to request restrictions under this can not use or disclose protected health the use of protected health information
rule to disclosures permitted in information in any manner that a to create de-identified information
§ 164.512 of the final rule. However, we covered entity would not be permitted different from other uses of protected
do not preempt other law that would to use or disclose such information. We health information. The right to request
enforce such agreed-upon restrictions. realize that this may limit the ability of restriction applies to any use or
As discussed in more detail, above, we an individual to successfully restrict a disclosure of protected health
have extended the right to request use or disclosure under all information to carry out treatment,
restrictions to disclosures to persons circumstances, but we take this payment, or health care operations. If
assisting in the individual’s care, such approach for two reasons. First, we the covered entity uses protected health
as next of kin, under § 164.510(b). Any allow covered entities to refuse information to create de-identified
restriction that a covered entity agrees to individuals’ requests for restrictions. information, the covered entity need not
with respect to persons assisting in the Requiring downstream covered entities agree to a restriction of this use.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00268 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82729

Comment: Some commenters stated they believe is particularly sensitive. If accommodations may be requested as
that individuals should be given a true a covered entity would like to revoke or well, such as requesting that a covered
right to restrict uses and disclosures of modify an agreed-upon restriction, the provider never contact the individual by
protected health information in certain covered entity must renegotiate the a phone, but only contact her by
defined circumstances (such as for agreement with the individual. If the electronic mail. A provider must
sensitive information) rather than a right individual agrees to modify or terminate accommodate an individual’s request
to request restrictions. the restriction, the covered entity must for confidential communications, under
Response: We are concerned that a get written agreement from the this section, without requiring an
right to restrict could create conflicts individual or must document the oral explanation as to the reason for the
with the professional ethical obligations agreement. If the individual does not request as a condition of
of providers and others. We believe it is agree to terminate or modify the accommodating the request. The
better policy to allow covered entities to restriction, the covered entity must individual does not need to be in an
refuse to honor restrictions that they inform the individual that it is abusive situation to make such requests
believe are not appropriate and leave modifying or terminating its agreement of a covered provider. The only
the individual with the option of to the restriction and any modification conditions that a covered provider may
seeking service from a different covered or termination would apply only with place on an individual is that the
entity. In addition, many covered respect to protected health information request be reasonable with respect to the
entities have information systems that created or received after the covered administrative burden on the provider,
would make it difficult or impossible to entity informed the individual of the the request to be in writing, the request
accommodate certain restrictions. termination. Any protected health specify an alternative address or other
Comment: Some commenters information created or received during method of contact, and that (where
requested that self-pay patients have the time between when the restriction relevant) the individual provide
additional rights to restrict protected was agreed to and when the covered information about how payment will be
health information. Others believed that entity informed the individual or such handled. What is reasonable may vary
this policy would result in de facto modification or termination remains by the size or type of covered entity;
discrimination against those patients subject to the restriction. however, additional modest cost to the
that could not afford to pay out-of- Comment: Many commenters provider would not be unreasonable.
pocket. advocated for stronger rights to request An individual also has a right to
Response: Under the final rule, the restrictions, particularly that victims of restrict communications from a health
decision whether to tie an agreement to domestic violence should have an plan. The right is the same as with
restrict to the way the individual pays absolute right to restrict disclosure of covered providers except it is limited to
for services is left to each covered information. cases where the disclosure of
entity. We have not provided self-pay Response: We address restrictions for information could endanger the
patients with any special rights under disclosures in two different ways, the individual. A health plan may require
the rule. right to request restrictions an individual to state this fact as a
Comment: Some commenters (§ 164.522(a)) and confidential condition of accommodating the
suggested that we require restrictions to communications (§ 164.522(b)). We have individual’s request for confidential
be clearly noted so that insurers and provided all individuals with a right to communications. This would provide
other providers would be aware that request restrictions on uses or victims of domestic violence the right to
they were not being provided with disclosures of treatment, payment, and control such disclosures.
complete information. health care operations. This is not an Comment: Commenters opposed the
Response: Under the final rule, we do absolute right to restrict. Covered provision of the NPRM
not require or prohibit a covered entity entities are not required to agree to (§ 164.506(c)(1)(ii)(B)) stating that an
to note the existence of an omission of requested restrictions; however, if they individual’s right to request restrictions
information. We encourage covered do, the rule would require them to act on use or disclosure of protected health
entities to inform others of the existence in accordance with the restrictions. (See information would not apply in
of a restriction, in accordance with the preamble regarding § 164.522 for a emergency situations as set forth in
professional practice and ethics, when more comprehensive discussion of the proposed § 164.510(k). Commenters
appropriate to do so. In deciding right to request restrictions.) asserted that victims who have been
whether or not to disclose the existence In the final rule, we create a new harmed by violence may first turn to
of a restriction, we encourage the provision that provides individuals with emergency services for help and that, in
covered entity to carefully consider a right to confidential communications, such situations, the victim should be
whether disclosing the existence is in response to these comments. This able to request that the perpetrator not
tantamount to disclosure of the provision grants individuals with a right be told of his or her condition or
restricted protected health information to restrict disclosures of information whereabouts.
so as to not violate the agreed to related to communications made by a Response: We agree with some of the
restriction. covered entity to the individual, by commenters’ concerns. In the final rule,
Comment: A few commenters said allowing the individual to request that the right to request restrictions is
that covered entities should have the such communications be made to the available to all individuals regardless of
right to modify or revoke an agreement person at an alternative location or by the circumstance or the setting in which
to restrict use or disclosure of protected an alternative means. For example, a the individual is obtaining care. For
health information. woman who lives with an abusive man example, an individual that seeks care
Response: We agree that, as and is concerned that his knowledge of in an emergency room has the same
circumstances change, covered entities her health care treatment may lead to right to request a restriction as an
should be able to revisit restrictions to additional abuse can request that any individual seeking care in the office of
which they had previously agreed. At mail from the provider be sent to a a covered physician.
the same time, individuals should be friend’s home or that telephone calls by However, we continue to permit a
able to rely on agreements to restrict the a covered provider be made to her at covered entity to disclose protected
use or disclosure of information that work. Other reasonable health information to a health care

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00269 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82730 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

provider in an emergency treatment surrounding disclosure of protected absolute and not contingent on the
situation if the restricted protected health information about victims of reason for the request because we
health information is needed to provide abuse, neglect, and domestic violence. wanted to make it relatively easy for
the emergency treatment or if the victims of domestic violence, who face
Section 164.522(b)—Confidential
disclosure is necessary to avoid serious real safety concerns by disclosures of
Communications Requirements
and imminent threats to public health health information, to limit the potential
and safety. Although we understand the Comment: Several commenters for such disclosures.
concern of the commenters, we believe requested that we add a new section to The standard we created for health
that these exceptions are limited and prevent disclosure of sensitive health plans is different from the requirement
will not cause a covered entity to care services to members of the patient’s for covered providers, in that we only
disclose information to a perpetrator of family through communications to the require health plans to make requested
a crime. We are concerned that a individual’s home, such as appointment accommodations for confidential
covered provider would be required to notices, confirmation or scheduling of communications when the individual
delay necessary care if a covered entity appointments, or mailing a bill or asserts that disclosure could be
had to determine if a restriction exists explanation of benefits, by requiring dangerous to the individual. We address
at the time of such emergency. Even if covered entities to agree to correspond health plan requirements in this way
a covered entity knew that there was a with the patient in another way. Some because health plans are often issued to
restriction, we permitted this limited commenters stated that this is necessary a family member (the employee), rather
exception for emergency situations in order to protect inadvertent than to each individual member of a
because, as we had stated in the disclosure of sensitive information and family, and therefore, health plans tend
preamble for § 164.506 of the NPRM, an to protect victims of domestic violence to communicate with the named insured
emergency situation may not provide from disclosure to an abuser. A few rather than with individual family
sufficient opportunity for a patient and commenters suggested that a covered members. Requiring plans to
health care provider to discuss the entity should be required to obtain an accommodate a restriction for one
potential implications of restricting use individual’s authorization prior to individual could be administratively
and disclosure of protected health communicating with the individual at more difficult than it is for providers
information on that emergency. We also the individual’s home with respect to that regularly communicate with
believe that the importance of avoiding health care relating to sensitive subjects individuals. However, in the case of
such as reproductive health, sexually domestic violence or potential abuse,
serious and imminent threats to health
transmissible diseases, substance abuse the level of harm that can result from a
and safety and the ethical and legal
or mental health. disclosure of protected health
obligations of covered health care Response: We agree with commenters’
providers’ to make disclosures for these information tips the balance in favor of
concerns regarding covered entities’ requiring such restriction to prevent
purposes is so significant that it is not communications with individuals. We
appropriate to apply the right to request inadvertent disclosure. We have
created a new provision, § 164.522(b), to adopted the policy recommended by the
restrictions on such disclosures. address confidential communications by National Association of Insurance
We note that we have included other covered entities. This provision gives Commissioners in the Health
provisions in the final rule intended to individuals the right to request that they Information Policy Model Act (1998) as
avoid or minimize harm to victims of receive communications from covered this best reflects the balance of the
domestic violence. Specifically, we entities at an alternative address or by appropriate level of regulation of the
include provisions in the final rule that an alternative means, regardless of the industry compared with the need to
allow individuals to opt out of certain nature of the protected health protect individuals from harm that may
types of disclosures and require covered information involved. Covered result from inadvertent disclosure of
entities to use professional judgment to providers are required to accommodate information. This policy is also
determine whether disclosure of reasonable requests by individuals and consistent with recommendations made
protected health information is in a may not require the individual to in the Family Violence Prevention
patient’s best interest (see § 164.510(a) explain the basis for the request as a Fund’s publication ‘‘Health Privacy
on use and disclosure for facility condition of accommodation. Health Principles for Protecting Victims of
directories and § 164.510(b) on uses and plans are required to accommodate Domestic Violence’’ (October 2000). Of
disclosures for assisting in an reasonable requests by individuals as course, health plans may accommodate
individual’s care and notification well; however, they may require the requests for confidential
purposes). Although an agreed to individual to provide a statement that communications without requiring a
restriction under § 164.522 would apply disclosure of the information could statement that the individual would be
to uses and disclosures for assisting in endanger the individual, and they may in danger from disclosure of protected
an individual’s care, the opt out condition the accommodation on the health information.
provision in § 164.510(b) can be more receipt of such statement. Comment: One commenter requested
helpful to a person who is a victim of Under the rule, we have required that we create a standard that all
domestic violence because the covered providers to accommodate information from a health plan be sent
individual can opt out of such requests for communications to to the patient and not the policyholder
disclosure without obtaining the alternative addresses or by alternative or subscriber.
agreement of the covered provider. We means, regardless of the reason, to limit Response: We require health plans to
permit a covered entity to elect not to risk of harm. Providers have more accommodate certain requests that
treat a person as a personal frequent one-on-one communications information not be sent to a particular
representative (see § 164.502(g)) or to with patients, making the safety location or by particular means. A
deny access to a personal representative concerns from an inadvertent disclosure health plan must accommodate
(see § 164.524(a)(3)(iii)) where there are more substantial and the need for reasonable requests by individuals that
concerns related to abuse. We also confidential communications more protected health information about them
include a new § 164.512(c) which compelling. We have made the be sent directly to them and not to a
recognizes the unique circumstances requirement for covered providers policyholder or subscriber, if the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00270 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82731

individual states that he or she may be of information, but also with the individual. (See § 164.502(g)(5)
in danger from disclosure of such individual and the particular situation regarding personal representatives.)
information. We did not generally faced by the individual. This is • Covered entities may deny access to
require health plans to send information demonstrated by the different types of protected health information when there
to the patient and not the policyholder information that commenters singled are concerns that the access may result
or subscriber because we believed it out as meriting special protection, and in varying levels of harm. (See
would be administratively burdensome in the great variation among state laws § 164.524(a)(3) regarding denial of
and because the named insured may in defining and protecting sensitive access.)
have a valid need for such information information. Most states have a law • Covered health care providers may,
to manage payment and benefits. providing heightened protection for in some circumstances and consistent
some type of health information. with any known prior preferences of the
Sensitive Subjects individual, exercise professional
However, even though most states have
Comment: Many commenters considered the issue of sensitive judgment in the individual’s best
requested that additional protections be information, the variation among states interest to not disclose directory
placed on sensitive information, in the type of information that is information. (See § 164.510(a) regarding
including information regarding HIV/ specially protected and the directory information.)
AIDS, sexually transmitted diseases, requirements for permissible disclosure • Covered entities may, in some
mental health, substance abuse, of such information demonstrates that circumstances, exercise professional
reproductive health, and genetics. Many there is no national consensus. judgment in the individual’s best
requested that we ensure the regulation Where, as in this case, most states interest to limit disclosure to persons
adequately protects victims of domestic have acted and there is no predominant assisting in the individual’s care. (See
violence. They asserted that the concern rule that emerges from the state § 164.510(b) regarding persons assisting
for discrimination or stigma resulting experience with this issue, we have in the individual’s care.)
from disclosure of sensitive health decided to let state law predominate. This approach allows for state law
information could dissuade a person The final rule only provides a floor of and personal variation in this area.
from seeking needed treatment. Some The only type of protected health
protection for health information and
commenters noted that many state laws information that we treat with
does not preempt state laws that provide
provide additional protections for heightened protection is psychotherapy
greater protection than the rule. Where
various types of information. They notes. We provide a different level of
states have decided to treat certain
requested that we develop federal protection because they are unique
information as more sensitive than other
standards to have consistent rules types of protected health information
information, we do not preempt those
regarding the protection of sensitive that typically are not used or required
laws.
information to achieve the goals of cost for treatment, payment, or health care
savings and patient protection. Others To address the variation in the
operations other than by the mental
requested that we require patient sensitivity of protected health
health professional that created the
consent or special authorization before information without defining specially
notes. (See § 164.508(a)(2) regarding
certain types of sensitive information sensitive information, we incorporate
psychotherapy notes.)
was disclosed, even for treatment, opportunities for individuals and
payment, and health care operations, covered entities to address specific Section 164.524—Access of Individuals
and some thought we should require a sensitivities and concerns about uses to Protected Health Information
separate request for each disclosure. and disclosures of certain protected Comment: Some commenters
Some commenters requested that the health information that the patient and recommended that there be no access to
right to request restrictions be replaced provider believe are particularly disease registries.
with a requirement for an authorization sensitive, as follows: Response: Most entities that maintain
for specific types of sensitive • Covered entities are required to disease registries are not covered
information. There were provide individuals with notice of their entities under this regulation; examples
recommendations that we require privacy practices and give individuals of such non-covered entities are public
covered entities to develop internal the opportunity to request restrictions of health agencies and pharmaceutical
policies to address sensitive the use and disclosure of protected companies. If, however, a disease
information. health information by the covered registry is maintained by a covered
Other commenters argued that entity. (See § 164.522(a) regarding right entity and is used to make decisions
sensitive information should not be to request restrictions.) about individuals, this rule requires the
segregated from the record because it • Individuals have the right to covered entity to provide access to
may limit a future provider’s access to request, and in some cases require, that information about a requesting
information necessary for treatment of communications from the covered entity individual unless one of the rule’s
the individual and it could further to them be made to an alternative conditions for denial of access is met.
stigmatize a patient by labeling him or address or by an alternative means than We found no persuasive reasons why
her as someone with sensitive health the covered entity would otherwise use. disease registries should be given
care issues. These commenters further (See § 164.522(b) regarding confidential special treatment compared with other
maintained that segregation of particular communications.) information that may be used to make
types of information could negatively • Covered entities have the decisions about an individual.
affect analysis of community needs, opportunity to decide not to treat a Comment: Some commenters stated
research, and would lead to higher costs person as a personal representative that covered entities should be held
of health care delivery. when the covered entity has a accountable for access to information
Response: We generally do not reasonable belief that an individual has held by business partners so that
differentiate among types of protected been subjected to domestic violence, individuals would not have the burden
health information, because all health abuse, or neglect by such person or that of tracking down their protected health
information is sensitive. The level of treating such person as a personal information from a business partner.
sensitivity varies not only with the type representative could endanger the Many commenters, including insurers

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00271 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82732 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

and academic medical centers, associates of covered entities, and they information pursuant to such
recommended that, to reduce burden must provide access only to protected authorizations because the focus of the
and duplication, only the provider who health information that they maintain rule is privacy of protected health
created the protected health information (or that their business associates information. Requiring disclosures in all
should be required to provide maintain). It would not be efficient to circumstances would be counter to this
individuals access to the information. require a covered entity to compare goal. In addition, a requirement of
Commenters also asked that other another entity’s information with that of disclosing protected health information
entities, including business associates, the entity to which the request was to a third party is not a necessary
the Medicare program, and pharmacy addressed. (See the discussion regarding substitute for the right of access to
benefit managers, not be required to covered entities for information about individuals, because we allow denial of
provide access, in part because they do whether a pharmacy benefit manager is access to individuals under rare
not know what information the covered a covered entity.) circumstances. However, if the third
entity already has and they may not We disagree with the fourth point: a party is a personal representative of the
have all the information requested. A billing company will be required by its individual in accordance with
few commenters also argued that billing business associate contract only to § 164.502(g) and there is no concern
companies should not have to provide provide the requested protected health regarding abuse or harm to the
access because they have a fiduciary information to its physician client. This individual or another person, we require
responsibility to their physician clients action will not violate any fiduciary the covered entity to provide access to
to maintain the confidentiality of responsibility. The physician client that third party on the individual’s
records. would in turn be required by the rule to behalf, subject to specific limitations.
Response: A general principle in provide access to the individual. We note that a personal representative
responding to all of these points is that Comment: Some commenters asked may obtain access on the individual’s
a covered entity is required to provide for clarification that the clearinghouse behalf in some cases where covered
access to protected health information function of turning non-standardized entity may deny access to the
in accordance with the rule regardless of data into standardized data does not individual. For example, an inmate may
whether the covered entity created such create non-duplicative data and that be denied a copy of protected health
information or not. Thus, we agree with ‘‘duplicate’’ does not mean ‘‘identical.’’ information, but a personal
the first point: in order to meet its A few commenters suggested that representative may be able to obtain a
requirements for providing access, a duplicated information in a covered copy on the individual’s behalf. See
covered entity must not only provide entity’s designated record set be § 164.502(g) and the corresponding
access to such protected health supplied only once per request. preamble discussion regarding the
information it holds, but must also Response: We consider as duplicative ability of a personal representative to act
provide access to such information in a information the same information in on an individual’s behalf.
designated record set of its business different formats, media, or Comment: The majority of
associate, pursuant to its business presentations, or which have been commenters supported granting
associate contract, unless the standardized. Business associates who individuals the right to access protected
information is the same as information have materially altered protected health health information for as long as the
maintained directly by the covered information are obligated to provide covered entity maintains the protected
entity. We require this because an individuals access to it. Summary health information; commenters argued
individual may not be aware of business information and reports, including those that to do otherwise would interfere
associate relationships. Requiring an of lab results, are not the same as the with existing record retention laws.
individual to track down protected underlying information on which the Some commenters advocated for
health information held by a business summaries or reports were based. A limiting the right to information that is
associate would significantly limit clean document is not a duplicate of the less than one or two years old. A few
access. In addition, we do not permit a same document with notations. If the commenters explained that frequent
covered entity to limit its duty to same information is kept in more than changes in technology makes it more
provide access by giving protected one location, the covered entity has to difficult to access stored data. The
health information to a business produce the information only once per commenters noted that the information
associate. request for access. obtained prior to the effective date of
We disagree with the second point: if Comment: A few commenters the rule should not be required to be
the individual directs an access request suggested requiring covered entities to accessible.
to a covered entity that has the disclose to third parties without Response: We agree with the majority
protected health information requested, exception at the requests of individuals. of commenters and retain the proposal
the covered entity must provide access It was argued that this would facilitate to require covered entities to provide
(unless it may deny access in disability determinations when third access for as long as the entity maintains
accordance with this rule). In order to parties need information to evaluate the protected health information. We do
assure that an individual can exercise individuals’ entitlement to benefits. not agree that information created prior
his or her access rights, we do not Commenters argued that since covered to the effective date of the rule should
require the individual to make a entities may deny access to individuals not be accessible. The reasons for
separate request to each originating under certain circumstances, granting individuals access to
provider. The originating provider may individuals must have another method information about them do not vary
no longer be in business or may no of providing third parties with their with the date the information was
longer have the information, or the non- protected health information. created.
originating provider may have the Response: We allow covered entities Comment: A few commenters argued
information in a modified or enhanced to forward protected health information that there should be no grounds for
form. about an individual to a third party, denying access, stating that individuals
We disagree with the third point: pursuant to the individual’s should always have the right to inspect
other entities must provide access only authorization under § 164.508. We do and copy their protected health
if they are covered entities or business not require covered entities to disclose information.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00272 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82733

Response: While we agree that in the personal representative of the access and a licensed health care
vast majority of instances individuals individual and the harm may be professional has determined, in the
should have access to information about inflicted on the individual or another exercise of professional judgment, that
them, we cannot agree that a blanket person. providing access to such personal
rule would be appropriate. For example, We generally agree with the representative could result in
where a professional familiar with the commenters concerns that denying substantial harm to the individual or
particular circumstances believes that access specifically to mental health another person. Access can be denied
providing such access is likely to records could create distrust. To balance even if the potential harm may be
endanger a person’s life or physical this concern with other commenters’ inflicted by someone other than the
safety, or where granting such access concerns about the potential for personal representative.
would violate the privacy of other psychological harm, however, we This provision is designed to strike a
individuals, the benefits of allowing exclude psychotherapy notes from the balance between the competing interests
access may not outweigh the harm. right of access. This is the only of ensuring access to protected health
Similarly, we allow denial of access distinction we make between mental information and protecting the
where disclosure would reveal the health information and other types of individual or others from harm. The
source of confidential information protected health information in the ‘‘substantial harm’’ standard will ensure
because we do not want to interfere access provisions of this rule. Unlike that a covered entity cannot deny access
with a covered entity’s ability to other types of protected health in cases where the harm is de minimus.
maintain implicit or explicit promises of information, these notes are not widely The amount of discretion that a
confidence. disseminated through the health care covered entity has to deny access to a
We create narrow exceptions to the system. We believe that the individual’s personal representative is generally
rule of open access, and we expect privacy interests in having access to greater than the amount of discretion
covered entities to employ these these notes, therefore, are outweighed that a covered entity has to deny access
exceptions rarely, if at all. Moreover, we by the potential harm caused by such to an individual. Under the final rule, a
require covered entities to provide access. We encourage covered entities covered entity may deny access to an
access to any protected health that maintain psychotherapy notes, individual if a licensed health care
information requested after excluding however, to provide individuals access professional determines that the access
only the information that is subject to a to these notes when they believe it is requested is reasonably likely to
denial. The categories of permissible appropriate to do so. endanger the life or physical safety of
denials are not mandatory, but are a Comment: Some commenters believed the individual or another person. In this
means of preserving the flexibility and that there is a potential for abuse of the case, concerns about psychological or
judgment of covered entities under provision allowing denial of access emotional harm would not be sufficient
appropriate circumstances. because of likely harm to self. They to justify denial of access. We establish
Comment: Many commenters questioned whether there is any a relatively high threshold because we
supported our proposal to allow covered experience from the Privacy Act of 1974 want to assure that individuals have
entities to deny an individual access to to suggest that patients who requested broad access to health information about
protected health information if a and received their records have ever them, and due to the potential harm that
professional determines either that such endangered themselves as a result. comes from denial of access, we believe
access is likely to endanger the life or Response: We are unaware of such denials should be permitted only in
physical safety of a person or, if the problems from access to records that limited circumstances.
information is about another person, have been provided under the Privacy The final rule grants covered entities
access is reasonably likely to cause Act but, since these are private matters, greater discretion to deny access to a
substantial harm to such person. such problems might not come to our personal representative than to an
Some commenters requested that the attention. We believe it is more prudent individual in order to provide
rule also permit covered entities to deny to preserve the flexibility and judgment protection to those vulnerable people
a request if access might be reasonably of health care professionals familiar who depend on others to exercise their
likely to cause psychological or mental with the individuals and facts rights under the rule and who may be
harm, or emotional distress. Other surrounding a request for records than subjected to abuse or neglect. This
commenters, however, were particularly to impose the blanket rule suggested by provision applies to personal
concerned about access to mental health these commenters. representatives of minors as well as
information, stating that the lack of Comment: Commenters asserted that other individuals. The same standard
access creates resentment and distrust the NPRM did not adequately protect for denial of access on the basis of
in patients. vulnerable individuals who depend on potential harm that applies to personal
Response: We disagree with the others to exercise their rights under the representatives also applies when an
comments suggesting that we expand rule. They requested that the rule permit individual is seeking access to his or her
the grounds for denial of access to an a covered entity to deny access when protected health information, and the
individual to include a likelihood of the information is requested by someone information makes reference to another
psychological or mental harm of the other than the subject of the information person. Under these circumstances, a
individual. We did not find persuasive and, in the opinion of a licensed health covered entity may deny a request for
evidence that this is a problem care professional, access to the access if such access is reasonably likely
sufficient to outweigh the reasons for information could harm the individual to cause substantial harm to such other
providing open access. We do allow a or another person. person. The standard for this provision
denial for access based on a likelihood Response: We agree with the and for the provision regarding access
of substantial psychological or mental commenters that such protection is by personal representatives is the same
harm, but only if the protected health warranted and add a provision in because both circumstances involve one
information includes information about § 164.524(a)(3), which permits a covered person obtaining information about
another person and the harm may be health care provider to deny access if a another person, and in both cases the
inflicted on such other person or if the personal representative of the covered entity is balancing the right of
person requesting the access is a individual is making the request for access of one person against the right of

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00273 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82734 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

a second person not to be harmed by the believe that any health professional, not information in the access provisions in
disclosure. just one of the individual’s choice, will this rule.
Under any of these grounds for denial exercise appropriate professional Comment: A few commenters
of access to protected health judgment. To address some of these supported the proposed provision
information, the covered entity is not concerns, however, we add a provision temporarily denying access to
required to deny access to a personal for the review of denials requiring the information obtained during a clinical
representative under these exercise of professional judgment. If a trial if participants agreed to the denial
circumstances, but has the discretion to covered entity denies access based on of access when consenting to participate
do so. harm to self or others, the individual in the trial. Some commenters believed
In addition to denial of access rights, has the right to have the denial there should be no access to any
we also address the concerns raised by reviewed by another health care research information. Other commenters
abusive or potentially abusive situations professional who did not participate in believed denial should occur only if the
in the section regarding personal the original decision to deny access. trial would be compromised. Several
representatives by giving covered Comment: A few commenters recommended conditioning the
entities discretion to not recognize a objected to the proposal to allow provision. Some recommended that
person as a personal representative of an covered entities to deny a request for access expires upon completion of the
individual if the covered entity has a access to health information if the trial unless there is a health risk. A few
reasonable belief that the individual has information was obtained from a commenters suggested that access
been subjected to domestic violence, confidential source that may be revealed should be allowed only if it is included
abuse, or neglect by or would be in upon the individual’s access. They in the informed consent and that the
danger from a person seeking to act as argued that this could be subject to informed consent should note that some
the personal representative. (See abuse and the information could be information may not be released to the
§ 164.502(g)) inherently less reliable, making the individual, particularly research
Comment: A number of commenters information that has not yet been
patient’s access to it even more
were concerned that this provision validated. Other commenters believed
important.
would lead to liability for covered that there should be access if the
entities if the release of information Response: While we acknowledge that
information provided by confidential research is not subject to IRB or privacy
results in harm to individuals. board review or if the information can
Commenters requested a ‘‘good faith’’ sources could be inaccurate, we are
be disclosed to third parties.
standard in this provision to relieve concerned that allowing unfettered
Response: We agree with the
covered entities of liability if access to such information could
commenters that support temporary
individuals suffer harm as a result of undermine the trust between a health denial of access to information from
seeing their protected health care provider and patients other than research that includes treatment if the
information or if the information is the individual. We retain the proposed subject has agreed in advance, and with
found to be erroneous. A few policy because we do not want to those who suggested that the denial of
commenters suggested requiring interfere with a covered entity’s ability access expire upon completion of the
providers (when applicable) to include to obtain important information that can research, and retain these provisions in
with any disclosure to a third party a assist in the provision of health care or the final rule. We disagree with the
statement that, in the provider’s to maintain implicit or explicit promises commenters who advocate for further
opinion, the information should not be of confidence, which may be necessary denial of this information. These
disclosed to the patient. to obtain such information. We believe comments did not explain why an
Response: We do not intend to create the concerns raised about abuse are individual’s interest in access to health
a new duty to withhold information nor mitigated by the fact that the provision information used to make decisions
to affect other laws on this issue. Some does not apply to promises of about them is less compelling with
state laws include policies similar to confidentiality made to a health care respect to research information. Under
this rule, and we are not aware of provider. We note that a covered entity this rule, all protected health
liability arising as a result. may provide access to such information. information for research is subject either
Comment: Some commenters Comment: Some commenters were to privacy board or IRB review unless a
suggested that both the individual’s concerned that the NPRM did not allow specific authorization to use protected
health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual’s choice.

Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a health professional of the individual’s choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We

access to information unrelated to treatment, and thus did not permit access to research information.

Response: In the final rule, we eliminate the proposed special provision for “research information unrelated to treatment.” The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual’s right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other

health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.

Comment: A few commenters believed that it would be “extremely disruptive of and dangerous” to patients to have access to records regarding their current care and that state law provides sufficient protection of patients’ rights in this regard.

Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another

person, the regulation allows the professional to withhold access.

Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.

Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden are lawful reasons to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.

Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.

Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual’s right of access and have, therefore, not included such a limitation. To limit covered entities’ burden, we do not require covered entities to acknowledge receipt of the individuals’ requests, other than to notify the individual once a decision on the request has been made. We also permit a covered entity to require an individual to make a request for access in writing and to discuss a request with an individual to clarify which information the individual is actually requesting. If individuals agree, covered entities may provide access to a subset of information rather than all protected health information in a designated record set. We believe these changes provide covered entities with greater flexibility without compromising individuals’ access rights.

Comment: Commenters offered varying suggestions for required response time, ranging from 48 hours because of the convenience of electronic records to 60 days because of the potential burden. Others argued against a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.

Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.

Comment: A few commenters suggested that, upon individuals’ requests, covered entities should be required to provide protected health information in a format that would be understandable to a patient, including explanations of codes or abbreviations. The commenters suggested that covered entities be permitted to provide summaries of pertinent information instead of full copies of records; for example, a summary may be more helpful for the patient’s purpose than a series of indecipherable billing codes.

Response: We agree with these commenters’ point that some health information is difficult to interpret. We clarify, therefore, that the covered entity may provide summary information in lieu of the underlying records. A summary may only be provided if the covered entity and the individual agree, in advance, to the summary and to any fees imposed by the covered entity for providing such summary. We similarly permit a covered entity to provide an explanation of the information. If the covered entity charges a fee for providing an explanation, it must obtain the individual’s agreement to the fee in advance.

Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.

Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their records.

Comment: Many commenters stated that if a covered entity denies a request for access because the entity does not hold the protected health information requested, the covered entity should provide, if known, the name and address of the entity that holds the information. Some of these commenters additionally noted that the Uniform Insurance Information and Patient Protection Act, adopted by 16 states, already imposes this notification requirement on insurance entities. Some commenters also suggested requiring providers who leave practice or move offices to inform individuals of that fact and of how to obtain their records.

Response: We agree that, when covered entities deny requests for access because they do not hold the protected health information requested, they should inform individuals of the holder of the information, if known; we include this provision in the final rule. We do not require health care providers to

notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.

Section 164.526—Amendment of Protected Health Information

Comment: Many commenters strongly encouraged the Secretary to adopt “appendment” rather than “amendment and correction” procedures. They argued that the term “correction” implies a deletion of information and that the proposed rule would have allowed covered entities to remove portions of the record at their discretion. Commenters indicated that appendment rather than correction procedures will ensure the integrity of the medical record and allow subsequent health care providers access to the original information as well as the appended information. They also indicated appendment procedures will protect both individuals and covered entities since medical records are sometimes needed for litigation or other legal proceedings.

Response: We agree with commenters’ concerns about the term “correction.” We have revised the rule and deleted “correction” from this provision in order to clarify that covered entities are not required by this rule to delete any information from the designated record set. We do not intend to alter medical record retention laws or current practice, except to require covered entities to append information as requested to ensure that a record is accurate and complete. If a covered entity prefers to comply with this provision by deleting the erroneous information, and applicable record retention laws allow such deletion, the entity may do so. For example, an individual may inform the entity that someone else’s X-rays are in the individual’s medical record. If the entity agrees that the X-ray is inaccurately filed, the entity may choose to so indicate and note where in the record the correct X-ray can be found. Alternatively, the entity may choose to remove the X-ray from the record and replace it with the correct X-ray, if applicable law allows the entity to do so. We intend the term “amendment” to encompass either action.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that health care providers and other organizations that maintain medical-record information have procedures for individuals to correct or amend the information.[28] The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to request amendment of any record the individual believes is not accurate, relevant, timely, or complete. In its report “Best Principles for Health Privacy,” the Health Privacy Working Group recommended, “An individual should have the right to supplement his or her own medical record. Supplementation should not be implied to mean deletion or alteration of the medical record.”[29] The National Association of Insurance Commissioners’ Health Information Privacy Model Act establishes the right of an individual who is the subject of protected health information to amend protected health information to correct any inaccuracies. The National Conference of Commissioners on Uniform State Laws’ Uniform Health Care Information Act states, “Because accurate health-care information is not only important to the delivery of health care, but for patient applications for life, disability and health insurance, employment, and a great many other issues that might be involved in civil litigation, this Act allows a patient to request an amendment in his record.”

Some states also establish a right for individuals to amend health information about them. For example, Hawaii law (HRS section 323C–12) states, “An individual or the individual’s authorized representative may request in writing that a health care provider that generated certain health care information append additional information to the record in order to improve the accuracy or completeness of the information; provided that appending this information does not erase or obliterate any of the original information.” Montana law (MCA section 50–16–543) states, “For purposes of accuracy or completeness, a patient may request in writing that a health care provider correct or amend its record of the patient’s health care information to which he has access.” Connecticut, Georgia, and Maine provide individuals a right to request correction, amendment, or deletion of recorded personal information about them maintained by an insurance institution. Many other states have similar provisions.

Industry and standard-setting organizations have also developed policies for amendment of health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, “The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment. Amending records does not erase the original information. It inserts the correct information with a notation about the date the correct information was available and any explanation about the reason for the error.”[30] Standards of the American Society for Testing and Materials state, “An individual has a right to amend by adding information to his or her record or database to correct inaccurate information in his or her patient record and in secondary records and databases which contain patient identifiable health information.”[31] We build on this well-established principle in this final rule.

Comment: Some commenters supported the proposal to allow individuals to request amendment for as long as the covered provider or plan maintains the information. A few argued that the provision should be time-limited, e.g., that covered entities should not have to amend protected health information that is more than two years old. Other comments suggested that the provision should only be applied to protected health information created after the compliance date of the regulation.

Response: The purpose of this provision is to create a mechanism whereby individuals can ensure that information about them is as accurate as possible as it travels through the health care system and is used to make decisions, including treatment decisions, about them. To achieve this result, individuals must have the ability to request amendment for as long as the information used to make decisions about them exists. We therefore retain the proposed approach. For these reasons, we also require covered entities to address requests for amendment of all protected health information within designated record sets, including information created or obtained prior to

[28] Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, p. 300–303.
[29] Health Privacy Working Group, “Best Principles for Health Privacy,” Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999.
[30] National Committee on Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations, “Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment,” 1998, p. 25.
[31] ASTM, “Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records,” E 1869–97, § 11.1.1.

the compliance date, for as long as the entity maintains the information.

Comment: A few commenters were concerned that the proposal implied that the individual is in control of and may personally change the medical record. These commenters opposed such an approach.

Response: We do not give individuals the right to alter their medical records. Individuals may request amendment, but they have no authority to determine the final outcome of the request and may not make actual changes to the medical record. The covered entity must review the individual’s request and make appropriate decisions. We have clarified this intent in § 164.526(a)(1) by stating that individuals have a right to have a covered entity amend protected health information and in § 164.526(b)(2) by stating that covered entities must act on an individual’s request for amendment.

Comment: Some comments argued that there is no free-text field in some current transaction formats that would accommodate the extra text required to comply with the amendment provisions (e.g., sending statements of disagreement along with all future disclosures of the information at issue). Commenters argued that this provision will burden the efficient transmission of information, contrary to HIPAA requirements.

Response: We believe that most amendments can be incorporated into the standard transactions as corrections of erroneous data. We agree that some of the standard transactions cannot currently accommodate additional material such as statements of disagreement and rebuttals to such statements. To accommodate these rare situations, we modify the requirements in § 164.526(d)(iii). The provision now states that if a standard transaction does not permit the inclusion of the additional material required by this section, the covered entity may separately transmit the additional material to the recipient of the standard transaction. Commenters interested in modifying the standard transactions to allow the incorporation of additional materials may also bring the issue up for resolution through the process established by the Transactions Rule and described in its preamble.

Comment: The NPRM proposed to allow amendment of protected health information in designated record sets. Some commenters supported the concept of a designated record set and stated that it appropriately limits the type of information available for amendment to information directly related to treatment. Other commenters were concerned about the burden this provision will create due to the volume of information that will be available for amendment. They were primarily concerned with the potential for frivolous, minor, or technical requests. They argued that for purposes of amendment, this definition should be limited to information used to make medical or treatment decisions about the individual. A few commenters requested clarification that individuals do not have a right to seek amendment unless there is verifiable information to support their claim or they can otherwise convince the entity that the information is inaccurate or incomplete.

Response: We believe that the same information available for inspection should also be subject to requests for amendment, because the purpose of these provisions is the same: to give consumers access to and the chance to correct errors in information that may be used to make decisions that affect their interests. We thus retain use of the “designated record set” in this provision. However, we share commenters’ concerns about the potential for minor or technical requests. To address this concern, we have clarified that covered entities may deny a request for amendment if the request is not in writing and does not articulate a reason to support the request, as long as the covered entity informs the individual of these requirements in advance.

Comment: Many commenters noted the potentially negative impact of the proposal to allow covered entities to deny a request for amendment if the covered entity did not create the information at issue. Some commenters pointed out that the originator of the information may no longer exist or the individual may not know who created the information in question. Other commenters supported the proposal that only the originator of the information is responsible for amendments to it. They argued that any extension of this provision requiring covered entities to amend information they have not created is administratively and financially burdensome.

Response: In light of the comments, we modify the rule to require the holder of the information to consider a request for amendment if the individual requesting amendment provides a reasonable basis to believe that the originator of the information is no longer available to act on a request. For example, if a request indicates that the information at issue was created by a hospital that has closed, and the request is not denied on other grounds, then the entity must amend the information. This provision is necessary to preserve an individual’s right to amend protected health information about them in certain circumstances.

Comment: Some commenters stated that the written contract between a covered entity and its business associate should stipulate that the business associate is required to amend protected health information in accordance with the amendment provisions. Otherwise, these commenters argued, there would be a gap in the individual’s right to have erroneous information corrected, because the covered entity could deny a request for amendment of information created by a business associate.

Response: We agree that information created by the covered entity or by the covered entity’s business associates should be subject to amendment. This requirement is consistent with the requirement to make information created by a business associate available for inspection and copying. We have revised the rule to require covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. (See § 164.504(e).)

Comment: One commenter argued that covered entities should be required to presume information must be corrected where an individual informs the entity that an adjudicative process has made a finding of medical identity theft.

Response: Identity theft is one of many reasons why protected health information may be inaccurate, and is one of many subjects that may result in an adjudicative process relevant to the accuracy of protected health information. We believe that this provision accommodates this situation without a special provision for identity theft.

Comment: Some commenters asserted that the proposed rule’s requirement that action must be taken on individuals’ requests within 60 days of the receipt of the request was unreasonable and burdensome. A few commenters proposed up to three 30-day extensions for “extraordinary” (as defined by the entity) requests.

Response: We agree that 60 days will not always be a sufficient amount of time to adequately respond to these requests. Therefore, we have revised this provision to allow covered entities the option of a 30-day extension to deal with requests that require additional response time. However, we expect that 60 days will be adequate for most cases.

Comment: One commenter questioned whether a covered entity could

appropriately respond to a request by amending the record, without indicating whether it believes the information at issue is accurate and complete.

Response: An amendment need not include a statement by the covered entity as to whether the information is or is not accurate and complete. A covered entity may choose to amend a record even if it believes the information at issue is accurate and complete. If a request for amendment is accepted, the covered entity must notify the individual that the record has been amended. This notification need not include any explanation as to why the request was accepted. A notification of a denied request, however, must contain the basis for the denial.

Comment: A few commenters suggested that when an amendment is made, the date should be noted. Some also suggested that the physician should sign the notation.

Response: We believe such a requirement would create a burden that is not necessary to protect individuals’ interests, and so have not accepted this suggestion. We believe that the requirements of § 164.526(c) regarding actions a covered entity must take when accepting a request will provide an adequate record of the amendment. A covered entity may date and sign an amendment at its discretion.

Comment: The NPRM proposed that covered entities, upon accepting a request for amendment, make reasonable efforts to notify those persons the individual identifies, and other persons whom the covered entity knows have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual. Many commenters argued that this notification requirement was too burdensome and should be narrowed. They expressed concern that covered entities would have to notify anyone who might have received the information, even persons identified by the individual with whom the covered entity had no contact. Other commenters also contended that this provision would require covered entities to determine the reliance another entity might place on the information and suggested that particular part of the notification requirements be removed. Another commenter suggested that the notification provision be eliminated entirely, believing that it was unnecessary.

Response: Although there is some associated administrative burden with this provision, we believe it is a necessary requirement to effectively communicate amendments of erroneous or incomplete information to other parties. The negative effects of erroneous or incomplete medical information can be devastating. This requirement allows individuals to exercise some control in determining recipients they consider important to be notified, and requires the covered entity to communicate amendments to other persons that the covered entity knows have the erroneous or incomplete information and may take some action in reliance on the erroneous or incomplete information to the detriment of the individual. We have added language to clarify that the covered entity must obtain the individual’s agreement to have the amendment shared with the persons the individual and covered entity identifies. We believe these notification requirements appropriately balance covered entities’ burden and individuals’ interest in protecting the accuracy of medical information used to make decisions about them. We therefore retain the notification provisions substantially as proposed.

Comment: Some commenters argued against the proposed provision requiring a covered entity that receives a notice of amendment to notify its business associates, “as appropriate,” of necessary amendments. Some argued that covered entities should only be required to inform business associates of these changes if the amendment could affect the individual’s further treatment, citing the administrative and financial burden of notifying all business associates of changes that may not have a detrimental effect on the patient. Other commenters suggested that covered entities should only be required to inform business associates whom they reasonably know to be in possession of the information.

Response: We agree with commenters that clarification is warranted. Our intent is that covered entities must meet the requirements of this rule with respect to protected health information they maintain, including protected health information maintained on their behalf by their business associates. We clarify this intent by revising the definition of designated record set (see § 164.501) to include records maintained “by or for” a covered entity. Section 164.526(e) requires a covered entity that is informed of an amendment made by another covered entity to incorporate that amendment into designated record sets, whether the designated record set is maintained by the covered entity or for the covered entity by a business associate. If a business associate maintains the record at issue on the covered entity’s behalf, the covered entity must fulfill its requirement by informing the business associate of the amendment to the record. The contract with the business associate must require the business associate to incorporate any such amendments. (See § 164.504(e).)

Comment: Some commenters supported the proposal to require covered entities to provide notification of the covered entity’s statement of denial and the individual’s statement of disagreement in any subsequent disclosures of the information to which the dispute relates. They argued that we should extend this provision to prior recipients of disputed information who have relied on it. These commenters noted an inconsistency in the proposed approach, since notification of accepted amendments is provided to certain previous recipients of erroneous health information and to recipients of future disclosures. They contended there is not a good justification for the different treatment and believed that the notification standard should be the same, regardless of whether the covered entity accepts the request for amendment.

These commenters also recommended that the individual be notified of the covered entity’s intention to rebut a statement of disagreement. They suggested requiring covered entities to send a copy of the statement of rebuttal to the individual.

Response: Where a request for amendment is accepted, the covered entity knows that protected health information about the individual is inaccurate or incomplete or the amendment is otherwise warranted; in these circumstances, it is reasonable to ask the covered entity to notify certain previous recipients of the information that reliance on such information could be harmful. Where, however, the request for amendment is denied, the covered entity believes that the relevant information is accurate and complete or the amendment is otherwise unacceptable. In this circumstance, the burden of prior notification outweighs the potential benefits. We therefore do not require notification of prior recipients.

We agree, however, that individuals should know how a covered entity has responded to their requests, and therefore add a requirement that covered entities also provide a copy of any rebuttal statements to the individual.

Section 164.528—Accounting of Disclosures of Protected Health Information

Comment: Many commenters expressed support for the concept of the right to receive an accounting of disclosures. Others opposed even the concept. One commenter said that it is likely that some individuals will request an accounting of disclosures from each of his or her health care providers and payors merely to challenge the disclosures that the covered entity made.

Some commenters also questioned the value to the individual of providing the right to an accounting. One commenter stated that such a provision would be meaningless because those who deliberately perpetrate an abuse are unlikely to note their breach in a log.

Response: The final rule retains the right of an individual to receive an accounting of disclosures of protected health information. The provision serves multiple purposes. It provides a means of informing the individual as to which information has been sent to which recipients. This information, in turn, enables individuals to exercise certain other rights under the rule, such as the rights to inspection and amendment, with greater precision and ease. The accounting also allows individuals to monitor how covered entities are complying with the rule. Though covered entities who deliberately make disclosures in violation of the rule may be unlikely to note such a breach in the accounting, other covered entities may document inappropriate disclosures that they make out of ignorance and not malfeasance. The accounting will enable the individual to address such concerns with the covered entity.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that a health care provider should not disclose individually-identifiable information for certain purposes without the individual’s authorization unless “an accounting of such disclosures is kept and the individual who is the subject of the information being disclosed can find out that the disclosure has been made and to whom.” 32 With certain exceptions, the Privacy Act (5 U.S.C. 552a) requires government agencies to “keep an accurate accounting of * * * the date, nature, and purpose of each disclosure of a record to any person or to another agency * * * and * * * the name and address of the person or agency to whom the disclosure is made.” The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires carriers to provide to individuals on request “information regarding disclosure of that individual’s protected health information that is sufficient to exercise the right to amend the information.” We build on these standards in this final rule.

32 Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, pp. 306–307.

Comment: Many commenters disagreed with the NPRM’s exception for treatment, payment, and health care operations. Some commenters wanted treatment, payment, and health care operations disclosures to be included in an accounting because they believed that improper disclosures of protected health information were likely to be committed by parties within the entity who have access to protected health information for treatment, payment, and health care operations related purposes. They suggested that requiring covered entities to record treatment, payment, and health care operations disclosures would either prevent improper disclosures or enable transgressions to be tracked.

One commenter reasoned that disclosures for treatment, payment, and health care operations purposes should be tracked since these disclosures would be made without the individual’s consent. Others argued that if an individual’s authorization is not required for a disclosure, then the disclosure should not have to be tracked for a future accounting to the individual.

One commenter requested that the provision be restated so that no accounting is required for disclosures “compatible with or directly related to” treatment, payment or health care operations. This comment indicated that the change would make § 164.515(a)(1) of the NPRM consistent with § 164.508(a)(2)(i)(A) of the NPRM.

Response: We do not accept the comments suggesting removing the exception for disclosures for treatment, payment, and health care operations. While including all disclosures within the accounting would provide more information to individuals about to whom their information has been disclosed, we believe that documenting all disclosures made for treatment, payment, and health care operations purposes would be unduly burdensome on entities and would result in accountings so voluminous as to be of questionable value. Individuals who seek treatment and payment expect that their information will be used and disclosed for these purposes. In many cases, under this final rule, the individual will have consented to these uses and disclosures. Thus, the additional information that would be gained from including these disclosures would not outweigh the added burdens on covered entities. We believe that retaining the exclusion of disclosures to carry out treatment, payment, and health care operations makes for a manageable accounting both from the point of view of entities and of individuals. We have conformed the language in this section with language in other sections of the rule regarding uses and disclosures to carry out treatment, payment, and health care operations. See § 164.508 and the corresponding preamble discussion regarding our decision to use this language.

Comments: A few commenters called for a record of all disclosures, including a right of access to a full audit trail where one exists. Some commenters stated that while audit trails for paper records are too expensive to require, the privacy rule should not discourage audit trails, at least for computer-based records. They speculated that an important reason for maintaining a full audit trail is that most abuses are the result of activity by insiders. On the other hand, other commenters pointed out that an enormous volume of records would be created if the rule requires recording all accesses in the manner of a full audit trail.

One commenter supported the NPRM’s reference to the proposed HIPAA Security Rule, agreeing that access control and disclosure requirements under this rule should be coordinated with the final HIPAA Security Rule. The commenter recommended that HHS add a reference to the final HIPAA Security Rule in this section and keep specific audit log and reporting requirements generic in the privacy rule.

Response: Audit trails and the accounting of disclosures serve different functions. In the security field, an audit trail is typically a record of each time a sensitive record is altered, how it was altered and by whom, but does not usually record each time a record is used or viewed. The accounting required by this rule provides individuals with information about to whom a disclosure is made. An accounting, as described in this rule, would not capture uses. To the extent that an audit trail would capture uses, consumers reviewing an audit trail may not be able to distinguish between
accesses of the protected health information for use and accesses for disclosure. Further, it is not clear the degree to which the field is technologically poised to provide audit trails. Some entities could provide audit trails to individuals upon their request, but we are concerned that many could not.

We agree that it is important to coordinate this provision of the privacy rule with the Security Rule when it is issued as a final rule.

Comments: We received many comments from researchers expressing concerns about the potential impact of requiring an accounting of disclosures related to research. The majority feared that the accounting provision would prove so burdensome that many entities would decline to participate in research. Many commenters believed that disclosure of protected health information for research presents little risk to individual privacy and feared that the accounting requirement could shut down research.

Some commenters pointed out that often only a few data elements or a single element is extracted from the patient record and disclosed to a researcher, and that having to account for so singular a disclosure from what could potentially be an enormous number of records imposes a significant burden. Some said that the impact would be particularly harmful to longitudinal studies, where the disclosures of protected health information occur over an extended period of time. A number of commenters suggested that we not require accounting of disclosures for research, registries, and surveillance systems or other databases unless the disclosure results in the actual physical release of the patient’s entire medical record, rather than the disclosure of discrete elements of information contained within the record.

We also were asked by commenters to provide an exclusion for research subject to IRB oversight or research that has been granted a waiver of authorization pursuant to proposed § 164.510, to exempt “in-house” research from the accounting provision, and to allow covered entities to describe the type of disclosures they have made to research projects, without specifically listing each disclosure. Commenters suggested that covered entities could include in an accounting a listing of the various research projects in which they participated during the time period at issue, without regard to whether a particular individual’s protected health information was disclosed to the project.

Response: We disagree with suggestions from commenters that an accounting of disclosures is not necessary for research. While it is possible that informing individuals about the disclosures made of their health information may on occasion discourage worthwhile activities, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

For the same reasons, we also do not believe that IRB or privacy board review substitutes for providing individuals the right to know how their information has been disclosed. We permit IRBs or privacy boards to determine that a research project would not be feasible if authorization were required because we understand that it could be virtually impossible to get authorization for archival research involving large numbers of individuals or where the location of the individuals is not easy to ascertain. While providing an accounting of disclosures for research may entail some burden, it is feasible, and we do not believe that IRBs or privacy boards would have a basis for waiving such a requirement. We also note that the majority of comments that we received from individuals supported including more information in the accounting, not less.

We understand that requiring covered entities to include disclosures for research in the accounting of disclosures entails some burden, but we believe that the benefits described above outweigh the burden.

We do not agree with commenters that we should exempt disclosures where only a few data elements are released or in the case of data released without individuals’ names. We recognize that information other than names can identify an individual. We also recognize that even a few data elements could be clues to an individual’s identity. The actual volume of information released is not an appropriate indicator of whether an individual could have a concern about privacy.

We disagree with comments that suggested that it would be sufficient to provide individuals with a general list of research projects to which information has been disclosed by the covered entity. We believe that individuals are entitled to a level of specificity about disclosures of protected health information about them and should know to which research projects their protected health information has been disclosed, rather than to which projects protected health information may have been disclosed. However, we have added a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. This change is designed to ease the burden on covered entities involved in longitudinal projects.

With regard to the suggestion that we exempt “in-house” research from the accounting provision, we note that only disclosures of protected health information must appear in an accounting.

Comments: Several commenters noted that disclosures for public health activities may be of interest to individuals, but add to the burden imposed on entities. Furthermore, some expressed fear that priority public health activities would be compromised by the accounting provision. One commenter from a health department said that covered entities should not be required to provide an accounting to certain index cases, where such disclosures create other hazards, such as potential harm to the reporting provider. This commenter also speculated that knowing protected health information had been disclosed for these public health purposes might cause people to avoid treatment in order to avoid being reported to the public health department.

A provider association expressed concern about the effect that the accounting provision might have on a non-governmental, centralized disease registry that it operates. The provider organization feared that individuals might request that their protected health information be eliminated in the databank, which would make the data less useful.

Response: As in the discussion of research above, we reject the contention that we should withhold information from individuals about where their information has been disclosed because informing them could occasionally discourage some worthwhile activities. We also believe that, on balance, individuals’ interest in having broad access to this information outweighs concerns about the rare instances in which providing this information might raise concerns about harm to the person who made the disclosure. As we stated above, we believe that individuals have
a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

Comment: We received many comments about the proposed time-limited exclusion for law enforcement and health oversight. Several commenters noted that it is nearly impossible to accurately project the length of an investigation, especially during its early stages. Some recommended we permit a deadline based on the end of an event, such as conclusion of an investigation. One commenter recommended amending the standard such that covered entities would never be required to give an accounting of disclosures to health oversight or law enforcement agencies. The commenter noted that there are public policy reasons for limiting the extent to which a criminal investigation is made known publicly, including the possibility that suspects may destroy or falsify evidence, hide assets, or flee. The commenter also pointed out that disclosure of an investigation may unfairly stigmatize a person or entity who is eventually found to be innocent of any wrongdoing.

On the other hand, many commenters disagreed with the exemption for recording disclosures related to oversight activities and law enforcement. Many of these commenters stated that the exclusion would permit broad exceptions for government purposes while holding disclosures for private purposes to a more burdensome standard.

Some commenters felt that the NPRM made it too easy for law enforcement to obtain an exception. They suggested that law enforcement should not be excepted from the accounting provision unless there is a court order. One commenter recommended that a written request for exclusion be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting.

Response: We do not agree with comments suggesting that we permanently exclude disclosures for oversight or law enforcement from the accounting. We believe generally that individuals have a right to know who is obtaining their health information and for what purposes.

At the same time, we agree with commenters who were concerned that an accounting could tip off subjects of investigations. We have retained a time-limited exclusion period similar to that proposed in the NPRM. To protect the integrity of investigations, in the final rule we require covered entities to exclude disclosures to a health oversight agency or law enforcement official for the time specified by that agency or official, if the agency or official states that including the disclosure in an accounting to the individual would be reasonably likely to impede the agency or official’s activities. We require the statement from the agency or official to provide a specific time frame for the exclusion. For example, pursuant to a law enforcement official’s statement, a covered entity could exclude a law enforcement disclosure from the accounting for a period of three months from the date of the official’s statement or until a date specified in the statement.

In the final rule, we permit the covered entity to exclude the disclosure from an accounting to an individual if the agency or official makes the statement orally and the covered entity documents the statement and the identity of the agency or official that made the statement. We recognize that in urgent situations, agencies and officials may not be able to provide statements in writing. If the agency or official’s statement is made orally, however, the disclosure can be excluded from an accounting to the individual for no longer than 30 days from the oral statement. For exclusions longer than 30 days, a covered entity must receive a written statement.

We believe these requirements appropriately balance individuals’ rights to be informed of the disclosures of protected health information while recognizing the public’s interest in maintaining the integrity of health oversight and law enforcement activities.

Comment: One commenter stated that under Minnesota law, providers who are mandated reporters of abuse are limited as to whom they may reveal the report of abuse (generally law enforcement authorities and other providers only). This is because certain abusers, such as parents, by law may have access to a victim’s (child’s) records. The commenter requested clarification as to whether these disclosures are exempt from the accounting requirement or whether preemption would apply.

Response: While we do not except mandatory disclosures of abuse from the accounting for disclosure requirement, we believe the commenter’s concerns are addressed in several ways. First, nothing in this regulation invalidates or limits the authority or procedures established under state law providing for the reporting of child abuse. Thus, with respect to child abuse the Minnesota law’s procedures are not preempted even though they are less stringent with respect to privacy. Second, with respect to abuse of persons other than children, we allow covered entities to refuse to treat a person as an individual’s personal representative if the covered entity believes that the individual has been subjected to domestic violence, abuse, or neglect from the person. Thus, the abuser would not have access to the accounting. We also note that a covered entity must exclude a disclosure, including disclosures to report abuse, from the accounting for a specified period of time if the law enforcement official to whom the report is made requests such exclusion.

Comment: A few comments noted the lack of exception for disclosures made to intelligence agencies.

Response: We agree with the comments and have added an exemption for disclosures made for national security or intelligence purposes under § 164.512(k)(2). Individuals do not have a right to an accounting of disclosures for these purposes.

Comment: Commenters noted that the burden associated with this provision would, in part, be determined by other provisions of the rule, including the definitions of “individually identifiable,” “treatment,” and “health care operations.” They expressed concern that the covered entity would have to be able to organize on a patient by patient basis thousands of disclosures of information, which they described as “routine.” These commenters point to disclosures for patient directory information, routine banking and payment processes, uses and disclosures in emergency circumstances, disclosures to next of kin, and release of admissions statistics to a health oversight agency.

Response: We disagree with the commenters that ambiguity in other areas of the rule increases the burden associated with maintaining an accounting. The definitions of treatment, payment, and health operations are necessarily broad and there is no accounting required for disclosures for these purposes. These terms cover the vast majority of routine disclosures for health care purposes. (See § 164.501 and the associated preamble for a discussion of changes made to these definitions.)

The disclosures permitted under § 164.512 are for national priority purposes, and determining whether a disclosure fits within the section is necessary before the disclosure can be
made. There is no additional burden, once such a determination is made, in determining whether it must be included in the accounting.

We agree with the commenters that there are areas where we can reduce burden by removing additional disclosures from the accounting requirement, without compromising individuals’ rights to know how their information is being disclosed. In the final rule, covered entities are not required to include the following disclosures in the accounting: disclosures to the individual, disclosures for facility directories under § 164.510(a), or disclosures to persons assisting in the individual’s care or for other notification purposes under § 164.510(b). For each of these types of disclosures, the individual is likely to already know about the disclosure or to have agreed to the disclosure, making the inclusion of such disclosures in the accounting less important to the individual and unnecessarily burdensome to the covered entity.

Comment: Many commenters objected to requiring business partners to provide an accounting to covered entities upon their request. They cited the encumbrance associated with re-contracting with the various business partners, as well as the burden associated with establishing this type of record keeping.

Response: Individuals have a right to know to whom and for what purpose their protected health information has been disclosed by a covered entity. The fact that a covered entity uses a business associate to carry out a function does not diminish an individual’s right to know.

Comments: One commenter requested clarification as to how far a covered entity’s responsibility would extend, asking whether an entity had to track only their direct disclosures or subsequent re-disclosures.

Response: Covered entities are required to account for their disclosures, as well as the disclosures of their business associates, of protected health information. Because business associates act on behalf of covered entities, it is essential that their disclosures be included in any accounting that an individual requests from a covered entity. Covered entities are not responsible, however, for the actions of persons who are not their business associates. Once a covered entity has accounted for a disclosure to any person other than a business associate, it is not responsible for accounting for any further uses or disclosures of the information by that other person.

Comments: Some commenters said that the accounting provision described in the NPRM was ambiguous and created uncertainty as to whether it addresses disclosures only, as the title would indicate, or whether it includes accounting of uses. They urged that the standard address disclosures only, and not uses, which would make implementation far more practicable and less burdensome.

Response: The final rule requires disclosures, not uses, to be included in an accounting. See § 164.501 for definitions of “use” and “disclosure.”

Comments: We received many comments from providers and other representatives of various segments of the health care industry, expressing the view that a centralized system of recording disclosures was not possible given the complexity of the health care system, in which disclosures are made by numerous departments within entities. For example, commenters stated that a hospital medical records department generally makes notations regarding information it releases, but that these notations do not include disclosures that the emergency department may make. Several commenters proposed that the rule provide for patients to receive only an accounting of disclosures made by medical records departments or some other central location, which would relieve the burden of centralizing accounting for those entities who depend on paper records and tracking systems.

Response: We disagree with commenters’ arguments that covered entities should not be held accountable for the actions of their subdivisions or workforce members. Covered entities are responsible for accounting for the disclosures of protected health information made by the covered entity, in accordance with this rule. The particular person or department within the entity that made the disclosure is immaterial to the covered entity’s obligation. In the final rule, we require covered entities to document each disclosure that is required to be included in an accounting. We do not, however, require this documentation to be maintained in a central registry. A covered hospital, for example, could maintain separate documentation of disclosures that are made from the medical records department and the emergency department. At the time an individual requests an accounting, this documentation could be integrated to provide a single accounting of disclosures made by the covered hospital. Alternatively, the covered hospital could centralize its processes for making and documenting disclosures. We believe this provision provides covered entities with sufficient flexibility to meet their business needs without compromising individuals’ rights to know how information about them is disclosed.

Comments: Commenters stated that the accounting requirements placed undue burden on covered entities that use paper, rather than electronic, records.

Response: We do not agree that the current reliance on paper records makes the accounting provision unduly burdensome. Covered entities must use the paper records in order to make a disclosure, and have the opportunity when they do so to make a notation in the record or in a separate log. We require an accounting only for disclosures for purposes other than treatment, payment, and health care operations. Such disclosures are not so numerous that they cannot be accounted for, even if paper records are involved.

Comments: The exception to the accounting provision for disclosures of protected health information for treatment, payment, and health care operations purposes was viewed favorably by many respondents. However, at least one commenter stated that since covered entities must differentiate between disclosures that require documentation and those that do not, they will have to document each instance when a patient’s medical record is disclosed to determine the reason for the disclosure. This commenter also argued that the administrative burden of requiring customer service representatives to ask in which category the information falls and then to keep a record that they asked the question and record the answer would be overwhelming for plans. The commenter concluded that the burden of documentation on a covered entity would not be relieved by the stipulation that documentation is not required for treatment, payment, and health care operations.

Response: We disagree. Covered entities are not required to document every disclosure in order to differentiate those for treatment, payment, and health care operations from those for purposes for which an accounting is required. We require that, when a disclosure is made for which an accounting is required, the covered entity be able to produce an accounting of those disclosures upon request. We do not require a covered entity to be able to account for every disclosure. In addition, we believe that we have addressed many of the commenters’ concerns by clarifying in the final rule that disclosures to the
individual, regardless of the purpose for the disclosure, are not subject to the accounting requirement.

Comments: An insurer explained that in the context of underwriting, it may have frequent and multiple disclosures of protected health information to an agent, third party medical provider, or other entity or individual. It requested we reduce the burden of accounting for such disclosures.

Response: We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series.

Comment: Several commenters said that it was unreasonable to expect covered entities to track disclosures that are requested by the individual. They believed that consumers should be responsible for keeping track of their own requests.

Other commenters asked that we specify that entities need not retain and provide copies of the individual’s authorization to disclose protected health information. Some commenters were particularly concerned that if they maintain all patient information on a computer system, it would be impossible to link the paper authorization with the patient’s electronic records.

Another commenter suggested we allow entities to submit copies of authorizations after the 30-day deadline for responding to the individual, as long as the accounting itself is furnished

requirement. Instead, we require the accounting to contain a brief statement describing the purpose for which the protected health information was disclosed. The statement must be sufficient to reasonably inform the individual of the basis for the disclosure. Alternatively, the covered entity may provide a copy of the authorization or a copy of the written request for disclosure, if any, under §§ 164.502(a)(2)(ii) or 164.512.

Comments: We received many comments regarding the amount of information required in the accounting. A few commenters requested that we include additional elements in the accounting, such as the method of transmittal and identity of the employee who accessed the information.

Other commenters, however, felt that the proposed requirements went beyond what is necessary to inform the individual of disclosures. Another commenter stated that if the individual’s right to obtain an accounting extends to disclosures that do not require a signed authorization, then the accounting should be limited to a disclosure of the manner and purpose of disclosures, as opposed to an individual accounting of each entity to whom the protected health information was disclosed. An insurer stated that this section of the proposed rule should be revised to provide more general, rather than detailed, guidelines for accounting of disclosures. The commenter believed that its type of business should be allowed to provide general information regarding the disclosure of protected health information to outside entities, particularly with regard to entities with which the insurer maintains an ongoing, standard relationship (such as a

information more generally. Similarly, commenters suggested that the accounting be limited to release of the medical record only.

Response: We disagree. Protected health information exists in many forms and resides in many sources. An individual’s right to know to whom and for what purposes his or her protected health information has been disclosed would be severely limited if it pertained only to disclosure of the medical record, or information taken only from the record.

Comment: A commenter asked that we make clear that only disclosures external to the organization are within the accounting requirement.

Response: We agree. The requirement only applies to disclosures of protected health information, as defined in § 164.501.

Comment: Some commenters requested that we establish a limit on the number of times an individual could request an accounting. One comment suggested we permit individuals to request one accounting per year; another suggested two accountings per year, except in “emergency situations.” Others recommended that we enable entities to recoup some of the costs associated with implementation by allowing the entity to charge for an accounting.

Response: We agree that covered entities should be able to defray costs of excessive requests. The final rule provides individuals with the right to receive one accounting without charge in a twelve-month period. For additional requests by an individual within a twelve-month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the
within the 30-day window. reinsurer). individual of the fee in advance and
Response: In the final rule we do not Response: In general, we have provide the individual with an
require disclosures to the individual to retained the proposed approach, which opportunity to withdraw or modify the
be included in the accounting. Other we believe strikes an appropriate request to avoid or reduce the fee.
disclosures requested by the individual balance between the individual’s right Comment: In the NPRM, we solicited
must be included in the accounting, to know to whom and for what purposes comments on the appropriate duration
unless they are otherwise excepted from their protected health information has of the individual’s right to an
the requirement. We do not agree that been disclosed and the burden placed accounting. Some commenters
individuals should be required to track on covered entities. In the final rule, we supported the NPRM’s requirement that
these disclosures themselves. In many clarify that the accounting must include the right exist for as long as the covered
cases, an authorization may authorize a the address of the recipient only if the entities maintains the protected health
disclosure by more than one entity, or address is known to the covered entity. information. One commenter, however,
by a class of entities, such as all As noted above, we also add a provision noted that most audit control systems
physicians who have provided medical allowing for a summary accounting of do not retain data on activity for
treatment to the individual. Absent the recurrent disclosures. We note that indefinite periods of time.
accounting, the individual cannot know some of the activities of concern to Other commenters noted that laws
whether a particular covered entity has commenters may fall under the governing the length of retention of
acted on the authorization. definition of health care operations (see clinical records vary by state and by
We agree, however, that it is § 164.501 and the associated preamble). provider type and suggested that entities
unnecessarily burdensome to require Comment: A commenter asked that be allowed to adhere to state laws or
covered entities to provide the we limit the accounting to information policies established by professional
individual with a copy of the pertaining to the medical record itself, organizations or accrediting bodies.
authorization. We remove the as opposed to protected health Some commenters suggested that the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00283 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82744 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

language be clarified to state that about the proposed requirement that a covered entity, such as an office
whatever minimum requirements are in covered health care provider or health manager in a small entity or an
place for the record should also guide plan act as soon as possible. information officer or compliance
covered entities in retaining their Response: We agree with concerns official in a larger institution. Cost
capacity to account for disclosures over raised by commenters and in the final estimates for the privacy official are
that same time, but no longer. rule, covered entities are required to discussed in detail in the overall cost
Several commenters asked us to provide a requested accounting no later analysis.
consider specific time limits. It was than 60 days after receipt of the request. Comment: A few commenters argued
pointed out that proposed We also provide for one 30 day for more flexibility in meeting the
§ 164.520(f)(6) of the NPRM set a six- extension if the covered entity is unable requirement for accountability. One
year time limit for retaining certain to provide the accounting within the health care provider maintained that
information including authorization standard time frame. We eliminate the covered entities should be able to
forms and contracts with business requirement for a covered entity to act establish their own system of
partners. Included in this list was the as soon as possible. accountability. For example, most
accounting of disclosures, but this We recognize that circumstances may physician offices already have the
requirement was inconsistent with the arise in which an individual will patient protections incorporated in the
more open-ended language in § 164.515. request an accounting on an expedited proposed administrative requirements—
Commenters suggested that deferring to basis. We encourage covered entities to the commenter urged that the regulation
this six-year limit would make this implement procedures for handling should explicitly promote the
provision consistent with other record such requests. The time limitation is application of flexibility and scalability.
retention provisions of the standard and intended to be an outside deadline, A national physician association noted
might relieve some of the burden rather than an expectation. We expect that, in small offices, in particular,
associated with implementation. Other covered entities always to be attentive to responsibility for the policies and
specific time frames suggested were two the circumstances surrounding each procedures should be allowed to be
years, three years, five years, and seven request and to respond in an shared among several people. A major
years. appropriate time frame. manufacturing corporation asserted that
Another option suggested by Comment: A commenter asked that mandating a privacy official is
commenters was to keep the accounting we provide an exemption for unnecessary and that it would be
record for as long as entities have the disclosures related to computer preferable to ask for the development of
information maintained and ‘‘active’’ on upgrades, when protected health policies that are designed to ensure that
their systems. Information permanently information is disclosed to another processes are maintained to assure
taken off the covered entity’s system entity solely for the purpose of compliance.
and sent to ‘‘dead storage’’ would not be establishing or checking a computer Response: We believe that a single
covered. One commenter further system. focal point is needed to achieve the
recommended that we not require Response: This activity falls within necessary accountability. At the same
entities to maintain records or account the definition of health care operations time, we recognize that covered entities
for prior disclosures for members who and is, therefore, excluded from the are organized differently and have
have ‘‘disenrolled.’’ accounting requirement. different information systems. We
Response: We agree with commenters therefore do not prescribe who within a
who suggested we establish a specific Section 164.530—Administrative covered entity must serve as the privacy
period for which an individual may Requirements official, nor do we prohibit combining
request an accounting. In the final rule, this function with other duties. Duties
Section 164.530(a)—Designation of a
we provide that individuals have a right may be delegated and shared, so long as
Privacy Official and Contact Person
to an accounting of the applicable there is one point of accountability for
disclosures that have been made in the Comment: Many of the commenters the covered entity’s policies and
six-year period prior to a request for an on this topic objected to the cost of procedures and compliance with this
accounting. We adopt this time frame to establishing a privacy official, including regulation.
conform with the other documentation the need to hire additional staff, which Comment: Some commenters echoed
retention requirements in the rule. We might need to include a lawyer or other the proposal of a professional
also note that an individual may highly paid individual. information management association
request, and a covered entity may then Response: We believe that designation that the regulation establish formal
provide, an accounting of disclosures of a privacy official is essential to qualifications for the privacy official,
for a period of time less than six years ensure a central point of accountability suggesting that this should be a
from the date of the request. For within each covered entity for privacy- credentialed information management
example, an individual could request an related issues. The privacy official is professional with specified minimum
accounting only of disclosures that charged with developing and training standards. One commenter
occurred during the year prior to the implementing the policies and emphasized that the privacy official
request. In addition, we note that procedures for the covered entity, as should be sufficiently high in
covered entities do not have to account required throughout the regulation, and management to have influence.
for disclosures that occurred prior to the for compliance with the regulation Response: While there may be some
compliance date of this rule. generally. While the costs for these advantages to establishing formal
Comments: Commenters asked that activities are part of the costs of qualifications, we concluded the
we provide more time for entities to compliance with this rule, not extra disadvantages outweigh the advantages.
respond to requests for accounting. costs associated with the designation of Since the job of privacy official will
Suggestions ranged from 60 days to 90 a privacy official, we do anticipate that differ substantially among organizations
days. Another writer suggested that there will be some cost associated with of varying size and function, specifying
entities be able to take up to three 30- this requirement. The privacy official a single set of qualifications would
day extensions from the original 30-day role may be an additional responsibility sacrifice flexibility and scalability in
deadline. Commenters raised concerns given to an existing employee in the implementation.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00284 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82745

Comment: A few commenters the discretion of the covered entity. covered entities to monitor business
suggested that we provide guidance on Some commenters supported retraining associates’ establishment of specific
the tasks of the privacy official. One only in the event of a material change. training requirements. Covered entities’
noted that this would reduce the burden Some commenters supported the responsibility for breaches of privacy by
on covered entities to clearly identify training requirement as specified in the their business associates is described in
those tasks during the initial HIPAA NPRM. §§ 164.504(e) and 164.530(f). If a
implementation phase. Response: For the reasons cited by the covered entity believes that including a
Response: The regulation itself commenters, we eliminate the triennial training requirement in one or more of
outlines the tasks of the privacy official, recertification requirements in the final its business associate contracts is an
by specifying the policies and rule. We also clarify that retraining is appropriate means of protecting the
procedures required, and otherwise not required every three years. health information provided to the
explaining the duties of covered Retraining is only required in the case business associate, it is free to do so.
entities. Given the wide variation in the of material changes to the privacy Comments: Many commenters argued
function and size of covered entities, policies and procedures of the covered that training, as well as all of the other
providing further detail here would entity. administrative requirements, are too
unnecessarily reduce flexibility for Comment: Several commenters costly for covered entities and that small
covered entities. We will, however, objected to the burden imposed by practices would not be able to bear the
provide technical assistance in the form required signatures from employees added costs. Commenters also suggested
of guidance on the various provisions of after they are trained. Many commenters that HHS should provide training
the regulation before the compliance suggested that electronic signatures be materials at little, or no, cost to the
date. accepted for various reasons. Some felt covered entity.
Comment: Some comments expressed that it would be less costly than Response: For the final regulation, we
concern that the regulation would manually producing, processing, and make several changes to the proposed
require a company with subsidiaries to retaining the hard copies of the forms. provisions. We believe that these
appoint a privacy official within each Some suggested sending out the notice changes address the issue of
subsidiary. Instead they argued that the to the personal workstation via email or administrative cost and burden to the
corporate entity should have the option some other electronic format and having greatest extent possible, consistent with
of designating a single corporate official staff reply via email. One commenter protecting the privacy of health
rather than one at each subsidiary. suggested that the covered entity might information. In enforcing the privacy
Response: In the final regulation, we opt to give web based training instead rule, we expect to provide general
give covered entities with multiple of classroom or some other type. The training materials. We also hope to work
subsidiaries that meet the definition of commenter indicated that with web with professional associations and other
covered entities under this rule the based training, the covered entity could groups that target classes of providers,
flexibility to designate whether such record whether or not an employee had plans and patients, in developing
subsidiaries are each a separate covered received his or her training through the specialized material for these groups.
entity or are together a single covered use of a guest book or registration form We note that, under long-standing
entity. (See § 164.504(b) for the rules on the web site. Thus, a physical legal principles, entities are generally
requiring such designation.) If only one signature should not be required. responsible for the actions of their
covered entity is designated for the Response: We agree that there are workforce. The requirement to train
subsidiaries, only one privacy officer is many appropriate mechanisms by workforce members to implement the
needed. Further, we do not prohibit the which covered entities can implement covered entity’s privacy policies and
privacy official of one covered entity their training programs, and therefore procedures, and do such things as pass
from serving as the privacy official of remove this requirement for signature. evidence of potential problems to those
another covered entity, so long as all the We establish only a general requirement responsible, is in line with these
requirements of this rule are met for that covered entities document principles. For example, the comments
each such covered entity. compliance with the training and our fact finding indicate that, today,
requirement. many hospitals require their workforce
Section 164.530(b)—Training Comment: Some commenters were members to sign a confidentiality
Comment: A few commenters felt that concerned that there was no proposed agreement, and include confidentiality
the proposed provision was too requirement for business associates to matters in their employee handbooks.
stringent, and that the content of the receive training and/or to train their
training program should be left to the employees. The commenters believed Section 164.530(c)—Safeguards
reasonable discretion of the covered that if the business associate violated Comments: A few comments assert
entity. any privacy requirements, the covered that the rule requires some institutions
Response: We clarify that we do not entity would be held accountable. These that do not have adequate resources to
prescribe the content of the required commenters urged the Secretary to develop costly physical and technical
training; the nature of the training require periodic training for appropriate safeguards without providing a funding
program is left to the discretion of the management personnel assigned outside mechanism to do so. Another comment
covered entity. The scenarios in the of the component unit of the covered said that the vague definitions of
NPRM preamble of potential approaches entity, including business associates. adequate and appropriate safeguards
to training for different sized covered Other commenters felt that it would not could be interpreted by HHS to require
entities were intended as examples of be fair to require covered entities to the purchase of new computer systems
the flexibility and scalability of this impose training requirements on and reprogram many old ones. A few
requirement. business associates. other comments suggested that the
Comment: Most commenters on this Response: We do not have the safeguards language was vague and
provision asserted that recertification/ statutory authority directly to require asked for more specifics.
retraining every three years is excessive, business associates to train their Response: We require covered entities
restrictive, and costly. Commenters felt employees. We also believe it would be to maintain safeguards adequate for
that retraining intervals should be left to unnecessarily burdensome to require their operations, but do not require that

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00285 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82746 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

specific technologies be used to do so. Response: We agree, and have commenter asked that the final Security
Safeguards need not be expensive or incorporated such a requirement in Rule be published immediately and not
high-tech to be effective. Sometimes, it § 164.504. wait for an expected delay while
is an adequate safeguard to put a lock Comments: One commenter agreed privacy policies are worked out.
on a door and only give the keys to with the need for administrative, Response: Now that this final privacy
those who need access. As described in physical, and technical safeguards, but rule has been published in a timely
more detail in the preamble discussion took issue with our specification of the manner, the final Security Rule can be
of § 164.530, we do not require covered type of documentation or proof that the harmonized with it and published soon.
entities to guarantee the safety of covered entity is taking action to Comments: Several commenters
protected health information against all safeguard protected health information. echoed an association recommendation
assaults. This requirement is flexible Response: This privacy rule does not that, for those organizations that have
and scalable to allow implementation of require specific forms of proof for implemented a computer based patient
required safeguards at a reasonable cost. safeguards. record that is compliant with the
Comments: A few commenters noted Comments: A few commenters asked requirements of the proposed Security
that once protected health information that, for the requirement for a signed Rule, the minimum necessary rule
becomes non-electronic, by being certification of training and the should be considered to have been met
printed for example, it escapes the requirements for verification of identity, by the implementation of role-based
protection of the safeguards in the we consider the use of electronic access controls.
proposed Security Rule. They asked if signatures that meet the requirements in Response: The privacy regulation
this safeguards requirement is intended the proposed security regulation to meet applies to paper records to which the
the requirements of this rule. proposed Security Rule does not apply.
to install similar security protections for
Response: In this final rule, we drop Thus, taking the approach suggested by
non-electronic information.
the requirements for signed these comments would leave a
Response: This provision is not certifications of training. Signatures are significant number of health records
intended to incorporate the provisions required elsewhere in this regulation, unprotected. Further, since the final
in the proposed Security regulation into for example, for a valid authorization. In Security Rule is not yet published and
this regulation, or to otherwise require the relevant sections we clarify that the number of covered entities that have
application of those provisions to paper electronic signatures are sufficient implemented this type of computer-
records. provided they meet standards to be based patient record systems is still
Comments: Some commenters said adopted under HIPAA. In addition, we small, we cannot make a blanket
that it was unclear what ‘‘appropriate’’ do not intend to interfere with the statement. We note that this regulation
safeguards were required by the rule application of the Electronic Signature requires covered entities to develop
and who establishes the criteria for in Global and National Commerce Act. role-based access rules, in order to
them. A few noted that the privacy Comments: A few commenters implement the requirements for
safeguards were not exactly the same as requested that the privacy requirements ‘‘minimum necessary’’ uses and
the security safeguards, or that the for appropriate administrative, disclosures of protected health
‘‘other safeguards’’ section was too technical, and physical safeguards be information. Thus, this regulation
vague to implement. They asked for considered to have been met if the provides a foundation for the type of
more clarification of safeguards requirements of the proposed Security electronic system to which these
requirements and flexible solutions. Rule have been met. Others requested comments refer.
Response: In the preamble discussion that the safeguards requirements of the
of § 164.530, we provide examples of final Privacy Rule mirror or be Section 164.530(d)—Complaints to the
types of safeguards that can be harmonized with the final Security Rule Covered Entity
appropriate to satisfy this requirement. so they do not result in redundant or Comment: Several commenters felt
Other sections of this regulation require conflicting requirements. that some form of due process is needed
specific safeguards for specific Response: Unlike the proposed when it comes to internal complaints.
circumstances. The discussion of the regulation, the final regulation covers all Specifically, they wanted to be assured
requirements for ‘‘minimum necessary’’ protected health information, not just that the covered entity actually hears
uses and disclosures of protected health information that had at some point been the complaints made by the individual
information includes related guidance electronic. Thus, these commenters’ and that the covered entity resolves the
for developing role-based access assumption that the proposed Privacy complaint within a reasonable time
policies for a covered entity’s workforce. Rule and the proposed Security Rule frame. Without due process the
The requirements for ‘‘component covered the same information is not the commenters felt that the internal
entities’’ include requirements for case, and taking the approach suggested complaint process is open ended. Some
firewalls to prevent access by by these comments would leave a commenters wanted the final rule to
unauthorized persons. The proposed significant number of health records include an appeals process for
Security Rule included further details unprotected. The safeguards required by individuals if a covered entity’s
on what safeguards would be this regulation are appropriate for both determination in regards to the
appropriate for electronic information paper and electronic information. We complaint is unfavorable to the
systems. The flexibility and scalability will take care to ensure that the final individual.
of these rules allows covered entities to Security Rule works in tandem with Response: We do not require covered
analyze their own needs and implement these requirements. entities to implement any particular due
solutions appropriate for their own Comments: One commenter requested process or appeals process for
environment. that the final privacy rule be published complaints, because we are concerned
Comments: A few comments asked for before the final Security Rule, about the burden this could impose on
a requirement for a firewall between a recognizing that the privacy policies covered entities. We provide
health care component and the rest of a must be in place before the security individuals with an alternative to take
larger organization as another technology used to implement them their complaints to the Secretary. We
appropriate safeguard. could be worked out. Another believe that this provides incentives for

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00286 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82747

covered entities to implement a Section 164.530(e)—Sanctions the NPRM, then the covered entities
complaint process that resolves Comment: Commenters argued that should be allowed to come up with
complaints to individuals’ satisfaction. most covered entities already have strict sanctions as appropriate at the time of
Comment: Some commenters felt that sanctions in place for violations of a the violation. Some commenters wanted
the individual making the complaint patient’s privacy, either due to current a better explanation and understanding
should exhaust all other avenues to laws, contractual obligations, or good of what HHS’ expectation is of when is
resolve their issues before filing a operating practices. Requiring covered it appropriate to apply sanctions. Some
complaint with the Secretary. A number entities to create a formal sanctioning commenters felt that the sanctioning
of commenters felt that any complaint requirement is nebulous and requires
process would be superfluous.
being filed with the Secretary should Response: We believe it is important independent judgment of compliance;
include documentation of the reviews for the covered entity to have these as a result it is hard to enforce.
done by the covered entity. Offending individuals may use the
sanction policies and procedures
vagueness of the standard as an defense.
Response: We reject these suggestions, documented so that employees are
Response: We agree with the
for two reasons. First, we want to avoid aware of what actions are prohibited
commenters that argue that covered
establishing particular process and punishable. For entities that already
entities should be allowed to determine
requirements for covered entities’ have sanctions policies in place, it
the specific sanctions as appropriate at
complaint programs. Also, this rule does should not be problematic to document
the time of the violation. We believe it
not require the covered entity to share those policies. We do not define the
is more appropriate to leave this
any information with the complainant, particular sanctions that covered
judgment to the covered entity, because
only to document the receipt of the entities must impose.
the covered entity will be familiar with
complaint and the resolution, if any. Comment: Several commenters agreed
the circumstances of the violation and
Therefore, we cannot expect the that training should be provided and
the best way to improve compliance.
complainant to have this information available to submit to the Secretary. Second, we believe the individual making the complaint should have the right to share the complaint with the Secretary at any point in time. This approach is consistent with existing civil rights enforcement programs for which the Department is responsible. Based on that experience, we believe that most complaints will come first to covered entities for disposition.

Comment: Some commenters wanted the Department to prescribe a minimum amount of time before the covered entity could dispose of the complaints. They felt that storing these complaints indefinitely would be cumbersome and expensive.

Response: We agree, and in the final rule require covered entities to keep all items that must be documented, including complaints, for at least six years from the date of creation.

Comments: Some commenters objected to the need for covered entities to have at least one employee, if not more, to deal with complaints. They felt that this would be costly and is redundant in light of the designation of a contact person to receive complaints.

Response: We do not require assignment of dedicated staff to handle complaints. The covered entity can determine staffing based on its needs and business practices. We believe that consumers need one clear point of contact for complaints, so that this provision effectively informs consumers how to lodge complaints and so that the complaint will get to someone who knows how to respond. The contact person (or office) is for receipt of complaints, but need not handle the complaints.

expectations should be clear so that individuals are not sanctioned for doing things that they did not know were wrong or inappropriate. A good faith exception should be included in the final rule to protect these individuals.

Response: We agree that employees should be trained to understand the covered entity's expectations and understand the consequences of any violation. This is why we are requiring each covered entity to train its workforce. However, we disagree that a good faith exception is explicitly needed in the final rule. We leave the details of sanctions policies to the discretion of the covered entity. We believe it is more appropriate to leave this judgment to the covered entity that will be familiar with the circumstances of the violation, rather than to specify such requirements in the regulation.

Comment: Some commenters felt that the sanctions need to reach business partners as well, not just employees of the covered entities. These commenters felt all violators should be sanctioned, including government officials and agencies.

Response: All members of a covered entity's workforce are subject to sanctions for violations, including government officials who are part of a covered entity's workforce. Requirements for addressing privacy violations by business associates are discussed in §§ 164.504(e) and 164.530(f).

Comments: Many commenters appreciated the flexibility left to the covered entities to determine sanctions. However, some were concerned that the covered entity would need to predict each type of violation and the associated sanction. They argue that, if the Department could not determine this in

Comment: A commenter felt that the self-imposition of this requirement is an inadequate protection, as there is an inherent conflict of interest when an entity must sanction one of its own.

Response: We believe it is in the covered entity's best interests to appropriately sanction those individuals who do not follow the outlined policies and procedures. Allowing violations to go unpunished may lead to bigger problems later, and result in complaints being registered with the Department by aggrieved parties and/or an enforcement action.

Comment: This provision should cover all violations, not just repeat violations.

Response: We do not limit this requirement to repeat offenses.

Section 164.530(f)—Duty To Mitigate

Comments: A few commenters felt that any duty to mitigate would be onerous, especially for small entities. One commenter supported an affirmative duty to mitigate for employees of the covered entity, as long as there is no prescribed mitigation policy. One commenter stated that a requirement for mitigation is unnecessary because any prudent entity would do it.

Some practitioner organizations, as well as a health plan, expressed concern about the obligation to mitigate in the context of the business associate relationship. Arguing that it is unnecessary for the regulation to explicitly extend the duty to mitigate to business associates, commenters noted that any prudent entity would discipline a vendor or employee that violates a regulation; that the matter is best left to the terms of the contract; and that it is difficult and expensive for a

82748 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

business associate to have a separate set of procedures on mitigation for each client/provider. One commenter suggested that the federal government should fund the monitoring needed to administer the requirement.

Response: Eliminating the requirement to mitigate harm would undermine the purposes of this rule by reducing covered entities' accountability to their patients for failure to protect their confidential data. To minimize burden, we do not prescribe what mitigation policies and procedures must be implemented. We require only that the covered entity mitigate harm. We also assume that violations will be rare, and so the duty to mitigate harm will rarely be triggered. To the extent a covered entity already has methods for mitigating harm, this rule will not pose significant burden, since we don't require the covered entity to follow any prescribed method or set of rules.

We also modify the NPRM to impose the duty to mitigate only where the covered entity has actual knowledge of harm. Further reducing burden, the rule requires mitigation "to the extent practicable." It does not require the covered entity to eliminate the harm unless that is practicable. For example, if protected health information is inadvertently provided to a third party without authorization in a domestic abuse situation, the covered entity would be expected to promptly contact the patient as well as appropriate authorities and apprise them of the potential danger.

The harm to the individual is the same, whether the privacy breach was caused by a member of the covered entity's workforce, or by a contractor. We believe the cost of this requirement to be minimal for covered entities that engage in prudent business practices for exchanging protected health information with their business associates.

Comment: A few commenters noted that it is difficult to determine whether a violation has resulted in a deleterious effect, especially as the entity cannot know all places to which information has gone and uses that have been made of it. Consequently, there should be a duty to mitigate even if a deleterious effect cannot be shown, because the individual has no other redress.

Response: As noted above, this provision only applies if the covered entity has actual knowledge of the harm, and requires mitigation "to the extent practicable." The covered entity is expected to take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another individual, and what steps can actually have a mitigating effect in that specific situation.

Comments: Commenters stated that the language of the regulation was in some places vague and imprecise, thus providing covered entities with insufficient guidance and allowing variation in interpretation. Commenters also noted that this could result in inconsistency in implementation as well as permitting such inconsistency to be used as a defense by an offending entity. Particular language for which at least one commenter requested clarification included "reasonable steps" and what is entailed in the duty to mitigate.

Response: We considered ways in which we might increase specificity, including defining "to the extent practicable" and "reasonable steps" and relating the mitigating action to the deleterious impact. While this approach could remove from the covered entity the burden of decision-making about actions that need to be taken, we believe that other factors outweighed this potential benefit. Not only would there be a loss of desirable flexibility in implementation, but it would not be possible to define "to the extent practicable" in a way that makes sense for all types of covered entities. We believe that allowing flexibility and judgment by those familiar with the circumstances to dictate the approach is the best approach to mitigating harm.

Section 164.530(g)—Refraining From Intimidating or Retaliatory Acts

Comment: Several commenters stated that the regulation should prohibit covered entities from engaging in intimidating or retaliatory acts against any person, not just against the "individual," as proposed. They suggested adding "or other person or entity" after "any individual."

Response: We agree, and allow any person to file a complaint with the Secretary. "Person" is not limited to natural persons, but includes any type of organization, association or group such as other covered entities, health oversight agencies and advocacy groups.

Comment: A few commenters suggested deleting this provision in its entirety. One commenter indicated that the whistleblower and retaliation provisions could be inappropriately used against a hospital and that the whistleblower's ability to report numerous violations will result in a dangerous expansion of liability. Another commenter stated that covered entities could not take action against an employee who had violated the employer's privacy provisions if this employee files a complaint with the Secretary.

Several commenters suggested deleting "in any manner" and "or opposing any act or practice made unlawful by this subpart" in § 164.522(d)(4). The commenters indicated that, as proposed, the rule would make it difficult to enforce compliance within the workforce. One commenter stated that the proposed 164.522(d)(4) "is extremely broad and may allow an employee to reveal protected health information to fellow employees, the media and others (e.g., an employee may show a medical record to a friend or relative before filing a complaint with the Department)." This commenter further stated that covered entities will "absolutely be prevented from prohibiting such conduct." One commenter suggested adding that a covered entity may take disciplinary action against any member of its work force or any business partner who uses or discloses individually identifiable health information in violation of this subpart in any manner other than through the processes set forth in the regulation.

Response: To respond to these comments, we make several changes to the proposed provision.

First, where the activity does not involve the filing of a complaint under § 160.306 of this part or participation in an investigation or proceeding initiated by the government under the rule, we delete the phrase "in any manner" and add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart be in good faith, and that the expression of that opposition must be reasonable.

Second, we add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart must not involve a disclosure of protected health information that is in violation of this subpart. Thus, the employee who discloses protected health information to the media or friends is not protected. In providing interpretations of the retaliation provision, we will consider existing interpretations of similar provisions such as the guidance issued by EEOC in this regard.

Section 164.530(h)—Waiver of Rights

There are no comments directly about this section because it was not included in the proposed rule.

Section 164.530(i)—Policies and Procedures and § 164.530(j)—Documentation Requirements

Comments: Many of the comments to this provision addressed the costs and

Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82749

complexity of the regulation as a whole, not the additional costs of documenting policies and procedures per se. Some did, either implicitly or explicitly, object to the need to develop and document policies and procedures as creating excessive administrative burden. Many of these commenters also asserted that there is a contradiction between the administrative burden of this provision and one of the statutory purposes of this section of the HIPAA to reduce costs through administrative simplification. Suggested alternatives were generally reliance on existing regulations and ethical standards, or on current business practices.

Response: A specific discussion of cost and burden is found in the Regulatory Impact Analysis of this final rule.

We do not believe there is a contradiction between the administrative costs of this provision and the goal of administrative simplification. In the Administrative Simplification provisions of the HIPAA, Congress combined a mandate to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords, with a mandate to improve privacy and confidentiality protections. Congress recognized, and we agree, that the benefits of electronic commerce can also cause increased vulnerability to inappropriate access and use of medical information, and so must be balanced with increased privacy protections. By including the mandate for privacy standards in section 264 of the HIPAA, Congress determined that existing regulations and ethical standards, and current business practices were insufficient to provide the necessary protections.

Congress mandated that the total benefits associated with administrative simplification must outweigh its costs, including the costs of implementing the privacy regulation. We are well within this mandate.

Comments: Several commenters suggested that the documentation requirements not be established as a standard under the regulation, because standards are subject to penalties. They recommended that we delete the documentation standards and instead provide specific guidance and technical assistance. Several commenters objected to the suggestion in the NPRM that professional associations assist their members by developing appropriate policies for their membership. Several commenters representing professional associations believed this to be an onerous and costly burden for the associations, and suggested instead that we develop specific models which might require only minor modification. Some of these same associations were also concerned about liability issues in developing such guidelines. One commenter argued that sample forms, procedures, and policies should be provided as part of the Final Rule, so that practitioners would not be overburdened in meeting the demands of the regulations. They urged us to apply this provision only to larger entities.

Response: The purpose of requiring covered entities to develop policies and procedures for implementing this regulation is to ensure that important decisions affecting individuals' rights and privacy interests are made thoughtfully, not on an ad hoc basis. The purpose of requiring covered entities to maintain written documentation of these policies is to facilitate workforce training, and to facilitate creation of the required notice of information practices. We further believe that requiring written documentation of key decisions about privacy will enhance accountability, both within the covered entity and to the Department, for compliance with this regulation.

We do not include more specific guidance on the content of the required policies and procedures because of the vast difference in the size of covered entities and types of covered entities' businesses. We believe that covered entities should have the flexibility to design the policies and procedures best suited to their business and information practices. We do not exempt smaller entities, because the privacy of their patients is no less important than the privacy of individuals who seek care from large providers. Rather, to address this concern we ensure that the requirements of the rule are flexible so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems.

We understand that smaller covered entities may require some assistance, and intend to provide such technical assistance after publication of this rule. We hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. Our discussions with several such organizations indicate their intent to work on various aspects of model documentation, including forms. Because the associations' comments regarding concerns about liability did not provide sufficient details, we cannot address them here.

Comment: Many commenters discussed the need for a recognition of scalability of the policies and procedures of an entity based on size, capabilities, and needs of the participants. It was noted that the actual language of the draft regulations under § 164.520 did not address scalability, and suggested that some scalability standard be formally incorporated into the regulatory language and not rely solely on the NPRM introductory commentary.

Response: In § 164.530(i)(1) of the final rule, we require covered entities to implement policies and procedures that take into account the size of the covered entity and the types of activities that relate to protected health information undertaken by the covered entity.

Comment: One commenter objected to our proposal to allow covered entities to make uses or disclosures not permitted by their current notice if a compelling reason exists to make the use or disclosure and the entity documents the reasons and changes its policies within 30 days of the use or disclosure. The commenter argued that the subjective language of the regulation might give entities the ability to engage in post hoc justifications for violations of their own information practices and policies. The commenter suggested that there should be an objective standard for reviewing the covered entity's reasons before allowing the covered entity to amend its policies.

Response: We eliminate this provision from the final rule. The final rule requires each covered entity to include in its notice of information practices a statement of all permitted uses under this rule, not just those in which the covered entity actually engages at the time of that notice.

Comment: Some commenters expressed concern that the required retention period in the NPRM applied to the retention of medical records.

Response: The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records.

Comments: Comments on the six-year retention period were mixed. Some commenters endorsed the six-year retention period for maintaining documentation. One of the comments stated this retention period would assist physicians legally. Other commenters believed that the retention period would be an undue burden. One commenter noted that most State Board of Pharmacy regulations require

82750 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

pharmacies to keep records for two years, so the six-year retention period would triple document retention costs.

Response: We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.

Section 164.530(k)—Group Health Plans

There were no comments directly about this section because it was not included in the proposed rule.

Section 164.532—Transition Provisions

Comment: Commenters urged the Department to clarify whether the "reach of the transition requirement" is limited to a particular time frame, to the provider's activities in a particular job, or work for a particular employer. For example, one commenter questioned how long a nurse is a covered entity after she moves from a job reviewing files with protected health information to an administrative job that does not handle protected health information; or whether an occupational health nurse who used to transmit first reports of injury to her company's workers' compensation carrier last year but no longer does so this year because of a carrier change still is a covered entity.

Response: Because this comment addresses a question of enforcement, we will address it in the enforcement regulation.

Comment: Several commenters sought clarification as to the application of the privacy rule to research already begun prior to the effective date or compliance date of the final rule. These commenters argued that applying the privacy rule to research already begun prior to the rule's effective date would substantially overburden IRBs and that the resulting research interruptions could harm participants and threaten the reliability and validity of conclusions based upon clinical trial data. The commenters recommended that the rule grandfather in any ongoing research that has been approved by and is under the supervision of an IRB.

Response: We generally agree with the concerns raised by commenters. In the final rule, we have provided that covered entities may rely upon consents, authorizations, or other express legal permissions obtained from an individual for a specific research project that includes the treatment of individuals to use or disclose protected health information the covered entity obtained before or after the applicable compliance date of this rule as long as certain requirements are met. These consents, authorizations, or other express legal permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project or be a general consent of the individual to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.

In regard to research projects that include the treatment of individuals, such as clinical trials, covered entities engaged in these projects will have obtained at least an informed consent from the individual to participate in the project. In some cases, the researcher may also have obtained a consent, authorization, or other express legal permission to use or disclose individually identifiable health information in a specific manner. To avoid disrupting ongoing research and because the participants have already agreed to participate in the project (which expressly permits or implies the use or disclosure of their protected health information), we have grandfathered in these consents, authorizations, and other express legal permissions.

It is unlikely that a research project that includes the treatment of individuals could proceed under the Common Rule with a waiver of informed consent. However, to the extent such a waiver has been granted, we believe individuals participating in the project should be able to determine how their protected health information is used or disclosed. Therefore, we require researchers engaged in research projects that include the treatment of individuals who obtained an IRB waiver of informed consent under the Common Rule to obtain an authorization or a waiver of such authorization from an IRB or a privacy board under § 164.512(i) of this rule.

If a covered entity obtained a consent, authorization, or other express legal permission from the individual who is the subject of the research, it would be able to rely upon that consent, authorization, or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation. If a covered entity wishes to use or disclose protected health information but no such consent, authorization, or permission exists, it must obtain an authorization pursuant to § 164.508 or obtain a waiver of authorization under § 164.512(i). To the extent such a project is ongoing and the researchers are unable to locate the individuals whose protected health information they are using or disclosing, we believe the IRB or privacy board under the criteria set forth in § 164.512(i) will be able to take that circumstance into account when conducting its review. In most instances, we believe this type of research will be able to obtain a waiver of authorization and be able to continue uninterrupted.

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.

Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopt privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and health care clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation.

Consistent with the definition of individually identifiable health information in HIPAA, of which protected health information is a subset, we do not distinguish between protected health information in research records and protected health information in other records. Thus, a covered entity's research records are subject to this regulation to the extent they contain protected health information.

Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82751

Section 164.534—Effective Date and Compliance Date

Section 1175(b)(1)(A) of the Act requires all covered entities other than small health plans to comply with a standard or implementation specification "not later than 24 months after the date on which an initial standard or implementation specification is adopted or established"; section 1175(b)(1)(B) provides that small health plans must comply not later than 36 months after that date. The proposed rule provided, at proposed § 164.524 (which was titled "Effective date"), that a covered entity was required to be in compliance with the proposed subpart E not later than 24 months following the effective date of the rule, except that small health plans were required to be in compliance not later than 36 months following the effective date of the rule.

The final rules retain these dates in the text of Subpart E, but denominate them as "compliance dates," to distinguish the statutory dates from the date on which the rules become effective. The effective date of the final rules is 60 days following publication in the Federal Register.

Meaning of Effective Date

Comment: A number of commenters expressed confusion about the difference between the effective date of the rule and the effective date on which compliance was required (the statutory compliance dates set out at section 1175(b)(1), summarized above).

Response: The Department agrees that the title of proposed § 164.524 was confusing. Similar comments were received on the Transactions Rule. Those comments were addressed by treating the "effective date" of the rule as the date on which adoption takes effect (the "Effective Date" heading at the beginning of the preamble), while the dates provided for by section 1175(b)(1) of the statute were denominated as "compliance dates." These changes are reflected in the definition of "compliance date" in § 160.103 below (initially published as part of the Transactions Rule) and are also reflected at § 164.534 below. Section 164.534 below has also been reorganized to follow the organization of the analogous provisions of the Transactions Rule. The underlying policy, however, remains as proposed.

Extend the Compliance Date

Comment: Some commenters recommended that the compliance date be extended. A number of comments objected that the time frame for compliance with the proposed standards is unrealistically short. It was pointed out that providers and others would have to do the following, among other things, prior to the applicable compliance date: assess their current systems and departments, determine which state laws were preempted and which were not, update and reprogram computer systems, train workers, create and implement the required privacy policies and procedures, and create or update contracts with business partners. One comment also noted that the task of coming into compliance during the same time period with the other regulations being issued under HIPAA would further complicate the task. These comments generally supported an extension of the compliance dates by one or more years. Other comments supported extending the compliance dates on the ground that the complexity of the tasks involved in implementing the regulation would be a heavy financial burden for providers and others, and that they should be given more time to comply, in order to spread the associated capital and workforce costs over a longer period. It was also suggested that there be provision for granting extensions of the compliance date, based on some criteria, such as a good faith effort to comply, or that the compliance dates be extended to two years following completion of a "state-by-state preemption analysis" by the Department.

Response: The Secretary acknowledges that covered entities will have to make changes to their policies and procedures during the period between the effective date of the rules below and the applicable compliance dates. The delayed compliance dates which the statute provides for constitute a recognition of the fact that changes will be required and are intended to permit covered entities to manage and implement these changes in an orderly fashion. However, because the time frames for compliance with the initial standards are established by statute, the Secretary has no discretion to extend them: compliance is statutorily required "not later than" the applicable compliance date. Nor do we believe that it would be advisable to accomplish this result by delaying the effective date of the final rules beyond 60 days. Since the Transactions Rule is now in effect, it is imperative to bring the privacy protections afforded by the rules below into effect as soon as possible. Retaining the delayed effective date of 60 days, as originally contemplated, will minimize the gap between transactions covered by those rules and not also afforded protection under the rules below.

Phase-in Requirements

Comment: Several comments suggested that the privacy standards be phased in gradually, to ease the manpower and cost burdens of compliance. A couple of equipment manufacturing groups suggested that updating of various types of equipment would be necessary for compliance purposes, and suggested a phased approach to this—for example, an initial phase consisting of preparation of policies, plans, and risk assessments, a second phase consisting of bringing new equipment into compliance, and a final phase consisting of bringing existing equipment into compliance.

Response: As noted in the preceding response, section 1175(b)(1) does not allow the Secretary discretion to change the time frame within which compliance must be achieved. Congress appears to have intended the phasing in of compliance to occur during the two-year compliance period, not thereafter.

Compliance Gap Vis-à-Vis State Laws and Small Health Plans

Comment: Several comments stated that, as drafted, the preemption provisions would be effective as of the rule's effective date (i.e., 60 days following publication), even though covered entities would not be required to comply with the rules for at least another two years. According to these comments, the "preempted" state laws would not be in effect in the interim, so that the actual privacy protection would decrease during that period. A couple of comments also expressed concern about how the preemption provisions would work, given the one-year difference in applicable compliance dates for small health plans and other covered entities. A state medical society pointed out that this gap would also be very troublesome for providers who deal with both "small health plans" and other health plans. One comment asked what entities that decided to come into compliance early would have to do with respect to conflicting state laws and suggested that, since all parties "need to know with confidence which laws govern at the moment, * * * [t]here should be uniform effective dates."

Response: We agree that clarification is needed with respect to the applicability of state laws in the interim between the effective date and the compliance dates. What the comments summarized above appeared to assume is that the preemption provisions of section 1178 operate to broadly and generally invalidate any state law that comes within their ambit. We do not agree that this is the effect of section

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00291 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82752 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

1178. Rather, what section 1178 does—where it acts to preempt—is to preempt the state law in question with respect to the actions of covered entities to which the state law applies. Thus, if a provision of state law is preempted by section 1178, covered entities within that state to which the state law applies do not have to comply with it, and must instead comply with the contrary federal standard, requirement, or implementation specification. However, as compliance with the contrary federal standard, requirement, or implementation specification is not required until the applicable compliance date, we do not view the state law in question as meeting the test of being "contrary." That is, since compliance with the federal standard, requirement, or implementation standard is not required prior to the applicable compliance date, it is possible for covered entities to comply with the state law in question. See § 160.202 (definition of "contrary"). Thus, since the state law is not "contrary" to an applicable federal standard, requirement, or implementation specification in the period before which compliance is required, it is not preempted.

Several implications of this analysis should be spelled out. First, one conclusion that flows from this analysis is that preemption is specific to covered entities and does not represent a general invalidation of state law, as suggested by many commenters. Second, because preemption is covered entity-specific, preemption will occur at different times for small health plans than it will occur for all other covered entities. That is, the preemption of a given state law for a covered entity, such as a provider, that is covered by the 24-month compliance date of section 1175(b)(1)(A) will occur 12 months earlier than the preemption of the same state law for a small health plan that is covered by the 36-month compliance date of section 1175(b)(1)(B). Third, the preemption occurs only for covered entities; a state law that is preempted under section 1178(a)(1) would not be preempted for persons and entities to which it applies who are not covered entities. Thus, to the extent covered entities or non-covered entities follow the federal standards on a voluntary basis (i.e., the covered entity prior to the applicable compliance date, the non-covered entity at any time), the state law in question will not be preempted for them.

Small Health Plans

Comment: Several comments, pointing to the "Small Business" discussion in the preamble to the proposed rules, applauded the decision to extend the compliance date to three years for small businesses. It was requested that the final rules clarify that the three year compliance date applies to small doctors' offices and other small entities, as well as to small health plans.

Response: We recognize that our discussion in the preamble to the proposed rules may have suggested that more covered entities came within the 36 month compliance date than is in fact the case. Again, this is an area in which we are limited by statute. Under section 1175(b) of the Act, only small health plans have three years to come into compliance with the standards below. Thus, other "small businesses" that are covered entities must comply by the two-year compliance date.

Coordination With the Security Standard

Comment: Several comments suggested that the security standard be issued either with or after the privacy standards. It was argued that both sets of standards deal with protecting health information and will require extensive personnel training and revisions to business practices, so that coordinating them would make sense. An equipment manufacturers group also pointed out that it would be logical for covered entities and their business partners to know what privacy policies are required in purchasing security systems, and that "the policies on privacy are implemented through the security standards rather than having already finalized security standards drive policy."

Response: We agree with these comments, and are making every effort to coordinate the final security standards with the privacy standards below. The privacy standards below are being published ahead of the security standards, which is also responsive to the stated concerns.

Prospective Application

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One provider group suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.

Response: These comments are addressed in connection with the discussion of § 164.532 above.

Impact Analyses

Cost/Benefit Analysis

Comment: Many commenters made general statements to the effect that the cost estimates for implementing the provisions of the proposed regulation were incomplete or greatly understated.

Response: The proposal, including the cost analysis, is, in effect, a first draft. The purpose of the proposal was to solicit public comment and to use those comments to refine the final regulation. As a result of the public comment, the Department has significantly refined our initial cost estimates for implementing this regulation. The cost analysis below reflects a much more complete analysis of the major components of the regulation than was presented in the proposal.

Comment: Numerous commenters noted that significant areas of potential cost had not been estimated and that if they were estimated, they would greatly increase the total cost of the regulation. Potential cost areas identified by various respondents as omitted from the analyses include the minimum disclosure requirements; the requisite monitoring by covered entities of business partners with whom they share private health information; creation of de-identified information; internal complaint processes; sanctions and enforcement; the designation of a privacy official and creation of a privacy board; new requirements for research/optional disclosures; and future litigation costs.

Response: We noted in the proposed rule that we did not have data from which to estimate the costs of many provisions, and solicited comments providing such data. The final analysis below reflects the best estimate possible for these areas, based on the information available. The data and the underlying assumptions are explained in the cost analysis section below.

Comment: A number of comments suggested that the final regulation be delayed until more thorough analyses could be undertaken and completed. One commenter stated that the Department should refrain from implementing the regulation until a more realistic assessment of costs could be made and include local governments in the process. Similarly, a commenter requested that the Department assemble an outside panel of health industry experts, including systems analysts, legal counsel, and management consultants to develop stronger estimates.

Response: The Department has engaged in extensive research, data collection and fact-finding to improve
the quality of its economic analysis. This has included comments from and discussions with the kinds of experts one commenter suggested. The estimates represent a reasonable assessment of the policies proposed.

Comment: Several commenters indicated that the proposed regulation would impose significant new costs on providers' practices. Furthermore, they believe that it runs counter to the explicit statutory intent of HIPAA's Administrative Simplification provisions which require that "any standard adopted * * * shall be consistent with the objective of reducing the administrative costs of providing and paying for health care."

Response: As the Department explained in the Transactions Rule, this provision applies to the administrative simplification regulations of HIPAA in the aggregate. The Transactions Rule is estimated to save the health care system $29.9 billion in nominal dollars over ten years. Other regulations published pursuant to the administrative simplification authority in HIPAA, including the privacy regulation, will result in costs, but these costs are within the statutory directive so long as they do not exceed the $29.9 billion in estimated savings. Furthermore, as explained in the Transactions Rule, and the preamble to this rule, assuring privacy is essential to sustaining many of the advances that computers will provide. If people do not have confidence that their medical privacy will be protected, they will be much less likely to allow their records to be used for any purpose or might even avoid obtaining necessary medical care.

Comment: Several commenters criticized the omission of aggregate, quantifiable benefit estimates in the proposed rule. Some respondents argued that the analysis in the proposed rule used "de minimis" cost estimates to argue only that benefits would certainly exceed such a low barrier. These commenters further characterized the benefits analysis in the Notice of Proposed Rulemaking as "hand waving" used to divert attention from the fact that no real cost-benefit comparison is presented. Another commenter stated that the benefit estimates rely heavily on anecdotal and unsubstantiated inferences. This respondent believes that the benefit estimates are based on postulated, but largely unsubstantiated causal linkages between increased privacy and earlier diagnosis and medical treatment.

Response: The benefits of privacy are diffused and intangible but real. Medical privacy is not a good people buy or sell in a market; therefore, it is very difficult to quantify. The benefits discussion in the proposal reflects this difficulty. The examples presented in the proposal were meant to be illustrative of the benefits based on a few areas of medicine where some relevant data was available. Unfortunately, no commenters provided either a better methodological approach or better data for assessing the overall benefits of privacy. Therefore, we believe the analysis in the proposal represents a valid illustration of the benefits of privacy, and we do not believe it is feasible to provide an overall dollar estimate of the benefits of privacy in the aggregate.

Comment: One commenter criticized the benefit analysis as being incomplete because it did not consider the potential cost of new treatments that might be engendered by increased confidence in medical privacy resulting from the regulation.

Response: There is no data or model to reliably assess such long-term behavioral and scientific changes, nor to determine what portion of the increasingly rapid evolution of new improved treatments might stem from improved privacy protections. Moreover, to be complete, such analysis would have to include the savings that might be realized from earlier detection and treatment. It is not possible at this time to project the magnitude or even the direction of the net effects of the response to privacy that the commenter suggests.

Scope of the Regulation

Comment: Numerous commenters noted the potential cost and burden of keeping track in medical records of information which had been transmitted electronically, which would be subject to the rule, as opposed to information that had only been maintained in paper form.

Response: This argument was found to have considerable merit and was one of the reasons that the Department concluded that the final regulation should apply to all medical records maintained by covered entities, including information that had never been transmitted electronically. The cost analysis below reflects the change in scope.

Notice Requirements

Comment: Several commenters expressed their belief that the administrative and cost burdens associated with the notice requirements were understated in the proposed rule. While some respondents took issue with the policy development cost estimates associated with the notice, more were focused on its projected implementation and production costs. For example, one respondent stated that determining "first service" would be an onerous task for many small practices, and that provider staff will now have to manually review each patient's chart or access a computer system to determine whether the patient has been seen since implementation of the rule.

Response: The policy in the final rule has been changed to make the privacy policy notice to patients less burdensome. Providers will be able to distribute the notice when a patient is seen and will not have to distribute it to a patient more than once, unless substantive changes are made in the notice. This change will significantly reduce the cost of distributing the privacy notices.

Comment: Some commenters also took issue with the methodology used to calculate the cost estimates for notices. These respondents believe that the survey data used in the proposed rule to estimate the costs (i.e., "encounters," "patients," and "episodes" per year) are very different concepts that, when used together, render the purported total meaningless. Commenters further stated that they can verify the estimate of 543 million patients cited as being seen at least once every five years.

Response: In the course of receiving treatment, a patient may go to a number of medical organizations. For example, a person might see a doctor in a physician's office, be admitted to a hospital, and later go to a pharmacy for medication. Each time a person "encounters" a facility, a medical record may be started or additions made to an existing record. The concept in the proposal was to identify the number of record sets that a person might have for purposes of estimating notice and copying costs. For example, whether a person made one or ten visits in the course of a year to a specific doctor would, for our purposes, be one record set because in each visit the doctor would most likely be adding information to an existing medical record. The comments demonstrated that we had not explained the concept well. As explained below, we modified the concept to more effectively measure the number of record sets that exist and explain it more clearly.

Comment: Several commenters criticized the lack of supporting evidence for the cost estimates of notice development and dissemination. Another opinion voiced in the comments is that the estimated cost for plans of $0.75 per insured person is so low that it may cover postage, but it
cannot include labor and capital usage costs.

Response: Based on comments and additional fact finding, the Department was able to gain a better understanding of how covered entities would develop policies and disseminate information. The cost analysis below explains more fully how we derived the final cost estimates for these areas.

Comment: A commenter noted that privacy policy costs assume that national associations will develop privacy policies for members but HHS analysis does not account for the cost to the national associations. A provider cost range of $300–$3,000 is without justification and seems low.

Response: The cost to the national associations was included in the proposal estimates, and it is included in the final analysis (see below).

Comment: A commenter states that the notice costs discussion mixes the terms "patients", "encounters" and "episodes" and that the 397 million encounter estimate is unclear.

Response: A clearer explanation of the concepts employed in this analysis is provided below.

Systems Compliance Costs

Comment: Numerous commenters questioned the methodology used to estimate the systems compliance cost and stated that the ensuing cost estimates were grossly understated. Some stated that the regulation will impose significant information technology costs to comply with the requirement to account for disclosures, additional costs for hiring new personnel to develop privacy policies, and higher costs for training personnel.

Response: Significant comments were received regarding the cost of systems compliance. In response, the Department retained the assistance of consultants with extensive expertise in health care information technology. We have relied on their work to revise our estimates, as described below. The analysis does not include "systems compliance" as a cost item, per se. Rather, in the final analysis we organized estimates around the major policy provisions so the public could more clearly see the costs associated with them. To the extent that the policy might require systems changes (and a number of them do), we have incorporated those costs in the provision's estimate.

Comment: Items explicitly identified by commenters as significantly adding to systems compliance costs include tracking disclosures of protected health information and patient authorizations; restricting access to the data; accommodating minimum disclosure provisions; installing notices and disclaimers; creating de-identified data; tracking uses of protected health information by business partners; tracking amendments and corrections; increased systems capacity; and annual systems maintenance. The commenters noted that some of the aforementioned items are acknowledged in the proposed rule as future costs to covered entities, but several others are singularly ignored.

Response: The Department recognizes the validity of much of this criticism. Unfortunately, other than general criticism, commenters provided no specific data or methodological information which might be used to improve the estimates. Therefore, the Department retained consultants with extensive expertise in these areas to assess the proposed regulation, which helped the Department refine its policies and cost estimates.

In addition, it is important to note that the other HIPAA administrative simplification regulations will require systems changes. As explained generally in the cost analysis for the electronic Transactions rule, it is assumed that providers and vendors will undertake systems changes for these regulations collectively, thereby minimizing the cost of changes.

Inspection and Copying

Comment: Numerous commenters disagreed with the cost estimates in the NPRM for inspection and copying of patient records, believing that they were too low.

Response: The Department has investigated the potential costs through a careful reading of the comments and subsequent factfinding discussions with a variety of providers. We believe the estimates, explained more fully below, represent a reasonable estimate in the aggregate. It is important to note, however, that this analysis is not measuring the cost of all inspection and copying because a considerable amount of this already occurs. The Department is only measuring the incremental increase likely to occur as a result of this regulation.

Comment: One commenter speculates that, even at a minimum charge of $.50/page (and not including search and retrieval charges), costs could run as high as $450 million annually.

Response: The $0.50 per page in the proposal represents an average of several data sources. Subsequently, an industry commenter, which provided extensive medical records copying, stated that this was a reasonable average cost. Hence, we retained the number for the final estimate.

Comment: One respondent states that, since the proposed rules give patients the right to inspect and copy their medical records regardless of storage medium, HHS must make a distinction in its cost estimates between records stored electronically and those which must be accessed by manual means, since these costs will differ.

Response: The cost estimates made for regulations are not intended to provide such refined gradations; rather, they are intended to show the overall costs for the regulation as a whole and its major components. For inspections and copying (and virtually all other areas for which estimates are made) estimates are based on averages; particular providers may experience greater or lesser costs than the average cost used in this analysis.

Comment: Several commenters noted that the Department did not appear to include the cost of establishing storage systems, retrieval fees and the cost of searching for records, and that these costs, if included, would significantly increase the Department's estimate.

Response: Currently, providers keep and maintain medical records and often provide copies to other providers and patients. Therefore, much of the cost of maintaining records already exists. Indeed, based on public comments, the Department has concluded that there will be relatively few additional copies requested as the result of this regulation (see below). We have measured and attributed to this regulation the incremental cost, which is the standard for conducting this kind of analysis.

Comment: A federal agency expressed concern over the proposal to allow covered entities to charge a fee for copying personal health information based on reasonable costs. The agency requests personal health information from many covered entities and pays a fee that it establishes. Allowing covered entities to establish the fee, the agency fears, may cost them significantly more than the current amounts they pay and as a result, could adversely affect their program.

Response: The proposal and the final rule establish the right to access and copy records only for individuals, not other entities; the "reasonable fee" is only applicable to the individual's request. The Department's expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule.
Appending Records (Amendment and Correction)

Comment: The proposed rule estimated the cost of amending and correcting patients' records at $75 per instance and $260 million per year for small entities. At least one commenter stated that such requests will rise significantly upon implementation of the regulations and increase in direct proportion to the number of patients served. Another commenter described the more subtle costs associated with record amendment and correction, which would include a case-by-case clinical determination by providers on whether to grant such requests, forwarding the ensuing record changes to business partners, and issuing written statements to patients on the reasons for denials, including a recourse for complaints.

Response: The comments were considered in revising the proposal, and the decision was made to clarify in the final regulation that providers must only append the record (the policy is explained further in the preamble and the regulation text). The provider is now only required to note in the medical record any comments from the patient; they may, but are not required to, correct any errors. This change in policy significantly reduces the cost from the initial proposal estimate.

Comment: Several commenters criticized the proposed rule's lack of justification for assumptions regarding the percentage of patients who request inspection and copying, who also request amendment and correction. Another commenter pointed out that the cost estimate for amendment and correction is dependent on a base assumption that only 1.5 percent of patients will request inspection of their records. As such, if this estimate were too low by just one percentage point, then the estimates for inspection and copying plus the costs for amendment and correction could rise by 67 percent.

Response: Based on information and data received in the public comments, the estimate for the number of people requesting inspection and copying has been revised. No commenter provided specific information on the number of amended record requests that might result, but the Department subsequently engaged in fact-finding and made appropriate adjustments in its estimates. The revisions are explained further below.

Consent and Authorizations

Comment: One respondent indicated that the development, collection, and data entry of all the authorizations will create a new transaction type for employers, health plans, and providers, and result in duplicated efforts among them. This commenter estimates that the costs of mailing, re-mailing, answering inquiries, making outbound calls and performing data entry in newly created authorization computer systems could result in expenses of close to $2.0 billion nationally. Another commenter indicated that authorization costs will be at least double the notice dissemination costs due to the cost of both outbound and return postage.

Response: Public commenters and subsequent factfinding clearly indicate that most providers with patient contact already obtain authorizations for release of records, so for them there is virtually no new cost. Further, this comment does not reflect the actual regulatory requirement. For example, there is no need to engage in mailing and re-mailing of forms, and we do not foresee any reason why there should be any significant calls involved.

Comment: A commenter criticized the percentage (1%) that we used to calculate the number of health care encounters expected to result in requests to withhold the release of protected information. This respondent postulates that even if one in six patients who encounter the U.S. health care system opt to restrict access to their records, the total expected national cost per year could rise to $900 million.

Response: The final regulation requirements regarding the release of protected health information have been substantially changed, thereby greatly reducing the potential cost burden. A fuller explanation of the cost is provided below in the regulatory impact analysis.

Comment: An additional issue raised by commenters was the added cost of seeking authorizations for health promotion and disease management activities, health care operations that traditionally did not require such action.

Response: In the final regulation, a covered entity can use medical information collected for treatment or operations for its own health promotion and disease management efforts without obtaining additional authorization. Therefore, there is no additional cost incurred.

Business Associates

Comment: A number of commenters were concerned about the cost of monitoring business partners. Specifically, one commenter stated that the provisions of the proposed regulation pertaining to business partners would likely force the discontinuation of outsourcing for some functions, thereby driving up the administrative cost of health care.

Response: The final regulation clarifies the obligations of the business associates in assuring privacy. As explained in the preamble, business associates must take reasonable steps to assure confidentiality of health records they may have, and the covered entity must take appropriate action if they become aware of a violation of the agreement they have with the business associate. This does not represent an unreasonable burden; indeed, the provider is required to take the same kind of precautions and provide the same kind of oversight that they would in many other kinds of contractual relationships to assure they obtain the quality and level of performance that they would expect from a business associate.

Comment: HHS failed to consider enforcement costs associated with monitoring partners and litigation costs arising from covered entities seeking restitution from business partners whose behavior puts the covered entity at risk for noncompliance.

Response: The Department acknowledged in the proposal that it was not estimating the cost of compliance with the business associates provision because of inadequate information. It requested information on this issue, but no specific information was provided in the comments. However, based on revisions in the final policy and subsequent factfinding, the Department has provided an estimate for this requirement, as explained below.

Training

Comment: Many of the commenters believe that the Department used unrealistic assumptions in the development of the estimated cost of the training provisions and they provided their own estimates.

Response: The commenters' estimates varied widely, and could not be used by the Department in revising its analysis because there was inadequate explanation of how the estimates were made.

Comment: Several commenters argued that if even an hour of time of each of the entity's employees is spent on training instead of "work" and they are paid the minimum wage, an entity would incur $100 of cost for training no more than 20 employees. The commenters noted that the provision of health care services is a labor-intensive enterprise, and many covered entities have thousands of employees, most of whom make well in excess of minimum
wage. They questioned whether the estimates include time taken from the employee’s actual duties (opportunity cost) and the cost of a trainer and materials.

Response: As explained in more detail below, the Department made extensive revisions in its training estimate, including the number of workers in the health care sector, the cost of workers in training based on average industry wages, and training costs (instructors and materials). The revised estimate is a more complete and accurate estimate of the costs likely to be borne as a result of the final regulation.

Comment: One commenter estimated that simply training an employee could have a burdensome impact on his company. He argued, for example, that a 10-hour annual requirement takes 0.5% of an employee’s time if they work a 2000-hour year, but factoring in sick and vacation leave, the effects of industry turnover could significantly increase the effect.

Response: In the analysis below, the Department has factored in turnover rates, employment growth and greater utilization based on data obtained from broad-based surveys and a public comment.

Comment: Some commenters felt that the regulatory training provisions are overly burdensome. Specific concerns centered around the requirement to train all individuals who may come in contact with protected health information and the requirement to have such individuals sign a new certifying statement at least every three years. Some commenters felt that the content of the training program should be left to the discretion of the covered entity.

Response: Changes and clarifications in the training requirements are made in the final regulation, explained below. For example, the certification requirement has been eliminated. As in the NPRM, the content of the training program is left to the discretion of the covered entity. These changes are expected to lessen the training burden and are reflected in the final cost estimates.

Compliance and Enforcement

Comment: A Member of Congress and a number of privacy and consumer groups expressed their concern with whether the Office for Civil Rights (OCR) in HHS has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Member stated that “[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for the Secretary to begin building the necessary infrastructure to enforce the regulation effectively.”

Response: The Secretary agrees with the commenters and is committed to an effective enforcement program. We will work with Congress to ensure that the Department has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations and to use civil and criminal penalties when necessary.

Economic Effect on Small Entities

Comment: Many commenters stated that the cost estimates on the effect of the proposed regulation on small businesses were understated or incomplete.

Response: The Department conducted a thorough review of potential data sources that would improve the quality of the analysis of the effects on small business. The final regulatory flexibility analysis below is based on the best data available (much of it from the Small Business Administration) and represents a reliable estimate for the effects on small entities in various segments of the health care industry. It is important to note that the estimates are for small business segments in the aggregate; the cost to individual firms will vary, perhaps considerably, based on their particular circumstances.

Comment: The cost of implementing privacy regulations, when added to the cost of other required HIPAA regulations, could increase overhead significantly. As shown in the 1993 Workgroup on Electronic Data Interchange (WEDI) Report, providers will bear the larger share of implementation costs and will save less than payors.

Response: The regulatory flexibility analysis below shows generally the marginal effect of the privacy regulation on small entities. Collectively, the HIPAA administrative standards will save money in the health care system. As important, given the rapid expansion of electronic commerce, it is probable that small entities would need to comply with standards for electronic commerce in order to compete effectively, even if the standards were voluntary. The establishment of uniform standards through regulation helps small entities because they will not have to invest in multiple systems, which is what they would confront if the system remained voluntary.

Comment: One respondent believed that the initial and ongoing costs for small provider offices could be as much as 11 times higher than the estimates provided in the proposed rule. Other commenters stated that the estimates for small entities are “absurdly low”.

Response: Although there were a number of commenters highly critical of the small business analysis, none provided alternative estimates or even provided a rationale for their statements. Many appeared to assume that all costs associated with medical record confidentiality should be estimated. This represents a misunderstanding of the purpose of the analysis: to estimate the incremental effects of this regulation, i.e., the new costs (and savings) that will result from changes required by the regulation. The Department has made substantial changes in the final small entities analysis (below), reflecting policy changes in the final rule and additional information and data collected by the Department since the issuance of the proposal last fall. We believe that these estimates reasonably reflect the costs that various types of small entities will experience in general, though the actual costs of particular providers might vary considerably based on their current practices and technology.

Comment: A respondent expressed the belief that small providers would bear a disproportionate share of the regulation’s administrative burden because of the likelihood of larger companies incurring fewer marginal costs due to greater in-house resources to aid in the legal and technical analysis of the proposed rule.

Response: As explained below, the Department does not agree with the assertion that small entities will be disproportionately affected. Based on discussions with a number of groups, the Department expects many professional and trade associations to provide their members with analysis of the regulation, including model policies, statements and basic training materials. This will minimize the cost for most small entities. Providers that use protected health information for voluntary practices, such as marketing or research, are more likely to need specific legal and technical assistance, but these are likely to be larger providers.

Comment: Several commenters took issue with the “top-down” approach that we used to estimate costs for small businesses, believing that this methodology provided only a single point estimate, gave no indication of the variation around the estimate, and was subject to numerous methodological errors since the entities to which the numerator pertained may not have been
the same as the denominator. These respondents further recommended that we prepare a “bottom-up” analysis using case studies and/or a survey of providers to refine the estimates.

Response: The purpose of the regulatory flexibility analysis is to provide a better insight into the relative burden of small businesses compared to larger firms in complying with a regulation. There may be considerable variance around average costs within particular industry sectors, even among small businesses within them. The estimates are based on the best data available, including information from the Small Business Administration, the Census Bureau, and public comments.

Comment: A commenter stated that the proposal’s cost estimate does not account for additional administrative costs imposed on physicians, such as requirements to rewrite contracts with business partners.

Response: Such costs are included in the analysis below.

Comment: Numerous public comments were directed specifically at the systems compliance cost estimates for small businesses. One respondent maintained that the initial upgrade cost alone would range from $50 thousand to more than $1 million per covered entity.

Response: The cost estimates for systems compliance varied enormously; unfortunately, none of the commenters provided documentation of how they made their estimates, preventing us from comparing their data and assumptions to the Department’s. Because of concern about the costs in this area, however, the Department retained an outside consultant to provide greater expertise and analysis. The product of this effort has been incorporated in the analysis below.

Comment: One commenter stated that just the development and documentation of new health information policies and procedures (which would require an analysis of the federal regulations and state law privacy provisions) would cost far more than the $396 cited in the Notice of Proposed Rulemaking as the average start-up cost for small businesses.

Response: As explained below in the cost analysis, the Department anticipates that most of the policies and procedures that will be required under the final rule will be largely standardized, particularly for small businesses. Thus, much of the work and cost can be done by trade associations and professional groups, thereby minimizing the costs and allowing them to be spread over a large membership base.

Comment: A number of comments criticized the initial estimates for notices, inspection and copying, amendments and correction, and training as they relate to small businesses.

Response: The Department has made substantial revisions in its estimates for all of these areas, which are explained below in the regulatory flexibility analysis.

Comment: One commenter noted that there appeared to be a discrepancy in the number of small entities cited. There is no explanation for the difference and no explanation for the difference between “establishments” and “entities.”

Response: There are discrepancies among the data bases on the number of “establishments” and “entities” or “firms”. The problem arises because most surveys count (or survey) establishments, which are physical sites. A single firm or entity may have many establishments. Moreover, although an establishment may have only a few employees, the firm may have a large number of workers (the total of all its various establishments) and therefore not be a small entity.

As discussed below, there is some discrepancy between the aggregate numbers we use for the regulatory impact analysis (RIA) and the regulatory flexibility analysis (RFA). We concluded that for purposes of the RFA, which is intended to measure the effects on small entities, we would use Small Business Administration data, which defines entities based on revenues rather than physical establishments, to count the number of small entities in various SIC. This provides a more accurate estimate of small entities affected. For the RIA, which is measuring total effects, we believe the establishment based surveys provide a more reliable count.

Comment: Because small businesses must notify patients of their privacy policies on patients’ first visit after the effective date of the regulation, several commenters argued that staff would have to search records either manually or by computer on a daily basis to determine if patients had been seen since the regulation was implemented.

Response: Under the final regulation, all covered entities will have to provide patients copies of their privacy policy at the first visit after the effective date of the regulation. The Department does not view this as burdensome. We expect that providers will simply place a note or marker at the beginning of a file (electronic or paper) when a patient is given the notice. This is neither time-consuming nor expensive, and it will not require constant searches of records.

Comment: A commenter stated that the definitions of small business, small entity, and a small health plan are inconsistent because the NPRM includes firms with annual receipts of $5 million or less and non-profits.

Response: The Small Business Administration, whose definitions we use for this analysis, includes firms with $5 million or less in receipts and all non-profits as “small businesses.” We recognize that some health plans, though very large in terms of receipts (and insured lives), nonetheless would be considered “small businesses” under this definition because they are non-profits. In the final regulatory flexibility analysis, we generally have maintained the Small Business Administration definitions because they are the accepted standard for these analyses. However, we have added several categories, such as IRBs and employer sponsored group health plans, which are not small entities, per se, but will be affected by the final rule and for which we were able to identify costs imposed by the regulation.

Comment: The same commenter wanted clarification that all non-profit organizations are small entities and that the extended effective date for compliance applies to them.

Response: For purposes of the regulatory flexibility analysis, the Department is utilizing the Small Business Administration guidelines. However, under HIPAA the Secretary may extend the effective compliance date from 24 months to 36 months for “small health plans”. The Secretary is given the explicit discretion of defining the term for purposes of compliance with the regulation. For compliance purposes, the Secretary has decided to define “small health plans” as those with receipts of $5 million or less, regardless of their tax status. As noted above, some non-profit plans are large in terms of revenues (i.e., their revenues exceed $5 million annually). The Department determined that such plans do not need extra time for compliance.

Comment: Several commenters requested that “small providers” [undefined] be permitted to take 36 months to come into compliance with the final regulation, just as small health plans will be permitted to do so.

Response: Congress specified small health plans, but not small providers, as needing extra time to comply. The majority of providers affected by the regulation are “small”, based on the SBA definitions; in other words, granting the delay would be tantamount to making the effective date three years rather than two. In making policy decisions for the final regulation, extensive consideration was given to minimizing the cost and administrative burden associated with implementing
the rule. The Department believes that the requirements of the final rule will not be difficult to fulfill, and therefore, it has maintained the two year effective date.

External Studies

Comment: One commenter submitted a detailed analysis of privacy legislation that was pending and concluded that it might cost over $40 billion.

Response: The study did not analyze the policies in the proposal, and therefore, the estimates do not reflect the costs that would have been imposed by the proposed regulation. In fact, the analysis was prepared before the Administration’s proposed privacy regulation was even published. As a result, the analysis is of limited relevance to the regulation actually proposed.

The following are examples of assumptions and costs in the analysis that do not match privacy policies or requirements stated in the proposed rule.

1. Authorizations: The study assumed rules requiring new authorizations from current subscribers to use their data for treatment, payment of claims, or other health plan operations. The proposed rule would have prohibited providers or plans from obtaining patient authorization to use data for treatment, payment or health care operations, and the final rule makes obtaining consent for these purposes voluntary for all health plans and for providers that do not have direct treatment relationships with individuals.

2. Disclosure History: The study assumes that providers, health plans, and clearinghouses would have to track all disclosures of health information. Under the NPRM and the final rule, plans, providers and clearinghouses are only required to account for disclosures that are not for treatment, payment, and health care operations, a small minority of all disclosures.

3. Inspection, Copying, and Amendment: The study assumed requirements to allow patients and their subscribers to inspect, copy, and amend all information that includes their name, social security number or other identifying feature (e.g. customer service calls, internal memorandum, claim runs). However, the study assumed broader access than provided in the rule, which requires access only to information in records used to make decisions about individuals, not all records with identifiable information.

4. Infrastructure development: The study attributed significant costs to infrastructure implementation (computer systems, training, and other compliance costs). As explained below, the compliance requirements are much less extensive than assumed in this study. For example, many providers and plans will not be required to modify their privacy systems but will only be required to document their practices and notify patients of these practices, and others will be able to purchase low-cost, off-the-shelf software that will facilitate the new requirements. The final regulation will not require massive capital expenditures; we assumed, based on our consultants’ work, that providers will rely on low-cost incremental adjustments initially, and as their technology becomes outdated, they will replace it with new systems that incorporate the HIPAA standard requirements.

Although many of the policy assumptions in the study are fundamentally different than those in the proposed or final regulation, the study did provide some assistance to the Department in preparing its final analysis. The Department compared data, methodologies and model assumptions, which helped us think more critically about our own analysis and enhanced the quality of our final work.

Comment: One commenter submitted a detailed analysis of the NPRM Regulatory Impact Analysis and concluded that it might cost over $64 billion over 5 years. This analysis provided an interesting framework for analyzing the provisions of the rule. More precisely, the analysis generally attempted to identify the number of entities that would be required to comply with each of the significant provisions of the proposed rule, then estimated the number of hours required to comply per entity, and finally, estimated an hourly wage.

Response: HHS adopted this general structure for the final RIA because it provided a better framework for analysis than what the Department had done in the NPRM. However, HHS did not agree with many of the specific assumptions used in this analysis, for several reasons. First, in some instances the assumptions were no longer relevant because the requirements of the NPRM were altered in the final rule. For other assumptions, HHS found more appropriate data sources for the number of covered entities, wage rates and trend rates or other factors affecting costs. In addition, HHS believes that in a few instances, this analysis over-estimated what is required of covered entities to comply. Based on public comments and its own factfinding, the Department believes many of its assumptions used in the final analysis more accurately reflect what is likely to be the real cost of the regulation.

IV. Final Regulatory Impact Analysis

5 U.S.C. 804(2) (as added by section 251 of Pub. L. 104–21), specifies that a “major rule” is any rule that the Office of Management and Budget finds is likely to result in:

• An annual effect on the economy of $100 million or more;

• A major increase in costs or prices for consumers, individual industries, federal, state, or local government agencies, or geographic regions; or

• Significant adverse effects in competition, employment, investment productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based enterprises in domestic and export markets.

The impact of this final rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in 5 U.S.C. 804(2).

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is “significant” if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more or adversely affecting in a material way a sector of the economy, competition, or jobs, or if it raises novel legal or policy issues. The purpose of the regulatory impact analysis is to assist decision-makers in understanding the potential ramifications of a regulation as it is being developed. The analysis is also intended to assist the public in understanding the general economic ramifications of a regulation, both in the aggregate as well as the major policy areas of a regulation and how they are likely to affect the major industries or sectors of the economy covered by it.

In accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104–121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (OMB) has determined that this rule is a major rule for the purpose of congressional review.

The proposal for the privacy regulation included a preliminary regulatory impact analysis (RIA) which estimated the cost of the rule at $3.8 billion over five years. The preliminary
analysis also noted that a number of significant areas were not included in the estimate due to inadequate information. The proposal solicited public comment on these and all other aspects of the analysis. In this preamble, the Department has summarized the public comments pertinent to the cost analysis and its response to them. However, because of the extensive policy changes incorporated in the final regulation, additional data collected from the public comments and the Department’s fact-finding, and changes in the methodology underlying the estimates, the Department is setting forth in this section a more complete explanation of its revised estimates and how they were obtained. This will facilitate a better understanding by the public of how the estimates were developed and provide more insight into how the Department believes the regulation will ultimately affect the health care sector.

The impact analysis measures the effect of the regulation on current practices. In the case of privacy, as discussed in the preamble, there already exist considerable, though quite varied, efforts to protect the confidentiality of medical information. The RIA is measuring the change in these current practices and the cost of new and additional responsibilities that are required to conform to the new regulation.

To achieve a reasonable level of privacy protection, the Department defined three objectives for the final rule: (1) To establish national baseline standards, implementation specifications, and requirements for health information privacy protection, (2) to protect the privacy of individually identifiable health information maintained or transmitted by covered entities, and (3) to protect the privacy of all individually identifiable health information within covered entities, regardless of its form.

Establishing minimum standards, implementation specifications, and requirements for health information privacy protection creates a level baseline of privacy protection for patients across states. The Health Privacy Project’s report, The State of Health Privacy: An Uneven Terrain 33 makes it clear that under the current system of state laws, privacy protection is extremely variable. The Department’s statutory authority under HIPAA allows the privacy regulation to preempt any state law if such law is contrary to and not more stringent than privacy protection pursuant to this regulation. This sets a floor, but permits a state to create laws that are more protective of privacy. We discuss preemption in greater detail in other parts of the preamble.

33 Janlori Goldman, Institute for Health Care Research and Policy, Georgetown University: <http://www.healthprivacy.org/resources>.

The second objective is to establish a uniform base of privacy protection for individually identifiable health information maintained or transmitted by covered entities. HIPAA restricts the type of entities covered by the rule to three broad categories: health care providers that transmit health information in HIPAA standard transactions, health plans, and health care clearinghouses. However, there are similar public and private entities that are not within the Department’s authority to regulate under HIPAA. For example, life insurance companies are not covered by this rule but may have access to a large amount of individually identifiable health information.

The third objective is to protect the privacy of all individually identifiable health information held by covered entities, including their business associates. Health information is currently stored and transmitted in multiple forms, including electronic, paper, and oral forms. To provide consistent protection to information, and to avoid requiring covered entities to distinguish between health information that has been transmitted or maintained electronically and that which has not, this rule covers all individually identifiable health information in any form maintained or transmitted by a covered entity.

For purposes of this cost analysis, the Department has assumed all health care providers will be affected by the rule. This results in an overestimation of costs because there are providers that do not engage in any HIPAA standard transactions, and therefore, are not affected. The Department could not obtain any reliable data on the number of such providers, but the available data suggest that there are very few such entities, and given the expected increase in all forms of electronic health care in the coming decade, the number of paper-only providers is likely to decrease.

A. Relationship of This Analysis to Analyses in Other HIPAA Regulations

Congress has recognized that privacy standards, implementation specifications and requirements must accompany the electronic data interchange standards, implementation specifications and requirements because the increased ease of transmitting and sharing individually identifiable health information will result in an increase in concern regarding privacy and confidentiality of such information. The bulk of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. The requirement for the issuance of concomitant privacy measures remained a part of the HIPAA bill passed by the House of Representatives in 1996, but the requirement for privacy measures was removed in conference. Instead, Congress added section 264 to Title II of HIPAA, which directs the Secretary to develop and submit to Congress recommendations addressing at least the following:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

The Secretary’s Recommendations were submitted to Congress on September 11, 1997, and are summarized below. Section 264(c)(1) of HIPAA provides that: If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than (February 21, 2000). Such regulations shall address at least the subjects described in subsection (regarding recommendations).

Because the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, the Department has, in accordance with this statutory mandate, developed final rules setting forth standards to protect the privacy of such information.

Title II of the Health Insurance Portability and Accountability Act (HIPAA) also provides a statutory framework for the promulgation of other administrative simplification regulations. On August 17, 2000, the Transactions Rule was published. Proposals for health care provider identifier (May 1998), employer identifier (June 1998), and security and electronic signature standards (August 1998) have also been published. These
regulations are expected to be made final in the foreseeable future.

HIPAA states that, “any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.” (Section 1172(b)). This provision refers to the administrative simplification regulations in their totality, including this rule regarding privacy standards. The savings and costs generated by the various standards should result in a net savings to the health care system. The Transactions Rule shows a net savings of $29.9 billion over ten years (2002–2011), or a net present value savings of $19 billion. This estimate does not include the growth in “e-health” and “e-commerce” that may be spurred by the adoption of uniform codes and standards.

This final Privacy Rule is estimated to produce net costs of $18.0 billion, with net present value costs of $11.8 billion (2003 dollars) over ten years (2003–2012). This estimate is based on some costs already having been incurred due to the requirements of the Transactions Rule, which included an estimate of a net savings to the health care system of $29.9 billion over ten years (2002 dollars) and a net present value of $19.1 billion. The Department expects that the savings and costs generated by all administrative simplification standards should result in a net savings to the health care system.

B. Summary of Costs and Benefits

Measuring both the economic costs

areas in the regulation that would result in significant costs. Given the vast array of institutions affected by this regulation and the considerable variation in practices, the Department sought to identify the “typical” current practice for each of the major policy areas and estimate the cost of change resulting from the regulation. Because of the paucity of data and incomplete information on current practices, the Department has consistently made conservative assumptions (that is, given uncertainty, we have made assumptions that, if incorrect, are more likely to overstate rather than understate the true cost).

Benefits are difficult to measure because people conceive of privacy primarily as a right, not as a commodity. Furthermore, a wide gap appears to exist between what people perceive to be the level of privacy afforded health information about them and what actually occurs with the use of such information today. Arguably, the “cost” of the privacy regulation is the amount necessary to bring health information privacy to these perceived levels.

The benefits of enhanced privacy protections for individually identifiable health information are significant, even though they are hard to quantify. The Department solicited comments on this issue, but no commenters offered a better alternative. Therefore, the Department is essentially reiterating the analysis it offered in the proposed Privacy Rule. The illustrative examples set forth below, using existing data on mental health, cancer screening, and

costs to federal, state and local governments. The net present value of the final rule, applying an 11.2 percent discount rate 35, is $11.8 billion.36

The first year estimate is $3.2 billion (this includes expenditures that may be incurred before the effective date in 2003). This represents about 0.23 percent of projected national health expenditures for 2003.37 By 2008, seven years after the rule’s effective date, the rule is estimated to cost 0.07 percent of projected national health expenditures. The largest cost items are the requirement to have a privacy official, $5.9 billion over ten years, and the requirement that disclosures of protected health information only involve the minimum amount necessary, $5.8 billion over ten years (see Table 1). These costs reflect the change that affected organizations will have to undertake to implement and maintain compliance with the requirements of the rule and achieve enhanced privacy of protected health information.

35 This is based on a seven percent real discount rate, explained in OMB Circular A–94, and a projected 4.2 percent inflation rate projected over the ten-year period covered by this analysis.

36 The regulatory impact analysis in the Transactions Rule showed a net savings of $29.9 billion (net present value of $19.1 billion in 2002 dollars). The cost estimates included all electronic systems changes that would be necessitated by the HIPAA administrative standards (e.g., security, safeguards, and electronic signatures; eligibility for a health plan; and remittance advice and payment claim status), except privacy. At the time the
and benefits of health information Transactions Rule was developed, the industry
HIV/AIDS patients, suggest the level of provided estimates for the systems changes in the
privacy is difficult. Traditionally, economic and health benefits that might aggregate. The industry argued that affected parties
privacy has been addressed by state accrue to individuals and society. would seek to make all electronic changes in one
laws, contracts, and professional Moreover, the benefits of improved effort because that approach would be the most
practices and guidelines. Moreover, cost-efficient. The Department agreed, and
privacy protection are likely to increase therefore, it ‘‘bundled’’ all the system change cost
these practices have been evolving as in the future as patients gain trust in in the Transactions Rule estimate. Privacy was not
computers have dramatically increased health care practitioners’ ability to included because at the time the Department had
the potential use of medical data; the maintain the confidentiality of their not made a decision to develop a privacy rule. As
scope and form of health information is the Department develops other HIPAA
health information. administrative simplification standards, there may
likely to be very different ten years from The estimated cost of compliance be additional costs and savings due to the non-
now than it is today. This final with the final rule is $17.6 billion over electronic components of those regulations, and
regulation is both altering current health the ten year period, 2003–2012.34 This they will be identified in regulatory impact analyses
information privacy practice and that accompany those regulations. The Department
includes the cost of all the major anticipates that such costs and savings will be
shaping its evolution as electronic uses requirements for the rule, including relatively small compared to the privacy and
expand. Transactions rules. The Department anticipates that
To estimate costs, the Department 34 The proposed privacy rule provided an the net economic impact of the rules will be a net
used information from published estimate for a five-year period. However, the savings to the health care system.
studies, trade groups and associations, Transactions Rule provided a cost estimate for a ten 37 Health spending projections from National

year period. The decision was made to provide the Health Expenditure Projections 1998–2008 (January
public comments to the proposed final privacy estimates in a ten year period so that 2000), Health Care Financing Administration,
regulation, and fact-finding by staff. The it would be possible to compare the costs and Office of the Actuary, <http://hcfa.hhs.gov/stats/
analysis focused on the major policy benefits of the two regulations. nhe-proj/>.


from national surveys while preserving confidentiality and which have been dealing with these issues for decades. The problems and solutions being used by these agencies are laid out in detail in the Statistical Policy Working Paper 22 cited earlier.

To protect the privacy of individuals providing information to the Bureau of Census, the Bureau has determined that a geographical region must contain at least 100,000 people.20 This standard has been used by the Bureau of the Census for many years and is supported by simulation studies using Census data.21 These studies showed that after a certain point, increasing the size of a geographic area does not significantly decrease the percentage of unique records (i.e., those that could be identified if sampled), but that the point of diminishing returns is dependent on the number and type of demographic variables on which matching might occur. For a small number of demographic variables (6), this point was quite low (about 20,000 population), but it rose quickly to about 50,000 for 10 variables and to about 80,000 for 15 variables. The Bureau of the Census releases sets of data to the public that it considers safe from re-identification because it limits geographical areas to those containing at least 100,000 people and limits the number and detail of the demographic variables in the data. At the point of approximately 100,000 population, 7.3% of records were unique (and therefore potentially identifiable) on 6 demographic variables from the 1990 Census Short Form: Age in years (90 categories), race (up to 180 categories), sex (2 categories), relationship to householder (14 categories), Hispanic (2 categories), and tenure (owner vs. renter in 5 categories). Using 6 variables derived from the Long Form data, age (10 categories), race (6 categories), sex (2 categories), marital status (5 categories), occupation (54 categories), and personal income (10 categories), raised the percentage to 9.8%.

We also examined the results of an NCHS simulation study using national survey data22 to see if some scientific support could be found for a compromise. The study took random samples from populations of different sizes and then compared the samples to the whole population to see how many records were identifiable, that is, matched uniquely to a unique person in the whole population on the basis of 9 demographic variables: Age (85 categories), race (4 categories), gender (2 categories), ethnicity (2 categories), marital status (3 categories), income (3 categories), employment status (2 categories), working class (4 categories), and occupation (42 categories). Even when some of the variables are aggregated or coded, from the perspective of a large statistical agency desiring to release data to the public, the study concluded that a population size of 500,000 was not sufficient to provide a reasonable guarantee that certain individuals could not be identified. About 2.5 % of the sample from the population of 500,000 was uniquely identifiable, regardless of sample size. This percentage rose as the size of the population decreased, to about 14% for a population of 100,000 and to about 25% for a population of 25,000. Eliminating the occupation variable (which is less likely to be found in health data) reduced this percentage significantly to about 0.4 %, 3%, and 10% respectively. These percentages of unique records (and thus the potentials for re-identification) are highly dependent on the number of variables (which must also be available in other databases which are identified to be considered in a disclosure risk analysis), the categorical breakdowns of those variables, and the level of geographic detail included.

With respect to how we might clarify the requirement to achieve a ‘‘low probability’’ that information could be identified, the Statistical Policy Working Paper 22 referenced above discusses the attempts of several researchers to define mathematical measures of disclosure risk only to conclude that ‘‘more research into defining a computable measure of risk is necessary.’’ When we considered whether we could specify a maximum level of risk of disclosure with some precision (such as a probability or risk of identification of <0.01), we concluded that it is premature to assign mathematical precision to the ‘‘art’’ of de-identification.

After evaluating current practices and recognizing the expressed need for some geographic indicators in otherwise de-identified databases, we concluded that permitting geographic identifiers that define populations of greater than 20,000 individuals is an appropriate standard that balances privacy interests against desirable uses of de-identified data. In making this determination, we focused on the studies by the Bureau of Census cited above which seemed to indicate that a population size of 20,000 was an appropriate cut off if there were relatively few (6) demographic variables in the database. Our belief is that, after removing the required identifiers to meet the safe harbor standards, the number of demographic variables retained in the databases will be relatively small, so that it is appropriate to accept a relatively low number as a minimum geographic size.

In applying this provision, covered entities must replace the (currently 18) forbidden 3-digit zip codes with zeros and thus treat them as a single geographic area (with >20,000 population). The list of the forbidden 3-digit zip codes will be maintained as part of the updated Secretarial guidance referred to above. Currently, they are: 022, 036, 059, 102, 203, 555, 556, 692, 821, 823, 830, 831, 878, 879, 884, 893, 987, and 994. This will result in an average 3-digit zip code area population of 287,858 which should result in an average of about 4% unique records using the 6 variables described above from the Census Short Form. Although this level of unique records will be much higher in the smaller geographic areas, the actual risk of identification will be much lower because of the limited availability of comparable data in publicly available, identified databases, and will be further reduced by the low probability that someone will expend the resources to try to identify records when the chance of success is so small and uncertain. We think this compromise will meet the current need for an easy method to identify geographic area while providing adequate protection from re-identification. If a greater level of geographical detail is required for a particular use, the information will have to be obtained through another permitted mechanism or be subjected to a specific de-identification determination as described above. We will monitor the availability of identified public data and the concomitant re-identification risks, both theoretical and actual, and adjust this safe harbor in the future as necessary.

As we stated above, we understand that many commenters would prefer a looser standard for determining when information is de-identified, both generally and with respect to the standards for identifying geographic area. However, because public databases (such as voter records or driver’s license records) that include demographic information about a geographically defined population are available, a surprisingly large percentage of records of health information that contain similar demographic information can be identified. Although the number of these databases seems to be increasing, the number of demographic variables within them still appears to be fairly limited. The number of cases of privacy violation from health records which have been identified in this way is small to date. However, the risk of identification increases with decreasing population size, with increasing amounts of demographic information (both in level of detail and number of variables), and with the uniqueness of the combination of such information in the population. That is, an 18-year-old single white male student is not at risk of identification in a database from a large city such as New York. However, if the database were about a small town where most of the inhabitants were older, retired people of a specific minority race or ethnic group, that same person might be unique in that community and easily identified. We believe that the policy that we have articulated reaches the appropriate balance between reasonably protecting privacy and providing a sufficient level of information to make de-identified databases useful.

20 Statistical Policy Working Paper 22—Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget).

21 The Geographic Component of Disclosure Risk for Microdata. Brian Greenberg and Laura Voshell. Bureau of the Census Statistical Research Division Report: Census/SRD/RR–90–13, October, 1990.

22 A Simulation Study of the Identifiability of Survey Respondents when their Community of Residence is Known. John Horm, National Center for Health Statistics, 2000.

Comments: Some comments noted that identifiers that accompany photographic images are often needed to interpret the image and that it would be difficult to use the image alone to identify the individual.

Response: We agree that our proposed requirement to remove all photographic images was more than necessary. Many photographs of lesions, for example, which cannot usually be used alone to identify an individual, are included in health records. In this final rule, the only absolute requirement is the removal of full-face photographs, and we depend on the ‘‘catch-all’’ of ‘‘any other unique * * * characteristic * * *’’ to pick up the unusual case where another type of photographic image might be used to identify an individual.

Comments: A number of commenters felt that the proposed bar for removal had been set too high; that the removal of these 19 identifiers created a difficult standard, since some identifiers may be buried in lengthy text fields.

Response: We understand that some of the identifiers on our list for removal may be buried in text fields, but we see no alternative that protects privacy. In addition, we believe that such unstructured text fields have little or no value in a de-identified information set and would be removed in any case. With time, we expect that such identifiers will be kept out of places where they are hard to locate and expunge.

Comments: Some commenters asserted that this requirement creates a disincentive for covered entities to de-identify data and would compromise the Secretary’s desire to see de-identified data used for a multitude of purposes. Others stated that the ‘‘no reason to believe’’ test creates an unreasonable burden on covered entities, and would actually chill the release of de-identified information, and set an impossible standard.

Response: We recognize that the proposed standards might have imposed a burden that could have prevented the widespread use of de-identified information. We believe that our modifications to the final rule discussed above will make the process less burdensome and remove some of the disincentive. However, we could not loosen the standards as far as many commenters wanted without seriously jeopardizing the privacy of the subjects of the information. As discussed above, we modify the ‘‘no reason to know’’ standard that was part of the safe harbor provision and replace it in the final rule with an ‘‘actual knowledge’’ standard. We believe that this change provides additional certainty to covered entities using the safe harbor and should eliminate any chilling effect.

Comments: Although most commenters wanted to see data elements taken off the list, there were a small number of commenters that wanted to see data items added to the list. They believed that it is also necessary to remove clinical trial record numbers, device model serial numbers, and all proper nouns from the records.

Response: In response to these requests, we have slightly revised the list of identifiers that must be removed under the safe harbor provision. Clinical trial record numbers are included in the general category of ‘‘any other unique identifying number, characteristic, or code.’’ These record numbers cannot be included with de-identified information because, although the availability of clinical trial numbers may be limited, they are used for other purposes besides de-identification/re-identification, such as identifying clinical trial records, and may be disclosed under certain circumstances. Thus, they do not meet the criteria in the rule for use as a unique record identifier for de-identified records. Device model serial numbers are included in ‘‘any device identifier or serial number’’ and must be removed. We considered the request to remove all proper nouns to be very burdensome to implement for very little increase in privacy and likely to be arbitrary in operation, and so it is not included in the final rule.

Re-Identification

Comments: One commenter wanted to know if the rule requires that covered entities retain the ability to re-identify de-identified information.

Response: The rule does not require covered entities to retain the ability to re-identify de-identified information, but it does allow them to retain this ability.

Comments: A few commenters asked us to prohibit anyone from re-identifying de-identified health information.

Response: We do not have the authority to regulate persons other than covered entities, so we cannot affect attempts by entities outside of this rule to re-identify information. Under the rule, we permit the covered entity that created the de-identified information to re-identify it. However, we include a requirement that, when a unique record identifier is included in the de-identified information, such identifier must not be such that someone other than the covered entity could use it to identify the individual (such as when a derivative of the individual’s name is used as the unique record identifier).

Section 164.514(d)—Minimum Necessary

Comment: A large number of commenters objected to the application of the proposed ‘‘minimum necessary’’ standard for uses and disclosures of protected health information to uses and disclosures for treatment purposes. Some suggested that the final regulation should establish a good faith exception or safe harbor for disclosures made for treatment.

The overwhelming majority of commenters, generally from the medical community, argued that application of the proposed standard would be contrary to sound medical practice, increase medical errors, and lead to an increase in liability. Some likened the standard to a ‘‘gag clause’’ in that it limited the exchange of information critical for quality patient care. They found the standard unworkable in daily treatment situations. They argued that this standard would be potentially dangerous in that it could cause practitioners to withhold information that could be essential for later care. Commenters asserted that caregivers need to be able to give and receive a


complete picture of the patient’s health to make a diagnosis and develop a treatment plan.

Other commenters noted that the complexity of medicine is such that it is unreasonable to think that anyone will know the exact parameters of the information another caregiver will need for proper diagnosis and treatment or that a plan will need to support quality assurance and improvement activities. They therefore suggested that the minimum necessary standard be applied instead as an administrative requirement.

Providers also emphasized that they already have an ethical duty to limit the sharing of unnecessary medical information, and most already have well-developed guidelines and practice standards in place. Concerns were also voiced that attempts to provide the minimum necessary information in the treatment setting would lead to multiple editions of a record or creation of summaries that turn out to omit crucial information resulting in confusion and error.

Response: In response to these concerns, we substantially revise the minimum necessary requirements. As suggested by certain commenters, we provide, in § 164.502(b), that disclosures of protected health information to or requests by health care providers for treatment are not subject to the minimum necessary standard. We also modify the requirements for uses of protected health information. This final rule requires covered entities to make determinations of minimum necessary use, including use for treatment purposes, based on the role of the person or class of workforce members rather than at the level of specific uses. A covered entity must establish policies and procedures that identify the types of persons who are to have access to designated categories of information and the conditions, if any, of that access. We establish no requirements specific to a particular use of information. Covered entities are responsible for establishing and documenting these policies and procedures. This approach is consistent with the argument of many commenters that guidelines and practice standards are appropriate means for protecting the privacy of patient information.

Comment: Some commenters argued that the standard should be retained in the treatment setting for uses and disclosures pertaining to mental health information. Some of these commenters asserted that other providers do not need to know the mental status of a patient for treatment purposes.

Response: We agree that the standard should be retained for uses of mental health information in the treatment setting. However, we believe that the arguments for excepting disclosures of protected health information for treatment purposes from application of the minimum necessary standard are also persuasive with respect to mental health information. An individual’s mental health can interact with proper treatment for other conditions in many ways. Psychoactive medications may have harmful interactions with drugs routinely prescribed for other purposes; an individual’s mental health history may help another health care provider understand the individual’s ability to abide by a complicated treatment regimen. For these reasons, it is also not reasonable to presume that, in every case, a health care provider will not need to know an individual’s mental health status to provide appropriate treatment.

Providers’ comments noted existing ethical duties to limit the sharing of unnecessary medical information, and well-developed guidelines and practice standards for this purpose. Under this rule, providers may use these tools to guide their discretion in disclosing health information for treatment.

Comment: Several commenters urged that covered entities should be required to conspicuously label records to show that they are not complete. They argued that absent such labeling, patient care could be compromised.

Response: We believe that the final policy to except disclosures of protected health information for treatment purposes from application of the minimum necessary standard addresses these commenters’ concerns.

Comment: Some commenters argued that the audit exception to the minimum necessary requirements needs to be clarified or expanded, because ‘‘audit’’ and ‘‘payment’’ are essentially the same thing.

Response: We eliminate this exception. The proposed exclusion of disclosures to health plans for audit purposes is replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the purpose intended.

Comment: Many commenters argued that the proposed standard was unworkable as applied to ‘‘uses’’ by a covered entity’s employees, because the proposal appeared not to allow providers to create general policy as to the types of records that particular employees may have access to but instead required that each decision be made ‘‘individually,’’ which providers interpret as ‘‘case-by-case.’’ Commenters argued that the standard with regard to ‘‘uses’’ would be impossible to implement and prohibitively expensive, requiring both medical and legal input to each disclosure decision.

Some commenters recommended deletion of the minimum necessary standard with regard to ‘‘uses.’’ Other commenters specifically recommended deletion of the requirement that the standard be applied on an individual, case-by-case basis. Rather, they suggested that the covered entity be allowed to establish general policies to meet the requirement. Another commenter similarly urged that the standard not apply to internal disclosures or for internal health care operations such as quality improvement/assurance activities. The commenter recommended that medical groups be allowed to develop their own standards to ensure that these activities are carried out in a manner that best helps the group and its patients.

Other commenters expressed confusion and requested clarification as to how the standard as proposed would actually work in day-to-day operations within an entity.

Response: Commenters’ arguments regarding the workability of this standard as proposed were persuasive, and we therefore make significant modification to address these comments and improve the workability of the standard. For all uses and many disclosures, we require covered entities to include in their policies and procedures (see § 164.530), which may be standard protocols, for ‘‘minimum necessary’’ uses and disclosures. We require implementation of such policies in lieu of making the ‘‘minimum necessary’’ determination for each separate use and disclosure.

For uses, covered entities must implement policies and procedures that restrict access to and use of protected health information based on the specific professional roles of members of the covered entity’s workforce. The policies and procedures must identify the persons or classes of persons in the entity’s workforce who need access to protected health information to carry out their duties and the category or categories of protected health information to which such persons or classes need access. These role-based access rules must also identify the conditions, as appropriate, that would apply to such access. For example, an institutional health care provider could allow physicians access to all records under the condition that the viewing of medical records of patients not under their care is recorded and reviewed. Other health professionals’ access could be limited to time periods when they are on duty. Information available to staff who are responsible for scheduling surgical procedures could be limited to certain data. In many instances, use of order forms or selective copying of relevant portions of a record may be appropriate policies to meet this requirement.

Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures (which may be standard protocols) to limit the protected health information in routine disclosures to the minimum information reasonably necessary to achieve the purpose of that type of disclosure. For non-routine disclosures, a covered entity must develop reasonable criteria to limit the protected health information disclosed to the minimum necessary to accomplish the purpose for which disclosure is sought, and to implement procedures for review of disclosures on an individual basis.

We modify the proposed standard to require the covered entity to make ‘‘reasonable efforts’’ to meet the minimum necessary standard (not ‘‘all’’ reasonable efforts, as proposed). What is reasonable will vary with the circumstances. When it is practical to use order forms or selective copying of relevant portions of the record, the covered entity is required to do so. Similarly, this flexibility in the standard takes into account the ability of the covered entity to configure its record system to allow selective access to only certain fields, and the practicality of organizing systems to allow this capacity. It might be reasonable for a covered entity with a highly computerized information system to implement a system under which employees with certain functions have access to only limited fields in patient records, while other employees have access to the complete records. Such a system might not be reasonable for a covered entity with a largely paper records system.

Comment: The minimum necessary standard should not be applied to uses and disclosures for payment or health care operations.

Response: Commenters’ arguments for exempting these uses and disclosures from the minimum necessary standard were not compelling. We believe that our modifications to application of the minimum necessary standard to internal uses of protected health information, and to routine disclosures, address many of the concerns raised, particularly the concerns about administrative burdens and the concerns about having the information necessary for day-to-day operations. We do not eliminate this standard in part because we also remain concerned that covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary, to avoid the administrative step of extracting the necessary information (or redacting the unnecessary information). We also believe this standard will cause covered entities to assess their privacy practices, give the privacy interests of their patients and enrollees greater attention, and make improvements that might otherwise not have been made. For this reason, the privacy benefits of retaining the minimum necessary standard for these purposes outweigh the burdens involved. We note that the minimum necessary standard is tied to the purpose of the disclosure; thus, providers may disclose protected health information as necessary to obtain payment.

Comment: Other commenters urged us to apply a ‘‘good faith’’ provision to all disclosures subject to the minimum necessary standard. Commenters presented a range of options to modify the proposed provisions which, in their view, would have mitigated their liability if they failed to comply with minimum necessary standard.

Response: We believe that the modifications to this standard, described above, substantially address

comments, we provide further guidance on how a covered entity can develop its policies for the minimum necessary use and disclosure of protected health information. We do not abandon this standard for the reasons described above. We remain concerned about the number of persons who have access to identifiable health information, and believe that causing covered entities to examine their practices will have significant privacy benefits.

Comment: Some commenters asked that the minimum necessary standard should not be applied to disclosures to business partners. Many of these commenters articulated the burdens they would bear if every disclosure to a business partner was required to meet the minimum necessary standard.

Response: We do not agree. In this final rule, we minimize the burden on covered entities in the following ways: in circumstances where disclosures are made on a routine, recurring basis, such as in on-going relationships between covered entities and their business associates, individual review of each routine disclosure has been eliminated; covered entities are required only to develop standard protocols to apply to such routine disclosures made to business associates (or types of business associates). In addition, we allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Some commenters were concerned that applying the standard in research settings will result in providers declining to participate in research protocols.

Response: We have modified the proposal to reduce the burden on covered entities that wish to disclose protected health information for research purposes. The final rule requires covered entities to obtain documentation or statements from persons requesting protected health information for research that, among
Covered entities’ policies and these commenters’ concerns. In addition other things, describe the information
procedures must provide that disclosure to allowing the covered entity to use necessary for the research. We allow
of an entire medical record will not be standard protocols for routine covered entities to reasonably rely on
made except pursuant to policies which disclosures, we modify the standard to the documentation or statements as
specifically justify why the entire require a covered entity to make describing the minimum necessary
medical record is needed. ‘‘reasonable efforts,’’ not ‘‘all’’ disclosure.
We believe that these modifications reasonable efforts as proposed, in Comment: Some commenters argued
significantly improve the workability of making the ‘‘minimum necessary’’ that government requests should not be
this standard. At the same time, we disclosure. subject to the minimum necessary
believe that asking covered entities to Comments: Some commenters standard, whether or not they are
assess their practices and establish rules complained that language in the ‘‘authorized by law.’’
for themselves will lead to significant proposed rule was vague and provided Response: We found no compelling
improvements in the privacy of health little guidance, and should be reason to exempt government requests
information. See the preamble for abandoned. from this standard, other than when a
§ 164.514 for a more detailed Response: In the preamble for disclosure is required by law. (See
discussion. § 164.504 and these responses to preamble to § 164.512(a) for the


rationale behind this policy). When a disclosure is required by law, the minimum necessary standard does not apply, whether the recipient of the information is a government official or a private individual.

At the same time, we understand that when certain government officials make requests for protected health information, some covered entities might feel pressure to comply that might not be present when the request is from a private individual. For this reason, we allow (but do not require) covered entities to reasonably rely on the representations of public officials as to the minimum necessary information for the purpose.

Comment: Some commenters argued that requests under proposed § 164.510 should not be subject to the minimum necessary standard, whether or not they are "authorized by law." Others argued that for disclosures made for administrative proceedings pursuant to proposed § 164.510, the minimum necessary standard should apply unless they are subject to a court order.

Response: We found no compelling reason to exempt disclosures for purposes listed in the regulation from this standard, other than for disclosures required by law. When there is no such legal mandate, the disclosure is voluntary on the part of the covered entity, and it is therefore reasonable to expect the covered entity to make some effort to protect privacy before making such a disclosure. If the covered entity finds that redacting unnecessary information, or extracting the requested information, prior to making the disclosure, is too burdensome, it need not make the disclosure. Where there is ambiguity regarding what information is needed, some effort on the part of the covered entity can be expected in these circumstances.

We also found no compelling reason to limit the exemption for disclosures "required by law" to those made pursuant to a court order. The judgment of a state legislature or regulatory body that a disclosure is required is entitled to no less deference than the same decision made by a court. For further rationale for this policy, see the preamble to § 164.512(a).

Comment: Some commenters argued that, in cases where a request for disclosure is not required by law, covered entities should be permitted to rely on the representations by public officials that they have requested no more than the minimum amount necessary.

Response: We agree, and retain the proposed provision which allows reasonable reliance on the representations of public officials.

Comment: Some commenters argued that it is inappropriate to require covered entities to distinguish between disclosures that are "required by law" and those that are merely "authorized by law," for the purposes of determining when the standard applies.

Response: We do not agree. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. In addition, § 164.514(h) allows covered entities to reasonably rely on the oral or written representation of public officials that a disclosure is required by law.

Comment: The minimum necessary standard should not be applied to pharmacists, or to emergency services.

Response: We believe that the final rule's exemption of disclosures of protected health information to health care providers for treatment purposes from the minimum necessary standard addresses these commenters' concerns about emergency services. Together with the other changes we make to the proposed standard, we believe we have also addressed most of the commenters' concerns about pharmacists. With respect to pharmacists, the comments offered no persuasive reasons to treat pharmacists differently from other health care providers. Our reasons for retaining this standard for other uses and disclosures of protected health information are explained above.

Comment: A number of commenters argued that the standard should not apply to disclosures to attorneys, because it would interfere with the professional duties and judgment of attorneys in their representation of covered entities. Commenters stated that if a layperson within a covered entity makes an improper decision as to what the minimum necessary information is in regard to a request by the entity's attorney, the attorney may end up lacking information that is vital to representation. These commenters stated that attorneys are usually going to be in a better position to determine what information is truly the minimum necessary for effective counsel and representation of the client.

Response: We found no compelling reason to treat attorneys differently from other business associates. However, to ensure that this rule does not inadvertently cause covered entities to second-guess the professional judgment of the attorneys and other professionals they hire, we modify the proposed policies to explicitly allow covered entities to rely on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.

Comment: Commenters from the law enforcement community expressed concern that providers may attempt to misuse the minimum necessary standard as a means to restrict access to information, particularly with regard to disclosures for health oversight or to law enforcement officials.

Response: The minimum necessary standard does not apply to disclosures required by law. Since the disclosures to law enforcement officials to which this standard applies are all voluntary, there would be no need for a covered entity to "manipulate" the standard; it could decline to make the disclosure.

Comment: Some commenters argued that the only exception to the application of the standard should be when an individual requests access to his or her own information. Many of these commenters expressed specific concerns about victims of domestic violence and other forms of abuse.

Response: We do not agree with the general assertion that disclosure to the individual is the only appropriate exception to the minimum necessary standard. There are other, limited, circumstances in which application of the minimum necessary standard could cause significant harm. For reasons described above, disclosures of protected health information for treatment purposes are not subject to this standard. Similarly, as described in detail in the preamble to § 164.512(a), where another public body has mandated the disclosure of health information, upsetting that judgment in this regulation would not be appropriate.

The more specific concerns expressed about victims of domestic violence and other forms of abuse are addressed in a new provision regarding disclosure of protected health information related to domestic violence and abuse (see § 164.512(c)), and in new limitations on disclosures to persons involved in the individual's care (see § 164.510(b)). We believe that the limitations we place on disclosure of health information in those circumstances address the concerns of these commenters.

Comment: Some commenters argued that disclosures to next of kin should be restricted to minimum necessary protected health information, and to protected health information about only the current medical condition.

Response: In the final regulation, we change the proposed provision regarding "next of kin" to more clearly focus on the disclosures we intended to target: Disclosures to persons involved


in the individual's care. We allow such disclosure only with the agreement of the individual, or where the covered entity has offered the individual the opportunity to object to the disclosure and the individual did not object. If the opportunity to object cannot practicably be provided because of the incapacity of the individual or other emergency, we require covered entities to exercise professional judgment in the best interest of the patient in deciding whether to disclose information. In such cases, we permit disclosure only of that information directly relevant to the person's involvement with the individual's health care. (This provision also includes limited disclosure to certain persons seeking to identify or locate an individual.) See § 164.510(b).

Some additional concerns expressed about victims of domestic violence and other forms of abuse are also addressed in a new section on disclosure of protected health information related to domestic violence and abuse. See § 164.512(c). We believe that the limitations we place on disclosure of health information in these provisions address the concerns of these commenters.

Comment: Some commenters argued that covered entities should be required to determine whether de-identified information could be used before disclosing information under the minimum necessary standard.

Response: We believe that requiring covered entities' policies and procedures for minimum necessary disclosures to address whether de-identified information could be used in all instances would impose burdens on some covered entities that could outweigh the benefits of such a requirement. There is significant variation in the sophistication of covered entities' information systems. Some covered entities can reasonably implement policies and procedures that make significant use of de-identified information; other covered entities would find such a requirement excessively burdensome. For this reason, we chose instead to require "reasonable efforts," which can vary according to the situation of each covered entity.

In addition, we believe that the fact that we allow de-identified information to be disclosed without regard to the policies, procedures, and documentation required for disclosure of identifiable health information will provide an incentive to encourage its use where appropriate.

Comment: Several commenters argued that standard transactions should not be subject to the standard.

Response: We agree that data elements that are required or situationally required in the standard transactions should not be, and are not, subject to this standard. However, in many cases, covered entities have significant discretion as to the information included in these transactions. Therefore, this standard does apply to those optional data elements.

Comment: Some commenters asked for clarification to understand how the minimum necessary standard is intended to interact with the security NPRM.

Response: The proposed Security Rule included requirements for electronic health information systems to include access management controls. Under this regulation, the covered entity's privacy policies will determine who has access to what protected health information. We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: Many commenters, representing health care providers, argued that if the request was being made by a health plan, the health plan should be required to request only the minimum protected health information necessary. Some of these commenters stated that the requestor is in a better position to know the minimum amount of information needed for their purposes. Some of these commenters argued that the minimum necessary standard should be imposed only on the requesting entity. A few of these commenters argued that both the disclosing and the requesting entity should be subject to the minimum necessary standard, to create "internal tension" to assure the standard is honored.

Response: We agree, and in the final rule we require that a request for protected health information made by one covered entity to another covered entity must be limited to the minimum amount necessary for the purpose. As with uses and disclosures of protected health information, covered entities may have standard protocols for routine requests. Similarly, this requirement does not apply to requests made to health care providers for treatment purposes. We modify the rule to balance this provision; that is, it now applies both to disclosure of and requests for protected health information. We also allow, but do not require, the covered entity releasing the information to reasonably rely on the assertion of a requesting covered entity that it is requesting only the minimum protected health information necessary.

Comment: A few commenters suggested that there should be a process for resolving disputes between covered entities over what constitutes the "minimum necessary" information.

Response: We do not intend that this rule change the way covered entities currently handle their differences regarding the disclosure of health information. We understand that the scope of information requested from providers by health plans is a source of tension in the industry today, and we believe it would not be appropriate to use this regulation to affect that debate. As discussed above, we require both the requesting and the disclosing covered entity to take privacy concerns into account, but do not inject additional tension into the on-going discussions.

Section 164.514(e)—Marketing

Comment: Many commenters requested clarification of the boundaries between treatment, payment, health care operations, and marketing. Some of these commenters requested clarification of the apparent inconsistency between language in proposed § 164.506(a)(1)(i) (a covered entity is permitted to use or disclose protected health information without authorization "to carry out" treatment, payment, or health care operations) and proposed § 164.508(a)(2)(A) (a covered entity must obtain an authorization for all uses and disclosures that are not "compatible with or directly related to" treatment, payment, and health care operations). They suggested retaining the language in proposed § 164.508(a)(2)(A), which would permit a broader range of uses and disclosures without authorization, in order to engage in health promotion activities that might otherwise be considered marketing.

Response: In the final rule, we make several changes to the definitions of treatment, payment, and health care operations that are intended to clarify the uses and disclosures of protected health information that may be made for each purpose. See § 164.501 and the corresponding preamble discussion regarding the definitions of these terms. We also have added a definition of the term "marketing" to help establish the boundary between marketing and treatment, payment, and health care operations. See § 164.501. We also clarify the conditions under which authorization is or is not required for uses and disclosures of protected health information for marketing purposes. See § 164.514(e). Due to these changes, we believe it is appropriate to retain the wording from proposed § 164.506(a)(1)(i).


Comment: We received a wide variety of suggestions with respect to authorization for uses and disclosures of protected health information for marketing purposes. Some commenters supported requiring authorization for all such uses and disclosures. Other commenters suggested permitting all such uses and disclosures without authorization.

Some commenters suggested we distinguish between marketing to benefit the covered entity and marketing to benefit a third party. For example, a few commenters suggested we should prohibit covered entities from seeking authorization for any use or disclosure for marketing purposes that benefit a third party. These commenters argued that the third parties should be required to obtain the individual's authorization directly from the individual, not through a covered entity, due to the potential for conflicts of interest.

While a few commenters suggested that we require covered entities to obtain authorization to use or disclose protected health information for the purpose of marketing its own products and services, the majority argued these types of marketing activities are vital to covered entities and their customers and should therefore be permitted to occur without authorization. For example, commenters suggested covered entities should be able to use and disclose protected health information without authorization in order to provide appointment reminders, newsletters, information about new initiatives, and program bulletins.

Finally, many commenters argued we should not require authorization for the use or disclosure of protected health information to market any health-related goods and services, even if those goods and services are offered by a third party. Some of these commenters suggested that individuals should have an opportunity to opt out of these types of marketing activities rather than requiring authorization.

Response: We have modified the final rule in ways that address a number of the issues raised in the comments. First, the final rule defines the term marketing, and excepts certain communications from the definition. See § 164.501. These exceptions include communications made by covered entities for the purpose of describing network providers or other available products, services, or benefits and communications made by covered entities for certain treatment-related purposes. These exceptions only apply to oral communications or to written communications for which the covered entity receives no third-party remuneration. The exceptions to the definition of marketing fall within the definitions of treatment and/or health care operations, and therefore uses, or disclosures to a business associate, of protected health information for these purposes are permissible under the rule without authorization.

The final rule also permits covered entities to use protected health information to market health-related products and services, whether they are the products and services of the covered entity or of a third party, subject to a number of limitations. See § 164.514(e). We permit these uses to allow entities in the health sector to inform their patients and enrollees about products that may benefit them. The final rule contains significant restrictions, including requirements that the covered entity disclose itself as the source of a marketing communication, that it disclose any direct or indirect remuneration from third parties for making the disclosure, and that, except in the cases of general communications such as a newsletter, the communication disclose how the individual can opt out of receiving additional marketing communications. Additional requirements are imposed if the communication is targeted based on the health status or condition of the proposed recipients.

We believe that these modifications address many of the issues raised by commenters and provide a substantial amount of flexibility as to when a covered entity may communicate about a health-related product or service to a patient or enrollee. These communications may include appointment reminders, newsletters, and information about new health products. These changes, however, do not permit a covered entity to disclose protected health information to third parties for marketing (other than to a business associate to make a marketing communication on behalf of the covered entity) without authorization under § 164.508.

Comment: A few commenters suggested we prohibit health care clearinghouses from seeking authorization for the use or disclosure of protected health information for marketing purposes.

Response: We do not prohibit clearinghouses from seeking authorizations for these purposes. We believe, however, that health care clearinghouses will almost always create or obtain protected health information in a business associate capacity. Business associates may only engage in activities involving the use or disclosure of protected health information, including seeking or acting on an authorization, to the extent their contracts allow them to do so. When a clearinghouse creates or receives protected health information other than as a business associate of a covered entity, it is permitted and required to obtain authorizations to the same extent as any other covered entity.

Comment: A few commenters suggested we require covered entities to publicly disclose, on the covered entity's website or upon request, all of their marketing arrangements.

Response: While we agree that such a requirement would provide individuals with additional information about how their information would be used, we do not feel that such a significant intrusion into the business practices of the covered entity is warranted.

Comment: Some commenters argued that if an activity falls within the scope of payment, it should not be considered marketing. Commenters strongly supported an approach which would bar an activity from being construed as "marketing" even if performing that activity would result in financial gain to the covered entity. In a similar vein, we were urged to adopt the position that if an activity was considered payment, treatment or health care operations, it could not be further evaluated to determine whether it should be excluded as marketing.

Response: We considered the approach offered by commenters but decided against it. Some activities, such as the marketing of a covered entity's own health-related products or services, are now included in the definition of health care operations, provided certain requirements are met. Other types of activities, such as the sale of a patient list to a marketing firm, would not be permitted under this rule without authorization from the individual. We do not believe that we can envision every possible disclosure of health information that would violate the privacy of an individual, so any list would be incomplete. Therefore, whether or not a particular activity is considered marketing, payment, treatment or health care operations will be a fact-based determination based on the activity's congruence with the particular definition.

Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They suggested we adopt a definition of disease management that differentiates use of information for the best interests of the patient from uses undertaken for "ulterior purposes" such as advertising, marketing, or promoting separate products.


Response: We agree in general that the sale of unrelated products to individuals is not a population-based activity that supports treatment and payment. However, in certain circumstances marketing activities are permitted as a health care operation; see the definition of "health care operations" in § 164.501 and the related marketing requirements of § 164.514.

Comment: Some commenters complained that the absence of a definition for disease management created uncertainty, in view of the proposed rule's requirement to get authorization for marketing. They expressed concern that the effect would be to require patient consent for many activities that are desirable, not practicably done if authorization is required, and otherwise classifiable as treatment, payment, or health care operations. Examples provided include reminders for appointments, reminders to get preventive services like mammograms, and information about home management of chronic illnesses. They also stated that the proposed rule would prevent many disease management and preventive health activities.

Response: We agree that the distinction in the NPRM between disease management and marketing was unclear. Rather than provide a definition of disease management, this final rule defines marketing. We note that overlap between disease management and marketing exists today in practice and they cannot be distinguished easily with a definitional label. However, for purposes of this rule, the revised language makes clear for what activities an authorization is required. We note that under this rule many of the activities mentioned by commenters will not require authorizations under most circumstances. See the discussion of disease management under the definition of "treatment" in § 164.501.

Section 164.514(f)—Fundraising

Comment: Many comments objected to the requirement that an authorization from the individual be obtained for use and disclosure of protected health information for fundraising purposes. They argued that, in the case of not-for-profit health care providers, having to obtain authorization would be time consuming and costly, and that such a requirement would lead to a decrease in charitable giving. The commenters also urged that fundraising be included within the definition of health care operations. Numerous commenters suggested that they did not need unfettered access to patient information in order to carry out their fundraising campaigns. They stated that a limited data set restricted to name, address, and telephone number would be sufficient to meet their needs. Several commenters suggested that we create a voluntary opt-out provision so people can avoid solicitations.

Response: We agree with commenters that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit. Permissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).

Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity.

We also agree that broad access to protected health information is unnecessary for fundraising and unnecessarily intrudes on individual privacy. The final rule limits protected health information to be used or disclosed for fundraising to demographic information and the date that treatment occurred. Demographic information is not defined in the rule, but will generally include in this context name, address and other contact information, age, gender, and insurance status. The term does not include any information about the illness or treatment.

We also agree that a voluntary opt-out is an appropriate protection, and require in § 164.520 that covered entities provide information on their fundraising activities in their "Notice of Information Practices." As part of the notice and in any fundraising materials, covered entities must provide information explaining how individuals may opt out of fundraising communications.

Comment: Some commenters stated that use and disclosure of protected health information for fundraising, without authorization, should be limited to not-for-profit entities. They suggested that not-for-profit entities were in greater need of charitable contributions and as such, they should be exempt from the authorization requirement while for-profit organizations should have to comply with the requirement.

Response: We do not agree that the profit status of a covered entity should determine its allowable use of protected health information for fundraising. Many for-profit entities provide the same services and have similar missions to not-for-profit entities. Therefore, the final rule does not make this distinction.

Comment: Several commenters suggested that the final rule should allow the internal use of protected health information for fundraising, without authorization, but not disclosure for fundraising. These commenters suggested that by limiting access of protected health information to only internal development offices concerns about misuse would be reduced.

Response: We do not agree. A number of commenters noted that they have related charitable foundations that raise funds for the covered entity, and we permit disclosures to such foundations to ensure that this rule does not interfere with charitable giving.

Comment: Several commenters asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.

Section 164.514(g)—Verification

Comment: A few commenters suggested that verification guidelines may need to be different as they apply to emergency clinical situations as opposed to routine data collection where delays do not threaten health.

Response: We agree, and make special provisions in §§ 164.510 and 164.512 for disclosures of protected health information by a covered entity without authorization where the individual is unable to agree or object to disclosure due to incapacity or other emergency circumstance.

For example, a health care provider may need to make disclosures to family members, close personal friends, and others involved in the individual's care in emergency situations. Similarly, a health care provider may need to respond to a request from a hospital seeking protected health information in

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00258 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82719

a circumstance described as an emergency. In each case, we require only that the covered entity exercise professional judgment, in the best interest of the patient, in deciding whether to make a disclosure. Based on the comments and our fact finding, this reflects current practice.

Comment: A few commenters stated the rules should include provisions for electronic verification of identity (such as Public Key Infrastructure (PKI)) as established in the regulations on Security and Electronic Signatures. One commenter suggested that some kind of PKI credentialing certificate should be required.

Response: This regulation does not address specific technical protocols utilized to meet the verification requirements. If the requirements of the rule are otherwise met, the mechanism for meeting them can be determined by the covered entity.

Comment: A few commenters wanted more clarification on the verification procedures. One commenter wanted to know if contract number is enough for verification. A few commenters wanted to know if a callback or authorization on a letterhead is acceptable. A few commenters wanted to know if plans are considered to “routinely do business” with all of their members.

Response: In the final rule, we modify the proposed provision and require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting protected health information. Whether knowledge of a contract number is reasonable evidence of authority and identity will depend on the circumstances. Call-backs and letterhead are typically used today for verification, and are acceptable under this rule if reasonable under the circumstances. For communications with health plan members, the covered entity will already have information about each individual, collected during enrollment, that can be used to establish identity, especially for verbal or electronic inquiries. For example, today many health plans ask for the social security or policy number of individuals seeking information or assistance by telephone. How this verification is done is left up to the covered entity.

Comment: One commenter expressed the need for consistency on verification requirements between this rule and the Security regulation.

Response: We will make every effort to ensure consistency prior to publishing the final Security Rule.

Comment: One commenter stated that the verification language in proposed § 164.518(c)(2)(ii)(B)(1) would have created a presumption that “a request for disclosure made by official legal process issued by a[n] administrative body” is reasonable legal authority to disclose the protected health information. The commenter was concerned that this provision could be interpreted to permit a state agency to demand the disclosure of protected health information merely on the basis of a letter signed by an agency representative. The commenter believed that the rule specifically should defer to state or federal law on the disclosure of protected health information pursuant to legal process.

Response: The verification provisions in this rule are minimum requirements that covered entities must meet before disclosing protected health information under this regulation. They do not mandate disclosure, nor do they preempt state laws which impose additional restrictions on disclosure. Where state law regarding disclosures is more stringent, the covered entity must adhere to state law.

Comment: A few commenters wanted the verification requirements to apply to disclosures of protected health information for treatment, payment and operations purposes.

Response: We agree. This verification requirement applies to all disclosures of protected health information permitted by this rule, including for treatment, payment and operations, where the identity of the recipient is not known to the covered entity. Routine communications between providers, where existing relationships have been established, do not require special verification procedures.

Comment: A few commenters were concerned that a verbal inquiry for next of kin verification is not consistent with the verification guidelines of this verification subsection and that verbal inquiry would create problems because anyone who purports to be a next of kin could easily obtain information under false pretenses.

Response: In the final rule in § 164.514, we require the covered entity to verify the identity and authority of persons requesting protected health information, where the identity and authority of such person is not known to the covered entity. This applies to next of kin situations. Procedures for disclosures to next of kin, other family members and persons assisting in an individual’s care are also discussed in § 164.510(b), which allows the covered entity to exercise professional judgment as to whether the disclosure is in the individual’s best interest when the individual is not available to agree to the disclosure or is incapacitated.

Requiring written proof of identity in many of these situations, such as when a family member is seeking to locate a relative in an emergency or disaster situation, would create enormous burden without a corresponding enhancement of privacy, and could cause unnecessary delays in these situations. We therefore believe that reliance on professional judgment provides a better framework for balancing the need for privacy with the need to locate and identify individuals.

Comment: A few commenters stated that the verification requirements will provide great uncertainty to providers who receive authorizations from life, disability income and long-term care insurers in the course of underwriting and claims investigation. They are unaware of any breaches of confidentiality associated with these circumstances and believe the rule creates a solution to a non-existent problem. Another commenter stated that it is too burdensome for health care providers to verify requests that are normally received verbally or via fax.

Response: This rule requires covered health care providers to adhere to current best practices for verification. That is, when the requester is not known to the covered provider, the provider makes a reasonable effort to determine that the protected health information is being sent to the entity authorized to receive it. Our fact finding reveals that this is often done by sending the information to a recognizable organizational address or, if being transmitted by fax or phone, by calling the requester back through the main organization switchboard rather than through a direct phone number. We agree that these procedures seem to work reasonably well in current practice and are sufficient to meet the relevant requirements in the final rule.

Comment: One comment suggested requiring a form of photo identification such as a driver’s license or certain personal information such as date of birth to verify the identity of the individual.

Response: These are exactly the types of standard procedures for verifying the identity of individuals that are envisioned by the final rule. Most health care entities already conduct such procedures successfully. However, it is unwise to prescribe specific means of verification for all situations. Instead, we require policies and procedures reasonably designed for purposes of verification.

Comment: One professional association said that the example procedure described in the NPRM for asking questions to verify that an adult
acting for a young child had the requisite relationship to the child would be quite complex and difficult in practice. The comment asked for specific guidance as to what questions would constitute an adequate attempt to verify such a relationship.

Response: The final rule requires the covered entity to implement policies and procedures that are reasonably designed to comply with the verification requirement in § 164.514. It would not be possible to create the requested specific guidance which could deal with the infinite variety of situations that providers must face, especially the complex ones such as that described by the commenter. As with many of the requirements of this final rule, health care providers are given latitude and expected to make decisions regarding disclosures, based on their professional judgment and experience with common practice, in the best interest of the individual.

Comment: One commenter asserted that ascertaining whether a requestor has the appropriate legal authority is beyond the scope of the training or expertise of most employees in a physician’s office. They believe that health care providers must be able to reasonably rely on the authority of the requestor.

Response: In the final regulation we require covered entities to have policies and procedures reasonably designed to verify the identity and authority of persons requesting health information. Where the requester is a public official and legal authority is at issue, we provide detailed descriptions of the acceptable methods for such verification in the final rule. For others, the covered entity must implement policies and procedures that are reasonably designed to comply with the requirement to verify the identity and authority of a requestor, but only if the requestor is unknown to the covered entity. As described above, we expect these policies and procedures to document currently used best practices and reliance on professional judgment in the best interest of the individual.

Comment: One commenter expressed concern that the verification/identification procedures may eliminate or significantly reduce their ability to utilize medical records copy services. As written, they believe the NPRM provides the latitude to set up copy service arrangements, but any change that would add restrictions would adversely affect their ability to process an individual’s disability claim.

Response: The covered entity can establish reasonable policies and procedures to address verification in routine disclosures under business associate agreements, with, for example, medical records copy services. Nothing in the verification provisions would preclude those activities, nor have we significantly modified the NPRM provision on this issue.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Comment: Many commenters supported the proposal to require covered entities to produce a notice of information practices. They stated that such notice would improve individuals’ understanding of how their information may be used and disclosed and would help to build trust between individuals and covered entities. A few comments, however, argued that the notice requirement would be administratively burdensome and expensive without providing significant benefit to individuals.

Response: We retain the requirement for covered health care providers and health plans to produce a notice of information practices. We additionally require health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity to produce a notice. We believe the notice will provide individuals with a clearer understanding of how their information may be used and disclosed and is essential to inform individuals of their privacy rights. The notice will focus individuals on privacy issues, and prompt individuals to have discussions about privacy issues with their health plans, health care providers, and other persons.

The importance of providing individuals with notice of the uses and disclosures of their information and of their rights with respect to that information is well supported by industry groups, and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that “each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual’s express authorization.”[23] The Commission also recommended that “an insurance institution * * * notify (an applicant or principal insured) as to: * * * the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed; [and] * * * the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself.”[24] The Privacy Act (5 U.S.C. 552a) requires government agencies to provide notice of the routine uses of information the agency collects and the rights individuals have with respect to that information. In its report “Best Principles for Health Privacy,” the Health Privacy Working Group stated, “Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information.”[25] The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires carriers to provide a written notice of health information policies, standards, and procedures, including a description of the uses and disclosures prohibited and permitted by the Act, the procedures for authorizing and limiting disclosures and for revoking authorizations, and the procedures for accessing and amending protected health information.

Some states require additional notice. For example, Hawaii requires health care providers and health plans, among others, to produce a notice of confidentiality practices, including a description of the individual’s privacy rights and a description of the uses and disclosures of protected health information permitted under state law without the individual’s authorization. (HRS section 323C–13)

Today, health plan handbooks and evidences of coverage include some of what is required to be in the notice. Industry and standard-setting organizations have also developed notice requirements. The National Committee for Quality Assurance accreditation guidelines state that an accredited managed care organization “communicates to prospective members its policies and practices regarding the collection, use, and disclosure of medical information [and] * * * informs members * * * of its policies and procedures on * * * allowing members access to their medical records.”[26] Standards of the American Society for Testing and Materials state,

[23] Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, p. 313.
[24] Privacy Protection Study Commission, “Personal Privacy in an Information Society,” July 1977, p. 192.
[25] Health Privacy Working Group, “Best Principles for Health Privacy,” Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999, p. 19.
[26] National Committee on Quality Assurance, “Surveyor Guidelines for the Accreditation of MCOs,” effective July 1, 2000—June 30, 2001, p. 324.
“Organizations and individuals who collect, process, handle, or maintain health information should provide individuals and the public with a notice of information practices.” They recommend that the notice include, among other elements, “a description of the rights of individuals, including the right to inspect and copy information and the right to seek amendments [and] a description of the types of uses and disclosures that are permitted or required by law without the individual’s authorization.”[27] We build on this well-established principle in this final rule.

Comment: We received many comments on the model notice provided in the proposed rule. Some commenters argued that patients seeing similar documents would be less likely to become disoriented when examining a new notice. Other commenters, however, opposed the inclusion of a model notice or expressed concern about particular language included in the model. They maintained that a uniform model notice would never capture the varying practices of covered entities. Many commenters opposed requirements for a particular format or specific language in the notice. They stated that covered entities should be afforded maximum flexibility in fashioning their notices. Other commenters requested inclusion of specific language as a header to indicate the importance of the notice. A few commenters recommended specific formatting requirements, such as font size or type.

Response: On the whole, we found commenters’ arguments for flexibility in the regulation more persuasive than those arguing for more standardization. We agree that a uniform notice would not capture the wide variation in information practices across covered entities. We therefore do not include a model notice in the final rule, and do not require inclusion of specific language in the notice (except for a standard header). We also do not require particular formatting. We do, however, require the notice to be written in plain language. (See above for guidance on writing documents in plain language.) We also agree with commenters that the notice should contain a standard header to draw the individual’s attention to the notice and facilitate the individual’s ability to recognize the notice across covered entities.

We believe that post-publication guidance will be a more effective mechanism for helping covered entities design their notices than the regulation itself. After the rule is published, we can provide guidance on notice content and format tailored to different types of health plans and providers. We believe such specially designed guidance will be more useful than a one-size-fits-all model notice we might publish with this regulation.

Comment: Commenters suggested that the rule should require that the notice regarding privacy practices include specific provisions related to health information of unemancipated minors.

Response: Although we agree that minors and their parents should be made aware of practices related to confidentiality of protected health information of unemancipated minors, we do not require covered entities that treat minors or use their protected health information to include provisions in their notice that are not required of other covered entities. In general, the content of notice requirements in § 164.520(b) do not vary based on the status of the individual being served. We have decided to maintain consistency by declining to prescribe specific notice requirements for minors. The rule does permit a covered entity to provide individuals with notice of its policies and procedures with respect to anticipated uses and disclosures of protected health information (§ 164.520(b)(2)), and providers are encouraged to do so.

Comment: Some commenters argued that covered entities should not be required to distinguish between those uses and disclosures that are required by law and those that are permitted by law without authorization, because these distinctions may not always be clear and will vary across jurisdictions. Some commenters maintained that simply stating that the covered entity would make all disclosures required by law would be sufficient. Other comments suggested that covered entities should be able to produce very broadly stated notices so that repeated revisions and mailings of those revisions would not be necessary.

Response: While we believe that covered entities have an independent duty to understand the laws to which they are subject, we also recognize that it could be difficult to convey such legal distinctions clearly and concisely in a notice. We therefore eliminate the proposed requirement for covered entities to distinguish between those uses and disclosures that are required by and those that are permitted by law. We instead require that covered entities describe each purpose for which they are permitted or required to use or disclose protected health information under this rule and other applicable law without individual consent or authorization. Specifically, covered entities must describe the types of uses and disclosures they are permitted to make for treatment, payment, and health care operations. They must also describe each of the purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written consent or authorization (even if they do not plan to make a permissive use or disclosure). We believe this requirement provides individuals with sufficient information to understand how information about them can be used and disclosed and to prompt them to ask for additional information to obtain a clearer understanding, while minimizing covered entities’ burden.

A notice that stated only that the covered entity would make all disclosures required by law, as suggested by some of these commenters, would fail to inform individuals of the uses and disclosures of information about them that are permitted, but not required, by law. We clarify that each and every disclosure required by law need not be listed on the notice. Rather, the covered entity can include a general statement that disclosures required by law will be made.

Comment: Some comments argued that the covered entity should not have to provide notice about uses and disclosures that are permitted under the rule without authorization. Other comments suggested that the notice should inform individuals about all of the uses and disclosures that may be made, with or without the individual’s authorization.

Response: When the individual’s permission is not required for uses and disclosures of information, we believe providing the required notice is the most effective means of ensuring that individuals are aware of how information about them may be shared. The notice need not describe uses and disclosures for which the individual’s permission is required, because the individual will be informed of these at the time permission to use or disclose the information is requested.

We additionally require covered entities, even those required to obtain the individual’s consent for use and disclosure of protected health information for treatment, payment, and health care operations, to describe those uses and disclosures in their notice. (See § 164.506 and the corresponding preamble discussion regarding consent requirements.) We require these uses

[27] ASTM, “Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records,” E 1869–97, § 9.2.
and disclosures to be described in the notice in part in order to reduce the administrative burden on covered providers that are required to obtain consent. Rather than obtaining a new consent each time the covered provider’s information policies and procedures are materially revised, covered providers may revise and redistribute their notice. We also expect that the description of how information may be used to carry out treatment, payment, and health care operations in the notice will be more detailed than in the more general consent document.

Comment: Some commenters argued that covered entities should not be required to provide notice of the right to request restrictions, because doing so would be burdensome to the covered entity and distracting to the individual; because individuals have the right whether they are informed of such right or not; and because the requirement would be unlikely to improve patient care.

Response: We disagree. We believe that the ability of an individual to request restrictions is an important privacy right and that informing people of their rights improves their ability to exercise those rights. We do not believe that adding a sentence to the notice is burdensome to covered entities.

Comment: We received comments supporting inclusion of a contact point in the notice, so that individuals will not be forced to make multiple calls to find someone who can assist them with the issues in the notice.

Response: We retain the requirement, but clarify that the title of the contact person is sufficient. A person’s name is not required.

Comment: Some commenters argued that we could facilitate compliance by requiring the notice to include the proposed requirement that covered entities use and disclose only the minimum necessary protected health information.

Response: We do not agree that adding such a requirement would strengthen the notice. The purpose of the notice is to inform individuals of their privacy rights, and of the purposes for which protected health information about them may be used or disclosed. Informing individuals that covered entities may use and disclose only the minimum necessary protected health information for a purpose would not increase individuals’ understanding of their rights or the purposes for which information may be used or disclosed.

Comment: A few commenters supported allowing covered entities to apply changes in their information practices to protected health information obtained prior to the change. They argued that requiring different protections for information obtained at different times would be inefficient and extremely difficult to administer. Some comments supported requiring covered entities to state in the notice that the information policies and procedures are subject to change.

Response: We agree. In the final rule, we provide a mechanism by which covered entities may revise their privacy practices and apply those revisions to protected health information they already maintain. We permit, but do not require, covered entities to reserve the right to change their practices and apply the revised practices to information previously created or obtained. If a covered entity wishes to reserve this right, it must make a statement to that effect in its notice. If it does not make such a statement, the covered entity may still revise its privacy practices, but it may apply the revised practices only to protected health information created or obtained after the effective date of the notice in which the revised practices are reflected. See § 164.530(i) and the corresponding preamble discussion of requirements regarding changes to information policies and procedures.

Comment: Some commenters requested clarification of the term “material changes” so that entities will be comfortable that they act properly after making changes to their information practices. Some comments stated that entities should notify individuals whenever a new category of disclosures to be made without authorization is created.

Response: The concept of “material change” appears in other notice laws, such as the ERISA requirements for summary plan descriptions. We therefore retain the “materiality” condition for revision of notices, and encourage covered entities to draw on the concept as it has developed through those other laws. We agree that the addition of a new category of use or disclosure of health information that may be made without authorization would likely qualify as a material change.

Comment: We proposed to permit covered entities to implement revised policies and procedures without first revising the notice if a compelling reason existed to do so. Some commenters objected to this proposal because they were concerned that the “compelling reason” exception would give covered entities broad discretion to engage in post hoc violations of its own information practices.

Response: We agree and eliminate this provision. Covered entities may not implement revised information policies and procedures before properly documenting the revisions and updating their notice. See § 164.530(i). Because in the final rule we require the notice to include all disclosures that may be made, not only those the covered entity intends to make, we no longer need this provision to accommodate emergencies.

Comment: Some comments suggested that we require covered entities to maintain a log of all past notices, with changes from the previous notice highlighted. They further suggested we require covered entities to post this log on their web sites.

Response: In accordance with § 164.530(j)(2), a covered entity must retain for six years a copy of each notice it issues. We do not require highlighting of changes to the notice or posting of prior notices, due to the associated administrative burdens and the complexity such a requirement would build into the notice over time. We encourage covered entities, however, to make such materials available upon request.

Comment: Several commenters requested clarification about when, relative to the compliance date, covered entities are required to produce their notice. One commenter suggested that covered entities be allowed a period not less than 180 days after adoption of the final rule to develop and distribute the notice. Other comments requested that the notice compliance date be consistent with other HIPAA regulations.

Response: We require covered entities to have a notice available upon request as of the compliance date of this rule (or the compliance date of the covered entity if such date is later). See § 164.534 and the corresponding preamble discussion of the compliance date.

Comment: Some commenters suggested that covered entities, particularly covered health care providers, should be required to discuss the notice with individuals. They argued that posting a notice or otherwise providing the notice in writing may not achieve the goal of informing individuals of how their information will be handled, because some individuals may not be literate or able to function at the reading level used in the notice. Others argued that entities should have the flexibility to choose alternative modes of communicating the information in the notice, including voice disclosure. In contrast, some commenters were concerned that requirements to provide the notice in plain language or in languages other than English would be overly burdensome.
Response: We require covered entities to write the notice in plain language so that the average reader will be able to understand the notice. We encourage, but do not require, covered entities to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. While we believe the notice will prompt individuals to initiate discussions with their health plans and health care providers about the use and disclosure of health information, we believe this should be a matter left to each individual and that requiring covered entities to initiate discussions with each individual would be overly burdensome.

Comment: Some commenters suggested that covered entities, particularly health plans, should be permitted to distribute their notice in a newsletter or other communication with individuals.

Response: We agree, so long as the notice is sufficiently separate from other important documents. We therefore prohibit covered entities from combining the notice in a single document with either a consent (§ 164.506) or an authorization (§ 164.508), but do not otherwise prohibit covered entities from including the notice in or with other documents the covered entity shares with individuals.

Comment: Some comments suggested that covered entities should not be required to respond to requests for the notice from the general public. These comments indicated that the requirement would place an undue burden on covered entities without benefiting individuals.

Response: We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities’ privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public.

Comment: Many commenters argued that the distribution requirements for health plans should be less burdensome. Some suggested requiring distribution upon material revision, but not every three years. Some suggested that health plans should only be required to distribute their notice annually or upon re-enrollment. Some suggested that health plans should only have to distribute their notice upon initial enrollment, not re-enrollment. Other commenters supported the proposed approach.

Response: We agree that the notice distribution requirements for health plans can be less burdensome than in the NPRM while still being effective. In the final rule, we reduce health plans’ distribution burden in several ways. First, we require health plans to remind individuals every three years of the availability of the notice and of how to obtain a copy of the notice, rather than requiring the notice to be distributed every three years as proposed. Second, we clarify that health plans only have to distribute the notice to new enrollees on enrollment, not to current members of the health plan upon re-enrollment. Third, we specifically allow all covered entities to distribute the notice electronically in accordance with § 164.520(c)(3).

We retain the requirement for health plans to distribute the notice within 60 days of a material revision. We believe the revised distribution requirements will ensure that individuals are adequately informed of health plans’ information practices and any changes to those procedures, without unduly burdening health plans.

Comment: Many commenters argued that health plans should not be required to distribute their notice to every person covered by the plan. They argued that distributing the notice to every family member would be unnecessarily duplicative, costly, and difficult to administer. They suggested that health plans only be required to distribute the notice to the primary participant or to each household with one or more insured individuals.

Response: We agree, and clarify in the final rule that a health plan may satisfy the distribution requirement by providing the notice to the named insured on behalf of the dependents of that named insured. For example, a group health plan may satisfy its notice requirement by providing a single notice to each covered employee of the plan sponsor. We do not require the group health plan to distribute the notice to each covered employee and to each covered dependent of those employees.

Comment: Many comments requested clarification about health plans’ ability to distribute the notice via other entities. Some commenters suggested that group health plans should be able to satisfy the distribution requirement by providing copies of the notice to plan sponsors for delivery to employees. Others requested clarification that covered health care providers are only required to distribute their own notice and that health plans should be prohibited from using their affiliated providers to distribute the health plan’s notice.

Response: We require health plans to distribute their notice to individuals covered by the health plan. Health plans may elect to hire or otherwise arrange for others, including group health plan sponsors and health care providers affiliated with the health plan, to carry out this distribution. We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule. However, if a covered entity arranges for another person or entity to distribute the covered entity’s notice on its behalf and individuals do not receive such notice, the covered entity would be in violation of the rule.

Comment: Some comments stated that covered providers without direct patient contact, such as clinical laboratories, might not have sufficient patient contact information to be able to mail the notice. They suggested we require or allow such providers to form agreements with referring providers or other entities to distribute notices on their behalf or to include their practices in the referring entity’s own notice.

Response: We agree with commenters’ concerns about the potential administrative and financial burdens of requiring covered providers that have indirect treatment relationships with individuals, such as clinical laboratories, to distribute the notice. Therefore, we require these covered providers to provide the notice only upon request. In addition, these covered providers may elect to reach agreements with other entities to distribute their notice on their behalf, or to participate in an organized health care arrangement that produces a joint notice. See § 164.520(d) and the corresponding preamble discussion of joint notice requirements.

Comment: Some commenters requested that covered health care providers be permitted to distribute their notice prior to an individual’s initial visit so that patients could review the information in advance of the visit. They suggested that distribution in advance would reduce the amount of time covered health care providers’ staff would have to spend explaining the notice to patients in the office. Other comments argued that providers should
distribute their notice to patients at the time the individual visits the provider, because providers lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients.

Response: In the final rule, we clarify that covered providers with direct treatment relationships must provide the notice to patients no later than the first service delivery to the patient after the compliance date. For the reasons identified by these commenters, we do not require covered providers to send their notice to the patient in advance of the patient’s visit. We do not prohibit distribution in advance, but only require distribution to the patient as of the time of the visit. We believe this flexibility will allow each covered provider to develop procedures that best meet its and its patients’ needs.

Comment: Some comments suggested that covered providers should be required to distribute the notice as of the compliance date. They noted that if the covered provider waited to distribute the notice until first service delivery, it would be possible (pursuant to the rule) for a use or disclosure to be made without the individual’s authorization, but before the individual receives the notice.

Response: Because health care providers generally lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients, we do not require covered providers to distribute the notice until the first service delivery after the compliance date. We acknowledge that this policy allows uses and disclosures of health information without individuals’ consent or authorization before the individual receives the notice. We require covered entities, including covered providers, to have the notice available upon request as of the compliance date of the rule. Individuals may request a copy of the notice from their provider at any time.

Comment: Many commenters were concerned with the requirement that covered providers post their notice. Some commenters suggested that covered hospital-based providers should be able to satisfy the distribution requirements by posting their notice in multiple locations at the hospital, rather than handing the notice to patients—particularly with respect to distribution after material revisions have been made. Some additionally suggested that these covered providers should have copies of the notice available on site. Some commenters emphasized that the notice must be clear and conspicuous to give individuals meaningful and effective notice of their rights. Other commenters noted that posting the notice will not inform former patients who no longer see the provider.

Response: We clarify in the final rule that the requirement to post a notice does not substitute for the requirement to give individuals a notice or make notices available upon request. Covered providers with direct treatment relationships, including covered hospitals, must give a copy of the notice to the individual as of first service delivery after the compliance date. After giving the individual a copy of the notice as of that first visit, the covered provider has no other obligation to actively distribute the notice. We believe it is unnecessarily burdensome to require covered providers to mail the notice to all current and former patients each time the notice is revised, because unlike health plans, providers may have a difficult time identifying active patients. All individuals, including those who no longer see the covered provider, have the right to receive a copy of the notice on request.

If the covered provider maintains a physical delivery site, it must also post the notice (including revisions to the notice) in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered provider to be able to read the notice. The covered provider must also have the notice available on site for individuals to be able to request and take with them.

Comment: Some comments requested clarification about the distribution requirements for a covered entity that is a health plan and a covered health care provider.

Response: Under § 164.504(g), discussed above, covered entities that conduct multiple types of covered functions, such as the kind of entities described in the above comments, are required to comply with the provisions applicable to a particular type of health care function when acting in that capacity. Thus, in the example described above, the covered entity is required by § 164.504(g) to follow the requirements for health plans with respect to its actions as a health plan and to follow the requirements for health care providers with respect to its actions as a health care provider.

Comment: We received many comments about the ability of covered entities to distribute their notices electronically. Many commenters suggested that we permit covered entities to distribute the notice electronically, either via a web site or e-mail. They argued that covered entities are increasingly using electronic technology to communicate with patients and otherwise administer benefits. They also noted that other regulations permit similar documents, such as ERISA-required summary plan descriptions, to be delivered electronically. Some commenters suggested that electronic distribution should be permitted unless the individual specifically requests a hard copy or lacks electronic access. Some argued that entities should be able to choose a least-cost alternative that allows for periodic changes without excessive mailing costs. A few commenters suggested requiring covered entities to distribute notices electronically.

Response: We clarify in the final rule that covered entities may elect to distribute their notice electronically, provided the individual agrees to receiving the notice electronically and has not withdrawn such agreement. We do not require any particular form of agreement. For example, a covered provider could ask an individual at the time the individual requests a copy of the notice whether she prefers to receive it in hard copy or electronic form. A health plan could ask an individual applying for coverage to provide an e-mail address where the health plan can send the individual information. If the individual provides an e-mail address, the health plan can infer agreement to obtain information electronically.

An individual who has agreed to receive the notice electronically, however, retains the right to request a hard copy of the notice. This right must be described in the notice. In addition, if the covered entity knows that electronic transmission of the notice has failed, the covered entity must produce a hard copy of the notice. We believe this provision allows covered entities flexibility to provide the notice in the form that best meets their needs without compromising individuals’ right to adequate notice of covered entities’ information practices.

We note that covered entities may also be subject to the Electronic Signatures in Global and National Commerce Act. This rule is not intended to alter covered entities’ requirements under that Act.

Comment: Some commenters were concerned that covered providers with “face-to-face” patient contact would have a competitive disadvantage against covered internet-based providers, because the face-to-face providers would be required to distribute the notice in hard copy while internet-based providers could satisfy the requirement
by requiring review of the notice on the web site before processing an order. They suggested allowing face-to-face covered providers to satisfy the distribution requirement by asking patients to review the notice posted on site.

Response: We clarify in the final rule that covered health care providers that provide services to individuals over the internet have direct treatment relationships with those individuals. Covered internet-based providers, therefore, must distribute the notice at the first service delivery after the compliance date by automatically and contemporaneously providing the notice electronically in response to the individual’s first request for service, provided the individual agrees to receiving the notice electronically.

Even though we require all covered entity web sites to post the entity’s notice prominently, we note that such posting is not sufficient to meet the distribution requirements. A covered internet-based provider must send the notice electronically at the individual’s first request for service, just as other covered providers with direct treatment relationships must give individuals a copy of the notice as of the first service delivery after the compliance date.

We do not intend to create competitive advantages among covered providers. A web-based and a non-web-based covered provider each have the same alternatives available for distribution of the notice. Both types of covered providers may provide either a paper copy or an electronic copy of the notice.

Comment: We received several comments suggesting that some covered entities should be exempted from the notice requirement or permitted to combine notices with other covered entities. Many comments argued that the notice requirement would be burdensome for hospital-based physicians and result in numerous, duplicative notices that would be meaningless or confusing to patients. Other comments suggested that multiple health plans offered through the same employer should be permitted to produce a single notice.

Response: We retain the requirement for all covered health care providers and health plans to produce a notice of information practices. Health care clearinghouses are required to produce a notice of information practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity. See § 164.500(b)(2). Two other types of covered entities are not required to produce a notice: a correctional institution that is a covered entity and a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs.

We clarify in § 164.504(d), however, that affiliated covered entities under common ownership or control may designate themselves as a single covered entity for purposes of this rule. An affiliated covered entity is only required to produce a single notice.

In addition, covered entities that participate in an organized health care arrangement—which could include hospitals and their associated physicians—may choose to produce a single, joint notice, if certain requirements are met. See § 164.501 and the corresponding preamble discussion of organized health care arrangements.

We clarify that each covered entity included in a joint notice must meet the applicable distribution requirements. If any one of the covered entities, however, provides the notice to a given individual, the distribution requirement with respect to that individual is met for all of the covered entities included in the joint notice. For example, a covered hospital and its attending physicians may elect to produce a joint notice. When an individual is first seen at the hospital, the hospital must provide the individual with a copy of the joint notice. Once the hospital has done so, the notice distribution requirement for all of the attending physicians that provide treatment to the individual at the hospital and that are included in the joint notice is satisfied.

Comment: We solicited and received comments on whether to require covered entities to obtain the individual’s signature on the notice. Some commenters suggested that requiring a signature would convey the importance of the notice, would make it more likely that individuals read the notice, and could have some of the same benefits as a consent. They noted that at least one state already requires entities to make a reasonable effort to obtain a signed notice. Other comments noted that the signature would be useful for compliance and risk management purposes because it would document that the individual had received the notice.

The majority of commenters on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for covered entities that do not have direct contact with patients, inconsistent with other notice requirements under other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.

Response: We agree with the majority of commenters and do not require covered entities to obtain the individual’s signed acknowledgment of receipt of the notice. We believe that we satisfied most of the arguments in support of requiring a signature with the new policy requiring covered health care providers with direct treatment relationships to obtain a consent for uses and disclosures of protected health information to carry out treatment, payment, and health care operations. See § 164.506 and the corresponding preamble discussion of consent requirements. We note that this rule does not preempt other applicable laws that require a signed notice and does not prohibit a covered entity from requesting an individual to sign the notice.

Comment: Some commenters supported requiring covered entities to adhere to their privacy practices, as described in their notice. They argued that the notice is meaningless if a covered entity does not actually have to follow the practices contained in its notice. Other commenters were concerned that the rule would prevent a covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission from its published notice. Some of these commenters suggested requiring the notice to include a description of some or all disclosures that are required or permitted by law. Some commenters stated that the adherence requirement should be eliminated because it would generally inhibit covered entities’ ability to innovate and would be burdensome.

Response: We agree that the value of the notice would be significantly diminished absent a requirement that covered entities adhere to the statements they make in their notices. We therefore retain the requirement for covered entities to adhere to the terms of the notice. See § 164.502(i).

Many of these commenters’ concerns regarding a covered entity’s inability to use or disclose protected health information due to an intentional or inadvertent omission from the notice are addressed in our revisions to the proposed content requirements for the notice. Rather than require covered entities to describe only those uses and
disclosures they anticipate making, as proposed, we require covered entities to describe all uses and disclosures they are required or permitted to make under the rule without the individual’s consent or authorization. We permit a covered entity to provide a statement that it will disclose protected health information that is otherwise required by law, as permitted in § 164.512(a), without requiring them to list all state laws that may require disclosure. Because the notice must describe all legally permissible uses and disclosures, the notice will not generally preclude covered entities from making any uses or disclosures they could otherwise make without individual consent or authorization. This change will also ensure that individuals are aware of all possible uses and disclosures that may occur without their consent or authorization, regardless of the covered entity’s current practices.

We encourage covered entities, however, to additionally describe the more limited uses and disclosures they actually anticipate making in order to give individuals a more accurate understanding of how information about them will be shared. We expect that certain covered entities will want to distinguish themselves on the basis of their privacy protections. We note that a covered entity that chooses to exercise this option must clearly state that, at a minimum, the covered entity may make disclosures that are required by law and that are necessary to avert a serious and imminent threat to health or safety.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Section 164.522(a)—Right of an Individual To Request Restriction of Uses and Disclosures

Comment: Several commenters supported the language in the NPRM regarding the right to request restrictions. One commenter specifically stated that this is a balanced approach that addresses the needs of the few who would have reason to restrict the disclosures without negatively affecting the majority of individuals. At least one commenter explained that if we required consent or authorization for use and disclosure of protected health information for treatment, payment, and health care operations then we must also have a right to request restrictions of such disclosure in order to make the consent meaningful.

Many commenters requested that we delete this provision, claiming it would interfere with patient care, payment, and data integrity. Most of the commenters that presented this position asserted that the framework of giving patients control over the use or disclosure of their information is contrary to good patient care because incomplete medical records may lead to medical errors, misdiagnoses, or inappropriate treatment decisions. Other commenters asserted that covered entities need complete data sets on the populations they serve to effectively conduct research and quality improvement projects and that restrictions would hinder research, skew findings, impede quality improvement, and compromise accreditation and performance measurement.

Response: We acknowledge that widespread restrictions on the use and disclosure of protected health information could result in some difficulties related to payment, research, quality assurance, etc. However, in our efforts to protect the privacy of health information about individuals, we have sought a balance in determining the appropriate level of individual control and the smooth operation of the health care system. In the final rule, we require certain covered providers and permit all covered entities to obtain consent from individuals for use and disclosure of protected health information for treatment, payment, and health care operations (see § 164.506). In order to give individuals some control over their health information for uses and disclosures of protected health information for treatment, payment, and health care operations, we provide individuals with the opportunity to request restrictions of such uses and disclosures.

Because the right to request restrictions encourages discussions about how protected health information may be used and disclosed and about an individual’s concerns about such uses and disclosures, it may improve communications between a provider and patient and thereby improve care. According to a 1999 survey on the Confidentiality of Medical Records by the California HealthCare Foundation, one out of every six people engages in behavior to protect themselves from unwanted disclosures of health information, such as lying to providers or avoiding seeking care. This indicates that, without the ability to request restrictions, individuals would have incentives to remain silent about important health information that could have an effect on their health and health care, rather than consulting a health care provider.

Further, this policy is not a dramatic change from the status quo. Today, many state laws restrict disclosures for certain types of health information without the patient’s authorization. Even if there is no mandated requirement to restrict disclosures of health information, providers may agree to requests for restrictions of disclosures when a patient expresses particular sensitivity and concern for the disclosure of health information.

We agree that there may be instances in which a restriction could negatively affect patient care. Therefore, we include protections against this occurrence. First, the right to request restrictions is a right of individuals to make the request. A covered entity may refuse to restrict uses and disclosures or may agree only to certain aspects of the individual’s request if there is concern for the quality of patient care in the future. For example, if a covered provider believes that it is not in the patient’s best medical interest to have such a restriction, the provider may discuss the request for restriction with the patient and give the patient the opportunity to explain the concern for disclosure. Also, a covered provider who is concerned about the implications on future treatment can agree to use and disclose sensitive protected health information for treatment purposes only and agree not to disclose information for payment and operations purposes. Second, a covered provider need not comply with a restriction that has been agreed to if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. This exception should limit the harm to health that may otherwise result from restricting the use or disclosure of protected health information. We encourage covered providers to discuss with individuals that the information may be used or disclosed in emergencies. We require that the covered entity that discloses restricted protected health information in an emergency request that the health care provider that receives such information not further use or re-disclose the information.

Comment: Some health plans stated that an institutionalized right to restrict can interfere with proper payment and can make it easier for unscrupulous providers or patients to commit fraud on insurance plans. They were concerned that individuals could enter into restrictions with providers to withhold information from insurance companies so that the insurance company would not know about certain conditions when underwriting a policy.

Response: This rule does not enhance the ability of unscrupulous patients or health care providers to engage in deceptive or fraudulent withholding of information. This rule grants a right to request a restriction, not an absolute right to restrict. Individuals can make such requests today. Other laws criminalize insurance fraud; this regulation does not change those laws.
Comment: One commenter asserted that patients cannot anticipate the significance that one aspect of their medical information will have on treatment of other medical conditions, and therefore, allowing them to restrict use or disclosure of some information is contrary to the patient’s best interest.
Response: We agree that patients may find it difficult to make such a calculus, and that it is incumbent on health care providers to help them do so. Health care providers may deny requests for or limit the scope of the restriction requested if they believe the restriction is not in the patient’s best interest.
Comment: One commenter asked whether an individual’s restriction to disclosure of information will be a bar to liability for misdiagnosis or failure to diagnose by a covered entity who can trace its error back to the lack of information resulting from such restriction.
Response: Decisions regarding liability and professional standards are determined by state and other law. This rule does not establish or limit liability for covered entities under those laws. We expect that the individual’s request to restrict the disclosure of their protected health information would be considered in the decision of whether or not a covered entity is liable.
Comment: One commenter requested that we allow health plans to deny coverage or reimbursement when a covered health care provider’s agreement to restrict use or disclosure prevents the plan from getting the information that is necessary to determine eligibility or coverage.
Response: In this rule, we do not modify insurers’ rules regarding information necessary for payment. We recognize that restricting the disclosure of information may result in a denial of payment. We expect covered providers to explain this possibility to individuals when considering their requests for restrictions and to make alternative payment arrangements with individuals if necessary.
Comment: Some commenters discussed the administrative burden and cost of the requirement that individuals have the right to request restrictions and that trying to segregate certain portions of information for protection may be impossible. Others stated that the administrative burden would make providers unable to accommodate restrictions, and would therefore give patients false expectations that their right to request restrictions may be acted upon. One commenter expressed concern that large covered providers would have a particularly difficult time establishing a policy whereby the covered entity could agree to restrictions and would have an even more difficult time implementing the restrictions since records may be kept in multiple locations and accessed by multiple people within the organization. Still other commenters believed that the right to request restrictions would invite argument, delay, and litigation.
Response: We do not believe that this requirement is a significant change from current practice. Providers already respond to requests by patients regarding sensitive information, and are subject to state law requirements not to disclose certain types of information without authorization. This right to request is permissive so that covered entities can balance the needs of particular individuals with the entity’s ability to manage specific accommodations.
Comment: Some commenters were concerned that a covered entity would agree to a restriction and then realize later that the information must be disclosed to another caregiver for important medical care purposes.
Response: Some individuals seek treatment only on the condition that information about that treatment will not be shared with others. We believe it is necessary and appropriate, therefore, that when a covered provider agrees to such a restriction, the individual must be able to rely on that promise. We strongly encourage covered providers to consider future treatment implications of agreeing to a restriction. We encourage covered entities to inform others of the existence of a restriction when appropriate, provided that such notice does not amount to a de facto disclosure of the restricted information. If the covered provider subject to the restriction believes that disclosing the protected health information that was created or obtained subject to the restriction is necessary to avert harm (and it is not for emergency treatment), the provider must ask the individual for permission to terminate or modify the restriction. If the individual agrees to the termination of the restriction, the provider must document this termination by noting this agreement in the medical record or by obtaining a written agreement of termination from the individual and may use or disclose the information for treatment. If the individual does not agree to terminate or modify the restriction, however, the provider must continue to honor the restriction with respect to protected health information that was created or received subject to the restriction. We note that if the restricted protected health information is needed to provide emergency treatment to the individual who requested the restriction, the covered entity may use or disclose such information for such treatment.
Comment: Commenters asked that we require covered entities to keep an accounting of the requests for restrictions and to report this information to the Department in order for the Department to determine whether covered entities are showing “good faith” in dealing with these requests.
Response: We require that covered entities that agree to restrictions with individuals document such restrictions. A covered entity must retain such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. We do not require covered entities to keep a record of all requests made, including those not agreed to, nor that they report such requests to the Department. The decision to agree to restrictions is that of the covered entity. Because there is no requirement to agree to a restriction, there is no reason to impose the burden to document requests that are denied. Any reporting requirement could undermine the purpose of this provision by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.
Comment: One commenter asserted that providers that currently allow such restrictions will choose not to do so under the rule based on the guidance of legal counsel and loss prevention managers, and suggested that the Secretary promote competition among providers with respect to privacy by developing a third-party ranking mechanism.
Response: We believe that providers will do what is best for their patients, in accordance with their ethics codes, and will continue to find ways to accommodate requested restrictions when they believe that it is in the patients’ best interests. We anticipate that providers who find such action to be of commercial benefit will notify consumers of their willingness to be responsive to such requests. Involving third parties could undermine the purpose of this provision, by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.
Comment: One commenter said that any agreement regarding patient-requested restrictions should be in writing before a covered provider would be held to standards for compliance.
Response: We agree that agreed-to restrictions must be documented in writing, and we require that covered entities that agree to restrictions document those restrictions in accordance with § 164.530(j). The writing need not be formal; a notation in the medical record will suffice. We disagree with the request that an agreed-to restriction be reduced to writing in order to be enforced. If we adopted the requested policy, a covered entity could agree to a restriction with an individual, but avoid being held to this agreed-to restriction under the rule by failing to document the restriction. This would give a covered entity the opportunity to agree to a restriction and then, at its sole discretion, determine if it is enforceable by deciding whether or not to make a note of the restriction in the record about the individual. Because the covered entity has the ability to agree or fail to agree to a restriction, we believe that once the restriction is agreed to, the covered entity must honor the agreement. Any other result would be deceptive to the individual and could lead an individual to disclose health information under the assumption that the uses and disclosures will be restricted. Under § 164.522, a covered entity could be found to be in violation of the rule if it fails to put an agreed-upon restriction in writing and also if it uses or discloses protected health information inconsistent with the restriction.
Comment: Some commenters said that the right to request restrictions should be extended to some of the uses and disclosures permitted without authorization in § 164.510 of the NPRM, such as disclosures to next of kin, for judicial and administrative proceedings, for law enforcement, and for governmental health data systems. Other commenters said that these uses and disclosures should be preserved without an opportunity for individuals to opt out.
Response: We have not extended the right to request restrictions under this rule to disclosures permitted in § 164.512 of the final rule. However, we do not preempt other law that would enforce such agreed-upon restrictions. As discussed in more detail above, we have extended the right to request restrictions to disclosures to persons assisting in the individual’s care, such as next of kin, under § 164.510(b). Any restriction that a covered entity agrees to with respect to persons assisting in the individual’s care in accordance with the rule will be enforceable under the rule.
Comment: A few commenters raised the question of the effect of a restriction agreed to by one covered entity that is part of a larger covered entity, particularly a hospital. Commenters were also concerned about who may speak on behalf of the covered entity.
Response: All covered entities are required to establish policies and procedures for providing individuals the right to request restrictions, including policies for who may agree to such restrictions on the covered entity’s behalf. Hospitals and other large entities that are concerned about employees agreeing to restrictions on behalf of the organization will have to make sure that their policies are communicated appropriately to those employees. The circumstances under which members of a covered entity’s workforce can bind the covered entity are a function of other law, not of this regulation.
Comment: Commenters expressed confusion about the intended effect of any agreed-upon restrictions on downstream covered entities. They asserted that it would be extremely difficult for a requested restriction to be followed through the health care system and that it would be unfair to hold covered entities to a restriction when they did not agree to such restriction. Specifically, commenters asked whether a covered provider that receives protected health information in compliance with this rule from a physician or medical group that has agreed to limit certain uses of the information must comply with the original restriction. Other commenters expressed concern that not applying a restriction to downstream covered entities is a loophole and that all downstream covered providers and health plans should be bound by the restrictions.
Response: Under the final rule, a restriction that is agreed to between an individual and a covered entity is only binding on the covered entity that agreed to the restriction and not on downstream entities. It would also be binding on any business associate of the covered entity since a business associate cannot use or disclose protected health information in any manner that a covered entity would not be permitted to use or disclose such information. We realize that this may limit the ability of an individual to successfully restrict a use or disclosure under all circumstances, but we take this approach for two reasons. First, we allow covered entities to refuse individuals’ requests for restrictions. Requiring downstream covered entities to abide by a restriction would be tantamount to forcing them to agree to a request to which they otherwise may not have agreed. Second, some covered entities have information systems which will allow them to accommodate such requests, while others do not. If the downstream provider is in the latter category, the administrative burden of such a requirement would be unmanageable.
We encourage covered entities to explain this limitation to individuals when they agree to restrictions, so individuals will understand that they need to ask all their health plans and providers for desired restrictions. We also require a covered entity that discloses protected health information to a health care provider for emergency treatment, in accordance with § 164.522(a)(iii), to request that the recipient not further use or disclose the information.
Comment: One commenter requested that agreed-to restrictions of a covered entity not be applied to business associates.
Response: As stated in § 164.504(e)(2), business associates are acting on behalf of, or performing services for, the covered entity and may not, with two narrow exceptions, use or disclose protected health information in a manner that would violate this rule if done by the covered entity. Business associates are agents of the covered entity with respect to protected health information they obtain through the business relationship. If the covered entity agrees to a restriction and, therefore, is bound to such restriction, the business associate will also be required to comply with the restriction. If the covered entity has agreed to a restriction, the satisfactory assurances from the business associate, as required in § 164.504(e), must include assurances that protected health information will not be used or disclosed in violation of an agreed-to restriction.
Comment: One commenter requested clarification that the right to request restrictions cannot be used to restrict the creation of de-identified information.
Response: We found no reason to treat the use of protected health information to create de-identified information differently from other uses of protected health information. The right to request restriction applies to any use or disclosure of protected health information to carry out treatment, payment, or health care operations. If the covered entity uses protected health information to create de-identified information, the covered entity need not agree to a restriction of this use.
Comment: Some commenters stated that individuals should be given a true right to restrict uses and disclosures of protected health information in certain defined circumstances (such as for sensitive information) rather than a right to request restrictions.
Response: We are concerned that a right to restrict could create conflicts with the professional ethical obligations of providers and others. We believe it is better policy to allow covered entities to refuse to honor restrictions that they believe are not appropriate and leave the individual with the option of seeking service from a different covered entity. In addition, many covered entities have information systems that would make it difficult or impossible to accommodate certain restrictions.
Comment: Some commenters requested that self-pay patients have additional rights to restrict protected health information. Others believed that this policy would result in de facto discrimination against those patients that could not afford to pay out-of-pocket.
Response: Under the final rule, the decision whether to tie an agreement to restrict to the way the individual pays for services is left to each covered entity. We have not provided self-pay patients with any special rights under the rule.
Comment: Some commenters suggested that we require restrictions to be clearly noted so that insurers and other providers would be aware that they were not being provided with complete information.
Response: Under the final rule, we neither require nor prohibit a covered entity to note the existence of an omission of information. We encourage covered entities to inform others of the existence of a restriction, in accordance with professional practice and ethics, when appropriate to do so. In deciding whether or not to disclose the existence of a restriction, we encourage the covered entity to carefully consider whether disclosing the existence is tantamount to disclosure of the restricted protected health information, so as to not violate the agreed-to restriction.
Comment: A few commenters said that covered entities should have the right to modify or revoke an agreement to restrict use or disclosure of protected health information.
Response: We agree that, as circumstances change, covered entities should be able to revisit restrictions to which they had previously agreed. At the same time, individuals should be able to rely on agreements to restrict the use or disclosure of information that they believe is particularly sensitive. If a covered entity would like to revoke or modify an agreed-upon restriction, the covered entity must renegotiate the agreement with the individual. If the individual agrees to modify or terminate the restriction, the covered entity must get written agreement from the individual or must document the oral agreement. If the individual does not agree to terminate or modify the restriction, the covered entity must inform the individual that it is modifying or terminating its agreement to the restriction, and any modification or termination would apply only with respect to protected health information created or received after the covered entity informed the individual of the termination. Any protected health information created or received during the time between when the restriction was agreed to and when the covered entity informed the individual of such modification or termination remains subject to the restriction.
Comment: Many commenters advocated for stronger rights to request restrictions, particularly that victims of domestic violence should have an absolute right to restrict disclosure of information.
Response: We address restrictions for disclosures in two different ways, the right to request restrictions (§ 164.522(a)) and confidential communications (§ 164.522(b)). We have provided all individuals with a right to request restrictions on uses or disclosures for treatment, payment, and health care operations. This is not an absolute right to restrict. Covered entities are not required to agree to requested restrictions; however, if they do, the rule would require them to act in accordance with the restrictions. (See the preamble regarding § 164.522 for a more comprehensive discussion of the right to request restrictions.)
In the final rule, we create a new provision that provides individuals with a right to confidential communications, in response to these comments. This provision grants individuals a right to restrict disclosures of information related to communications made by a covered entity to the individual, by allowing the individual to request that such communications be made to the person at an alternative location or by an alternative means. For example, a woman who lives with an abusive man and is concerned that his knowledge of her health care treatment may lead to additional abuse can request that any mail from the provider be sent to a friend’s home or that telephone calls by a covered provider be made to her at work. Other reasonable accommodations may be requested as well, such as requesting that a covered provider never contact the individual by phone, but only contact her by electronic mail. A provider must accommodate an individual’s request for confidential communications, under this section, without requiring an explanation as to the reason for the request as a condition of accommodating the request. The individual does not need to be in an abusive situation to make such requests of a covered provider. The only conditions that a covered provider may place on an individual are that the request be reasonable with respect to the administrative burden on the provider, that the request be in writing, that the request specify an alternative address or other method of contact, and that (where relevant) the individual provide information about how payment will be handled. What is reasonable may vary by the size or type of covered entity; however, additional modest cost to the provider would not be unreasonable.
An individual also has a right to restrict communications from a health plan. The right is the same as with covered providers except it is limited to cases where the disclosure of information could endanger the individual. A health plan may require an individual to state this fact as a condition of accommodating the individual’s request for confidential communications. This would provide victims of domestic violence the right to control such disclosures.
Comment: Commenters opposed the provision of the NPRM (§ 164.506(c)(1)(ii)(B)) stating that an individual’s right to request restrictions on use or disclosure of protected health information would not apply in emergency situations as set forth in proposed § 164.510(k). Commenters asserted that victims who have been harmed by violence may first turn to emergency services for help and that, in such situations, the victim should be able to request that the perpetrator not be told of his or her condition or whereabouts.
Response: We agree with some of the commenters’ concerns. In the final rule, the right to request restrictions is available to all individuals regardless of the circumstance or the setting in which the individual is obtaining care. For example, an individual that seeks care in an emergency room has the same right to request a restriction as an individual seeking care in the office of a covered physician.
However, we continue to permit a covered entity to disclose protected health information to a health care
provider in an emergency treatment situation if the restricted protected health information is needed to provide the emergency treatment or if the disclosure is necessary to avoid serious and imminent threats to public health and safety. Although we understand the concern of the commenters, we believe that these exceptions are limited and will not cause a covered entity to disclose information to a perpetrator of a crime. We are concerned that a covered provider would be required to delay necessary care if a covered entity had to determine if a restriction exists at the time of such emergency. Even if a covered entity knew that there was a restriction, we permitted this limited exception for emergency situations because, as we had stated in the preamble for § 164.506 of the NPRM, an emergency situation may not provide sufficient opportunity for a patient and health care provider to discuss the potential implications of restricting use and disclosure of protected health information on that emergency. We also believe that the importance of avoiding serious and imminent threats to health and safety and the ethical and legal obligations of covered health care providers to make disclosures for these purposes is so significant that it is not appropriate to apply the right to request restrictions to such disclosures.
We note that we have included other provisions in the final rule intended to avoid or minimize harm to victims of domestic violence. Specifically, we include provisions in the final rule that allow individuals to opt out of certain types of disclosures and require covered entities to use professional judgment to determine whether disclosure of protected health information is in a patient’s best interest (see § 164.510(a) on use and disclosure for facility directories and § 164.510(b) on uses and disclosures for assisting in an individual’s care and notification purposes). Although an agreed-to restriction under § 164.522 would apply to uses and disclosures for assisting in an individual’s care, the opt out provision in § 164.510(b) can be more helpful to a person who is a victim of domestic violence because the individual can opt out of such disclosure without obtaining the agreement of the covered provider. We permit a covered entity to elect not to treat a person as a personal representative (see § 164.502(g)) or to deny access to a personal representative (see § 164.524(a)(3)(iii)) where there are concerns related to abuse. We also include a new § 164.512(c) which recognizes the unique circumstances surrounding disclosure of protected health information about victims of abuse, neglect, and domestic violence.

Section 164.522(b)—Confidential Communications Requirements

Comment: Several commenters requested that we add a new section to prevent disclosure of sensitive health care services to members of the patient’s family through communications to the individual’s home, such as appointment notices, confirmation or scheduling of appointments, or mailing a bill or explanation of benefits, by requiring covered entities to agree to correspond with the patient in another way. Some commenters stated that this is necessary in order to protect against inadvertent disclosure of sensitive information and to protect victims of domestic violence from disclosure to an abuser. A few commenters suggested that a covered entity should be required to obtain an individual’s authorization prior to communicating with the individual at the individual’s home with respect to health care relating to sensitive subjects such as reproductive health, sexually transmissible diseases, substance abuse or mental health.
Response: We agree with commenters’ concerns regarding covered entities’ communications with individuals. We created a new provision, § 164.522(b), to address confidential communications by covered entities. This provision gives individuals the right to request that they receive communications from covered entities at an alternative address or by an alternative means, regardless of the nature of the protected health information involved. Covered providers are required to accommodate reasonable requests by individuals and may not require the individual to explain the basis for the request as a condition of accommodation. Health plans are required to accommodate reasonable requests by individuals as well; however, they may require the individual to provide a statement that disclosure of the information could endanger the individual, and they may condition the accommodation on the receipt of such statement.
Under the rule, we have required covered providers to accommodate requests for communications to alternative addresses or by alternative means, regardless of the reason, to limit risk of harm. Providers have more frequent one-on-one communications with patients, making the safety concerns from an inadvertent disclosure more substantial and the need for confidential communications more compelling. We have made the requirement for covered providers absolute and not contingent on the reason for the request because we wanted to make it relatively easy for victims of domestic violence, who face real safety concerns from disclosures of health information, to limit the potential for such disclosures.
The standard we created for health plans is different from the requirement for covered providers, in that we only require health plans to make requested accommodations for confidential communications when the individual asserts that disclosure could be dangerous to the individual. We address health plan requirements in this way because health plans are often issued to a family member (the employee), rather than to each individual member of a family, and therefore, health plans tend to communicate with the named insured rather than with individual family members. Requiring plans to accommodate a restriction for one individual could be administratively more difficult than it is for providers that regularly communicate with individuals. However, in the case of domestic violence or potential abuse, the level of harm that can result from a disclosure of protected health information tips the balance in favor of requiring such restriction to prevent inadvertent disclosure. We have adopted the policy recommended by the National Association of Insurance Commissioners in the Health Information Policy Model Act (1998) as this best reflects the balance of the appropriate level of regulation of the industry compared with the need to protect individuals from harm that may result from inadvertent disclosure of information. This policy is also consistent with recommendations made in the Family Violence Prevention Fund’s publication “Health Privacy Principles for Protecting Victims of Domestic Violence” (October 2000). Of course, health plans may accommodate requests for confidential communications without requiring a statement that the individual would be in danger from disclosure of protected health information.
Comment: One commenter requested that we create a standard that all information from a health plan be sent to the patient and not the policyholder or subscriber.
Response: We require health plans to accommodate certain requests that information not be sent to a particular location or by particular means. A health plan must accommodate reasonable requests by individuals that protected health information about them be sent directly to them and not to a policyholder or subscriber, if the
individual states that he or she may be in danger from disclosure of such information. We did not generally require health plans to send information to the patient and not the policyholder or subscriber because we believed it would be administratively burdensome and because the named insured may have a valid need for such information to manage payment and benefits.

Sensitive Subjects

Comment: Many commenters requested that additional protections be placed on sensitive information, including information regarding HIV/AIDS, sexually transmitted diseases, mental health, substance abuse, reproductive health, and genetics. Many requested that we ensure the regulation adequately protects victims of domestic violence. They asserted that the concern for discrimination or stigma resulting from disclosure of sensitive health information could dissuade a person from seeking needed treatment. Some commenters noted that many state laws provide additional protections for various types of information. They requested that we develop federal standards to have consistent rules regarding the protection of sensitive information to achieve the goals of cost savings and patient protection. Others requested that we require patient consent or special authorization before certain types of sensitive information were disclosed, even for treatment, payment, and health care operations, and some thought we should require a separate request for each disclosure. Some commenters requested that the right to request restrictions be replaced with a requirement for an authorization for specific types of sensitive information. There were recommendations that we require covered entities to develop internal policies to address sensitive information.

Other commenters argued that sensitive information should not be segregated from the record because it may limit a future provider’s access to information necessary for treatment of the individual and it could further stigmatize a patient by labeling him or her as someone with sensitive health care issues. These commenters further maintained that segregation of particular types of information could negatively affect analysis of community needs, research, and would lead to higher costs of health care delivery.

Response: We generally do not differentiate among types of protected health information, because all health information is sensitive. The level of sensitivity varies not only with the type of information, but also with the individual and the particular situation faced by the individual. This is demonstrated by the different types of information that commenters singled out as meriting special protection, and in the great variation among state laws in defining and protecting sensitive information. Most states have a law providing heightened protection for some type of health information. However, even though most states have considered the issue of sensitive information, the variation among states in the type of information that is specially protected and the requirements for permissible disclosure of such information demonstrates that there is no national consensus.

Where, as in this case, most states have acted and there is no predominant rule that emerges from the state experience with this issue, we have decided to let state law predominate. The final rule only provides a floor of protection for health information and does not preempt state laws that provide greater protection than the rule. Where states have decided to treat certain information as more sensitive than other information, we do not preempt those laws.

To address the variation in the sensitivity of protected health information without defining specially sensitive information, we incorporate opportunities for individuals and covered entities to address specific sensitivities and concerns about uses and disclosures of certain protected health information that the patient and provider believe are particularly sensitive, as follows:

• Covered entities are required to provide individuals with notice of their privacy practices and give individuals the opportunity to request restrictions of the use and disclosure of protected health information by the covered entity. (See § 164.522(a) regarding right to request restrictions.)
• Individuals have the right to request, and in some cases require, that communications from the covered entity to them be made to an alternative address or by an alternative means than the covered entity would otherwise use. (See § 164.522(b) regarding confidential communications.)
• Covered entities have the opportunity to decide not to treat a person as a personal representative when the covered entity has a reasonable belief that an individual has been subjected to domestic violence, abuse, or neglect by such person or that treating such person as a personal representative could endanger the individual. (See § 164.502(g)(5) regarding personal representatives.)
• Covered entities may deny access to protected health information when there are concerns that the access may result in varying levels of harm. (See § 164.524(a)(3) regarding denial of access.)
• Covered health care providers may, in some circumstances and consistent with any known prior preferences of the individual, exercise professional judgment in the individual’s best interest to not disclose directory information. (See § 164.510(a) regarding directory information.)
• Covered entities may, in some circumstances, exercise professional judgment in the individual’s best interest to limit disclosure to persons assisting in the individual’s care. (See § 164.510(b) regarding persons assisting in the individual’s care.)

This approach allows for state law and personal variation in this area. The only type of protected health information that we treat with heightened protection is psychotherapy notes. We provide a different level of protection because they are unique types of protected health information that typically are not used or required for treatment, payment, or health care operations other than by the mental health professional that created the notes. (See § 164.508(a)(2) regarding psychotherapy notes.)

Section 164.524—Access of Individuals to Protected Health Information

Comment: Some commenters recommended that there be no access to disease registries.

Response: Most entities that maintain disease registries are not covered entities under this regulation; examples of such non-covered entities are public health agencies and pharmaceutical companies. If, however, a disease registry is maintained by a covered entity and is used to make decisions about individuals, this rule requires the covered entity to provide access to information about a requesting individual unless one of the rule’s conditions for denial of access is met. We found no persuasive reasons why disease registries should be given special treatment compared with other information that may be used to make decisions about an individual.

Comment: Some commenters stated that covered entities should be held accountable for access to information held by business partners so that individuals would not have the burden of tracking down their protected health information from a business partner. Many commenters, including insurers
and academic medical centers, recommended that, to reduce burden and duplication, only the provider who created the protected health information should be required to provide individuals access to the information. Commenters also asked that other entities, including business associates, the Medicare program, and pharmacy benefit managers, not be required to provide access, in part because they do not know what information the covered entity already has and they may not have all the information requested. A few commenters also argued that billing companies should not have to provide access because they have a fiduciary responsibility to their physician clients to maintain the confidentiality of records.

Response: A general principle in responding to all of these points is that a covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not. Thus, we agree with the first point: in order to meet its requirements for providing access, a covered entity must not only provide access to such protected health information it holds, but must also provide access to such information in a designated record set of its business associate, pursuant to its business associate contract, unless the information is the same as information maintained directly by the covered entity. We require this because an individual may not be aware of business associate relationships. Requiring an individual to track down protected health information held by a business associate would significantly limit access. In addition, we do not permit a covered entity to limit its duty to provide access by giving protected health information to a business associate.

We disagree with the second point: if the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access (unless it may deny access in accordance with this rule). In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider. The originating provider may no longer be in business or may no longer have the information, or the non-originating provider may have the information in a modified or enhanced form.

We disagree with the third point: other entities must provide access only if they are covered entities or business associates of covered entities, and they must provide access only to protected health information that they maintain (or that their business associates maintain). It would not be efficient to require a covered entity to compare another entity’s information with that of the entity to which the request was addressed. (See the discussion regarding covered entities for information about whether a pharmacy benefit manager is a covered entity.)

We disagree with the fourth point: a billing company will be required by its business associate contract only to provide the requested protected health information to its physician client. This action will not violate any fiduciary responsibility. The physician client would in turn be required by the rule to provide access to the individual.

Comment: Some commenters asked for clarification that the clearinghouse function of turning non-standardized data into standardized data does not create non-duplicative data and that "duplicate" does not mean "identical." A few commenters suggested that duplicated information in a covered entity’s designated record set be supplied only once per request.

Response: We consider as duplicative information the same information in different formats, media, or presentations, or which have been standardized. Business associates who have materially altered protected health information are obligated to provide individuals access to it. Summary information and reports, including those of lab results, are not the same as the underlying information on which the summaries or reports were based. A clean document is not a duplicate of the same document with notations. If the same information is kept in more than one location, the covered entity has to produce the information only once per request for access.

Comment: A few commenters suggested requiring covered entities to disclose to third parties without exception at the requests of individuals. It was argued that this would facilitate disability determinations when third parties need information to evaluate individuals’ entitlement to benefits. Commenters argued that since covered entities may deny access to individuals under certain circumstances, individuals must have another method of providing third parties with their protected health information.

Response: We allow covered entities to forward protected health information about an individual to a third party, pursuant to the individual’s authorization under § 164.508. We do not require covered entities to disclose information pursuant to such authorizations because the focus of the rule is privacy of protected health information. Requiring disclosures in all circumstances would be counter to this goal. In addition, a requirement of disclosing protected health information to a third party is not a necessary substitute for the right of access to individuals, because we allow denial of access to individuals under rare circumstances. However, if the third party is a personal representative of the individual in accordance with § 164.502(g) and there is no concern regarding abuse or harm to the individual or another person, we require the covered entity to provide access to that third party on the individual’s behalf, subject to specific limitations. We note that a personal representative may obtain access on the individual’s behalf in some cases where a covered entity may deny access to the individual. For example, an inmate may be denied a copy of protected health information, but a personal representative may be able to obtain a copy on the individual’s behalf. See § 164.502(g) and the corresponding preamble discussion regarding the ability of a personal representative to act on an individual’s behalf.

Comment: The majority of commenters supported granting individuals the right to access protected health information for as long as the covered entity maintains the protected health information; commenters argued that to do otherwise would interfere with existing record retention laws. Some commenters advocated for limiting the right to information that is less than one or two years old. A few commenters explained that frequent changes in technology make it more difficult to access stored data. The commenters noted that the information obtained prior to the effective date of the rule should not be required to be accessible.

Response: We agree with the majority of commenters and retain the proposal to require covered entities to provide access for as long as the entity maintains the protected health information. We do not agree that information created prior to the effective date of the rule should not be accessible. The reasons for granting individuals access to information about them do not vary with the date the information was created.

Comment: A few commenters argued that there should be no grounds for denying access, stating that individuals should always have the right to inspect and copy their protected health information.
Response: While we agree that in the vast majority of instances individuals should have access to information about them, we cannot agree that a blanket rule would be appropriate. For example, where a professional familiar with the particular circumstances believes that providing such access is likely to endanger a person’s life or physical safety, or where granting such access would violate the privacy of other individuals, the benefits of allowing access may not outweigh the harm. Similarly, we allow denial of access where disclosure would reveal the source of confidential information because we do not want to interfere with a covered entity’s ability to maintain implicit or explicit promises of confidence.

We create narrow exceptions to the rule of open access, and we expect covered entities to employ these exceptions rarely, if at all. Moreover, we require covered entities to provide access to any protected health information requested after excluding only the information that is subject to a denial. The categories of permissible denials are not mandatory, but are a means of preserving the flexibility and judgment of covered entities under appropriate circumstances.

Comment: Many commenters supported our proposal to allow covered entities to deny an individual access to protected health information if a professional determines either that such access is likely to endanger the life or physical safety of a person or, if the information is about another person, access is reasonably likely to cause substantial harm to such person. Some commenters requested that the rule also permit covered entities to deny a request if access might be reasonably likely to cause psychological or mental harm, or emotional distress. Other commenters, however, were particularly concerned about access to mental health information, stating that the lack of access creates resentment and distrust in patients.

Response: We disagree with the comments suggesting that we expand the grounds for denial of access to an individual to include a likelihood of psychological or mental harm of the individual. We did not find persuasive evidence that this is a problem sufficient to outweigh the reasons for providing open access. We do allow a denial for access based on a likelihood of substantial psychological or mental harm, but only if the protected health information includes information about another person and the harm may be inflicted on such other person or if the person requesting the access is a personal representative of the individual and the harm may be inflicted on the individual or another person.

We generally agree with the commenters’ concerns that denying access specifically to mental health records could create distrust. To balance this concern with other commenters’ concerns about the potential for psychological harm, however, we exclude psychotherapy notes from the right of access. This is the only distinction we make between mental health information and other types of protected health information in the access provisions of this rule. Unlike other types of protected health information, these notes are not widely disseminated through the health care system. We believe that the individual’s privacy interests in having access to these notes, therefore, are outweighed by the potential harm caused by such access. We encourage covered entities that maintain psychotherapy notes, however, to provide individuals access to these notes when they believe it is appropriate to do so.

Comment: Some commenters believed that there is a potential for abuse of the provision allowing denial of access because of likely harm to self. They questioned whether there is any experience from the Privacy Act of 1974 to suggest that patients who requested and received their records have ever endangered themselves as a result.

Response: We are unaware of such problems from access to records that have been provided under the Privacy Act but, since these are private matters, such problems might not come to our attention. We believe it is more prudent to preserve the flexibility and judgment of health care professionals familiar with the individuals and facts surrounding a request for records than to impose the blanket rule suggested by these commenters.

Comment: Commenters asserted that the NPRM did not adequately protect vulnerable individuals who depend on others to exercise their rights under the rule. They requested that the rule permit a covered entity to deny access when the information is requested by someone other than the subject of the information and, in the opinion of a licensed health care professional, access to the information could harm the individual or another person.

Response: We agree with the commenters that such protection is warranted and add a provision in § 164.524(a)(3), which permits a covered health care provider to deny access if a personal representative of the individual is making the request for access and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to such personal representative could result in substantial harm to the individual or another person. Access can be denied even if the potential harm may be inflicted by someone other than the personal representative.

This provision is designed to strike a balance between the competing interests of ensuring access to protected health information and protecting the individual or others from harm. The "substantial harm" standard will ensure that a covered entity cannot deny access in cases where the harm is de minimis.

The amount of discretion that a covered entity has to deny access to a personal representative is generally greater than the amount of discretion that a covered entity has to deny access to an individual. Under the final rule, a covered entity may deny access to an individual if a licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. In this case, concerns about psychological or emotional harm would not be sufficient to justify denial of access. We establish a relatively high threshold because we want to assure that individuals have broad access to health information about them, and due to the potential harm that comes from denial of access, we believe denials should be permitted only in limited circumstances.

The final rule grants covered entities greater discretion to deny access to a personal representative than to an individual in order to provide protection to those vulnerable people who depend on others to exercise their rights under the rule and who may be subjected to abuse or neglect. This provision applies to personal representatives of minors as well as other individuals. The same standard for denial of access on the basis of potential harm that applies to personal representatives also applies when an individual is seeking access to his or her protected health information, and the information makes reference to another person. Under these circumstances, a covered entity may deny a request for access if such access is reasonably likely to cause substantial harm to such other person. The standard for this provision and for the provision regarding access by personal representatives is the same because both circumstances involve one person obtaining information about another person, and in both cases the covered entity is balancing the right of access of one person against the right of
a second person not to be harmed by the disclosure.

Under any of these grounds for denial of access to protected health information, the covered entity is not required to deny access to a personal representative under these circumstances, but has the discretion to do so.

In addition to denial of access rights, we also address the concerns raised by abusive or potentially abusive situations in the section regarding personal representatives by giving covered entities discretion to not recognize a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative. (See § 164.502(g).)

Comment: A number of commenters were concerned that this provision would lead to liability for covered entities if the release of information results in harm to individuals. Commenters requested a "good faith" standard in this provision to relieve covered entities of liability if individuals suffer harm as a result of seeing their protected health information or if the information is found to be erroneous. A few commenters suggested requiring providers (when applicable) to include with any disclosure to a third party a statement that, in the provider’s opinion, the information should not be disclosed to the patient.

Response: We do not intend to create a new duty to withhold information nor to affect other laws on this issue. Some state laws include policies similar to this rule, and we are not aware of liability arising as a result.

Comment: Some commenters suggested that both the individual’s health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual’s choice.

Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a professional of the individual’s choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We believe that any health professional, not just one of the individual’s choice, will exercise appropriate professional judgment. To address some of these concerns, however, we add a provision for the review of denials requiring the exercise of professional judgment. If a covered entity denies access based on harm to self or others, the individual has the right to have the denial reviewed by another health care professional who did not participate in the original decision to deny access.

Comment: A few commenters objected to the proposal to allow covered entities to deny a request for access to health information if the information was obtained from a confidential source that may be revealed upon the individual’s access. They argued that this could be subject to abuse and the information could be inherently less reliable, making the patient’s access to it even more important.

Response: While we acknowledge that information provided by confidential sources could be inaccurate, we are concerned that allowing unfettered access to such information could undermine the trust between a health care provider and patients other than the individual. We retain the proposed policy because we do not want to interfere with a covered entity’s ability to obtain important information that can assist in the provision of health care or to maintain implicit or explicit promises of confidence, which may be necessary to obtain such information. We believe the concerns raised about abuse are mitigated by the fact that the provision does not apply to promises of confidentiality made to a health care provider. We note that a covered entity may provide access to such information.

Comment: Some commenters were concerned that the NPRM did not allow access to information unrelated to treatment, and thus did not permit access to research information.

Response: In the final rule, we eliminate the proposed special provision for "research information unrelated to treatment." The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual’s right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other information in the access provisions in this rule.

Comment: A few commenters supported the proposed provision temporarily denying access to information obtained during a clinical trial if participants agreed to the denial of access when consenting to participate in the trial. Some commenters believed there should be no access to any research information. Other commenters believed denial should occur only if the trial would be compromised. Several recommended conditioning the provision. Some recommended that access expires upon completion of the trial unless there is a health risk. A few commenters suggested that access should be allowed only if it is included in the informed consent and that the informed consent should note that some information may not be released to the individual, particularly research information that has not yet been validated. Other commenters believed that there should be access if the research is not subject to IRB or privacy board review or if the information can be disclosed to third parties.

Response: We agree with the commenters that support temporary denial of access to information from research that includes treatment if the subject has agreed in advance, and with those who suggested that the denial of access expire upon completion of the research, and retain these provisions in the final rule. We disagree with the commenters who advocate for further denial of this information. These comments did not explain why an individual’s interest in access to health information used to make decisions about them is less compelling with respect to research information. Under this rule, all protected health information for research is subject either to privacy board or IRB review unless a specific authorization to use protected health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.

Comment: A few commenters believed that it would be "extremely disruptive of and dangerous" to patients to have access to records regarding their current care and that state law provides sufficient protection of patients’ rights in this regard.

Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another
person, the regulation allows the professional to withhold access.

Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.

Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden are lawful reasons to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.

Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.

Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual’s right of

a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.

Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.

Comment: A few commenters suggested that, upon individuals’ requests, covered entities should be

the individual’s agreement to the fee in advance.

Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.

Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their
access and have, therefore, not included required to provide protected health records.
such a limitation. To limit covered information in a format that would be Comment: Many commenters stated
entities’ burden, we do not require understandable to a patient, including that if a covered entity denies a request
covered entities to acknowledge receipt explanations of codes or abbreviations. for access because the entity does not
of the individuals’ requests, other than The commenters suggested that covered hold the protected health information
to notify the individual once a decision entities be permitted to provide requested, the covered entity should
on the request has been made. We also summaries of pertinent information provide, if known, the name and
permit a covered entity to require an instead of full copies of records; for address of the entity that holds the
individual to make a request for access example, a summary may be more information. Some of these commenters
in writing and to discuss a request with helpful for the patient’s purpose than a additionally noted that the Uniform
an individual to clarify which series of indecipherable billing codes. Insurance Information and Patient
information the individual is actually Response: We agree with these Protection Act, adopted by 16 states,
requesting. If individuals agree, covered commenters’ point that some health already imposes this notification
entities may provide access to a subset information is difficult to interpret. We requirement on insurance entities. Some
of information rather than all protected clarify, therefore, that the covered entity commenters also suggested requiring
health information in a designated may provide summary information in providers who leave practice or move
record set. We believe these changes lieu of the underlying records. A offices to inform individuals of that fact
provide covered entities with greater summary may only be provided if the and of how to obtain their records.
flexibility without compromising covered entity and the individual agree, Response: We agree that, when
individuals’ access rights. in advance, to the summary and to any covered entities deny requests for access
Comment: Commenters offered fees imposed by the covered entity for because they do not hold the protected
varying suggestions for required providing such summary. We similarly health information requested, they
response time, ranging from 48 hours permit a covered entity to provide an should inform individuals of the holder
because of the convenience of electronic explanation of the information. If the of the information, if known; we include
records to 60 days because of the covered entity charges a fee for this provision in the final rule. We do
potential burden. Others argued against providing an explanation, it must obtain not require health care providers to

82736 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.

Section 164.526—Amendment of Protected Health Information

Comment: Many commenters strongly encouraged the Secretary to adopt "appendment" rather than "amendment and correction" procedures. They argued that the term "correction" implies a deletion of information and that the proposed rule would have allowed covered entities to remove portions of the record at their discretion. Commenters indicated that appendment rather than correction procedures will ensure the integrity of the medical record and allow subsequent health care providers access to the original information as well as the appended information. They also indicated appendment procedures will protect both individuals and covered entities since medical records are sometimes needed for litigation or other legal proceedings.

Response: We agree with commenters' concerns about the term "correction." We have revised the rule and deleted "correction" from this provision in order to clarify that covered entities are not required by this rule to delete any information from the designated record set. We do not intend to alter medical record retention laws or current practice, except to require covered entities to append information as requested to ensure that a record is accurate and complete. If a covered entity prefers to comply with this provision by deleting the erroneous information, and applicable record retention laws allow such deletion, the entity may do so. For example, an individual may inform the entity that someone else's X-rays are in the individual's medical record. If the entity agrees that the X-ray is inaccurately filed, the entity may choose to so indicate and note where in the record the correct X-ray can be found. Alternatively, the entity may choose to remove the X-ray from the record and replace it with the correct X-ray, if applicable law allows the entity to do so. We intend the term "amendment" to encompass either action.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that health care providers and other organizations that maintain medical-record information have procedures for individuals to correct or amend the information.[28] The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to request amendment of any record the individual believes is not accurate, relevant, timely, or complete. In its report "Best Principles for Health Privacy," the Health Privacy Working Group recommended, "An individual should have the right to supplement his or her own medical record. Supplementation should not be implied to mean deletion or alteration of the medical record."[29] The National Association of Insurance Commissioners' Health Information Privacy Model Act establishes the right of an individual who is the subject of protected health information to amend protected health information to correct any inaccuracies. The National Conference of Commissioners on Uniform State Laws' Uniform Health Care Information Act states, "Because accurate health-care information is not only important to the delivery of health care, but for patient applications for life, disability and health insurance, employment, and a great many other issues that might be involved in civil litigation, this Act allows a patient to request an amendment in his record." Some states also establish a right for individuals to amend health information about them. For example, Hawaii law (HRS section 323C–12) states, "An individual or the individual's authorized representative may request in writing that a health care provider that generated certain health care information append additional information to the record in order to improve the accuracy or completeness of the information; provided that appending this information does not erase or obliterate any of the original information." Montana law (MCA section 50–16–543) states, "For purposes of accuracy or completeness, a patient may request in writing that a health care provider correct or amend its record of the patient's health care information to which he has access." Connecticut, Georgia, and Maine provide individuals a right to request correction, amendment, or deletion of recorded personal information about them maintained by an insurance institution. Many other states have similar provisions.

Industry and standard-setting organizations have also developed policies for amendment of health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, "The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment. Amending records does not erase the original information. It inserts the correct information with a notation about the date the correct information was available and any explanation about the reason for the error."[30] Standards of the American Society for Testing and Materials state, "An individual has a right to amend by adding information to his or her record or database to correct inaccurate information in his or her patient record and in secondary records and databases which contain patient identifiable health information."[31] We build on this well-established principle in this final rule.

Comment: Some commenters supported the proposal to allow individuals to request amendment for as long as the covered provider or plan maintains the information. A few argued that the provision should be time-limited, e.g., that covered entities should not have to amend protected health information that is more than two years old. Other comments suggested that the provision should only be applied to protected health information created after the compliance date of the regulation.

Response: The purpose of this provision is to create a mechanism whereby individuals can ensure that information about them is as accurate as possible as it travels through the health care system and is used to make decisions, including treatment decisions, about them. To achieve this result, individuals must have the ability to request amendment for as long as the information used to make decisions about them exists. We therefore retain the proposed approach. For these reasons, we also require covered entities to address requests for amendment of all protected health information within designated record sets, including information created or obtained prior to

[28] Privacy Protection Study Commission, "Personal Privacy in an Information Society," July 1977, p. 300–303.

[29] Health Privacy Working Group, "Best Principles for Health Privacy," Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999.

[30] National Committee on Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations, "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment," 1998, p. 25.

[31] ASTM, "Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records," E 1869–97, § 11.1.1.


the compliance date, for as long as the entity maintains the information.

Comment: A few commenters were concerned that the proposal implied that the individual is in control of and may personally change the medical record. These commenters opposed such an approach.

Response: We do not give individuals the right to alter their medical records. Individuals may request amendment, but they have no authority to determine the final outcome of the request and may not make actual changes to the medical record. The covered entity must review the individual's request and make appropriate decisions. We have clarified this intent in § 164.526(a)(1) by stating that individuals have a right to have a covered entity amend protected health information and in § 164.526(b)(2) by stating that covered entities must act on an individual's request for amendment.

Comment: Some comments argued that there is no free-text field in some current transaction formats that would accommodate the extra text required to comply with the amendment provisions (e.g., sending statements of disagreement along with all future disclosures of the information at issue). Commenters argued that this provision will burden the efficient transmission of information, contrary to HIPAA requirements.

Response: We believe that most amendments can be incorporated into the standard transactions as corrections of erroneous data. We agree that some of the standard transactions cannot currently accommodate additional material such as statements of disagreement and rebuttals to such statements. To accommodate these rare situations, we modify the requirements in § 164.526(d)(iii). The provision now states that if a standard transaction does not permit the inclusion of the additional material required by this section, the covered entity may separately transmit the additional material to the recipient of the standard transaction. Commenters interested in modifying the standard transactions to allow the incorporation of additional materials may also bring the issue up for resolution through the process established by the Transactions Rule and described in its preamble.

Comment: The NPRM proposed to allow amendment of protected health information in designated record sets. Some commenters supported the concept of a designated record set and stated that it appropriately limits the type of information available for amendment to information directly related to treatment. Other commenters were concerned about the burden this provision will create due to the volume of information that will be available for amendment. They were primarily concerned with the potential for frivolous, minor, or technical requests. They argued that for purposes of amendment, this definition should be limited to information used to make medical or treatment decisions about the individual. A few commenters requested clarification that individuals do not have a right to seek amendment unless there is verifiable information to support their claim or they can otherwise convince the entity that the information is inaccurate or incomplete.

Response: We believe that the same information available for inspection should also be subject to requests for amendment, because the purpose of these provisions is the same: To give consumers access to and the chance to correct errors in information that may be used to make decisions that affect their interests. We thus retain use of the "designated record set" in this provision. However, we share commenters' concerns about the potential for minor or technical requests. To address this concern, we have clarified that covered entities may deny a request for amendment if the request is not in writing and does not articulate a reason to support the request, as long as the covered entity informs the individual of these requirements in advance.

Comment: Many commenters noted the potentially negative impact of the proposal to allow covered entities to deny a request for amendment if the covered entity did not create the information at issue. Some commenters pointed out that the originator of the information may no longer exist or the individual may not know who created the information in question. Other commenters supported the proposal that only the originator of the information is responsible for amendments to it. They argued that any extension of this provision requiring covered entities to amend information they have not created is administratively and financially burdensome.

Response: In light of the comments, we modify the rule to require the holder of the information to consider a request for amendment if the individual requesting amendment provides a reasonable basis to believe that the originator of the information is no longer available to act on a request. For example, if a request indicates that the information at issue was created by a hospital that has closed, and the request is not denied on other grounds, then the entity must amend the information. This provision is necessary to preserve an individual's right to amend protected health information about them in certain circumstances.

Comment: Some commenters stated that the written contract between a covered entity and its business associate should stipulate that the business associate is required to amend protected health information in accordance with the amendment provisions. Otherwise, these commenters argued, there would be a gap in the individual's right to have erroneous information corrected, because the covered entity could deny a request for amendment of information created by a business associate.

Response: We agree that information created by the covered entity or by the covered entity's business associates should be subject to amendment. This requirement is consistent with the requirement to make information created by a business associate available for inspection and copying. We have revised the rule to require covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. (See § 164.504(e).)

Comment: One commenter argued that covered entities should be required to presume information must be corrected where an individual informs the entity that an adjudicative process has made a finding of medical identity theft.

Response: Identity theft is one of many reasons why protected health information may be inaccurate, and is one of many subjects that may result in an adjudicative process relevant to the accuracy of protected health information. We believe that this provision accommodates this situation without a special provision for identity theft.

Comment: Some commenters asserted that the proposed rule's requirement that action must be taken on individuals' requests within 60 days of the receipt of the request was unreasonable and burdensome. A few commenters proposed up to three 30-day extensions for "extraordinary" (as defined by the entity) requests.

Response: We agree that 60 days will not always be a sufficient amount of time to adequately respond to these requests. Therefore, we have revised this provision to allow covered entities the option of a 30-day extension to deal with requests that require additional response time. However, we expect that 60 days will be adequate for most cases.

Comment: One commenter questioned whether a covered entity could


appropriately respond to a request by amending the record, without indicating whether it believes the information at issue is accurate and complete.

Response: An amendment need not include a statement by the covered entity as to whether the information is or is not accurate and complete. A covered entity may choose to amend a record even if it believes the information at issue is accurate and complete. If a request for amendment is accepted, the covered entity must notify the individual that the record has been amended. This notification need not include any explanation as to why the request was accepted. A notification of a denied request, however, must contain the basis for the denial.

Comment: A few commenters suggested that when an amendment is made, the date should be noted. Some also suggested that the physician should sign the notation.

Response: We believe such a requirement would create a burden that is not necessary to protect individuals' interests, and so have not accepted this suggestion. We believe that the requirements of § 164.526(c) regarding actions a covered entity must take when accepting a request will provide an adequate record of the amendment. A covered entity may date and sign an amendment at its discretion.

Comment: The NPRM proposed that covered entities, upon accepting a request for amendment, make reasonable efforts to notify those persons the individual identifies, and other persons whom the covered entity knows have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual. Many commenters argued that this notification requirement was too burdensome and should be narrowed. They expressed concern that covered entities would have to notify anyone who might have received the information, even persons identified by the individual with whom the covered entity had no contact. Other commenters also contended that this provision would require covered entities to determine the reliance another entity might place on the information and suggested that particular part of the notification requirements be removed. Another commenter suggested that the notification provision be eliminated entirely, believing that it was unnecessary.

Response: Although there is some associated administrative burden with this provision, we believe it is a necessary requirement to effectively communicate amendments of erroneous or incomplete information to other parties. The negative effects of erroneous or incomplete medical information can be devastating. This requirement allows individuals to exercise some control in determining recipients they consider important to be notified, and requires the covered entity to communicate amendments to other persons that the covered entity knows have the erroneous or incomplete information and may take some action in reliance on the erroneous or incomplete information to the detriment of the individual. We have added language to clarify that the covered entity must obtain the individual's agreement to have the amendment shared with the persons the individual and covered entity identifies. We believe these notification requirements appropriately balance covered entities' burden and individuals' interest in protecting the accuracy of medical information used to make decisions about them. We therefore retain the notification provisions substantially as proposed.

Comment: Some commenters argued against the proposed provision requiring a covered entity that receives a notice of amendment to notify its business associates, "as appropriate," of necessary amendments. Some argued that covered entities should only be required to inform business associates of these changes if the amendment could affect the individual's further treatment, citing the administrative and financial burden of notifying all business associates of changes that may not have a detrimental effect on the patient. Other commenters suggested that covered entities should only be required to inform business associates whom they reasonably know to be in possession of the information.

Response: We agree with commenters that clarification is warranted. Our intent is that covered entities must meet the requirements of this rule with respect to protected health information they maintain, including protected health information maintained on their behalf by their business associates. We clarify this intent by revising the definition of designated record set (see § 164.501) to include records maintained "by or for" a covered entity. Section 164.526(e) requires a covered entity that is informed of an amendment made by another covered entity to incorporate that amendment into designated record sets, whether the designated record set is maintained by the covered entity or for the covered entity by a business associate. If a business associate maintains the record at issue on the covered entity's behalf, the covered entity must fulfill its requirement by informing the business associate of the amendment to the record. The contract with the business associate must require the business associate to incorporate any such amendments. (See § 164.504(e).)

Comment: Some commenters supported the proposal to require covered entities to provide notification of the covered entity's statement of denial and the individual's statement of disagreement in any subsequent disclosures of the information to which the dispute relates. They argued that we should extend this provision to prior recipients of disputed information who have relied on it. These commenters noted an inconsistency in the proposed approach, since notification of accepted amendments is provided to certain previous recipients of erroneous health information and to recipients of future disclosures. They contended there is not a good justification for the different treatment and believed that the notification standard should be the same, regardless of whether the covered entity accepts the request for amendment.

These commenters also recommended that the individual be notified of the covered entity's intention to rebut a statement of disagreement. They suggested requiring covered entities to send a copy of the statement of rebuttal to the individual.

Response: Where a request for amendment is accepted, the covered entity knows that protected health information about the individual is inaccurate or incomplete or the amendment is otherwise warranted; in these circumstances, it is reasonable to ask the covered entity to notify certain previous recipients of the information that reliance on such information could be harmful. Where, however, the request for amendment is denied, the covered entity believes that the relevant information is accurate and complete or the amendment is otherwise unacceptable. In this circumstance, the burden of prior notification outweighs the potential benefits. We therefore do not require notification of prior recipients.

We agree, however, that individuals should know how a covered entity has responded to their requests, and therefore add a requirement that covered entities also provide a copy of any rebuttal statements to the individual.


Section 164.528—Accounting of Disclosures of Protected Health Information

Comment: Many commenters expressed support for the concept of the right to receive an accounting of disclosures. Others opposed even the concept. One commenter said that it is likely that some individuals will request an accounting of disclosures from each of his or her health care providers and payors merely to challenge the disclosures that the covered entity made.

Some commenters also questioned the value to the individual of providing the right to an accounting. One commenter stated that such a provision would be meaningless because those who deliberately perpetrate an abuse are unlikely to note their breach in a log.

Response: The final rule retains the right of an individual to receive an accounting of disclosures of protected health information. The provision serves multiple purposes. It provides a means of informing the individual as to which information has been sent to which recipients. This information, in turn, enables individuals to exercise certain other rights under the rule, such as the rights to inspection and amendment, with greater precision and ease. The accounting also allows individuals to monitor how covered entities are complying with the rule. Though covered entities who deliberately make disclosures in violation of the rule may be unlikely to note such a breach in the accounting, other covered entities may document inappropriate disclosures that they make out of ignorance and not malfeasance. The accounting will enable the individual to address such concerns with the covered entity.

We believe this approach is consistent with well-established privacy principles, with other law, and with industry standards and ethical guidelines. The July 1977 Report of the Privacy Protection Study Commission recommended that a health care provider should not disclose individually-identifiable information for certain purposes without the

the date, nature, and purpose of each disclosure of a record to any person or to another agency * * * and * * * the name and address of the person or agency to whom the disclosure is made." The National Association of Insurance Commissioners' Health Information Privacy Model Act requires carriers to provide to individuals on request "information regarding disclosure of that individual's protected health information that is sufficient to exercise the right to amend the information." We build on these standards in this final rule.

Comment: Many commenters disagreed with the NPRM's exception for treatment, payment, and health care operations. Some commenters wanted treatment, payment, and health care operations disclosures to be included in an accounting because they believed that improper disclosures of protected health information were likely to be committed by parties within the entity who have access to protected health information for treatment, payment, and health care operations related purposes. They suggested that requiring covered entities to record treatment, payment, and health care operations disclosures would either prevent improper disclosures or enable transgressions to be tracked.

One commenter reasoned that disclosures for treatment, payment, and health care operations purposes should be tracked since these disclosures would be made without the individual's consent. Others argued that if an individual's authorization is not required for a disclosure, then the disclosure should not have to be tracked for a future accounting to the individual.

One commenter requested that the provision be restated so that no accounting is required for disclosures "compatible with or directly related to" treatment, payment or health care operations. This comment indicated that the change would make § 164.515(a)(1) of the NPRM consistent with § 164.508(a)(2)(i)(A) of the NPRM.

Response: We do not accept the comments suggesting removing the exception for disclosures for treatment,

seek treatment and payment expect that their information will be used and disclosed for these purposes. In many cases, under this final rule, the individual will have consented to these uses and disclosures. Thus, the additional information that would be gained from including these disclosures would not outweigh the added burdens on covered entities. We believe that retaining the exclusion of disclosures to carry out treatment, payment, and health care operations makes for a manageable accounting both from the point of view of entities and of individuals. We have conformed the language in this section with language in other sections of the rule regarding uses and disclosures to carry out treatment, payment, and health care operations. See § 164.508 and the corresponding preamble discussion regarding our decision to use this language.

Comment: A few commenters called for a record of all disclosures, including a right of access to a full audit trail where one exists. Some commenters stated that while audit trails for paper records are too expensive to require, the privacy rule should not discourage audit trails, at least for computer-based records. They speculated that an important reason for maintaining a full audit trail is that most abuses are the result of activity by insiders. On the other hand, other commenters pointed out that an enormous volume of records would be created if the rule requires recording all accesses in the manner of a full audit trail.

One commenter supported the NPRM's reference to the proposed HIPAA Security Rule, agreeing that access control and disclosure requirements under this rule should be coordinated with the final HIPAA Security Rule. The commenter recommended that HHS add a reference to the final HIPAA Security Rule in this section and keep specific audit log and reporting requirements generic in the privacy rule.

Response: Audit trails and the accounting of disclosures serve different functions. In the security field, an audit trail is typically a record of each time a
individual’s authorization unless ‘‘an
payment, and health care operations. sensitive record is altered, how it was
accounting of such disclosures is kept
While including all disclosures within altered and by whom, but does not
and the individual who is the subject of
the accounting would provide more usually record each time a record is
the information being disclosed can find
information to individuals about to used or viewed. The accounting
out that the disclosure has been made
whom their information has been required by this rule provides
and to whom.’’ 32 With certain
disclosed, we believe that documenting individuals with information about to
exceptions, the Privacy Act (5 U.S.C.
all disclosures made for treatment, whom a disclosure is made. An
552a) requires government agencies to
payment, and health care operations accounting, as described in this rule,
‘‘keep an accurate accounting of * * *
purposes would be unduly burdensome would not capture uses. To the extent
32 Privacy Protection Study Commission, on entities and would result in that an audit trail would capture uses,
‘‘Personal Privacy in an Information Society,’’ July accountings so voluminous as to be of consumers reviewing an audit trail may
1977, pp. 306–307. questionable value. Individuals who not be able to distinguish between


accesses of the protected health information for use and accesses for disclosure. Further, it is not clear the degree to which the field is technologically poised to provide audit trails. Some entities could provide audit trails to individuals upon their request, but we are concerned that many could not.

We agree that it is important to coordinate this provision of the privacy rule with the Security Rule when it is issued as a final rule.

Comments: We received many comments from researchers expressing concerns about the potential impact of requiring an accounting of disclosures related to research. The majority feared that the accounting provision would prove so burdensome that many entities would decline to participate in research. Many commenters believed that disclosure of protected health information for research presents little risk to individual privacy and feared that the accounting requirement could shut down research.

Some commenters pointed out that often only a few data elements or a single element is extracted from the patient record and disclosed to a researcher, and that having to account for so singular a disclosure from what could potentially be an enormous number of records imposes a significant burden. Some said that the impact would be particularly harmful to longitudinal studies, where the disclosures of protected health information occur over an extended period of time. A number of commenters suggested that we not require accounting of disclosures for research, registries, and surveillance systems or other databases unless the disclosure results in the actual physical release of the patient’s entire medical record, rather than the disclosure of discrete elements of information contained within the record.

We also were asked by commenters to provide an exclusion for research subject to IRB oversight or research that has been granted a waiver of authorization pursuant to proposed § 164.510, to exempt “in-house” research from the accounting provision, and to allow covered entities to describe the type of disclosures they have made to research projects, without specifically listing each disclosure. Commenters suggested that covered entities could include in an accounting a listing of the various research projects in which they participated during the time period at issue, without regard to whether a particular individual’s protected health information was disclosed to the project.

Response: We disagree with suggestions from commenters that an accounting of disclosures is not necessary for research. While it is possible that informing individuals about the disclosures made of their health information may on occasion discourage worthwhile activities, we believe that individuals have a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

For the same reasons, we also do not believe that IRB or privacy board review substitutes for providing individuals the right to know how their information has been disclosed. We permit IRBs or privacy boards to determine that a research project would not be feasible if authorization were required because we understand that it could be virtually impossible to get authorization for archival research involving large numbers of individuals or where the location of the individuals is not easy to ascertain. While providing an accounting of disclosures for research may entail some burden, it is feasible, and we do not believe that IRBs or privacy boards would have a basis for waiving such a requirement. We also note that the majority of comments that we received from individuals supported including more information in the accounting, not less.

We understand that requiring covered entities to include disclosures for research in the accounting of disclosures entails some burden, but we believe that the benefits described above outweigh the burden.

We do not agree with commenters that we should exempt disclosures where only a few data elements are released or in the case of data released without individuals’ names. We recognize that information other than names can identify an individual. We also recognize that even a few data elements could be clues to an individual’s identity. The actual volume of information released is not an appropriate indicator of whether an individual could have a concern about privacy.

We disagree with comments that suggested that it would be sufficient to provide individuals with a general list of research projects to which information has been disclosed by the covered entity. We believe that individuals are entitled to a level of specificity about disclosures of protected health information about them and should know to which research projects their protected health information has been disclosed, rather than to which projects protected health information may have been disclosed. However, we have added a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. This change is designed to ease the burden on covered entities involved in longitudinal projects.

With regard to the suggestion that we exempt “in-house” research from the accounting provision, we note that only disclosures of protected health information must appear in an accounting.

Comments: Several commenters noted that disclosures for public health activities may be of interest to individuals, but add to the burden imposed on entities. Furthermore, some expressed fear that priority public health activities would be compromised by the accounting provision. One commenter from a health department said that covered entities should not be required to provide an accounting to certain index cases, where such disclosures create other hazards, such as potential harm to the reporting provider. This commenter also speculated that knowing protected health information had been disclosed for these public health purposes might cause people to avoid treatment in order to avoid being reported to the public health department.

A provider association expressed concern about the effect that the accounting provision might have on a non-governmental, centralized disease registry that it operates. The provider organization feared that individuals might request that their protected health information be eliminated in the databank, which would make the data less useful.

Response: As in the discussion of research above, we reject the contention that we should withhold information from individuals about where their information has been disclosed because informing them could occasionally discourage some worthwhile activities. We also believe that, on balance, individuals’ interest in having broad access to this information outweighs concerns about the rare instances in which providing this information might raise concerns about harm to the person who made the disclosure. As we stated above, we believe that individuals have


a right to know who is using their health information and for what purposes. This information gives individuals more control over their health information and a better base of knowledge from which to make informed decisions.

Comment: We received many comments about the proposed time-limited exclusion for law enforcement and health oversight. Several commenters noted that it is nearly impossible to accurately project the length of an investigation, especially during its early stages. Some recommended we permit a deadline based on the end of an event, such as conclusion of an investigation. One commenter recommended amending the standard such that covered entities would never be required to give an accounting of disclosures to health oversight or law enforcement agencies. The commenter noted that there are public policy reasons for limiting the extent to which a criminal investigation is made known publicly, including the possibility that suspects may destroy or falsify evidence, hide assets, or flee. The commenter also pointed out that disclosure of an investigation may unfairly stigmatize a person or entity who is eventually found to be innocent of any wrongdoing.

On the other hand, many commenters disagreed with the exemption for recording disclosures related to oversight activities and law enforcement. Many of these commenters stated that the exclusion would permit broad exceptions for government purposes while holding disclosures for private purposes to a more burdensome standard.

Some commenters felt that the NPRM made it too easy for law enforcement to obtain an exception. They suggested that law enforcement should not be excepted from the accounting provision unless there is a court order. One commenter recommended that a written request for exclusion be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting.

Response: We do not agree with comments suggesting that we permanently exclude disclosures for oversight or law enforcement from the accounting. We believe generally that individuals have a right to know who is obtaining their health information and for what purposes.

At the same time, we agree with commenters that were concerned that an accounting could tip off subjects of investigations. We have retained a time-limited exclusion period similar to that proposed in the NPRM. To protect the integrity of investigations, in the final rule we require covered entities to exclude disclosures to a health oversight agency or law enforcement official for the time specified by that agency or official, if the agency or official states that including the disclosure in an accounting to the individual would be reasonably likely to impede the agency or official’s activities. We require the statement from the agency or official to provide a specific time frame for the exclusion. For example, pursuant to a law enforcement official’s statement, a covered entity could exclude a law enforcement disclosure from the accounting for a period of three months from the date of the official’s statement or until a date specified in the statement.

In the final rule, we permit the covered entity to exclude the disclosure from an accounting to an individual if the agency or official makes the statement orally and the covered entity documents the statement and the identity of the agency or official that made the statement. We recognize that in urgent situations, agencies and officials may not be able to provide statements in writing. If the agency or official’s statement is made orally, however, the disclosure can be excluded from an accounting to the individual for no longer than 30 days from the oral statement. For exclusions longer than 30 days, a covered entity must receive a written statement.

We believe these requirements appropriately balance individuals’ rights to be informed of the disclosures of protected health information while recognizing the public’s interest in maintaining the integrity of health oversight and law enforcement activities.

Comment: One commenter stated that under Minnesota law, providers who are mandated reporters of abuse are limited as to whom they may reveal the report of abuse (generally law enforcement authorities and other providers only). This is because certain abusers, such as parents, by law may have access to a victim’s (child’s) records. The commenter requested clarification as to whether these disclosures are exempt from the accounting requirement or whether preemption would apply.

Response: While we do not except mandatory disclosures of abuse from the accounting for disclosure requirement, we believe the commenter’s concerns are addressed in several ways. First, nothing in this regulation invalidates or limits the authority or procedures established under state law providing for the reporting of child abuse. Thus, with respect to child abuse, the Minnesota law’s procedures are not preempted even though they are less stringent with respect to privacy. Second, with respect to abuse of persons other than children, we allow covered entities to refuse to treat a person as an individual’s personal representative if the covered entity believes that the individual has been subjected to domestic violence, abuse, or neglect from the person. Thus, the abuser would not have access to the accounting. We also note that a covered entity must exclude a disclosure, including disclosures to report abuse, from the accounting for a specified period of time if the law enforcement official to whom the report is made requests such exclusion.

Comment: A few comments noted the lack of exception for disclosures made to intelligence agencies.

Response: We agree with the comments and have added an exemption for disclosures made for national security or intelligence purposes under § 164.512(k)(2). Individuals do not have a right to an accounting of disclosures for these purposes.

Comment: Commenters noted that the burden associated with this provision would, in part, be determined by other provisions of the rule, including the definitions of “individually identifiable,” “treatment,” and “health care operations.” They expressed concern that the covered entity would have to be able to organize on a patient by patient basis thousands of disclosures of information, which they described as “routine.” These commenters point to disclosures for patient directory information, routine banking and payment processes, uses and disclosures in emergency circumstances, disclosures to next of kin, and release of admissions statistics to a health oversight agency.

Response: We disagree with the commenters that ambiguity in other areas of the rule increases the burden associated with maintaining an accounting. The definitions of treatment, payment, and health operations are necessarily broad and there is no accounting required for disclosures for these purposes. These terms cover the vast majority of routine disclosures for health care purposes. (See § 164.501 and the associated preamble for a discussion of changes made to these definitions.)

The disclosures permitted under § 164.512 are for national priority purposes, and determining whether a disclosure fits within the section is necessary before the disclosure can be


made. There is no additional burden, once such a determination is made, in determining whether it must be included in the accounting.

We agree with the commenters that there are areas where we can reduce burden by removing additional disclosures from the accounting requirement, without compromising individuals’ rights to know how their information is being disclosed. In the final rule, covered entities are not required to include the following disclosures in the accounting: disclosures to the individual, disclosures for facility directories under § 164.510(a), or disclosures to persons assisting in the individual’s care or for other notification purposes under § 164.510(b). For each of these types of disclosures, the individual is likely to already know about the disclosure or to have agreed to the disclosure, making the inclusion of such disclosures in the accounting less important to the individual and unnecessarily burdensome to the covered entity.

Comment: Many commenters objected to requiring business partners to provide an accounting to covered entities upon their request. They cited the encumbrance associated with re-contracting with the various business partners, as well as the burden associated with establishing this type of record keeping.

Response: Individuals have a right to know to whom and for what purpose their protected health information has been disclosed by a covered entity. The fact that a covered entity uses a business associate to carry out a function does not diminish an individual’s right to know.

Comments: One commenter requested clarification as to how far a covered entity’s responsibility would extend, asking whether an entity had to track only their direct disclosures or subsequent re-disclosures.

Response: Covered entities are required to account for their disclosures, as well as the disclosures of their business associates, of protected health information. Because business associates act on behalf of covered entities, it is essential that their disclosures be included in any accounting that an individual requests from a covered entity. Covered entities are not responsible, however, for the actions of persons who are not their business associates. Once a covered entity has accounted for a disclosure to any person other than a business associate, it is not responsible for accounting for any further uses or disclosures of the information by that other person.

Comments: Some commenters said that the accounting provision described in the NPRM was ambiguous and created uncertainty as to whether it addresses disclosures only, as the title would indicate, or whether it includes accounting of uses. They urged that the standard address disclosures only, and not uses, which would make implementation far more practicable and less burdensome.

Response: The final rule requires disclosures, not uses, to be included in an accounting. See § 164.501 for definitions of “use” and “disclosure.”

Comments: We received many comments from providers and other representatives of various segments of the health care industry, expressing the view that a centralized system of recording disclosures was not possible given the complexity of the health care system, in which disclosures are made by numerous departments within entities. For example, commenters stated that a hospital medical records department generally makes notations regarding information it releases, but that these notations do not include disclosures that the emergency department may make. Several commenters proposed that the rule provide for patients to receive only an accounting of disclosures made by medical records departments or some other central location, which would relieve the burden of centralizing accounting for those entities who depend on paper records and tracking systems.

Response: We disagree with commenters’ arguments that covered entities should not be held accountable for the actions of their subdivisions or workforce members. Covered entities are responsible for accounting for the disclosures of protected health information made by the covered entity, in accordance with this rule. The particular person or department within the entity that made the disclosure is immaterial to the covered entity’s obligation. In the final rule, we require covered entities to document each disclosure that is required to be included in an accounting. We do not, however, require this documentation to be maintained in a central registry. A covered hospital, for example, could maintain separate documentation of disclosures that are made from the medical records department and the emergency department. At the time an individual requests an accounting, this documentation could be integrated to provide a single accounting of disclosures made by the covered hospital. Alternatively, the covered hospital could centralize its processes for making and documenting disclosures. We believe this provision provides covered entities with sufficient flexibility to meet their business needs without compromising individuals’ rights to know how information about them is disclosed.

Comments: Commenters stated that the accounting requirements placed undue burden on covered entities that use paper, rather than electronic, records.

Response: We do not agree that the current reliance on paper records makes the accounting provision unduly burdensome. Covered entities must use the paper records in order to make a disclosure, and have the opportunity when they do so to make a notation in the record or in a separate log. We require an accounting only for disclosures for purposes other than treatment, payment, and health care operations. Such disclosures are not so numerous that they cannot be accounted for, even if paper records are involved.

Comments: The exception to the accounting provision for disclosures of protected health information for treatment, payment, and health care operations purposes was viewed favorably by many respondents. However, at least one commenter stated that since covered entities must differentiate between disclosures that require documentation and those that do not, they will have to document each instance when a patient’s medical record is disclosed to determine the reason for the disclosure. This commenter also argued that the administrative burden of requiring customer services representatives to ask in which category the information falls and then to keep a record that they asked the question and record the answer would be overwhelming for plans. The commenter concluded that the burden of documentation on a covered entity would not be relieved by the stipulation that documentation is not required for treatment, payment, and health care operations.

Response: We disagree. Covered entities are not required to document every disclosure in order to differentiate those for treatment, payment, and health care operations from those for purposes for which an accounting is required. We require that, when a disclosure is made for which an accounting is required, the covered entity be able to produce an accounting of those disclosures upon request. We do not require a covered entity to be able to account for every disclosure. In addition, we believe that we have addressed many of the commenters’ concerns by clarifying in the final rule that disclosures to the


individual, regardless of the purpose for the disclosure, are not subject to the accounting requirement.

Comments: An insurer explained that in the context of underwriting, it may have frequent and multiple disclosures of protected health information to an agent, third party medical provider, or other entity or individual. It requested we reduce the burden of accounting for such disclosures.

Response: We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization or for a single purpose permitted under the rule without authorization, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series.

Comment: Several commenters said that it was unreasonable to expect covered entities to track disclosures that are requested by the individual. They believed that consumers should be responsible for keeping track of their own requests.

Other commenters asked that we specify that entities need not retain and provide copies of the individual’s authorization to disclose protected health information. Some commenters were particularly concerned that if they maintain all patient information on a computer system, it would be impossible to link the paper authorization with the patient’s electronic records.

Another commenter suggested we allow entities to submit copies of authorizations after the 30-day deadline for responding to the individual, as long as the accounting itself is furnished within the 30-day window.

Response: In the final rule we do not require disclosures to the individual to be included in the accounting. Other disclosures requested by the individual must be included in the accounting, unless they are otherwise excepted from the requirement. We do not agree that individuals should be required to track these disclosures themselves. In many cases, an authorization may authorize a disclosure by more than one entity, or by a class of entities, such as all physicians who have provided medical treatment to the individual. Absent the accounting, the individual cannot know whether a particular covered entity has acted on the authorization.

We agree, however, that it is unnecessarily burdensome to require covered entities to provide the individual with a copy of the authorization. We remove the requirement. Instead, we require the accounting to contain a brief statement describing the purpose for which the protected health information was disclosed. The statement must be sufficient to reasonably inform the individual of the basis for the disclosure. Alternatively, the covered entity may provide a copy of the authorization or a copy of the written request for disclosure, if any, under §§ 164.502(a)(2)(ii) or 164.512.

Comments: We received many comments regarding the amount of information required in the accounting. A few commenters requested that we include additional elements in the accounting, such as the method of transmittal and identity of the employee who accessed the information.

Other commenters, however, felt that the proposed requirements went beyond what is necessary to inform the individual of disclosures. Another commenter stated that if the individual’s right to obtain an accounting extends to disclosures that do not require a signed authorization, then the accounting should be limited to a disclosure of the manner and purpose of disclosures, as opposed to an individual accounting of each entity to whom the protected health information was disclosed. An insurer stated that this section of the proposed rule should be revised to provide more general, rather than detailed, guidelines for accounting of disclosures. The commenter believed that its type of business should be allowed to provide general information regarding the disclosure of protected health information to outside entities, particularly with regard to entities with which the insurer maintains an ongoing, standard relationship (such as a reinsurer).

Response: In general, we have retained the proposed approach, which we believe strikes an appropriate balance between the individual’s right to know to whom and for what purposes their protected health information has been disclosed and the burden placed on covered entities. In the final rule, we clarify that the accounting must include the address of the recipient only if the address is known to the covered entity. As noted above, we also add a provision allowing for a summary accounting of recurrent disclosures. We note that some of the activities of concern to commenters may fall under the definition of health care operations (see § 164.501 and the associated preamble).

Comment: A commenter asked that we limit the accounting to information pertaining to the medical record itself, as opposed to protected health information more generally. Similarly, commenters suggested that the accounting be limited to release of the medical record only.

Response: We disagree. Protected health information exists in many forms and resides in many sources. An individual’s right to know to whom and for what purposes his or her protected health information has been disclosed would be severely limited if it pertained only to disclosure of the medical record, or information taken only from the record.

Comment: A commenter asked that we make clear that only disclosures external to the organization are within the accounting requirement.

Response: We agree. The requirement only applies to disclosures of protected health information, as defined in § 164.501.

Comment: Some commenters requested that we establish a limit on the number of times an individual could request an accounting. One comment suggested we permit individuals to request one accounting per year; another suggested two accountings per year, except in “emergency situations.” Others recommended that we enable entities to recoup some of the costs associated with implementation by allowing the entity to charge for an accounting.

Response: We agree that covered entities should be able to defray costs of excessive requests. The final rule provides individuals with the right to receive one accounting without charge in a twelve-month period. For additional requests by an individual within a twelve-month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request to avoid or reduce the fee.

Comment: In the NPRM, we solicited comments on the appropriate duration of the individual’s right to an accounting. Some commenters supported the NPRM’s requirement that the right exist for as long as the covered entity maintains the protected health information. One commenter, however, noted that most audit control systems do not retain data on activity for indefinite periods of time.

Other commenters noted that laws governing the length of retention of clinical records vary by state and by provider type and suggested that entities be allowed to adhere to state laws or policies established by professional organizations or accrediting bodies. Some commenters suggested that the
language be clarified to state that whatever minimum requirements are in place for the record should also guide covered entities in retaining their capacity to account for disclosures over that same time, but no longer.

Several commenters asked us to consider specific time limits. It was pointed out that proposed § 164.520(f)(6) of the NPRM set a six-year time limit for retaining certain information including authorization forms and contracts with business partners. Included in this list was the accounting of disclosures, but this requirement was inconsistent with the more open-ended language in § 164.515. Commenters suggested that deferring to this six-year limit would make this provision consistent with other record retention provisions of the standard and might relieve some of the burden associated with implementation. Other specific time frames suggested were two years, three years, five years, and seven years.

Another option suggested by commenters was to keep the accounting record for as long as entities have the information maintained and “active” on their systems. Information permanently taken off the covered entity’s system and sent to “dead storage” would not be covered. One commenter further recommended that we not require entities to maintain records or account for prior disclosures for members who have “disenrolled.”

Response: We agree with commenters who suggested we establish a specific period for which an individual may request an accounting. In the final rule, we provide that individuals have a right to an accounting of the applicable disclosures that have been made in the six-year period prior to a request for an accounting. We adopt this time frame to conform with the other documentation retention requirements in the rule. We also note that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than six years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request. In addition, we note that covered entities do not have to account for disclosures that occurred prior to the compliance date of this rule.

Comments: Commenters asked that we provide more time for entities to respond to requests for accounting. Suggestions ranged from 60 days to 90 days. Another writer suggested that entities be able to take up to three 30-day extensions from the original 30-day deadline. Commenters raised concerns about the proposed requirement that a covered health care provider or health plan act as soon as possible.

Response: We agree with the concerns raised by commenters, and in the final rule covered entities are required to provide a requested accounting no later than 60 days after receipt of the request. We also provide for one 30-day extension if the covered entity is unable to provide the accounting within the standard time frame. We eliminate the requirement for a covered entity to act as soon as possible.

We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

Comment: A commenter asked that we provide an exemption for disclosures related to computer upgrades, when protected health information is disclosed to another entity solely for the purpose of establishing or checking a computer system.

Response: This activity falls within the definition of health care operations and is, therefore, excluded from the accounting requirement.

Section 164.530—Administrative Requirements

Section 164.530(a)—Designation of a Privacy Official and Contact Person

Comment: Many of the commenters on this topic objected to the cost of establishing a privacy official, including the need to hire additional staff, which might need to include a lawyer or other highly paid individual.

Response: We believe that designation of a privacy official is essential to ensure a central point of accountability within each covered entity for privacy-related issues. The privacy official is charged with developing and implementing the policies and procedures for the covered entity, as required throughout the regulation, and for compliance with the regulation generally. While the costs for these activities are part of the costs of compliance with this rule, not extra costs associated with the designation of a privacy official, we do anticipate that there will be some cost associated with this requirement. The privacy official role may be an additional responsibility given to an existing employee in the covered entity, such as an office manager in a small entity or an information officer or compliance official in a larger institution. Cost estimates for the privacy official are discussed in detail in the overall cost analysis.

Comment: A few commenters argued for more flexibility in meeting the requirement for accountability. One health care provider maintained that covered entities should be able to establish their own system of accountability. For example, most physician offices already have the patient protections incorporated in the proposed administrative requirements; the commenter urged that the regulation should explicitly promote the application of flexibility and scalability. A national physician association noted that, in small offices in particular, responsibility for the policies and procedures should be allowed to be shared among several people. A major manufacturing corporation asserted that mandating a privacy official is unnecessary and that it would be preferable to ask for the development of policies that are designed to ensure that processes are maintained to assure compliance.

Response: We believe that a single focal point is needed to achieve the necessary accountability. At the same time, we recognize that covered entities are organized differently and have different information systems. We therefore do not prescribe who within a covered entity must serve as the privacy official, nor do we prohibit combining this function with other duties. Duties may be delegated and shared, so long as there is one point of accountability for the covered entity’s policies and procedures and compliance with this regulation.

Comment: Some commenters echoed the proposal of a professional information management association that the regulation establish formal qualifications for the privacy official, suggesting that this should be a credentialed information management professional with specified minimum training standards. One commenter emphasized that the privacy official should be sufficiently high in management to have influence.

Response: While there may be some advantages to establishing formal qualifications, we concluded the disadvantages outweigh the advantages. Since the job of privacy official will differ substantially among organizations of varying size and function, specifying a single set of qualifications would sacrifice flexibility and scalability in implementation.
Comment: A few commenters suggested that we provide guidance on the tasks of the privacy official. One noted that this would reduce the burden on covered entities to clearly identify those tasks during the initial HIPAA implementation phase.

Response: The regulation itself outlines the tasks of the privacy official, by specifying the policies and procedures required, and otherwise explaining the duties of covered entities. Given the wide variation in the function and size of covered entities, providing further detail here would unnecessarily reduce flexibility for covered entities. We will, however, provide technical assistance in the form of guidance on the various provisions of the regulation before the compliance date.

Comment: Some comments expressed concern that the regulation would require a company with subsidiaries to appoint a privacy official within each subsidiary. Instead they argued that the corporate entity should have the option of designating a single corporate official rather than one at each subsidiary.

Response: In the final regulation, we give covered entities with multiple subsidiaries that meet the definition of covered entities under this rule the flexibility to designate whether such subsidiaries are each a separate covered entity or are together a single covered entity. (See § 164.504(b) for the rules requiring such designation.) If only one covered entity is designated for the subsidiaries, only one privacy officer is needed. Further, we do not prohibit the privacy official of one covered entity from serving as the privacy official of another covered entity, so long as all the requirements of this rule are met for each such covered entity.

Section 164.530(b)—Training

Comment: A few commenters felt that the proposed provision was too stringent, and that the content of the training program should be left to the reasonable discretion of the covered entity.

Response: We clarify that we do not prescribe the content of the required training; the nature of the training program is left to the discretion of the covered entity. The scenarios in the NPRM preamble of potential approaches to training for different sized covered entities were intended as examples of the flexibility and scalability of this requirement.

Comment: Most commenters on this provision asserted that recertification/retraining every three years is excessive, restrictive, and costly. Commenters felt that retraining intervals should be left to the discretion of the covered entity. Some commenters supported retraining only in the event of a material change. Some commenters supported the training requirement as specified in the NPRM.

Response: For the reasons cited by the commenters, we eliminate the triennial recertification requirements in the final rule. We also clarify that retraining is not required every three years. Retraining is only required in the case of material changes to the privacy policies and procedures of the covered entity.

Comment: Several commenters objected to the burden imposed by required signatures from employees after they are trained. Many commenters suggested that electronic signatures be accepted for various reasons. Some felt that it would be less costly than manually producing, processing, and retaining the hard copies of the forms. Some suggested sending out the notice to the personal workstation via email or some other electronic format and having staff reply via email. One commenter suggested that the covered entity might opt to give web based training instead of classroom or some other type. The commenter indicated that with web based training, the covered entity could record whether or not an employee had received his or her training through the use of a guest book or registration form on the web site. Thus, a physical signature should not be required.

Response: We agree that there are many appropriate mechanisms by which covered entities can implement their training programs, and therefore remove this requirement for signature. We establish only a general requirement that covered entities document compliance with the training requirement.

Comment: Some commenters were concerned that there was no proposed requirement for business associates to receive training and/or to train their employees. The commenters believed that if the business associate violated any privacy requirements, the covered entity would be held accountable. These commenters urged the Secretary to require periodic training for appropriate management personnel assigned outside of the component unit of the covered entity, including business associates. Other commenters felt that it would not be fair to require covered entities to impose training requirements on business associates.

Response: We do not have the statutory authority directly to require business associates to train their employees. We also believe it would be unnecessarily burdensome to require covered entities to monitor business associates’ establishment of specific training requirements. Covered entities’ responsibility for breaches of privacy by their business associates is described in §§ 164.504(e) and 164.530(f). If a covered entity believes that including a training requirement in one or more of its business associate contracts is an appropriate means of protecting the health information provided to the business associate, it is free to do so.

Comments: Many commenters argued that training, as well as all of the other administrative requirements, are too costly for covered entities and that small practices would not be able to bear the added costs. Commenters also suggested that HHS should provide training materials at little, or no, cost to the covered entity.

Response: For the final regulation, we make several changes to the proposed provisions. We believe that these changes address the issue of administrative cost and burden to the greatest extent possible, consistent with protecting the privacy of health information. In enforcing the privacy rule, we expect to provide general training materials. We also hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups.

We note that, under long-standing legal principles, entities are generally responsible for the actions of their workforce. The requirement to train workforce members to implement the covered entity’s privacy policies and procedures, and do such things as pass evidence of potential problems to those responsible, is in line with these principles. For example, the comments and our fact finding indicate that, today, many hospitals require their workforce members to sign a confidentiality agreement, and include confidentiality matters in their employee handbooks.

Section 164.530(c)—Safeguards

Comments: A few comments assert that the rule requires some institutions that do not have adequate resources to develop costly physical and technical safeguards without providing a funding mechanism to do so. Another comment said that the vague definitions of adequate and appropriate safeguards could be interpreted by HHS to require the purchase of new computer systems and reprogram many old ones. A few other comments suggested that the safeguards language was vague and asked for more specifics.

Response: We require covered entities to maintain safeguards adequate for their operations, but do not require that
specific technologies be used to do so. Safeguards need not be expensive or high-tech to be effective. Sometimes, it is an adequate safeguard to put a lock on a door and only give the keys to those who need access. As described in more detail in the preamble discussion of § 164.530, we do not require covered entities to guarantee the safety of protected health information against all assaults. This requirement is flexible and scalable to allow implementation of required safeguards at a reasonable cost.

Comments: A few commenters noted that once protected health information becomes non-electronic, by being printed for example, it escapes the protection of the safeguards in the proposed Security Rule. They asked if this safeguards requirement is intended to install similar security protections for non-electronic information.

Response: This provision is not intended to incorporate the provisions in the proposed Security regulation into this regulation, or to otherwise require application of those provisions to paper records.

Comments: Some commenters said that it was unclear what “appropriate” safeguards were required by the rule and who establishes the criteria for them. A few noted that the privacy safeguards were not exactly the same as the security safeguards, or that the “other safeguards” section was too vague to implement. They asked for more clarification of safeguards requirements and flexible solutions.

Response: In the preamble discussion of § 164.530, we provide examples of types of safeguards that can be appropriate to satisfy this requirement. Other sections of this regulation require specific safeguards for specific circumstances. The discussion of the requirements for “minimum necessary” uses and disclosures of protected health information includes related guidance for developing role-based access policies for a covered entity’s workforce. The requirements for “component entities” include requirements for firewalls to prevent access by unauthorized persons. The proposed Security Rule included further details on what safeguards would be appropriate for electronic information systems. The flexibility and scalability of these rules allows covered entities to analyze their own needs and implement solutions appropriate for their own environment.

Comments: A few comments asked for a requirement for a firewall between a health care component and the rest of a larger organization as another appropriate safeguard.

Response: We agree, and have incorporated such a requirement in § 164.504.

Comments: One commenter agreed with the need for administrative, physical, and technical safeguards, but took issue with our specification of the type of documentation or proof that the covered entity is taking action to safeguard protected health information.

Response: This privacy rule does not require specific forms of proof for safeguards.

Comments: A few commenters asked that, for the requirement for a signed certification of training and the requirements for verification of identity, we consider the use of electronic signatures that meet the requirements in the proposed security regulation to meet the requirements of this rule.

Response: In this final rule, we drop the requirements for signed certifications of training. Signatures are required elsewhere in this regulation, for example, for a valid authorization. In the relevant sections we clarify that electronic signatures are sufficient provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.

Comments: A few commenters requested that the privacy requirements for appropriate administrative, technical, and physical safeguards be considered to have been met if the requirements of the proposed Security Rule have been met. Others requested that the safeguards requirements of the final Privacy Rule mirror or be harmonized with the final Security Rule so they do not result in redundant or conflicting requirements.

Response: Unlike the proposed regulation, the final regulation covers all protected health information, not just information that had at some point been electronic. Thus, these commenters’ assumption that the proposed Privacy Rule and the proposed Security Rule covered the same information is not the case, and taking the approach suggested by these comments would leave a significant number of health records unprotected. The safeguards required by this regulation are appropriate for both paper and electronic information. We will take care to ensure that the final Security Rule works in tandem with these requirements.

Comments: One commenter requested that the final privacy rule be published before the final Security Rule, recognizing that the privacy policies must be in place before the security technology used to implement them could be worked out. Another commenter asked that the final Security Rule be published immediately and not wait for an expected delay while privacy policies are worked out.

Response: Now that this final privacy rule has been published in a timely manner, the final Security Rule can be harmonized with it and published soon.

Comments: Several commenters echoed an association recommendation that, for those organizations that have implemented a computer based patient record that is compliant with the requirements of the proposed Security Rule, the minimum necessary rule should be considered to have been met by the implementation of role-based access controls.

Response: The privacy regulation applies to paper records to which the proposed Security Rule does not apply. Thus, taking the approach suggested by these comments would leave a significant number of health records unprotected. Further, since the final Security Rule is not yet published and the number of covered entities that have implemented this type of computer-based patient record systems is still small, we cannot make a blanket statement. We note that this regulation requires covered entities to develop role-based access rules, in order to implement the requirements for “minimum necessary” uses and disclosures of protected health information. Thus, this regulation provides a foundation for the type of electronic system to which these comments refer.

Section 164.530(d)—Complaints to the Covered Entity

Comment: Several commenters felt that some form of due process is needed when it comes to internal complaints. Specifically, they wanted to be assured that the covered entity actually hears the complaints made by the individual and that the covered entity resolves the complaint within a reasonable time frame. Without due process the commenters felt that the internal complaint process is open ended. Some commenters wanted the final rule to include an appeals process for individuals if a covered entity’s determination in regards to the complaint is unfavorable to the individual.

Response: We do not require covered entities to implement any particular due process or appeals process for complaints, because we are concerned about the burden this could impose on covered entities. We provide individuals with an alternative to take their complaints to the Secretary. We believe that this provides incentives for
covered entities to implement a complaint process that resolves complaints to individuals’ satisfaction.

Comment: Some commenters felt that the individual making the complaint should exhaust all other avenues to resolve their issues before filing a complaint with the Secretary. A number of commenters felt that any complaint being filed with the Secretary should include documentation of the reviews done by the covered entity.

Response: We reject these suggestions, for two reasons. First, we want to avoid establishing particular process requirements for covered entities’ complaint programs. Also, this rule does not require the covered entity to share any information with the complainant, only to document the receipt of the complaint and the resolution, if any. Therefore, we cannot expect the complainant to have this information available to submit to the Secretary. Second, we believe the individual making the complaint should have the right to share the complaint with the Secretary at any point in time. This approach is consistent with existing civil rights enforcement programs for which the Department is responsible. Based on that experience, we believe that most complaints will come first to covered entities for disposition.

Comment: Some commenters wanted the Department to prescribe a minimum amount of time before the covered entity could dispose of the complaints. They felt that storing these complaints indefinitely would be cumbersome and expensive.

Response: We agree, and in the final rule require covered entities to keep all items that must be documented, including complaints, for at least six years from the date of creation.

Comments: Some commenters objected to the need for covered entities to have at least one employee, if not more, to deal with complaints. They felt that this would be costly and is redundant in light of the designation of a contact person to receive complaints.

Response: We do not require assignment of dedicated staff to handle complaints. The covered entity can determine staffing based on its needs and business practices. We believe that consumers need one clear point of contact for complaints, in order that this provision effectively inform consumers how to lodge complaints and so that the complaint will get to someone who knows how to respond. The contact person (or office) is for receipt of complaints, but need not handle the complaints.

Section 164.530(e)—Sanctions

Comment: Commenters argued that most covered entities already have strict sanctions in place for violations of a patient’s privacy, either due to current laws, contractual obligations, or good operating practices. Requiring covered entities to create a formal sanctioning process would be superfluous.

Response: We believe it is important for the covered entity to have these sanction policies and procedures documented so that employees are aware of what actions are prohibited and punishable. For entities that already have sanctions policies in place, it should not be problematic to document those policies. We do not define the particular sanctions that covered entities must impose.

Comment: Several commenters agreed that training should be provided and expectations should be clear so that individuals are not sanctioned for doing things that they did not know were wrong or inappropriate. A good faith exception should be included in the final rule to protect these individuals.

Response: We agree that employees should be trained to understand the covered entity’s expectations and understand the consequences of any violation. This is why we are requiring each covered entity to train its workforce. However, we disagree that a good faith exception is explicitly needed in the final rule. We leave the details of sanctions policies to the discretion of the covered entity. We believe it is more appropriate to leave this judgment to the covered entity that will be familiar with the circumstances of the violation, rather than to specify such requirements in the regulation.

Comment: Some commenters felt that the sanctions need to reach business partners as well, not just employees of the covered entities. These commenters felt all violators should be sanctioned, including government officials and agencies.

Response: All members of a covered entity’s workforce are subject to sanctions for violations, including government officials who are part of a covered entity’s workforce. Requirements for addressing privacy violations by business associates are discussed in §§ 164.504(e) and 164.530(f).

Comments: Many commenters appreciated the flexibility left to the covered entities to determine sanctions. However, some were concerned that the covered entity would need to predict each type of violation and the associated sanction. They argue that, if the Department could not determine this in the NPRM, then the covered entities should be allowed to come up with sanctions as appropriate at the time of the violation. Some commenters wanted a better explanation and understanding of what HHS’ expectation is of when it is appropriate to apply sanctions. Some commenters felt that the sanctioning requirement is nebulous and requires independent judgment of compliance; as a result it is hard to enforce. Offending individuals may use the vagueness of the standard as a defense.

Response: We agree with the commenters that argue that covered entities should be allowed to determine the specific sanctions as appropriate at the time of the violation. We believe it is more appropriate to leave this judgment to the covered entity, because the covered entity will be familiar with the circumstances of the violation and the best way to improve compliance.

Comment: A commenter felt that the self-imposition of this requirement is an inadequate protection, as there is an inherent conflict of interest when an entity must sanction one of its own.

Response: We believe it is in the covered entity’s best interests to appropriately sanction those individuals who do not follow the outlined policies and procedures. Allowing violations to go unpunished may lead to bigger problems later, and result in complaints being registered with the Department by aggrieved parties and/or an enforcement action.

Comment: This provision should cover all violations, not just repeat violations.

Response: We do not limit this requirement to repeat offenses.

Section 164.530(f)—Duty To Mitigate

Comments: A few commenters felt that any duty to mitigate would be onerous, especially for small entities. One commenter supported an affirmative duty to mitigate for employees of the covered entity, as long as there is no prescribed mitigation policy. One commenter stated that a requirement for mitigation is unnecessary because any prudent entity would do it.

Some practitioner organizations, as well as a health plan, expressed concern about the obligation to mitigate in the context of the business associate relationship. Arguing that it is unnecessary for the regulation to explicitly extend the duty to mitigate to business associates, commenters noted that: any prudent entity would discipline a vendor or employee that violates a regulation; that the matter is best left to the terms of the contract; and that it is difficult and expensive for a
business associate to have a separate set of procedures on mitigation for each client/provider. One commenter suggested that the federal government should fund the monitoring needed to administer the requirement.

Response: Eliminating the requirement to mitigate harm would undermine the purposes of this rule by reducing covered entities’ accountability to their patients for failure to protect their confidential data. To minimize burden, we do not prescribe what mitigation policies and procedures must be implemented. We require only that the covered entity mitigate harm. We also assume that violations will be rare, and so the duty to mitigate harm will rarely be triggered. To the extent a covered entity already has methods for mitigating harm, this rule will not pose significant burden, since we don’t require the covered entity to follow any prescribed method or set of rules.

We also modify the NPRM to impose the duty to mitigate only where the covered entity has actual knowledge of harm. Further reducing burden, the rule requires mitigation “to the extent practicable.” It does not require the covered entity to eliminate the harm unless that is practicable. For example, if protected health information is inadvertently provided to a third party without authorization in a domestic abuse situation, the covered entity would be expected to promptly contact the patient as well as appropriate authorities and apprise them of the potential danger.

The harm to the individual is the same, whether the privacy breach was caused by a member of the covered entity’s workforce, or by a contractor. We believe the cost of this requirement to be minimal for covered entities that engage in prudent business practices for exchanging protected health information with their business associates.

Comment: A few commenters noted that it is difficult to determine whether a violation has resulted in a deleterious effect, especially as the entity cannot know all places to which information has gone and uses that have been made of it. Consequently, there should be a duty to mitigate even if a deleterious effect cannot be shown, because the individual has no other redress.

Response: As noted above, this provision only applies if the covered entity has actual knowledge of the harm, and requires mitigation “to the extent practicable.” The covered entity is expected to take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another individual, and what steps can actually have a mitigating effect in that specific situation.

Comments: Commenters stated that the language of the regulation was in some places vague and imprecise, thus providing covered entities with insufficient guidance and allowing variation in interpretation. Commenters also noted that this could result in inconsistency in implementation as well as permitting such inconsistency to be used as a defense by an offending entity. Particular language for which at least one commenter requested clarification included “reasonable steps” and what is entailed in the duty to mitigate.

Response: We considered ways in which we might increase specificity, including defining “to the extent practicable” and “reasonable steps” and relating the mitigating action to the deleterious impact. While this approach could remove from the covered entity the burden of decision-making about actions that need to be taken, we believe that other factors outweighed this potential benefit. Not only would there be a loss of desirable flexibility in implementation, but it would not be possible to define “to the extent practicable” in a way that makes sense for all types of covered entities. We believe that allowing flexibility and judgment by those familiar with the circumstances to dictate the approach is the best approach to mitigating harm.

Section 164.530(g)—Refraining From Intimidating or Retaliatory Acts

Comment: Several commenters stated that the regulation should prohibit covered entities from engaging in intimidating or retaliatory acts against any person, not just against the “individual,” as proposed. They suggested adding “or other person or entity” after “any individual.”

Response: We agree, and allow any person to file a complaint with the Secretary. “Person” is not limited to natural persons, but includes any type of organization, association or group such as other covered entities, health oversight agencies and advocacy groups.

Comment: A few commenters suggested deleting this provision in its entirety. One commenter indicated that the whistleblower and retaliation provisions could be inappropriately used against a hospital and that the whistleblower’s ability to report numerous violations will result in a dangerous expansion of liability. Another commenter stated that covered entities could not take action against an employee who had violated the employer’s privacy provisions if this employee files a complaint with the Secretary.

Several commenters suggested deleting “in any manner” and “or opposing any act or practice made unlawful by this subpart” in § 164.522(d)(4). The commenters indicated that, as proposed, the rule would make it difficult to enforce compliance within the workforce. One commenter stated that the proposed 164.522(d)(4) “is extremely broad and may allow an employee to reveal protected health information to fellow employees, the media and others (e.g., an employee may show a medical record to a friend or relative before filing a complaint with the Department).” This commenter further stated that covered entities will “absolutely be prevented from prohibiting such conduct.” One commenter suggested adding that a covered entity may take disciplinary action against any member of its work force or any business partner who uses or discloses individually identifiable health information in violation of this subpart in any manner other than through the processes set forth in the regulation.

Response: To respond to these comments, we make several changes to the proposed provision.

First, where the activity does not involve the filing of a complaint under § 160.306 of this part or participation in an investigation or proceeding initiated by the government under the rule, we delete the phrase “in any manner” and add a requirement that the individual’s opposition to “any act or practice” made unlawful by this subpart be in good faith, and that the expression of that opposition must be reasonable.

Second, we add a requirement that the individual’s opposition to “any act or practice” made unlawful by this subpart must not involve a disclosure of protected health information that is in violation of this subpart. Thus, the employee who discloses protected health information to the media or friends is not protected. In providing interpretations of the retaliation provision, we will consider existing interpretations of similar provisions such as the guidance issued by EEOC in this regard.

Section 164.530(h)—Waiver of Rights

There are no comments directly about this section because it was not included in the proposed rule.

Section 164.530(i)—Policies and Procedures and § 164.530(j)—Documentation Requirements

Comments: Many of the comments to this provision addressed the costs and

complexity of the regulation as a whole, not the additional costs of documenting policies and procedures per se. Some did, either implicitly or explicitly, object to the need to develop and document policies and procedures as creating excessive administrative burden. Many of these commenters also asserted that there is a contradiction between the administrative burden of this provision and one of the statutory purposes of this section of the HIPAA to reduce costs through administrative simplification. Suggested alternatives were generally reliance on existing regulations and ethical standards, or on current business practices.

Response: A specific discussion of cost and burden is found in the Regulatory Impact Analysis of this final rule.

We do not believe there is a contradiction between the administrative costs of this provision and the goal of administrative simplification. In the Administrative Simplification provisions of the HIPAA, Congress combined a mandate to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords, with a mandate to improve privacy and confidentiality protections. Congress recognized, and we agree, that the benefits of electronic commerce can also cause increased vulnerability to inappropriate access and use of medical information, and so must be balanced with increased privacy protections. By including the mandate for privacy standards in section 264 of the HIPAA, Congress determined that existing regulations and ethical standards, and current business practices were insufficient to provide the necessary protections.

Congress mandated that the total benefits associated with administrative simplification must outweigh its costs, including the costs of implementing the privacy regulation. We are well within this mandate.

Comments: Several commenters suggested that the documentation requirements not be established as a standard under the regulation, because standards are subject to penalties. They recommend we delete the documentation standards and instead provide specific guidance and technical assistance. Several commenters objected to the suggestion in the NPRM that professional associations assist their members by developing appropriate policies for their membership. Several commentators representing professional associations believed this to be an onerous and costly burden for the associations, and suggested instead that we develop specific models which might require only minor modification. Some of these same associations were also concerned about liability issues in developing such guidelines. One commenter argued that sample forms, procedures, and policies should be provided as part of the Final Rule, so that practitioners would not be overburdened in meeting the demands of the regulations. They urged us to apply this provision only to larger entities.

Response: The purpose of requiring covered entities to develop policies and procedures for implementing this regulation is to ensure that important decisions affecting individuals’ rights and privacy interests are made thoughtfully, not on an ad hoc basis. The purpose of requiring covered entities to maintain written documentation of these policies is to facilitate workforce training, and to facilitate creation of the required notice of information practices. We further believe that requiring written documentation of key decisions about privacy will enhance accountability, both within the covered entity and to the Department, for compliance with this regulation.

We do not include more specific guidance on the content of the required policies and procedures because of the vast difference in the size of covered entities and types of covered entities’ businesses. We believe that covered entities should have the flexibility to design the policies and procedures best suited to their business and information practices. We do not exempt smaller entities, because the privacy of their patients is no less important than the privacy of individuals who seek care from large providers. Rather, to address this concern we ensure that the requirements of the rule are flexible so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems.

We understand that smaller covered entities may require some assistance, and intend to provide such technical assistance after publication of this rule. We hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. Our discussions with several such organizations indicate their intent to work on various aspects of model documentation, including forms. Because the associations’ comments regarding concerns about liability did not provide sufficient details, we cannot address them here.

Comment: Many commenters discussed the need for a recognition of scalability of the policies and procedures of an entity based on size, capabilities, and needs of the participants. It was noted that the actual language of the draft regulations under § 164.520 did not address scalability, and suggested that some scalability standard be formally incorporated into the regulatory language and not rely solely on the NPRM introductory commentary.

Response: In § 164.530(i)(1) of the final rule, we specify that we require covered entities to implement policies and procedures that take into account the size of the covered entity and the types of activities that relate to protected health information undertaken by the covered entity.

Comment: One commenter objected to our proposal to allow covered entities to make uses or disclosures not permitted by their current notice if a compelling reason exists to make the use or disclosure and the entity documents the reasons and changes its policies within 30 days of the use or disclosure. The commenter argued that the subjective language of the regulation might give entities the ability to engage in post hoc justifications for violations of their own information practices and policies. The commenter suggested that there should be an objective standard for reviewing the covered entity’s reasons before allowing the covered entity to amend its policies.

Response: We eliminate this provision from the final rule. The final rule requires each covered entity to include in its notice of information practices a statement of all permitted uses under this rule, not just those in which the covered entity actually engages at the time of that notice.

Comment: Some commenters expressed concern that the required retention period in the NPRM applied to the retention of medical records.

Response: The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records.

Comments: Comments on the six year retention period were mixed. Some commenters endorsed the six-year retention period for maintaining documentation. One of the comments stated this retention period would assist physicians legally. Other commenters believed that the retention period would be an undue burden. One commenter noted that most State Board of Pharmacy regulations require

pharmacies to keep records for two years, so the six year retention period would triple document retention costs.

Response: We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.

Section 164.530(k)—Group Health Plans

There were no comments directly about this section because it was not included in the proposed rule.

Section 164.532—Transition Provisions

Comment: Commenters urged the Department to clarify whether the “reach of the transition requirement” is limited to a particular time frame, to the provider’s activities in a particular job, or work for a particular employer. For example, one commenter questioned how long a nurse is a covered entity after she moves from a job reviewing files with protected health information to an administrative job that does not handle protected health information; or whether an occupational health nurse who used to transmit first reports of injury to her company’s workers’ compensation carrier last year but no longer does so this year because of a carrier change still is a covered entity.

Response: Because this comment addresses a question of enforcement, we will address it in the enforcement regulation.

Comment: Several commenters sought clarification as to the application of the privacy rule to research already begun prior to the effective date or compliance date of the final rule. These commenters argued that applying the privacy rule to research already begun prior to the rule’s effective date would substantially overburden IRBs and that the resulting research interruptions could harm participants and threaten the reliability and validity of conclusions based upon clinical trial data. The commenters recommended that the rule grandfather in any ongoing research that has been approved by and is under the supervision of an IRB.

Response: We generally agree with the concerns raised by commenters. In the final rule, we have provided that covered entities may rely upon consents, authorizations, or other express legal permissions obtained from an individual for a specific research project that includes the treatment of individuals to use or disclose protected health information the covered entity obtained before or after the applicable compliance date of this rule as long as certain requirements are met. These consents, authorizations, or other express legal permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project or be a general consent of the individual to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.

In regard to research projects that include the treatment of individuals, such as clinical trials, covered entities engaged in these projects will have obtained at least an informed consent from the individual to participate in the project. In some cases, the researcher may also have obtained a consent, authorization, or other express legal permission to use or disclose individually identifiable health information in a specific manner. To avoid disrupting ongoing research and because the participants have already agreed to participate in the project (which expressly permits or implies the use or disclosure of their protected health information), we have grandfathered in these consents, authorizations, and other express legal permissions.

It is unlikely that a research project that includes the treatment of individuals could proceed under the Common Rule with a waiver of informed consent. However, to the extent such a waiver has been granted, we believe individuals participating in the project should be able to determine how their protected health information is used or disclosed. Therefore, we require researchers engaged in research projects that include the treatment of individuals who obtained an IRB waiver of informed consent under the Common Rule to obtain an authorization or a waiver of such authorization from an IRB or a privacy board under § 164.512(i) of this rule.

If a covered entity obtained a consent, authorization, or other express legal permission from the individual who is the subject of the research, it would be able to rely upon that consent, authorization, or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation. If a covered entity wishes to use or disclose protected health information but no such consent, authorization, or permission exists, it must obtain an authorization pursuant to § 164.508 or obtain a waiver of authorization under § 164.512(i). To the extent such a project is ongoing and the researchers are unable to locate the individuals whose protected health information they are using or disclosing, we believe the IRB or privacy board under the criteria set forth in § 164.512(i) will be able to take that circumstance into account when conducting its review. In most instances, we believe this type of research will be able to obtain a waiver of authorization and be able to continue uninterrupted.

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.

Response: We disagree with the commenter’s suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopt privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and healthcare clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation.

Consistent with the definition of individually identifiable health information in HIPAA, of which protected health information is a subset, we do not distinguish between protected health information in research records and protected health information in other records. Thus, a covered entity’s research records are subject to this regulation to the extent they contain protected health information.

Section 164.534—Effective Date and Compliance Date

Section 1175(b)(1)(A) of the Act requires all covered entities other than small health plans to comply with a standard or implementation specification “not later than 24 months after the date on which an initial standard or implementation specification is adopted or established”; section 1175(b)(1)(B) provides that small health plans must comply not later than 36 months after that date. The proposed rule provided, at proposed § 164.524 (which was titled “Effective date”), that a covered entity was required to be in compliance with the proposed subpart E not later than 24 months following the effective date of the rule, except that small health plans were required to be in compliance not later than 36 months following the effective date of the rule.

The final rules retain these dates in the text of Subpart E, but denominate them as “compliance dates,” to distinguish the statutory dates from the date on which the rules become effective. The effective date of the final rules is 60 days following publication in the Federal Register.

Meaning of Effective Date

Comment: A number of commenters expressed confusion about the difference between the effective date of the rule and the effective date on which compliance was required (the statutory compliance dates set out at section 1175(b)(1), summarized above).

Response: The Department agrees that the title of proposed § 164.524 was confusing. Similar comments were received on the Transactions Rule. Those comments were addressed by treating the “effective date” of the rule as the date on which adoption takes effect (the “Effective Date” heading at the beginning of the preamble), while the dates provided for by section 1175(b)(1) of the statute were denominated as “compliance dates.” These changes are reflected in the definition of “compliance date” in § 160.103 below (initially published as part of the Transactions Rule) and are also reflected at § 164.524 below. Section 164.524 below has also been reorganized to follow the organization of the analogous provisions of the Transactions Rule. The underlying policy, however, remains as proposed.

Extend the Compliance Date

Comment: Some commenters recommended that the compliance date be extended. A number of comments objected that the time frame for compliance with the proposed standards is unrealistically short. It was pointed out that providers and others would have to do the following, among other things, prior to the applicable compliance date: assess their current systems and departments, determine which state laws were preempted and which were not, update and reprogram computer systems, train workers, create and implement the required privacy policies and procedures, and create or update contracts with business partners. One comment also noted that the task of coming into compliance during the same time period with the other regulations being issued under HIPAA would further complicate the task. These comments generally supported an extension of the compliance dates by one or more years. Other comments supported extending the compliance dates on the ground that the complexity of the tasks involved in implementing the regulation would be a heavy financial burden for providers and others, and that they should be given more time to comply, in order to spread the associated capital and workforce costs over a longer period. It was also suggested that there be provision for granting extensions of the compliance date, based on some criteria, such as a good faith effort to comply, or that the compliance dates be extended to two years following completion of a “state-by-state preemption analysis” by the Department.

Response: The Secretary acknowledges that covered entities will have to make changes to their policies and procedures during the period between the effective date of the rules below and the applicable compliance dates. The delayed compliance dates which the statute provides for constitute a recognition of the fact that changes will be required and are intended to permit covered entities to manage and implement these changes in an orderly fashion. However, because the time frames for compliance with the initial standards are established by statute, the Secretary has no discretion to extend them: Compliance is statutorily required “not later than” the applicable compliance date. Nor do we believe that it would be advisable to accomplish this result by delaying the effective date of the final rules beyond 60 days. Since the Transactions Rule is now in effect, it is imperative to bring the privacy protections afforded by the rules below into effect as soon as possible. Retaining the delayed effective date of 60 days, as originally contemplated, will minimize the gap between transactions covered by those rules and not also afforded protection under the rules below.

Phase-in Requirements

Comment: Several comments suggested that the privacy standards be phased in gradually, to ease the manpower and cost burdens of compliance. A couple of equipment manufacturing groups suggested that updating of various types of equipment would be necessary for compliance purposes, and suggested a phased approach to this—for example, an initial phase consisting of preparation of policies, plans, and risk assessments, a second phase consisting of bringing new equipment into compliance, and a final phase consisting of bringing existing equipment into compliance.

Response: As noted in the preceding response, section 1175(b)(1) does not allow the Secretary discretion to change the time frame within which compliance must be achieved. Congress appears to have intended the phasing in of compliance to occur during the two-year compliance period, not thereafter.

Compliance Gap Vis-à-Vis State Laws and Small Health Plans

Comment: Several comments stated that, as drafted, the preemption provisions would be effective as of the rule’s effective date (i.e., 60 days following publication), even though covered entities would not be required to comply with the rules for at least another two years. According to these comments, the “preempted” state laws would not be in effect in the interim, so that the actual privacy protection would decrease during that period. A couple of comments also expressed concern about how the preemption provisions would work, given the one-year difference in applicable compliance dates for small health plans and other covered entities. A state medical society pointed out that this gap would also be very troublesome for providers who deal with both “small health plans” and other health plans. One comment asked what entities that decided to come into compliance early would have to do with respect to conflicting state laws and suggested that, since all parties “need to know with confidence which laws govern at the moment, * * * [t]here should be uniform effective dates.”

Response: We agree that clarification is needed with respect to the applicability of state laws in the interim between the effective date and the compliance dates. What the comments summarized above appeared to assume is that the preemption provisions of section 1178 operate to broadly and generally invalidate any state law that comes within their ambit. We do not agree that this is the effect of section

1178. Rather, what section 1178 does—where it acts to preempt—is to preempt the state law in question with respect to the actions of covered entities to which the state law applies. Thus, if a provision of state law is preempted by section 1178, covered entities within that state to which the state law applies do not have to comply with it, and must instead comply with the contrary federal standard, requirement, or implementation specification. However, as compliance with the contrary federal standard, requirement, or implementation specification is not required until the applicable compliance date, we do not view the state law in question as meeting the test of being “contrary.” That is, since compliance with the federal standard, requirement, or implementation standard is not required prior to the applicable compliance date, it is possible for covered entities to comply with the state law in question. See § 160.202 (definition of “contrary”). Thus, since the state law is not “contrary” to an applicable federal standard, requirement, or implementation specification in the period before which compliance is required, it is not preempted.

Several implications of this analysis should be spelled out. First, one

proposed rules, applauded the decision to extend the compliance date to three years for small businesses. It was requested that the final rules clarify that the three year compliance date applies to small doctors’ offices and other small entities, as well as to small health plans.

Response: We recognize that our discussion in the preamble to the proposed rules may have suggested that more covered entities came within the 36 month compliance date than is in fact the case. Again, this is an area in which we are limited by statute. Under section 1175(b) of the Act, only small health plans have three years to come into compliance with the standards below. Thus, other “small businesses” that are covered entities must comply by the two-year compliance date.

Coordination With the Security Standard

Comment: Several comments suggested that the security standard be issued either with or after the privacy standards. It was argued that both sets of standards deal with protecting health information and will require extensive personnel training and revisions to business practices, so that coordinating them would make sense. An equipment manufacturers group also pointed out that it would be logical for covered

Impact Analyses

Cost/Benefit Analysis

Comment: Many commenters made general statements to the effect that the cost estimates for implementing the provisions of the proposed regulation were incomplete or greatly understated.

Response: The proposal, including the cost analysis, is, in effect, a first draft. The purpose of the proposal was to solicit public comment and to use those comments to refine the final regulation. As a result of the public comment, the Department has significantly refined our initial cost estimates for implementing this regulation. The cost analysis below reflects a much more complete analysis of the major components of the regulation than was presented in the proposal.

Comment: Numerous commenters noted that significant areas of potential cost had not been estimated and that if they were estimated, they would greatly increase the total cost of the regulation. Potential cost areas identified by various respondents as omitted from the analyses include the minimum disclosure requirements; the requisite monitoring by covered entities of business partners with whom they share private health information; creation of de-identified information; internal complaint processes; sanctions and
conclusion that flows from this analysis
entities and their business partners to enforcement; the designation of a
is that preemption is specific to covered
know what privacy policies are required privacy official and creation of a privacy
entities and does not represent a general
in purchasing security systems, and that board; new requirements for research/
invalidation of state law, as suggested
‘‘the policies on privacy are optional disclosures; and future
by many commenters. Second, because
implemented through the security litigation costs.
preemption is covered entity-specific,
standards rather than having already Response: We noted in the proposed
preemption will occur at different times
finalized security standards drive rule that we did not have data from
for small health plans than it will occur
policy.’’ which to estimate the costs of many
for all other covered entities. That is, the
preemption of a given state law for a Response: We agree with these provisions, and solicited comments
covered entity, such as a provider, that comments, and are making every effort providing such data. The final analysis
is covered by the 24-month compliance to coordinate the final security below reflects the best estimate possible
date of section 1175(b)(1)(A) will occur standards with the privacy standards for these areas, based on the information
12 months earlier than the preemption below. The privacy standards below are available. The data and the underlying
of the same state law for a small health being published ahead of the security assumptions are explained in the cost
plan that is covered by the 36-month standards, which is also responsive to analysis section below.
compliance date of section the stated concerns. Comment: A number of comments
1175(b)(1)(B). Third, the preemption Prospective Application suggested that the final regulation be
occurs only for covered entities; a state delayed until more thorough analyses
law that is preempted under section Comment: Several comments raised could be undertaken and completed.
1178(a)(1) would not be preempted for questions about the application of the One commenter stated that the
persons and entities to which it applies rule to individually identifiable Department should refrain from
who are not covered entities. Thus, to information created prior to (1) the implementing the regulation until a
the extent covered entities or non- effective date of the rule, and (2) the more realistic assessment of costs could
covered entities follow the federal compliance dates of the rule. One be made and include local governments
standards on a voluntary basis (i.e., the provider group suggested that the rule in the process. Similarly, a commenter
covered entity prior to the applicable should apply only to information requested that the Department assemble
compliance date, the non-covered entity gathered after the effective date of the an outside panel of health industry
at any time), the state law in question final rule. A drug manufacturer asked experts, including systems analysts,
will not be preempted for them. what would be the effect of the rule on legal counsel, and management
research on records compiled before the consultants to develop stronger
Small Health Plans effective date of the rule. estimates.
Comment: Several comments, Response: These comments are Response: The Department has
pointing to the ‘‘Small Business’’ addressed in connection with the engaged in extensive research, data
discussion in the preamble to the discussion of § 164.532 above. collection and fact-finding to improve

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00292 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82753

the quality of its economic analysis. very difficult to quantify. The benefits focused on its projected implementation
This has included comments from and discussion in the proposal reflects this and production costs. For example, one
discussions with the kinds of experts difficulty. The examples presented in respondent stated that determining
one commenter suggested. The the proposal were meant to be ‘‘first service’’ would be an onerous task
estimates represent a reasonable illustrative of the benefits based on a for many small practices, and that
assessment of the policies proposed. few areas of medicine where some provider staff will now have to
Comment: Several commenters relevant data was available. manually review each patient’s chart or
indicated that the proposed regulation Unfortunately, no commenters provided access a computer system to determine
would impose significant new costs on either a better methodological approach whether the patient has been seen since
providers’ practices. Furthermore, they or better data for assessing the overall implementation of the rule.
believe that it runs counter to the benefits of privacy. Therefore, we Response: The policy in the final rule
explicit statutory intent of HIPAA’s believe the analysis in the proposal has been changed to make the privacy
Administrative Simplification represents a valid illustration of the policy notice to patients less
provisions which require that ‘‘any benefits of privacy, and we do not burdensome. Providers will be able to
standard adopted * * * shall be believe it is feasible to provide an distribute the notice when a patient is
consistent with the objective of reducing overall dollar estimate of the benefits of seen and will not have to distribute it
the administrative costs of providing privacy in the aggregate. to a patient more than once, unless
and paying for health care.’’ Comment: One commenter criticized substantive changes are made in the
Response: As the Department the benefit analysis as being incomplete notice. This change will significantly
explained in the Transactions Rule, this because it did not consider the potential reduce the cost of distributing the
provision applies to the administrative cost of new treatments that might be privacy notices.
simplification regulations of HIPAA in engendered by increased confidence in Comment: Some commenters also
the aggregate. The Transactions Rule is medical privacy resulting from the took issue with the methodology used to
estimated to save the health care system regulation. calculate the cost estimates for notices.
$29.9 billion in nominal dollars over ten Response: There is no data or model These respondents believe that the
years. Other regulations published to reliably assess such long-term survey data used in the proposed rule to
pursuant to the administrative behavioral and scientific changes, nor to estimate the costs (i.e., ‘‘encounters,’’
simplification authority in HIPAA, determine what portion of the ‘‘patients,’’ and ‘‘episodes’’ per year) are
including the privacy regulation, will increasingly rapid evolution of new very different concepts that, when used
result in costs, but these costs are within improved treatments might stem from together, render the purported total
the statutory directive so long as they do improved privacy protections. meaningless. Commenters further stated
not exceed the $29.9 billion in Moreover, to be complete, such analysis
estimated savings. Furthermore, as that they can verify the estimate of 543
would have to include the savings that million patients cited as being seen at
explained in the Transactions Rule, and might be realized from earlier detection
the preamble to this rule, assuring least once every five years.
and treatment. It is not possible at this
privacy is essential to sustaining many Response: In the course of receiving
time to project the magnitude or even
of the advances that computers will treatment, a patient may go to a number
the direction of the net effects of the
provide. If people do not have of medical organizations. For example,
response to privacy that the commenter
confidence that their medical privacy a person might see a doctor in a
suggests.
will be protected, they will be much less physician’s office, be admitted to a
likely to allow their records to be used Scope of the Regulation hospital, and later go to a pharmacy for
for any purpose or might even avoid Comment: Numerous commenters medication. Each time a person
obtaining necessary medical care. noted the potential cost and burden of ‘‘encounters’’ a facility, a medical record
Comment: Several commenters keeping track in medical records of may be started or additions made to an
criticized the omission of aggregate, information which had been transmitted existing record. The concept in the
quantifiable benefit estimates in the electronically, which would be subject proposal was to identify the number of
proposed rule. Some respondents to the rule, as opposed to information record sets that a person might have for
argued that the analysis in the proposed that had only been maintained in paper purposes of estimating notice and
rule used ‘‘de minimis’’ cost estimates form. copying costs. For example, whether a
to argue only that benefits would Response: This argument was found person made one or ten visits in the
certainly exceed such a low barrier. to have considerable merit and was one course of a year to a specific doctor
These commenters further characterized of the reasons that the Department would, for our purposes, be one record
the benefits analysis in the Notice of concluded that the final regulation set because in each visit the doctor
Proposed Rulemaking as ‘‘hand waving’’ should apply to all medical records would most likely be adding
used to divert attention from the fact maintained by covered entities, information to an existing medical
that no real cost-benefit comparison is including information that had never record. The comments demonstrated
presented. Another commenter stated been transmitted electronically. The that we had not explained the concept
that the benefit estimates rely heavily on costs analysis below reflects the change well. As explained below we modified
anecdotal and unsubstantiated in scope. the concept to more effectively measure
inferences. This respondent believes the number of record sets that exist and
that the benefit estimates are based on Notice Requirements explain it more clearly.
postulated, but largely unsubstantiated Comment: Several commenters Comment: Several commenters
causal linkages between increased expressed their belief that the criticized the lack of supporting
privacy and earlier diagnosis and administrative and cost burdens evidence for the cost estimates of notice
medical treatment. associated with the notice requirements development and dissemination.
Response: The benefits of privacy are were understated in the proposed rule. Another opinion voiced in the
diffused and intangible but real. While some respondents took issue with comments is that the estimated cost for
Medical privacy is not a good people the policy development cost estimates plans of $0.75 per insured person is so
buy or sell in a market; therefore, it is associated with the notice, more were low that it may cover postage, but it

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00293 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82754 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

cannot include labor and capital usage accommodating minimum disclosure we retained the number for the final
costs. provisions; installing notices and estimate.
Response: Based on comments and disclaimers; creating de-identified data; Comment: One respondent states that,
additional fact finding, the Department tracking uses of protected health since the proposed rules give patients
was able to gain a better understanding information by business partners; the right to inspect and copy their
of how covered entities would develop tracking amendments and corrections; medical records regardless of storage
policies and disseminate information. increased systems capacity; and annual medium, HHS must make a distinction
The cost analysis below explains more systems maintenance. The commenters in its cost estimates between records
fully how we derived the final cost noted that some of the aforementioned stored electronically and those which
estimates for these areas. items are acknowledged in the proposed
Comment: A commenter noted that must be accessed by manual means,
rule as future costs to covered entities, since these costs will differ.
privacy policy costs assume that but several others are singularly
national associations will develop ignored. Response: The cost estimates made for
privacy policies for members but HHS Response: The Department recognizes regulations are not intended to provide
analysis does not account for the cost to the validity of much of this criticism. such refined gradations; rather, they are
the national associations. A provider Unfortunately, other than general intended to show the overall costs for
cost range of $300–$3,000 is without criticism, commenters provided no the regulation as a whole and its major
justification and seems low. specific data or methodological components. For inspections and
Response: The cost to the national information which might be used to copying (and virtually all other areas for
associations was included in the improve the estimates. Therefore, the which estimates are made) estimates are
proposal estimates, and it is included in Department retained consultants with based on averages; particular providers
the final analysis (see below). extensive expertise in these areas to may experience greater or lesser costs
Comment: A commenter states that assess the proposed regulation, which than the average cost used in this
the notice costs discussion mixes the helped the Department refine its analysis.
terms ‘‘patients’’, ‘‘encounters’’ and policies and cost estimates. Comment: Several commenters noted
‘‘episodes’’ and 397 million encounter
In addition, it is important to note that the Department did not appear to
estimate is unclear.
that the other HIPAA administrative include the cost of establishing storage
Response: A clearer explanation of the
simplification regulations will require systems, retrieval fees and the cost of
concepts employed in this analysis is
systems changes. As explained generally searching for records, and that these
provided below.
in the cost analysis for the electronic costs, if included, would significantly
Systems Compliance Costs Transactions rule, it is assumed that increase the Department’s estimate.
Comment: Numerous commenters providers and vendors will undertake Response: Currently, providers keep
questioned the methodology used to systems changes for these regulations and maintain medical records and often
estimate the systems compliance cost collectively, thereby minimizing the
provide copies to other providers and
and stated that the ensuing cost cost of changes.
patients. Therefore, much of the cost of
estimates were grossly understated. Inspection and Copying maintaining records already exists.
Some stated that the regulation will Indeed, based on public comments, the
impose significant information Comment: Numerous commenters
Department has concluded that there
technology costs to comply with disagreed with the cost estimates in the
will be relatively few additional copies
requirement to account for disclosures, NPRM for inspection and copying of
requested as the result of this regulation
additional costs for hiring new patient records, believing that they were
(see below). We have measured and
personnel to develop privacy policies, too low.
attributed to this regulation the
and higher costs for training personnel. Response: The Department has
incremental cost, which is the standard
Response: Significant comments were investigated the potential costs through
for conducting this kind of analysis.
received regarding the cost of systems a careful reading of the comments and
compliance. In response, the subsequent factfinding discussions with Comment: A federal agency expressed
Department retained the assistance of a variety of providers. We believe the concern over the proposal to allow
consultants with extensive expertise in estimates, explained more fully below, covered entities to charge a fee for
health care information technology. We represent a reasonable estimate in the copying personal health information
have relied on their work to revise our aggregate. It is important to note, based on reasonable costs. The agency
estimates, as described below. The however, that this analysis is not requests personal health information
analysis does not include ‘‘systems measuring the cost of all inspection and from many covered entities and pays a
compliance’’ as a cost item, per se. copying because a considerable amount fee that it establishes. Allowing covered
Rather, in the final analysis we of this already occurs. The Department entities to establish the fee, the agency
organized estimates around the major is only measuring the incremental fears, may cost them significantly more
policy provisions so the public could increase likely to occur as a result of than the current amounts they pay and
more clearly see the costs associated this regulation. as a result, could adversely affect their
with them. To the extent that the policy Comment: One commenter speculates program.
might require systems changes (and a that, even at a minimum charge of $.50/ Response: The proposal and the final
number of them do), we have page, (and not including search and rule establish the right to access and
incorporated those costs in the retrieval charges), costs could run as copy records only for individuals, not
provision’s estimate. high as $450 million annually. other entities; the ‘‘reasonable fee’’ is
Comment: Items explicitly identified Response: The $0.50 per page in the only applicable to the individual’s
by commenters as significantly adding proposal represent an average of several request. The Department’s expectation
to systems compliance costs include data sources. Subsequently, an industry is that other existing practices regarding
tracking disclosures of protected health commenter, which provided extensive fees, if any, for the exchange of records
information and patient authorizations; medical records copying, stated that this not requested by an individual will not
restricting access to the data; was a reasonable average cost. Hence, be affected by this rule.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00294 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82755

Appending Records (Amendment and create a new transaction type for discontinuation of outsourcing for some
Correction) employers, health plans, and providers, functions, thereby driving up the
Comment: The proposed rule and result in duplicated efforts among administrative cost of health care.
them. This commenter estimates that Response: The final regulation
estimated the cost of amending and
the costs of mailing, re-mailing, clarifies the obligations of the business
correcting patients’ records at $75 per
answering inquiries, making outbound associates in assuring privacy. As
instance and $260 million per year for
calls and performing data entry in explained in the preamble, business
small entities. At least one commenter
newly created authorization computer associates must take reasonable steps to
stated that such requests will rise
systems could result in expenses of assure confidentiality of health records
significantly upon implementation of
close to $2.0 billion nationally. Another they may have, and the covered entity
the regulations and increase in direct must take appropriate action if they
commenter indicated that authorization
proportion to the number of patients become aware of a violation of the
costs will be at least double the notice
served. Another commenter described agreement they have with the business
dissemination costs due to the cost of
the more subtle costs associated with associate. This does not represent an
both outbound and return postage.
record amendment and correction, Response: Public commenters and unreasonable burden; indeed, the
which would include a case-by-case subsequent factfinding clearly indicate provider is required to take the same
clinical determination by providers on that most providers with patient contact kind of precautions and provide the
whether to grant such requests, already obtain authorizations for release same kind of oversight that they would
forwarding the ensuing record changes of records, so for them there is virtually in many other kinds of contractual
to business partners, and issuing written no new cost. Further, this comment relationships to assure they obtain the
statements to patients on the reasons for does not reflect the actual regulatory quality and level of performance that
denials, including a recourse for requirement. For example, there is no they would expect from a business
complaints. need to engage in mailing and re- associate.
Response: The comments were mailing of forms, and we do not foresee Comment: HHS failed to consider
considered in revising the proposal, and any reason why there should be any enforcement costs associated with
the decision was made to clarify in the significant calls involved. monitoring partners and litigation costs
final regulation that providers must only Comment: A commenter criticized the arising from covered entities seeking
append the record (the policy is percentage (1%) that we used to restitution from business partners
explained further in the preamble and calculate the number of health care whose behavior puts the covered entity
the regulation text). The provider is now encounters expected to result in at risk for noncompliance.
only required to note in the medical requests to withhold the release of Response: The Department
record any comments from the patient; protected information. This respondent acknowledged in the proposal that it
they may, but are not required to, postulates that even if one in six was not estimating the cost of
correct any errors. This change in policy patients who encounter the U.S. health compliance with the business associates
significantly reduces the cost from the care system opt to restrict access to their provision because of inadequate
initial proposal estimate. records, the total expected national cost information. It requested information on
Comment: Several commenters per year could rise to $900 million. this issue, but no specific information
criticized the proposed rule’s lack of Response: The final regulation was provided in the comments.
justification for assumptions regarding requirements regarding the release of However, based on revisions in the final
the percentage of patients who request protected health information has been policy and subsequent factfinding, the
inspection and copying, who also substantially changed, thereby greatly Department has provided an estimate
request amendment and correction. reducing the potential cost burden. A for this requirement, as explained
Another commenter pointed out that the fuller explanation of the cost is below.
cost estimate for amendment and provided below in the regulatory impact
correction is dependent on a base Training
analysis.
assumption that only 1.5 percent of Comment: An additional issue raised Comment: Many of the commenters
patients will request inspection of their by commenters was the added cost of believe that the Department used
records. As such, if this estimate were seeking authorizations for health unrealistic assumptions in the
too low by just one percentage point, promotion and disease management development of the estimated cost of the
then the estimates for inspection and activities, health care operations that training provisions and they provided
copying plus the costs for amendment traditionally did not require such their own estimates.
and correction could rise by 67 percent. action. Response: The commenters’ estimates
Response: Based on information and Response: In the final regulation, a varied widely, and could not be used by
data received in the public comments, covered entity can use medical the Department in revising its analysis
the estimate for the number of people information collected for treatment or because there was inadequate
requesting inspection and copying has operations for its own health promotion explanation of how the estimates were
been revised. No commenter provided and disease management efforts without made.
specific information on the number of obtaining additional authorization. Comment: Several commenters argued
amended record requests that might Therefore, there is no additional cost that if even an hour of time of each of
result, but the Department subsequently incurred. the entity’s employees is spent on
engaged in fact-finding and made training instead of ‘‘work’’ and they are
appropriate adjustments in its estimates. Business Associates paid the minimum wage, an entity
The revisions are explained further Comment: A number of commenters would incur $100 of cost for training no
below. were concerned about the cost of more than 20 employees. The
monitoring business partners. commenters noted that the provision of
Consent and Authorizations Specifically, one commenter stated that health care services is a labor-intensive
Comment: One respondent indicated the provisions of the proposed enterprise, and many covered entities
that the development, collection, and regulation pertaining to business have thousands of employees, most of
data entry of all the authorizations will partners would likely force the whom make well in excess of minimum

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00295 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82756 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

wage. They questioned whether the regulations. Now is the time for The small provider offices could be as much
estimates include time taken from the Secretary to begin building the as 11 times higher than the estimates
employee’s actual duties (opportunity necessary infrastructure to enforce the provided in the proposed rule. Other
cost) and the cost of a trainer and regulation effectively.’’ commenters stated that the estimates for
materials. Response: The Secretary agrees with small entities are ‘‘absurdly low’’.
Response: As explained in more detail the commenters and is committed to an Response: Although there were a
below, the Department made extensive effective enforcement program. We will number of commenters highly critical of
revisions in its training estimate, work with Congress to ensure that the the small business analysis, none
including the number of workers in the Department has the necessary funds to provided alternative estimates or even
health care sector, the cost of workers in secure voluntary compliance through provided a rationale for their
training based on average industry education and technical assistance, to statements. Many appeared to assume
wages, and training costs (instructors investigate complaints and conduct that all costs associated with medical
and materials). The revised estimate is compliance reviews, to provide states record confidentiality should be
a more complete and accurate estimate with exception determinations and to estimated. This represents a
of the costs likely to be borne as a result use civil and criminal penalties when misunderstanding of the purpose of the
of the final regulation. necessary. analysis: to estimate the incremental
Comment: One commenter estimated effects of this regulation, i.e., the new
that simply training an employee could have a burdensome impact on his company. He argued, for example, a 10-hour annual requirement takes 0.5% of an employee’s time if they work a 2000-hour year, but factoring in sick and vacation leave, the effects of industry turnover could significantly increase the effect.

Response: In the analysis below, the Department has factored in turnover rates, employment growth and greater utilization based on data obtained from broad-based surveys and a public comment.

Comment: Some commenters felt that the regulatory training provisions are overly burdensome. Specific concerns centered around the requirement to train all individuals who may come in contact with protected health information and the requirement to have such individuals sign a new certifying statement at least every three years. Some commenters felt that the content of the training program should be left to the discretion of the covered entity.

Response: Changes and clarifications in the training requirements are made in the final regulation, explained below. For example, the certification requirement has been eliminated. As in the NPRM, the content of the training program is left to the discretion of the covered entity. These changes are expected to lessen the training burden and are reflected in the final cost estimates.

Compliance and Enforcement

Comment: A Member of Congress and a number of privacy and consumer groups expressed their concern with whether the Office for Civil Rights (OCR) in HHS has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Member stated that ‘‘[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the

Economic Effect on Small Entities

Comment: Many commenters stated that the cost estimates on the effect of the proposed regulation on small businesses were understated or incomplete.

Response: The Department conducted a thorough review of potential data sources that would improve the quality of the analysis of the effects on small business. The final regulatory flexibility analysis below is based on the best data available (much of it from the Small Business Administration) and represents a reliable estimate for the effects on small entities in various segments of the health care industry. It is important to note that the estimates are for small business segments in the aggregate; the cost to individual firms will vary, perhaps considerably, based on their particular circumstances.

Comment: The cost of implementing privacy regulations, when added to the cost of other required HIPAA regulations, could increase overhead significantly. As shown in the 1993 Workgroup on Electronic Data Interchange (WEDI) Report, providers will bear the larger share of implementation costs and will save less than payors.

Response: The regulatory flexibility analysis below shows generally the marginal effect of the privacy regulation on small entities. Collectively, the HIPAA administrative standards will save money in the health care system. As important, given the rapid expansion of electronic commerce, it is probable that small entities would need to comply with standards for electronic commerce in order to compete effectively, even if the standards were voluntary. The establishment of uniform standards through regulation helps small entities because they will not have to invest in multiple systems, which is what they would confront if the system remained voluntary.

Comment: One respondent believed that the initial and ongoing costs for

costs (and savings) that will result from changes required by the regulation. The Department has made substantial changes in the final small entities analysis (below), reflecting policy changes in the final rule and additional information and data collected by the Department since the issuance of the proposal last fall. We believe that these estimates reasonably reflect the costs that various types of small entities will experience in general, though the actual costs of particular providers might vary considerably based on their current practices and technology.

Comment: A respondent expressed the belief that small providers would bear a disproportionate share of the regulation’s administrative burden because of the likelihood of larger companies incurring fewer marginal costs due to greater in-house resources to aid in the legal and technical analysis of the proposed rule.

Response: As explained below, the Department does not agree with the assertion that small entities will be disproportionately affected. Based on discussions with a number of groups, the Department expects many professional and trade associations to provide their members with analysis of the regulation, including model policies, statements and basic training materials. This will minimize the cost for most small entities. Providers that use protected health information for voluntary practices, such as marketing or research, are more likely to need specific legal and technical assistance, but these are likely to be larger providers.

Comment: Several commenters took issue with the ‘‘top-down’’ approach that we used to estimate costs for small businesses, believing that this methodology provided only a single point estimate, gave no indication of the variation around the estimate, and was subject to numerous methodological errors since the entities to which the numerator pertained may not have been
the same as the denominator. These respondents further recommended that we prepare a ‘‘bottom-up’’ analysis using case studies and/or a survey of providers to refine the estimates.

Response: The purpose of the regulatory flexibility analysis is to provide a better insight into the relative burden of small businesses compared to larger firms in complying with a regulation. There may be considerable variance around average costs within particular industry sectors, even among small businesses within them. The estimates are based on the best data available, including information from the Small Business Administration, the Census Bureau, and public comments.

Comment: A commenter stated that the proposal’s cost estimate does not account for additional administrative costs imposed on physicians, such as requirements to rewrite contracts with business partners.

Response: Such costs are included in the analysis below.

Comment: Numerous public comments were directed specifically at the systems compliance cost estimates for small businesses. One respondent maintained that the initial upgrade cost alone would range from $50 thousand to more than $1 million per covered entity.

Response: The cost estimates for systems compliance varied enormously; unfortunately, none of the commenters provided documentation of how they made their estimates, preventing us from comparing their data and assumptions to the Department’s. Because of concern about the costs in this area, however, the Department retained an outside consultant to provide greater expertise and analysis. The product of this effort has been incorporated in the analysis below.

Comment: One commenter stated that just the development and documentation of new health information policies and procedures (which would require an analysis of the federal regulations and state law privacy provisions), would cost far more than the $396 cited in the Notice of Proposed Rulemaking as the average start-up cost for small businesses.

Response: As explained below in the cost analysis, the Department anticipates that most of the policies and procedures that will be required under the final rule will be largely standardized, particularly for small businesses. Thus, much of the work and cost can be done by trade associations and professional groups, thereby minimizing the costs and allowing it to be spread over a large membership base.

Comment: A number of comments criticized the initial estimates for notices, inspection and copying, amendments and correction, and training as they relate to small businesses.

Response: The Department has made substantial revisions in its estimates for all of these areas, which are explained below in the regulatory flexibility analysis.

Comment: One commenter noted that there appeared to be a discrepancy in the number of small entities cited. There is no explanation for the difference and no explanation for the difference between ‘‘establishments’’ and ‘‘entities.’’

Response: There are discrepancies among the data bases on the number of ‘‘establishments’’ and ‘‘entities’’ or ‘‘firms’’. The problem arises because most surveys count (or survey) establishments, which are physical sites. A single firm or entity may have many establishments. Moreover, although an establishment may have only a few employees, the firm may have a large number of workers (the total of all its various establishments) and therefore not be a small entity.

As discussed below, there is some discrepancy between the aggregate numbers we use for the regulatory impact analysis (RIA) and the regulatory flexibility analysis (RFA). We concluded that for purposes of the RFA, which is intended to measure the effects on small entities, we would use Small Business Administration data, which defines entities based on revenues rather than physical establishments to count the number of small entities in various SIC. This provides a more accurate estimate of small entities affected. For the RIA, which is measuring total effects, we believe the establishment based surveys provide a more reliable count.

Comment: Because small businesses must notify patients of their privacy policies on patients’ first visit after the effective date of the regulation, several commenters argued that staff would have to search records either manually or by computer on a daily basis to determine if patients had been seen since the regulation was implemented.

Response: Under the final regulation, all covered entities will have to provide patients copies of their privacy policy at the first visit after the effective date of the regulation. The Department does not view this as burdensome. We expect that providers will simply place a note or marker at the beginning of a file (electronic or paper) when a patient is given the notice. This is neither time-consuming nor expensive, and it will not require constant searches of records.

Comment: A commenter stated that the definitions of small business, small entity, and a small health plan are inconsistent because the NPRM includes firms with annual receipts of $5 million or less and non-profits.

Response: The Small Business Administration, whose definitions we use for this analysis, includes firms with $5 million or less in receipts and all non-profits as ‘‘small businesses.’’ We recognize that some health plans, though very large in terms of receipts (and insured lives), nonetheless would be considered ‘‘small businesses’’ under this definition because they are non-profits. In the final regulatory flexibility analysis, we generally have maintained the Small Business Administration definitions because it is the accepted standard for these analyses. However, we have added several categories, such as IRBs and employer sponsored group health plans, which are not small entities, per se, but will be affected by the final rule and we were able to identify costs imposed by the regulation on them.

Comment: The same commenter wanted clarification that all non-profit organizations are small entities and that the extended effective date for compliance applies to them.

Response: For purposes of the regulatory flexibility analysis, the Department is utilizing the Small Business Administration guidelines. However, under HIPAA the Secretary may extend the effective compliance date from 24 months to 36 months for ‘‘small health plans’’. The Secretary is given the explicit discretion of defining the term for purposes of compliance with the regulation. For compliance purposes, the Secretary has decided to define ‘‘small health plans’’ as those with receipts of $5 million or less, regardless of their tax status. As noted above, some non-profit plans are large in terms of revenues (i.e., their revenues exceed $5 million annually). The Department determined that such plans do not need extra time for compliance.

Comment: Several commenters requested that ‘‘small providers’’ [undefined] be permitted to take 36 months to come into compliance with the final regulation, just as small health plans will be permitted to do so.

Response: Congress specified small health plans, but not small providers, as needing extra time to comply. The majority of providers affected by the regulation are ‘‘small’’, based on the SBA definitions; in other words, granting the delay would be tantamount to making the effective date three years rather than two. In making policy decisions for the final regulation, extensive consideration was given to minimizing the cost and administrative burden associated with implementing
the rule. The Department believes that the requirements of the final rule will not be difficult to fulfill, and therefore, it has maintained the two year effective date.

External Studies

Comment: One commenter submitted a detailed analysis of privacy legislation that was pending and concluded that they might cost over $40 billion.

Response: The study did not analyze the policies in the proposal, and therefore, the estimates do not reflect the costs that would have been imposed by the proposed regulation. In fact, the analysis was prepared before the Administration’s proposed privacy regulation was even published. As a result, the analysis is of limited relevance to the regulation actually proposed.

The following are examples of assumptions and costs in the analysis that do not match privacy policies or requirements stated in the proposed rule.

1. Authorizations: The study assumed rules requiring new authorizations from current subscribers to use their data for treatment, payment of claims, or other health plan operations. The proposed rule would have prohibited providers or plans from obtaining patient authorization to use data for treatment, payment or health care operations, and the final rule makes obtaining consent for these purposes voluntary for all health plans and for providers that do not have direct treatment relationships with individuals.

2. Disclosure History: The study assumes that providers, health plans, and clearinghouses would have to track all disclosures of health information. Under the NPRM and the final rule, plans, providers and clearinghouses are only required to account for disclosures that are not for treatment, payment, and health care operations, a small minority of all disclosures.

3. Inspection, Copying, and Amendment: The study assumed requirements to allow patients and their subscribers to inspect, copy, and amend all information that includes their name, social security number or other identifying feature (e.g., customer service calls, internal memorandum, claim runs). However, the study assumed broader access than provided in the rule, which requires access only to information in records used to make decisions about individuals, not all records with identifiable information.

4. Infrastructure development: The study attributed significant costs to infrastructure implementation of (computer systems, training, and other compliance costs). As explained below, the compliance requirements are much less extensive than assumed in this study. For example, many providers and plans will not be required to modify their privacy systems but will only be required to document their practices and notify patients of these practices, and others will be able to purchase low-cost, off-the-shelf software that will facilitate the new requirements. The final regulation will not require massive capital expenditures; we assumed, based on our consultants’ work, that providers will rely on low-cost incremental adjustments initially, and as their technology becomes outdated, they will replace it with new systems that incorporate the HIPAA standard requirements.

Although many of the policy assumptions in the study are fundamentally different than those in the proposed or final regulation, the study did provide some assistance to the Department in preparing its final analysis. The Department compared data, methodologies and model assumptions, which helped us think more critically about our own analysis and enhanced the quality of our final work.

Comment: One commenter submitted a detailed analysis of the NPRM Regulatory Impact Analysis and concluded that it might cost over $64 billion over 5 years. This analysis provided an interesting framework for analyzing the provision for the rule. More precisely, the analysis generally attempted to identify the number of entities that would be required to comply with each of the significant provisions of the proposed rule, then estimated the numbers of hours required to comply per entity, and finally, estimated an hourly wage.

Response: HHS adopted this general structure for the final RIA because it provided a better framework for analysis than what the Department had done in the NPRM. However, HHS did not agree with many of the specific assumptions used in this analysis, for several reasons. First, in some instances the assumptions were no longer relevant because the requirements of the NPRM were altered in the final rule. For other assumptions, HHS found more appropriate data sources for the number of covered entities, wage rates and trend rates or other factors affecting costs. In addition, HHS believes that in a few instances, this analysis over-estimated what is required of covered entities to comply. Based on public comments and its own factfinding, the Department believes many of its assumptions used in the final analysis more accurately reflect what is likely to be the real cost of the regulation.

IV. Final Regulatory Impact Analysis

5 U.S.C. 804(2) (as added by section 251 of Pub. L. 104–21), specifies that a ‘‘major rule’’ is any rule that the Office of Management and Budget finds is likely to result in:

• An annual effect on the economy of $100 million or more;

• A major increase in costs or prices for consumers, individual industries, federal, state, or local government agencies, or geographic regions; or

• Significant adverse effects in competition, employment, investment productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based enterprises in domestic and export markets.

The impact of this final rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in 5 U.S.C. 804(2).

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is ‘‘significant’’ if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more adversely affecting in a material way a sector of the economy, competition, or jobs, or if it raises novel legal or policy issues. The purpose of the regulatory impact analysis is to assist decision-makers in understanding the potential ramifications of a regulation as it is being developed. The analysis is also intended to assist the public in understanding the general economic ramifications of a regulation, both in the aggregate as well as the major policy areas of a regulation and how they are likely to affect the major industries or sectors of the economy covered by it.

In accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104–121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (OMB) has determined that this rule is a major rule for the purpose of congressional review.

The proposal for the privacy regulation included a preliminary regulatory impact analysis (RIA) which estimated the cost of the rule at $3.8 billion over five years. The preliminary
analysis also noted that a number of significant areas were not included in the estimate due to inadequate information. The proposal solicited public comment on these and all other aspects of the analysis. In this preamble, the Department has summarized the public comments pertinent to the cost analysis and its response to them. However, because of the extensive policy changes incorporated in the final regulation, additional data collected from the public comments and the Department’s fact-finding, and changes in the methodology underlying the estimates, the Department is setting forth in this section a more complete explanation of its revised estimates and how they were obtained. This will facilitate a better understanding by the public of how the estimates were developed and provide more insight into how the Department believes the regulation will ultimately affect the health care sector.

The impact analysis measures the effect of the regulation on current practices. In the case of privacy, as discussed in the preamble, there already exist considerable, though quite varied, efforts to protect the confidentiality of medical information. The RIA is measuring the change in these current practices and the cost of new and additional responsibilities that are required to conform to the new regulation.

To achieve a reasonable level of privacy protection, the Department defined three objectives for the final rule: (1) To establish national baseline standards, implementation specifications, and requirements for health information privacy protection, (2) to protect the privacy of individually identifiable health information maintained or transmitted by covered entities, and (3) to protect the privacy of all individually identifiable health information within covered entities, regardless of its form.

Establishing minimum standards, implementation specifications, and requirements for health information privacy protection creates a level baseline of privacy protection for patients across states. The Health Privacy Project’s report, The State of Health Privacy: An Uneven Terrain [33], makes it clear that under the current system of state laws, privacy protection is extremely variable. The Department’s statutory authority under HIPAA which allows the privacy regulation to preempt any state law if such law is contrary to and not more stringent than privacy protection pursuant to this regulation. This sets a floor, but permits a state to create laws that are more protective of privacy. We discuss preemption in greater detail in other parts of the preamble.

[33] Janlori Goldman, Institute for Health Care Research and Policy, Georgetown University: <http://www.healthprivacy.org/resources>.

The second objective is to establish a uniform base of privacy protection for individually identifiable health information maintained or transmitted by covered entities. HIPAA restricts the type of entities covered by the rule to three broad categories: health care providers that transmit health information in HIPAA standard transactions, health plans, and health care clearinghouses. However, there are similar public and private entities that are not within the Department’s authority to regulate under HIPAA. For example, life insurance companies are not covered by this rule but may have access to a large amount of individually identifiable health information.

The third objective is to protect the privacy of all individually identifiable health information held by covered entities, including their business associates. Health information is currently stored and transmitted in multiple forms, including electronic, paper, and oral forms. To provide consistent protection to information, and to avoid requiring covered entities to distinguish between health information that has been transmitted or maintained electronically and that which has not, this rule covers all individually identifiable health information in any form maintained or transmitted by a covered entity.

For purposes of this cost analysis, the Department has assumed all health care providers will be affected by the rule. This results in an overestimation of costs because there are providers that do not engage in any HIPAA standard transactions, and therefore, are not affected. The Department could not obtain any reliable data on the number of such providers, but the available data suggest that there are very few such entities, and given the expected increase in all forms of electronic health care in the coming decade, the number of paper-only providers is likely to decrease.

A. Relationship of This Analysis to Analyses in Other HIPAA Regulations

Congress has recognized that privacy standards, implementation specifications and requirements must accompany the electronic data interchange standards, implementation specifications and requirements because the increased ease of transmitting and sharing individually identifiable health information will result in an increase in concern regarding privacy and confidentiality of such information. The bulk of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. The requirement for the issuance of concomitant privacy measures remained a part of the HIPAA bill passed by the House of Representatives in 1996, but the requirement for privacy measures was removed in conference. Instead, Congress added section 264 to Title II of HIPAA, which directs the Secretary to develop and submit to Congress recommendations addressing at least the following:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

The Secretary’s Recommendations were submitted to Congress on September 11, 1997, and are summarized below. Section 264(c)(1) of HIPAA provides that: If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than (February 21, 2000). Such regulations shall address at least the subjects described in subsection (regarding recommendations).

Because the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, the Department has, in accordance with this statutory mandate, developed final rules setting forth standards to protect the privacy of such information.

Title II of the Health Insurance Portability and Accountability Act (HIPAA) also provides a statutory framework for the promulgation of other administrative simplification regulations. On August 17, 2000, the Transactions Rule was published. Proposals for health care provider identifier (May 1998), employer identifier (June 1998), and security and electronic signature standards (August 1998) have also been published. These
regulations are expected to be made final in the foreseeable future.

HIPAA states that, ‘‘any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.’’ (Section 1172(b)). This provision refers to the administrative simplification regulations in their totality, including this rule regarding privacy standards. The savings and costs generated by the various standards should result in a net savings to the health care system. The Transactions Rule shows a net savings of $29.9 billion over ten years (2002–2011), or a net present value savings of $19 billion. This estimate does not include the growth in ‘‘e-health’’ and ‘‘e-commerce’’ that may be spurred by the adoption of uniform codes and standards.

This final Privacy Rule is estimated to produce net costs of $18.0 billion, with net present value costs of $11.8 billion (2003 dollars) over ten years (2003–2012). This estimate is based on some costs already having been incurred due to the requirements of the Transactions Rule, which included an estimate of a net savings to the health care system of $29.9 billion over ten years (2002 dollars) and a net present value of $19.1 billion. The Department expects that the savings and costs generated by all administrative simplification standards should result in a net savings to the health care system.

B. Summary of Costs and Benefits

Measuring both the economic costs and benefits of health information privacy is difficult. Traditionally, privacy has been addressed by state laws, contracts, and professional practices and guidelines. Moreover, these practices have been evolving as computers have dramatically increased the potential use of medical data; the scope and form of health information is likely to be very different ten years from now than it is today. This final regulation is both altering current health information privacy practice and shaping its evolution as electronic uses expand.

To estimate costs, the Department used information from published studies, trade groups and associations, public comments to the proposed regulation, and fact-finding by staff. The analysis focused on the major policy areas in the regulation that would result in significant costs. Given the vast array of institutions affected by this regulation and the considerable variation in practices, the Department sought to identify the ‘‘typical’’ current practice for each of the major policy areas and estimate the cost of change resulting from the regulation. Because of the paucity of data and incomplete information on current practices, the Department has consistently made conservative assumptions (that is, given uncertainty, we have made assumptions that, if incorrect, are more likely to overstate rather than understate the true cost).

Benefits are difficult to measure because people conceive of privacy primarily as a right, not as a commodity. Furthermore, a wide gap appears to exist between what people perceive to be the level of privacy afforded health information about them and what actually occurs with the use of such information today. Arguably, the ‘‘cost’’ of the privacy regulation is the amount necessary to bring health information privacy to these perceived levels.

The benefits of enhanced privacy protections for individually identifiable health information are significant, even though they are hard to quantify. The Department solicited comments on this issue, but no commenters offered a better alternative. Therefore, the Department is essentially reiterating the analysis it offered in the proposed Privacy Rule. The illustrative examples set forth below, using existing data on mental health, cancer screening, and HIV/AIDS patients, suggest the level of economic and health benefits that might accrue to individuals and society. Moreover, the benefits of improved privacy protection are likely to increase in the future as patients gain trust in health care practitioners’ ability to maintain the confidentiality of their health information.

The estimated cost of compliance with the final rule is $17.6 billion over the ten year period, 2003–2012 [34]. This includes the cost of all the major requirements for the rule, including costs to federal, state and local governments. The net present value of the final rule, applying an 11.2 percent discount rate [35], is $11.8 billion [36].

[34] The proposed privacy rule provided an estimate for a five-year period. However, the Transactions Rule provided a cost estimate for a ten year period. The decision was made to provide the final privacy estimates in a ten year period so that it would be possible to compare the costs and benefits of the two regulations.

[35] This is based on a seven percent real discount rate, explained in OMB Circular A–94, and a projected 4.2 percent inflation rate projected over the ten-year period covered by this analysis.

[36] The regulatory impact analysis in the Transactions Rule showed a net savings of $29.9 billion (net present value of $19.1 billion in 2002 dollars). The cost estimates included all electronic systems changes that would be necessitated by the HIPAA administrative standards (e.g., security, safeguards, and electronic signatures; eligibility for a health plan; and remittance advice and payment claim status), except privacy. At the time the Transactions Rule was developed, the industry provided estimates for the systems changes in the aggregate. The industry argued that affected parties would seek to make all electronic changes in one effort because that approach would be the most cost-efficient. The Department agreed, and therefore, it ‘‘bundled’’ all the system change cost in the Transactions Rule estimate. Privacy was not included because at the time the Department had not made a decision to develop a privacy rule. As the Department develops other HIPAA administrative simplification standards, there may be additional costs and savings due to the non-electronic components of those regulations, and they will be identified in regulatory impact analyses that accompany those regulations. The Department anticipates that such costs and savings will be relatively small compared to the privacy and Transactions rules. The Department anticipates that the net economic impact of the rules will be a net savings to the health care system.

The first year estimate is $3.2 billion (this includes expenditures that may be incurred before the effective date in 2003). This represents about 0.23 percent of projected national health expenditures for 2003 [37]. By 2008, seven years after the rule’s effective date, the rule is estimated to cost 0.07 percent of projected national health expenditures.

[37] Health spending projections from National Health Expenditure Projections 1998–2008 (January 2000), Health Care Financing Administration, Office of the Actuary, <http://hcfa.hhs.gov/stats/nhe-proj/>.

The largest cost items are the requirement to have a privacy official, $5.9 billion over ten years, and the requirement that disclosures of protected health information only involve the minimum amount necessary, $5.8 billion over ten years (see Table 1). These costs reflect the change that affected organizations will have to undertake to implement and maintain compliance with the requirements of the rule and achieve enhanced privacy of protected health information.


TABLE 1.—THE COST OF COMPLYING WITH THE PROPOSED PRIVACY REGULATION
[In dollars]

Provision                                    Initial or first   Average annual    Ten year cost
                                             year cost (2003,   cost ($million,   (2003–2012)
                                             $million)          years 2–10)       ($million)
------------------------------------------------------------------------------------------------
Policy Development                                   597.7                0               597.7
Minimum Necessary                                    926.2            536.7             5,756.7
Privacy Officials                                    723.2            575.8             5,905.8
Disclosure Tracking/History                          261.5             95.9             1,125.1
Business Associates                                  299.7             55.6               800.3
Notice Distribution                                   50.8             37.8               391.0
Consent                                              166.1              6.8               227.5
Inspection/Copying                                     1.3              1.7                16.8
Amendment                                              5.0              8.2                78.8
Requirements on Research                              40.2             60.5               584.8
Training                                             287.1             50.0               737.2
De-Identification of Information                     124.2            117.0             1,177.4
Employers with Insured Group Health Plans             52.4                0                52.4
Internal Complaints                                    6.6             10.7               103.2
------------------------------------------------------------------------------------------------
Total *                                            3,242.0          1,556.9            17,554.7
Net Present Value                                  3,242.0            917.8            11,801.8

* Note: Numbers may not add due to rounding.

C. Need for the Final Rule

The need for a national health information privacy framework is described in detail in Section I of the preamble above. In short, privacy is a necessary foundation for delivery of high quality health care—the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers. At the same time, there is increasing public concern about loss of privacy generally, and health privacy in particular. The growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual's genetic make-up, and the increasing complexity of the health care system each bring the potential for tremendous benefits to individuals and society, but each also brings new potential for invasions of our privacy.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. Section I of the preamble, above, lists numerous examples of the kinds of deliberate or accidental privacy violations that call for a national legal framework of health privacy protections. Disclosure of health information about an individual can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. The answer to these concerns is not for consumers to withdraw from the health care system, but for society to establish a clear national legal framework for privacy.

This section adds to the discussion in Section I, above, a discussion of the market failures inherent in the current system which create additional and compelling reasons to establish national health information privacy standards. Market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy of health information concern information, negotiation, and enforcement costs between the entity and the individual. The information costs arise because of the information asymmetry between the company and the patient—the company typically knows far more than the patient about how the protected health information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information may be generated, combined with other databases, or sold to third parties. Absent this regulation, patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. A patient generally will have difficulty understanding medical records and the implications of transferring health information about them to a third party. Second, in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company's privacy policies.

The costs of learning about companies' policies are magnified by the difficulty patients face in detecting whether companies, in fact, are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information. Therefore, the cost and ineffectiveness of monitoring leads to less than optimal protection of individually identifiable health information.

The incentives facing a company that acquires individually identifiable health information also discourage privacy protection. A company gains the full benefit of using such information, including its own marketing efforts or its ability to sell the information to third parties. The company, however, does not suffer the losses from disclosure of protected health information; the patient does. Because of imperfect monitoring, customers often will not


learn of, and thus not be able to take efficient action to prevent uses or disclosures of sensitive information. Because the company internalizes the gains from using the information, but does not bear a significant share, if any, of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use individually identifiable health information. In market failure terms, companies will have an incentive to use individually identifiable health information where the patient would not have freely agreed to such use.

These difficulties are exacerbated by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The current system leads to significant market failures in bargaining privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached.

The economic arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records. Rapid changes in information technology should result in increased market failures in the markets for individually identifiable health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many health care providers and health plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information, where appropriate. This privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.

If the medical system shifts predominantly to electronic records in the near future, accompanying privacy rules will become more critical to prevent unanticipated, inappropriate, or unnecessary uses or disclosures of individually identifiable health information without patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or health plan is using health information about them. It will become more difficult to monitor the subsequent flows of individually identifiable health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients' desired level of use will likely rise due to the greater number and types of entities that receive protected health information.

As the benefits section, below, discusses in more detail, the protection of privacy and correcting the market failure also have practical implications. Where patients are concerned about lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health, and HIV. Similarly, patients who are concerned about lack of privacy protections may report health information inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to mis-diagnosis and less-than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of forgone or inappropriate treatment.

In summarizing the economic arguments supporting the need for this regulation, the discussion here has emphasized the market failures that will be addressed by this regulation. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby, foster better health. The proposed regulation may also help educate providers, health plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.

D. Baseline Privacy Protections

An analysis of the costs and benefits of the regulation requires a baseline from which to measure the regulation's effects. For some regulations, the baseline is relatively straightforward. For instance, an industry might widely use a particular technology, but a new regulation may require a different technology, which would not otherwise have been adopted by the industry. In this example, the old and widely used technology provides the baseline for measuring the effects of the regulation. The costs and the benefits are the difference between keeping the old technology and implementing the new technology.

Where the underlying technology and industry practices are rapidly changing, however, it can be far more difficult to determine the baseline and thereby measure the costs and benefits of a regulation. There is no simple way to know what technology industry would have chosen to introduce if the regulation had never existed, nor how industry practices would have evolved. Today, the entities covered by the HIPAA privacy regulation are in the midst of a shift from primarily paper records to electronic records. As covered entities spend significant resources on hardware, software, and other information technology costs, questions arise about which of these costs are fairly attributable to the privacy regulations as opposed to costs that would have been expended even in the absence of the regulations. Industry practices generally are rapidly evolving, as described in more detail in Part I of this preamble. New technological or other measures taken to protect privacy are in part attributable to the expected expense of shifting to electronic medical records, rather than being solely attributable to the new regulations. In addition, the existence of privacy rules in other sectors of the economy helps set a norm for what practices will be considered good practices for health information. The level of privacy protection that would exist in the health care sector, in the absence of regulations, thus would likely be affected by regulatory and related developments in other sectors. In short, it is therefore difficult to project a cost or benefits baseline for this rule.

The common security practice of using "firewalls" illustrates how each of the three baselines might apply. Under the first baseline, the full cost of implementing firewalls should be included in a Regulatory Impact


Analysis for a rule that expects entities to have firewalls. Because current law has not required firewalls, a new rule expecting this security measure must include the full cost of creating firewalls. This approach, however, would seem to overstate the cost of such a regulation. Firewalls would seem to be an integral part of the decision to move to an on-line, electronic system of records. Firewalls are also being widely deployed by users and industries where no binding security or privacy regulations have been proposed.

Under the second baseline, the touchstone is the level of risk of security breaches for individually identifiable health information under current practices. There is quite possibly a greater risk of breach for an electronic system of records, especially where such records are accessible globally through the Internet, than for patient records dispersed among various doctors' offices in paper form. Using the second baseline, the costs of firewalls for electronic systems should not be counted as a cost of the regulation except where firewalls create greater security than existed under the previous, paper-based system.

Finally, the third baseline would require an estimate of the typical level of firewall protections that covered entities would adopt in the absence of regulation, and include in the Regulatory Impact Analysis only the costs that exceed what would otherwise have been adopted. For this analysis, the Department has generally assumed that the status quo would otherwise exist throughout the ten-year period (in a few areas we explicitly discuss likely changes). We made this decision for two reasons. First, predicting the level of change that would otherwise occur is highly problematic. Second, it is a "conservative" assumption—that is, any error will likely be an overstatement of the true costs of the regulation.

Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by state law. On occasion, state laws defer to professional conduct codes. At present, where professional organizations and states have developed only limited guidelines for privacy practices, an entity may implement privacy practices independently. However, it is worth noting that changes in privacy protection continue to increase in various areas. For example, European Union countries may only send individually identifiable information to companies, including U.S. firms, that comply with their privacy standards, and the growing use of health data in other areas of commerce, such as finance and general commercial marketing, have also increased the demand for privacy in ways that were not of concern in the past.

1. Professional Codes of Ethics

The Department examined statements issued by five major professional groups, one national electronic network association and a leading managed care association.38 There are a number of common themes that all the organizations appear to subscribe to:

• The need to maintain and protect an individual's health information;

• The development of policies to ensure the confidentiality of individually identifiable health information;

• A restriction that only the minimum necessary information should be released to accomplish the purpose for which the information is sought.

Beyond these principles, the major associations differ with respect to the methods used to protect individually identifiable health information. There is no common professional standard across the health care field with respect to the protection of individually identifiable health information. One critical area of difference is the extent to which professional organizations should release individually identifiable health information. A major mental health association advocates the release of identifiable patient information " * * * only when de-identified data are inadequate for the purpose at hand." A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to "sell" patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release of the information.

Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies its position by stating that the physician has the final word on whether a patient has access to his or her health information. This association also recommends that its members respond to requests for access to patient information within ten days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in his or her record and the entity refuses to accept the patient's change, the patient's statement should be included as a permanent part of the patient's record.

In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of individually identifiable health information.

The one set of standards that we reviewed from a health network association advocated the protection of individually identifiable health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting individually identifiable health information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. The association suggested allowing the use of protected health information without the patient's authorization for what they term "health promotion." It is possible that the use of protected health information for "health promotion" may be construed under the rule as part of marketing activities.

Based on the review of the leading association standards, we believe that the final rule embodies most or all of the major principles expressed in the standards. However, there are some major areas of difference between the rule and the professional standards reviewed. The final rule generally provides stronger, more consistent, and more comprehensive guarantees of privacy for individually identifiable health information than the professional standards. The differences between the rule and the professional codes include the individual's right of access to health information in the covered entity's possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice

38 American Association of Health Plans, Code of Conduct; http:www.aahp.org.; American Dental Association, Principles of Ethics and Professional Conduct; http://www.ada.org.; American Hospital Association, "Disclosure of Medical Record Information," Management Advisory: Information Management; 1990, AHA: Chicago, IL.; American Medical Association, AMA Policy Finder—Current Opinions Council on Ethical and Judicial Affairs; several documents available through the Policy Finder at http:www.ama-assn.org.; American Psychiatric Association, "APA Outlines Standards Needed to Protect Patient's Medical Record"; Release No. 99–32, May 27, 1999; http:www.psych.org.


and the ability to respond to questions related to the notice. Because the regulation requires that (with a few exceptions) patients have access to their protected health information that a covered entity possesses, large numbers of health care providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that health care providers or health plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes. The regulation allows for the release of protected health information for research purposes without an individual's authorization, but only if such authorization is waived for the research by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.

2. State Laws

The second body of privacy protections is found in a complex, and often confusing, myriad of state laws and requirements. To determine whether or not the final rule would preempt a state law, first we identified the relevant laws, and second, we addressed whether state or federal law provides individuals with greater privacy protection.

Identifying the Relevant State Statutes: Health information privacy provisions can be found in laws applicable to many issues including insurance, worker's compensation, public health, birth and death records, adoptions, education, and welfare. In many cases, state laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person's ability to drive a car. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project,39 Florida is not unique. Every state has laws and regulations covering some aspect of medical information privacy. For the purpose of this analysis, we simply acknowledge the variation in state requirements.

We recognize that covered entities will need to learn the laws of their states in order to comply with such laws that are not contrary to the rule, or that are contrary to and more stringent than the rule. This analysis should be completed in the context of individual markets; therefore, we expect that professional associations or individual businesses will complete this task.

Recognizing the limits of our ability to effectively summarize state privacy laws, we discuss conclusions generated by the Georgetown University Privacy Project's report, The State of Health Privacy: An Uneven Terrain. The Georgetown report is among the most comprehensive examinations of state health privacy laws currently published, although it is not exhaustive. The report, which was completed in July 1999, is based on a 50-state survey.

To facilitate discussion, we have organized the analysis into two sections: access to health information and disclosure of health information. Our analysis is intended to suggest areas where the final rule appears to preempt various state laws; it is not designed to be a definitive or wholly comprehensive state-by-state comparison.

Access to Subject's Information: In general, state statutes provide individuals with some access to medical records about them. However, only a few states allow individuals access to health information held by all their health care providers and health plans. In 33 states, individuals may access their hospital and health facility records. Only 13 states guarantee individuals access to their HMO records, and 16 states provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three states and the District of Columbia have laws that only assure individuals' right to access their mental health records. Only one state permits individuals access to records about them held by health care providers, but it excludes pharmacists from the definition of provider. Thirteen states grant individuals statutory right of access to pharmacy records.

The amount that entities are allowed to charge for copying of individuals' records varies widely from state to state. A study conducted by the American Health Information Management Association 40 found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record. In 35 states, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by state, but also by the purpose of the request and the facility holding the health information. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.

Of the 35 states with laws regulating inspection and copying charges, seven states either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some states may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. Many states allow fee structures, while eleven states specify that the record holder may charge "reasonable/actual costs."

According to the report by the Georgetown Privacy Project, among states that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others.

The amount of time an entity is given to supply the individual with his or her record varies widely. Many states allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few states provide the right to insert a statement in the record challenging the covered entity's information when the individual and entity disagree.41

Disclosure of Health Information: State laws vary widely with respect to disclosure of individually identifiable health information. Generally, states have applied restrictions on the disclosure of health information either to specific entities or for specific health conditions. Only three state laws place broad limits on disclosure of individually identifiable health information without regard for policies and procedures developed by covered entities. Most states require patient authorization before an entity may disclose health information to certain recipients, but the patient often does not have an opportunity to object to any disclosures.42

It is also important to point out that none of the states appear to offer individuals the right to restrict disclosure of their health information for treatment.

39 Ibid, Goldman, p. 6.

40 "Practice Briefs," Journal of AHIMA; Harry Rhodes, Joan C. Larson, Association of Health Information Outsourcing Service; January 1999.

41 Ibid, Goldman, p. 20.

42 Ibid, Goldman, p. 21.
State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions. Restrictions on re-disclosure of individually identifiable health information also vary widely from state to state. Some states restrict the re-disclosure of health information, and others do not. The Georgetown report cites state laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re-disclosure of protected health information.

Most states have adopted specific measures to provide additional protections for health information regarding certain sensitive conditions or illnesses. The conditions and illnesses most commonly afforded added privacy protection are:

• Information derived from genetic testing;
• Communicable and sexually-transmitted diseases;
• Mental health; and
• Abuse, neglect, domestic violence, and sexual assault.

Some states place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient's authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some states require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for states to require researchers to obtain sensitive, identifiable information from a state public health department. One state does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them an opportunity to object to the use of their information.43

Comparing state statutes to the final rule: The variability of state law regarding privacy of individually identifiable health information and the limitations of the applicability of many such laws demonstrates the need for uniformity and minimum standards for privacy protection. This regulation is designed to meet these goals while allowing stricter state laws to be enacted and remain effective. A comparison of state privacy laws with the final regulation highlights several of the rule's key implications:

• No state law requires covered entities to make their privacy and access policies available to patients. Thus, all covered entities that have direct contact with patients will be required by this rule to prepare a statement of their privacy protection and access policies. This necessarily assumes that entities have to develop procedures if they do not already have them in place.

• The rule will affect more entities than are covered or encompassed under many state laws.

• Among the three categories of covered entities, it appears that health plans will be the most significantly affected by the access provisions of the rule. Based on the Health Insurance Association of America (HIAA) data,44 there are approximately 94.7 million non-elderly persons with private health insurance in the 35 states that do not provide patients a legal right to inspect and copy their records.

• Under the rule, covered entities will have to obtain an individual's authorization before they could use or disclose their information for purposes other than treatment, payment, and health care operations, except in the situations explicitly defined as allowable disclosures without authorization. Although the final rule would establish a generally uniform disclosure and re-disclosure requirement for all covered entities, the entities that currently have the greatest ability and economic incentives to use and disclose protected health information for marketing services to both patients and health care providers without individual authorization.

• While the final rule appears to encompass many of the requirements found in current state laws, it also is clear that within state laws, there are many provisions that cover specific cases and health conditions. Certainly, in states that have no restrictions on disclosure, the rule will establish a baseline standard. But in states that do place conditions on the disclosure of protected health information, the rule may place additional requirements on covered entities.

3. Other Federal Laws

The relationship with other federal statutes is discussed above in the preamble.

E. Costs

Covered entities will be implementing the privacy final rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the Transactions Rule, the data handling change occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards, implementation specifications, and requirements can be made concurrently with the changes required by the other regulations, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this incremental cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards are uncertain.

The costs associated with implementing the requirements under this Privacy Rule will be directly related to the number of affected entities and the number of affected transactions in each entity. There are approximately 12,200 health plans (including self-insured employer and government health plans that are at least partially self-administered),45 6480 hospitals, and 630,000 non-hospital providers that will bear implementation costs under the final rule.

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 17, 2000, the Secretary published a final rule to implement the HIPAA standards on electronic transactions. That rule adopted standards for eight electronic code sets to be used for those transactions. The proposed rule for security and electronic signature standards was published on August 12, 1998. That proposal specified the security requirements for covered entities that transmit and store information specified in Part C, Title II of the Act. In general, that proposed rule proposed administrative and technical standards for protecting "* * * any health information pertaining to an individual that is electronically

43 "Medical records and privacy: Empirical effects of legislation; A memorial to Alice Hersh"; McCarthy, Douglas B; Shatin, Deborah; et al. Health Service Research: April 1, 1999; No. 1, Vol. 34; p. 417. The article details the effects of the Minnesota law conditioning disclosure of protected health information on patient authorization.
44 Source Book of Health Insurance Data: 1997–1998, Health Insurance Association of America, 1998. p. 33.
45 "Health plans," for purposes of the regulatory impact and regulatory flexibility analyses, include licensed insurance carriers who sell health products; third party administrators that will have to comply with the regulation for the benefit of the plan sponsor; and self-insured health plans that are at least partially administered by the plan sponsor.
maintained or transmitted." (63 FR 43243). The final Security Rule will detail the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that health information is safe from destruction and tampering from people without authorization for its access.

By contrast, the Privacy Rule describes the requirements that govern the circumstances under which protected health information must be used or disclosed with and without patient involvement and when a patient may have access to his or her protected health information.

While the vast majority of health care entities are privately owned and operated, we note that federal, state, and local government providers are reflected in the total costs as well. Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but it represents a relatively small proportion of all provider entities. We estimated that the number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately two percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. Indian Health Service and tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In developing the rule, the Department consulted with states, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the states and tribes.

The costs associated with this final rule involve, for each provision, consideration of both the degree to which covered entities must modify their existing records management systems and privacy policies under the final rule, and the extent to which there is a change in behavior by both patients and the covered entities as a result of the final rule. The following sections examine these provisions as they apply to the various covered entities under the final rule. The major costs that covered entities will incur are one-time costs associated with implementation of the final rules, and ongoing costs that result in continuous requirements in the final rule.

The Department has quantified the costs imposed by the final regulation to the extent possible. The costs of many provisions were estimated by first using data from the Census Bureau's Statistics of U.S. Business to identify the number of non-hospital health care providers, hospitals and health plans. Then, using the Census Bureau's Current Population Survey (CPS) wage data for the classes of employees affected by the rule, the Department identified the hourly wage of the type of employee assumed to be most likely responsible for compliance with a given provision. Where the Department believed a number of different types of employees might be responsible for complying with a certain provision, as is often expected to be the case, the Department established a weighted-average wage based on the types of employees involved. Finally, the Department made assumptions regarding the number of person-hours per institution required to comply with the rule.

The Department cannot determine precisely how many person-hours per institution will be required to comply with a given provision; however, the Department attempted to establish reasonable estimates based on fact-finding discussions with private sector health care providers, the advice of the Department's consultants, and the Department's own best judgement of the level of burden required to comply with a given provision. Moreover, the Department recognizes that the number of hours required to comply with a given requirement of the rule will vary from provider to provider and health plan to health plan, particularly given the flexibility and scalability permitted under the rule. Therefore, the Department considers the estimates to be averages across the entire class of health care providers, hospitals, or health plans in question.

Underlying all annual cost estimates are growth projections. For growth in the number of patients, the Department used data from the National Ambulatory Medical Care Survey, the National Hospital Ambulatory Medical Care Survey, the National Home and Hospice Survey, the National Nursing Home Survey, and information from the American Hospital Association. For growth in the number of health care workers, the Department used data from the Bureau of Health Professions in the Department's Health Resources Services Administration (HRSA). For insurance coverage growth (private and military coverage), we used a five-year average annual growth rate in employer-sponsored, individual, military, and overall coverage growth from the Census Bureau's CPS, 1995–1999. To estimate growth in the number of Medicare and Medicaid enrollees, the Department used the enrollment projections of the Health Care Financing Administration's Office of the Actuary. For growth in the number of hospitals, health care providers and health plans, trend rates were derived from the Census Bureau's Statistics of U.S. Businesses, using SIC code-specific five-year annual average growth rates from 1992–1997 (the most recent data available). For wage growth, the Department used the same assumptions made in the Medicare Trustees' Hospital Insurance Trust Fund report for 2000.

In some areas, the Department was able to obtain very reliable data, such as survey data from the Statistics of U.S. Businesses and the Medical Expenditures Panel Survey (MEPS). In numerous areas, however, there was too little information or data to support quantitative estimates. As a result, the Department relied on data provided in the public comments or subsequent fact-finding to provide a basis for making key assumptions. We were able to provide a reasonable cost estimate for virtually all aspects of the regulation, except law enforcement. In this latter area, the Department was unable to obtain sufficient data about current practices (e.g., the number of criminal and civil investigations that may involve requests for protected health information, the number of subpoenas for protected health information, etc.) to determine the marginal effects of the regulation. As discussed more fully below, the Department believes the effects of the final rule are marginal because the policies adopted in the final rule appear to largely reflect current practice.

The NPRM included an estimate of $3.8 billion for the privacy proposal. The estimate for the final rule is $18.0 billion. Much of the difference can be explained by two factors. First, the NPRM estimate was for five years; the final rule estimate is for ten years. The Department chose the longer period for the final rule because ten years was also the period of analysis in the Transactions Rule RIA, and we wanted to facilitate comparisons, given that the net benefits and costs of the administrative simplification rules should be considered together. Second, the final impact analysis includes cost estimates for a number of key provisions that were not estimated in the NPRM because the Department did not have adequate information at the time.
Although we received little usable data in the public comments (see comment and response section), the Department was able to undertake more extensive fact-finding and collect sufficient information to make informed assumptions about the level of effort and time various provisions of the final rule are likely to impose on different types of affected entities.

The estimate of $18.0 billion represents a gross cost, not a net cost. As discussed more fully below in the benefits section, the benefits of enhanced privacy and confidentiality of personal health information are very significant. If people believe their information will be used properly and not disseminated beyond certain bounds without their knowledge and consent, they will be much more likely to seek proper health care, provide all relevant health information, and abide by their providers' recommendations. In addition, more confidence by individuals and covered entities that privacy will be maintained will lead to an increase in electronic transactions and the efficiencies and cost savings that stem from such action. The benefits section quantifies some examples of benefits. The Department was not able to identify data sources or models that would permit us to measure benefits more broadly or accurately. The inability to quantify benefits, however, does not lessen the importance or value that is ultimately realized by having a national standard for health information privacy.

The largest initial costs resulting from the final Privacy Rule stem primarily from the requirement that covered entities use and disclose only the minimum necessary protected health information, that covered entities develop policies and codify their privacy procedures, and that covered entities designate a privacy official and train all personnel with access to individually identifiable health information. The largest ongoing costs will result from the minimum necessary provisions pertaining to internal uses of individually identifiable health information, and the cost of a privacy official. In addition, covered entities will have recurring costs for training, disclosure tracking and notice requirements. A smaller number of large entities may have significant costs for de-identification of protected health information and additional requirements for research.

The privacy costs are in addition to the Transactions Rule estimates. The cost of complying with the regulation represents approximately 0.23 percent of projected national health expenditures the first year the regulation is enacted. The costs for the first eight years of the final regulation represent 0.07 percent of the increase in national health care costs experienced over the same period.46

Minimum Necessary

The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine and recurring basis, such as insurance claims, a covered entity is required to have policies and procedures for governing such exchanges (but the rule does not require a case-by-case determination); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed.

Based on public comments and subsequent fact-finding, the Department has concluded that the requirements of the final rule are generally similar to the current practice of most providers. For standard disclosure requests, for example, providers generally have established procedures for determining how much health information is released. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much health information is necessary for such disclosure. Under the final rule, we anticipate providers will have to be more thorough in their policies and procedures and more vigilant in their oversight of them; hence, the costs of this provision are significant.

To make the final estimates for this provision, the Department considered the minimum necessary requirement in two parts. First, providers, hospitals, and health plans will need to establish policies and procedures which govern uses and disclosures of protected health information. Next, these entities will need to adjust current practices that do not comply with the rule, such as updating passwords and making revisions to software.

To determine the policies and procedures for the minimum necessary requirement, the Department assumed that each hospital would spend 160 hours, health plans would spend 107 hours, and non-hospital providers would spend 8 hours. As noted above, the time estimates for this and other provisions of the rule are considered an average number of person-hours for the institutions involved. An underlying assumption is that some hospitals, and to a lesser extent health plans, are part of chains or larger entities that will be able to prepare the basic materials at a corporate level for a number of covered entities.

Once the policies and procedures are established, the Department estimates there will be costs resulting from implementing the new policies and procedures to restrict internal uses of protected health information to the minimum necessary. Initially, this will require 560 hours for hospitals, 160 hours for health plans, and 12 hours for non-hospital providers.47 The wage for health care providers and hospitals is estimated at $47.28, a weighted average of various health care professionals based on CPS data; the wage for health plans is estimated to be $33.82, based on average wages in the insurance industry (note that all wage assumptions in this impact analysis assume a 39 percent load for benefits, the standard Bureau of Labor Statistics assumption). In addition, there will be time required on an annual basis to ensure that the implemented practices continue to meet the requirements of the rule. Therefore, the Department estimates that on an annual ongoing basis (after the first year), hospitals will require 320 hours, health plans 100 hours, and non-hospital providers 8 hours to comply with this provision.

The initial cost attributable to the minimum necessary provision is $926 million. The total cost of the provision is $5.757 billion. (These estimates are for the cost of complying with the minimum necessary provisions that restrict internal uses to the minimum necessary. The Department has estimated in the business associates section below the requirement limiting disclosures outside the covered entity to the minimum amount necessary.)

Privacy Official

The final rule requires entities to designate a privacy official who will be responsible for the development and implementation of privacy policies and procedures. In this cost analysis, the Department has estimated each of the primary administrative requirements of the rule (e.g., training, policy and

46 Health Care Finance Administration, Office of the Actuary, 2000. Estimates for the national health care expenditure accounts are only available through 2008; hence, we are only able to make the comparison through that year.
47 These estimates were, in part, derived from a report prepared for the Department by the Gartner Group, consultants in health care information technology: "Gartner DHHS Privacy Regulation Study," by Jim Klein and Wes Rishel, submitted to the Office of the Assistant Secretary for Policy and Evaluation on October 20, 2000.
procedure development, etc.), including the development and implementation costs associated with each specific requirement. These activities will certainly involve the privacy official to some degree; thus, some costs for the privacy official, particularly in the initial years, are subsumed in other cost requirements. Nonetheless, we anticipate that there will be additional ongoing responsibilities that the privacy official will have to address, such as coordinating between departments, evaluating procedures and assuring compliance. To avoid double-counting, the cost calculated in this section is only for the ongoing, operational functions of a privacy official (e.g., clarifying procedures for staff) that are in addition to items discussed in other sections of this impact analysis.

The Department assumes the privacy official role will be an additional responsibility given to an existing employee in the covered entity, such as an office manager in a small entity or a compliance official in a larger institution. Moreover, today any covered entity that handles individually identifiable health information has one or more people with responsibility for handling and protecting the confidentiality of such information. As a result of the specific requirement for a privacy official, the Department assumes covered entities will centralize this function, but the overall effort is not likely to increase significantly.

Specifically, the Department has assumed non-hospital providers will need to devote, on average, an additional 30 minutes per week of an official's time (i.e., 26 hours per year) to compliance with the final regulation for the first two years and 15 minutes per week for the remaining eight years (i.e., 13 hours per year). For hospitals and health plans, which are more likely to have a greater diversity of activities involving privacy issues, we have assumed three hours per week for the first two years (i.e., 156 hours per year), and 1.5 hours per week for the remaining eight years (i.e., 78 hours per year).

For non-hospital providers, the time was calculated at a wage of $34.13 per hour, which is the average wage for managers of medicine and health according to the CPS. For hospitals, we used a wage of $79.44, which is the rate for senior planning officers.48 For health plans, the Department assumed a wage of $88.42 based on the wage for top claims executives.49 Although individual hospitals and health plans may not necessarily select their planning officers or claims executives to be their privacy officials, we believe they will be of comparable responsibility, and therefore comparable pay, in larger institutions.

The initial year cost for privacy officials will be $723 million; the ten-year cost will be $5.9 billion.

Internal Complaints

The final rule requires each covered entity to have an internal process to allow an individual to file a complaint concerning the covered entity's compliance with its privacy policies and procedures. The requirement includes designating a contact person or office responsible for receiving complaints and documenting the disposition of them, if any. This function may be performed by the privacy official, but because it is a distinct right under the final rule and may be performed by someone else, we are costing it separately.

The covered entity is only required to receive and document a complaint (no response is required), which we assume will take, on average, ten minutes (the complaint can be oral or in writing). The Department believes that such complaints will be uncommon. We have assumed that one in every thousand patients will file a complaint, which is approximately 10.6 million complaints over ten years. Based on a weighted-average hourly wage of $47.28 at ten minutes per complaint, the cost of this policy is $6.6 million in the first year. Using wage growth and patient growth assumptions, the cost of this policy is $103 million over ten years.

Disclosure Tracking and History

The final rule requires providers to be able to produce a record of all disclosures of protected health information, except in certain circumstances. The exceptions include disclosures for treatment, payment, health care operations, or disclosures to an individual. This requirement will require a notation in the record (electronic or paper) of when, to whom, and what information was disclosed, as well as the purpose of such disclosure or a copy of an individual's written authorization or request for a disclosure. Based on information from several hospital sources, the Department assumes that all hospitals already track disclosures of individually identifiable health information and that 15 percent of all patient records held by a hospital will have an annual disclosure that will have to be recorded in an individual's record. It was more difficult to obtain a reliable estimate for non-hospital providers, though it appears that they receive many fewer requests. The Department assumed a ten percent rate for ambulatory care patients and five percent for nursing homes, home health, dental and pharmacy providers. (It was difficult to obtain any reliable data for these latter groups, but those we talked to said that they had very few, and some indicated that they currently keep track of them in the records.) These estimated percentages represent about 63 million disclosures that will have to be recorded in the first year, with each recording estimated to require two minutes. At the average nurse's salary of $30.39 per hour, the cost in the first year is $25.7 million. For health plans, the Department assumed that disclosures of protected health information are more rare than for health care providers. Therefore, the Department assumed that there will be disclosures of protected health information for five percent of covered lives. At the average wage for the insurance industry of $33.82 per hour, the initial cost for health plans is $6.8 million. Using our standard growth rates for wages, patients, and covered entities, the ten-year cost for providers and health plans is $519 million.

In addition, although hospitals generally track patient disclosures today, the Department assumes that hospitals will seek to update software systems to assure full compliance. Based on software upgrade costs provided by the Department's private sector consultants with expertise in the area (the Gartner Group), the Department assumed that each upgrade would cost $35,000 initially and $6,300 annually thereafter, for a total cost of $572 million over ten years.

The final rule also requires covered entities to provide individuals with an accounting of disclosures upon request. The Department assumes that few patients will request a history of disclosures of their protected medical information. Therefore, we estimate that one in a thousand patients will request such an accounting each year, which is approximately 850,000 requests. If it takes an average of five minutes to copy any disclosures and the work is done by a nurse, the cost for the first year will be $2.1 million. The total ten-year cost is $33.8 million.

48 "Top Compensation in the Healthcare Industry, 1997", Coopers & Lybrand, New York, NY., <http://www.pohly.com/salary/2.shtml>.
49 "A Unifi Survey of Compensation in Financial Services: 2000," July 2000, Unifi Network Survey unit, PriceWaterhouseCoopers LLP and Global HR Solutions LLC, Westport, Ct., <http://public.wsj.com/careers/resources/documents/20000912-insuranceexecs-tab.htm>.
De-Identification of Information
The rule allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Currently, some entities release de-identified information for research purposes. De-identified information may originate from automated systems (such as records maintained by pharmacy benefit managers) and non-automated systems (such as individual medical records maintained by providers). As compared with current practice, the rule requires that an expanded list of identifiers be removed from the data (such as driver's license numbers, and detailed geographic and certain age information). For example, as noted in a number of public comments, complete birth dates (day, month, and year) and zip codes are currently often included in de-identified information. Under the final rule, only the year of birth (except in certain circumstances) and the first three digits of the zip code may be included in de-identified information.
These changes will not require extensive change from current practice. Providers generally remove most of the 19 identifiers listed in the final rule. The Department relied on Gartner Group estimates that some additional programmer time will be required by covered entities that produce de-identified information to revise their procedures to eliminate the additional identifiers. Entities that de-identify information will have to review existing and future data flows to assure compliance with the final rule. For example, an automated system may need to be re-programmed to remove additional identifiers from otherwise protected health information. (The costs of educating staff about the de-identification requirements are included in the cost estimate for training staff on privacy policies.)
The Department was not able to obtain any reliable information on the volume of medical data that is currently de-identified. To provide some measure of the potential magnitude, we assumed that health plans and hospitals would have an average of two existing agreements that would need to be reviewed and modified. Based on information provided by our consultants, we estimate that these agreements would require an average of 152 hours by hospitals and 116 hours by health plans to review and revise to conform to the final rule. Using the weighted average wage of $47.28, the initial costs will be $124 million. Using our standard growth rates for wages, patients, and covered entities, the total cost of the provision is $1.1 billion over ten years.
The Department expects that the final rule and the increasing trend toward computerization of large record sets will result over time in de-identification being performed by relatively few firms or associations. Whether the covered entity is a small provider with relatively few files or a hospital or health plan with large record files, it will be more efficient to contract with specialists in these firms or associations (as "business associates" of the covered entity) to de-identify files. The process will be different, but the ultimate cost is likely to be the same or only slightly higher, if at all, than the costs for de-identification today. The estimate is for the costs required to conform existing and future agreements to the provisions of the rule. The Department has not quantified the benefits that might arise from changes in the market for de-identified information because the centralization and efficiency that will come from it will not be fully realized for several years, and we do not have a reliable means of estimating such changes.
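As an added worked example (not part of the rule text or of the Department's analysis), the following Python applies the thresholds described above to a patient record: direct identifiers are dropped, the birth date is reduced to its year, and the ZIP code is truncated to its first three digits. It also scans the fields that pass through untouched, such as free-text notes, for a residual full date or 5-digit ZIP, which is the kind of data-flow review the text says entities will have to perform. The field names, the list of direct-identifier fields (an illustrative subset, not the rule's full list) and the sample record are constructed assumptions, and the exceptions the text alludes to for the year of birth are not implemented.

```python
"""Safe-harbor-style de-identification of a patient record, added here as
an illustration of the thresholds discussed above (year of birth only,
first three digits of the ZIP code, direct identifiers removed). Not code
from the rule; field names, identifier list and sample record are
assumptions made for this example."""
import re

# Assumed field names for direct identifiers in an illustrative data flow.
# This is NOT the rule's full identifier list, only the fields this
# hypothetical record carries.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "drivers_license", "street_address", "phone", "email",
    "medical_record_number",
})

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
ZIP_FIELD = re.compile(r"(\d{3})\d{2}(?:-\d{4})?")   # a whole ZIP or ZIP+4 value
ZIP_IN_TEXT = re.compile(r"\b\d{5}(?:-\d{4})?\b")    # a ZIP embedded in free text


def generalize_dob(dob):
    """Reduce an ISO-8601 birth date (YYYY-MM-DD) to its year."""
    m = ISO_DATE.fullmatch(str(dob).strip())
    if m is None:
        raise ValueError(f"not an ISO date: {dob!r}")
    return m.group(1)


def generalize_zip(zip_code):
    """Keep only the first three digits of a 5-digit ZIP or ZIP+4 code.
    A value that lost its leading zero (e.g. 2139 exported as an integer)
    is rejected rather than padded, so a bad upstream export is noticed."""
    m = ZIP_FIELD.fullmatch(str(zip_code).strip())
    if m is None:
        raise ValueError(f"not a 5-digit ZIP: {zip_code!r}")
    return m.group(1)


def deidentify(record):
    """Drop direct identifiers, generalize dob and zip, and pass every
    other field through unchanged. The pass-through is the part a
    data-flow review must check; see residual_identifiers()."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "dob":
            out["birth_year"] = generalize_dob(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """Flag fields of a supposedly de-identified record that still carry a
    direct identifier, a full date or a 5-digit ZIP (including inside free
    text). Deliberately conservative: any YYYY-MM-DD or 5-digit number is
    reported, so the result is a review list, not a verdict."""
    findings = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            findings.append((field, "direct identifier present"))
            continue
        if not isinstance(value, str):
            continue
        if ISO_DATE.search(value):
            findings.append((field, "full date present"))
        if ZIP_IN_TEXT.search(value):
            findings.append((field, "5-digit ZIP present"))
    return findings


def deidentify_for_release(record):
    """De-identify and refuse to release anything that still looks
    identifying, so a leak through an unexpected field stops the flow."""
    out = deidentify(record)
    findings = residual_identifiers(out)
    if findings:
        raise ValueError(f"record not releasable: {findings}")
    return out


# Constructed sample record, not real patient data. The free-text note
# carries a date and a ZIP that the field-level rules do not touch.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "dob": "1962-07-14",
    "zip": "02139-4307",
    "diagnosis_code": "E11.9",
    "notes": "Seen 2000-12-28; follow-up at 02139 clinic.",
}

if __name__ == "__main__":
    released = deidentify(SAMPLE)
    print(released)                        # birth_year '1962', zip3 '021'
    print(residual_identifiers(released))  # the note still carries a date and a ZIP
```

Run as a script, it prints the generalized record and then the review findings for the note field; deidentify_for_release refuses to return a record while any finding remains, which is the behaviour a re-programmed export should have rather than silently passing free text through.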
Policy and Procedures Development
The final regulation imposes a variety of requirements which collectively will require entities to develop policies and procedures (referred to in this section as policies) to establish and maintain compliance with the regulation. These include policies such as those for inspection and copying, amending records, and receiving complaints.50 In developing the final regulations, simplifying the administrative burden was a significant consideration. To the extent practical, and consistent with maintaining adequate protection of protected health information, the final rule is designed to encourage the development of policies by professional associations and others, which will reduce costs and facilitate greater consistency across providers and other covered entities.

50 The costs for minimum necessary policies, because they will be distinct and extensive, are presented separately, above.

The development of policies will occur at two levels: first, at the association or other large-scale level; and second, at the entity level. Because of the generic nature of many of the final rule's provisions, the Department anticipates that trade and professional associations and other groups serving large numbers of members or clients will develop materials that can be used broadly. These will likely include the model privacy practice notice that all covered entities will have to provide patients; general descriptions of the regulation's requirements appropriate for various types of health care providers; checklists of steps entities will have to take to comply; training materials; and recommended procedures or guidelines. The Department spoke with a number of professional associations, and they confirmed that they would expect to provide such materials for their members at either the federal or state level.
Using Faulkner and Gray's Health Data Directory 2000, we identified 216 associations that would be likely to provide guidance to members. In addition, we assume three organizations (i.e., one each for hospitals, health plans, and other health care providers) in each state would also provide some additional services to help covered entities coordinate the requirements of this rule with state laws and requirements. The Department assumed that these associations would each provide 320 hours of legal analysis at $150 per hour and 640 hours of senior analysts' time at $50 per hour. This equals $17.3 million. The hourly rate for legal counsel is the average billing rate for a staff attorney.51 The senior analysts' rate is based on a salary of $75,000 per year, plus benefits, which was provided by a major professional association.

51 "The Altman Weil 1999 Survey of Law Firm Economics," <http://www.altmanweil.com/publications/survey/sife99/standard.htm>.

For larger health care entities such as hospitals and health plans, the Department assumed that the complexity of their operations would require them to seek more customized assistance from outside counsel or consultants. Therefore, the Department assumes that each hospital and health plan (including self-administered, self-insured health plans) will, on average, require 40 hours of outside assistance. The resulting cost for external policy development is estimated to be $112 million.
All covered entities are expected to require some time for internal policy development beyond what is provided by associations or outside consultants. For most non-hospital providers, the external assistance will provide most of the necessary information. Therefore, we expect these health care providers will need only eight hours to adapt these policies for their specific use (training cost is estimated separately in the impact analysis). Hospitals and


health plans, which employ more individuals and are involved in a wider array of endeavors, are likely to require more specific policies tailored to their operations to comply with the final rule. For these entities, we assume an average of 320 hours of policy development per institution. The total cost for internal policy development is estimated to be $468 million.
The total cost for policy, plan, and procedures development for the final regulation is estimated to be $598 million. All of these costs are initial costs.

Training
The final regulation's requirements provide covered entities with considerable flexibility in how best to fulfill the necessary training of their workforce. As a result, actual practices may vary substantially based on such factors as the number of members of the workforce, the types of operations, worker turnover, and experience of the workforce. Training is estimated to cost $737 million over ten years. The Department estimates that at the time of the effective date, approximately 6.7 million health care workers will have to be trained, and in the subsequent ten years, 7 million more will have to be trained because of worker turnover. The estimate of employee numbers is based on 2000 CPS data regarding the number of health care workers who indicated they worked for a health care institution. To estimate a workforce turnover rate, the Department relied on a study submitted in the public comments which used a turnover rate of ten percent or less, depending on the labor category. To be conservative, the Department assumed ten percent for all categories.
Covered entities will need to provide members of the workforce with varying amounts of training depending on their responsibilities, but on average, the Department estimates that each member of the workforce who is likely to have access to protected health information will require one hour of training in the policies and procedures of the covered entity. The initial training cost estimate is based on teacher-led training with an average class size of ten. After the initial training, the Department expects some training (for example, of new employees in larger institutions) will be done by videotape, video conference, or computer, all of which are likely to be less expensive. Training materials were assumed to cost an average of $2 per worker. The opportunity cost for the training time is based on the average wage for each health care labor category listed in the CPS, plus a 39 percent load for benefits. Wages were increased based on the wage inflation factor utilized for the short-term assumptions (which cover ten years) in the Medicare Trustees' Annual Report for 1999.

Notice
This section describes only the cost associated with the production and provision of a notice. The cost of developing the policy stated in the notice is covered under policies and procedures, above.
Covered health care providers with direct treatment relationships are required to provide a notice of privacy practices no later than the date of the first service delivery to individuals after the compliance date for the covered health care provider. The Department assumed that for most types of health care providers (such as physicians, dentists, and pharmacists) one notice would be distributed to each patient during his or her first visit following the compliance date for the covered provider, but not for subsequent visits. For hospitals, however, the Department assumed that a notice would be provided at each admission, regardless of how many visits an individual has in a given year. In subsequent years, the Department assumed that non-hospital providers would only provide notices to their new patients, because it is assumed that providers can distinguish between new and existing patients, although hospitals will continue to provide a notice for each admission. The total number of notices provided in the initial year is estimated to be 816 million.
Under the final rule, only providers that have direct treatment relationships with individuals are required to provide notices to them. To estimate the number of visits that trigger a notice in the initial year and in subsequent years, the Department relied on the Medical Expenditure Panel Survey (MEPS, 1996 data) conducted by the Department's Agency for Healthcare Research and Quality. This data set provides estimates for the number of total visits to a variety of health care providers in a given year and estimates of the number of patients with at least one visit to each type of health care provider. To estimate the number of new patients in a given year, the Department used the National Ambulatory Medical Care Survey and the National Hospital Ambulatory Medical Care Survey, which indicate that for ambulatory care visits to physician offices and hospital ambulatory care departments, 13 percent of all patients are new. This figure was used as a proxy for other types of providers, such as dentists and nursing homes, because the Department did not have estimates for new patients for other types of providers. The number of new patients was increased over time to account for growth in the patient population. Therefore, the number of notices provided in years 2004 through 2012 is estimated to be 5.3 billion.
For health plans, the Department estimated the number of notices by trending forward the average annual rate of growth from 1995 through 1998 (the most recent data available) of private policy holders using the Census Bureau's Current Population Survey, and also by using the Health Care Financing Administration Office of the Actuary's estimates for growth in Medicare and Medicaid enrollment. It should be noted that the regulation does not require that the notice be mailed to individuals. Therefore, the Department assumed that health plans would include their privacy policy in the annual mailings they make to members, such as by adding a page to an existing information booklet.
Since clinical laboratories generally do not have direct contact with patients, they would not normally be required to provide notices. However, there are some laboratory services that involve direct patient contact, such as patients who have tests performed in a laboratory or at a health fair. We found no data from which we could estimate the number of such visits. Therefore, we have assumed that labs would incur no costs as a result of this requirement.
The printing cost of the notice is estimated to be $0.05, based on data obtained from the Social Security Administration, which does a significant number of printings for distribution. Some large bulk users, such as health plans, can probably reproduce the document for less, and small providers may simply copy the notice, which would also cost less than $0.05. Nonetheless, at $0.05, the total cost of the initial notice is $50.8 million. Using our standard growth rate for patients, the total cost for notices is estimated to be $391 million for the ten-year period.

Requirements on Use and Disclosure for Research
The final regulation places certain requirements on covered entities that supply individually identifiable health information to researchers. As a result of these requirements, researchers who seek such health information and the Institutional Review Boards (IRBs) that review research projects will have additional responsibilities. Moreover, a covered entity doing research, or another entity requesting disclosure of


protected health information for research that is not currently subject to IRB review (research that is 100 percent privately funded and which takes place in institutions which do not have "multiple project assurances") may need to seek IRB or privacy board approval if they want to avoid the requirement to obtain authorization for use or disclosure of protected health information for research, thereby creating the need for additional IRBs and privacy boards that do not currently exist.
To estimate the additional requirements placed on existing IRBs, the Department relied on a survey of IRBs conducted by James Bell Associates on behalf of NIH and on estimates of the total number of existing IRBs provided by NIH staff. Based on this information, the Department concluded that of the estimated 4,000 IRBs in existence, the median number of initial current research project reviews is 133 per IRB, of which only ten percent do not receive direct consent for the use of protected health information. (Obtaining consent nullifies the need for IRB privacy scrutiny.) Therefore, in the first year of implementation, there will be 76,609 initial reviews affected by the regulation, and the Department assumes that the requirement to consider the privacy protections in the research protocols under review will add an average of 1 hour to each review. The cost to researchers of having to develop protocols which protect protected health information is difficult to estimate, but the Department assumes that each of the affected 76,609 studies will require an average of an additional 8 hours of time for protocol development and implementation. At the average medical scientist hourly wage of $46.61, the initial cost is $32.1 million; the total cost of these requirements is $468 million over ten years.
As stated above, some privately funded research not subject to any IRB review currently may need to obtain IRB or privacy board approval under the final rule. Estimating how much research exists which does not currently go through any IRB review is highly speculative, because the experts consulted by the Department all agree that there is no data on the volume of privately funded research. Likewise, public comments on this subject provided no useful data. However, the Department assumed that most research that takes place today is subject to IRB review, given that so much research has some government funding and many large research institutions have multiple project assurances. As a result, the Department assumed that the total volume of non-IRB reviewed research is equal to 25 percent of all IRB-reviewed research, leading to 19,152 new IRB or privacy board reviews in the first year of the regulation. Using the same assumptions as used above for wages, time spent developing privacy protection protocols for researchers, and time spent by IRB and privacy board members, the total one-year cost for new IRB and privacy board reviews is $8 million.
For estimating total ten-year costs, the Department used the Bell study, which showed an average annual growth rate of 3.7 percent in the number of studies reviewed by IRBs. Using this growth rate, the total ten-year cost for the new research requirements is $117 million.

Consent
Under the final rule, a covered health care provider with direct treatment relationships must obtain an individual's consent for use or disclosure of protected health information for treatment, payment, or health care operations. Covered providers with indirect treatment relationships and health plans may obtain such consent if they so choose. Providers and health plans that seek consent under this rule can condition treatment or enrollment upon provision of such consent. Based on public comments and discussions with a wide array of health care providers, it is apparent that most currently obtain written consent for use and disclosure of individually identifiable health information for payment. Under the final rule, they will have to obtain consent for treatment and health care operations as well, but this may entail only minor changes in the language of the consent to incorporate these other categories and to conform to the rule.
Although the Department was unable to obtain any systematic data, the anecdotal evidence suggests that most non-hospital providers and virtually all hospitals follow this practice. For the cost analysis, the Department assumes that 90 percent of the non-hospital providers and all hospitals currently obtain some consent for use and disclosure of individually identifiable health information. For providers that currently obtain written consent, there is only a nominal cost for changing the language on the document to conform to the rule. For this activity, we assumed a $0.05 cost per document for revising existing consent documents.
For the ten percent of treating providers who currently do not obtain consent, there is the cost of creating consent documents (which will be standardized), which is also assumed to be $0.05 per document. It is assumed that all providers required to obtain consent under the rule will do so upon the first visit, so there will be no mailing cost. For non-hospital providers, we assume the consent will be maintained in paper form, which is what most providers currently do (electronic form, if available, is cheaper to maintain). There is no new cost for records maintenance because the consent will be kept in active files (paper or electronic).
The initial cost of the consent requirement is estimated to be $166 million. Using our standard assumptions for patient growth, the total cost for the ten years is estimated to be $227 million.

Authorizations
Patient authorizations are required for uses or disclosures of protected health information that are not otherwise explicitly permitted under the final rule with or without consent. In addition to uses and disclosures of protected health information for treatment, payment, and health care operations with or without consent, the rule also permits certain uses of protected health information, such as fund-raising for the covered entity and certain types of marketing activity, without prior consent or authorization. Authorizations are generally required if a covered entity wants to provide protected health information to a third party for use by the third party for marketing or for research that is not approved by an IRB or privacy board.
The requirement for obtaining authorizations for use or disclosure of protected health information for most marketing activity will make direct third-party marketing more difficult because covered entities may not want to obtain and track such authorizations, or they may obtain too few to make the effort economically worthwhile. However, the final rule permits an alternative arrangement: the covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity's name. The Department is unable to estimate the cost of these changes because there is no credible data on the extent of current third-party marketing practices or the price that third-party marketers currently pay for information from covered entities. The effect of the final rule is to change the


arrangement of practices to enhance accountability for protected health information by the covered entity and its business associates; however, there is nothing inherently costly in these changes.
Examples of other circumstances in which authorizations are required under the final rule include disclosure of protected health information to an employer for an employment physical, pre-enrollment underwriting for insurance, or the sharing of protected health insurance information by an insurer with an employer. The Department assumes there is no new cost associated with these requirements because providers have said that obtaining authorization under such circumstances is current practice.
To use or disclose psychotherapy notes for most purposes (including for treatment, payment, or health care operations), a covered entity must obtain specific authorization from the individual that is distinct from any authorization for use and disclosure of other protected health information. This is current practice, so there is no new cost associated with this provision.

Confidential Communications
The final rule permits individuals to receive communications of protected health information from a covered health care provider or a health plan by an alternative means or at an alternative address. A covered provider and a health plan must accommodate reasonable requests; however, a health plan may require the individual to state that disclosure of such information may endanger the individual. A number of providers and health plans indicated that they currently provide this service for patients who request it. For providers and health plans with electronic records systems, maintaining separate addresses for certain information is simple and inexpensive, requiring little or no change in the system. For providers with paper records, the cost may be higher because they will have to manually check records to determine which information must be treated in accordance with such requests. Although some providers currently provide this service, the Department was unable to obtain any reliable estimate of the number of such requests today or the number of providers who perform this service. The cost attributable to this requirement to send materials to alternate addresses does not appear to be significant.

Employers With Insured Group Health Plans
Some group health plans will use or maintain protected health information, particularly group health plans that are self-insured. Also, some plan sponsors that perform administrative functions on behalf of their group health plans may need protected health information. The final rule permits a group health plan, or a health insurance issuer or HMO that provides benefits on behalf of the group health plan, to disclose protected health information to a plan sponsor who performs administrative functions on its behalf for certain purposes and if certain requirements are met. The plan documents must be amended to: describe the permitted uses and disclosures of protected health information by the plan sponsor; specify that disclosure is permitted only upon receipt of a certification by the plan sponsor that the plan documents have been amended and the plan sponsor agrees to certain restrictions on the use of protected health information; and provide for adequate firewalls to assure that unauthorized personnel do not have access to individually identifiable health information.
Some plan sponsors may need information not to administer the group health plan, but to amend, modify, or terminate the plan. ERISA case law describes such activities as settlor functions. For example, a plan sponsor may want to change its contract from a preferred provider organization to a health maintenance organization (HMO). In order to obtain premium information, the plan sponsor may need to provide the HMO with aggregate claims information. Under the rule, the plan sponsor can obtain summary information with certain identifiers removed, in order to provide it to the HMO and receive a premium rate.
The Department assumes that most plan sponsors who are small employers (those with 50 or fewer employees) will elect not to receive protected health information because they will have little, if any, need for such data. Any needs that plan sponsors of small group health plans may have for information can be met by receiving the information in summary form. The Department has assumed that only 5 percent of plan sponsors of small group health plans that provide coverage through a contract with an issuer will actually take the steps necessary to receive protected health information. This is approximately 96,900 firms. For these firms, the Department assumes it will take one hour to determine procedural and organizational issues and an additional 1/3 hour of an attorney's time to make plan document changes, which will be simple and essentially standardized. This will cost $7.1 million.
Plan sponsors who are employers of medium (51–199 employees) and large (over 200 employees) firms that provide health benefits through contracts with issuers are more likely to want access to protected health information for plan administration, for example to use it to audit claims or perform quality assurance functions on behalf of the group health plan. The Department assumes that 25 percent of plan sponsors of medium-sized firms and 75 percent of larger firms will want to receive protected health information. This is approximately 38,000 medium-sized firms and 27,000 larger firms. To provide access to protected health information by the group health plan, a plan sponsor will have to assess the current flow of protected health information from its issuer and determine what information is necessary and appropriate. The plan sponsors may then have to make internal organizational changes to assure adequate protection of protected health information so that the relevant requirements are met for the group health plan. We assume that medium-sized firms will take 16 work hours to complete organizational changes, plus one hour of legal time to make changes to plan documents and certify to the insurance carrier that the firm is eligible to receive protected health information. We assume that larger firms will require 32 hours of internal organizational work and one hour of legal time. This will cost $52.4 million and is a one-time expense.

Business Associates
The final rule requires a covered entity to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information in order to disclose it to a business associate based on such an arrangement. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small providers are likely to simply adopt the language or make minor modifications, while health plans and hospitals may start with the prototype language but may make more specific changes to


meet their institutional needs. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract, if necessary, if it knows of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract.
The Department could not derive a per-entity cost for this work directly. In lieu of this, we have assumed that the trade and professional associations' work plus any minor tailoring of it by a covered entity would amount to one hour per non-hospital provider and two hours for hospitals and health plans. The larger figure for hospitals and health plans reflects the fact that they are likely to have a more extensive array of relationships with business associates.
The cost for the changes in business associate contracts is estimated to be $103 million. This will be an initial-year cost only because the Department assumes that this contract language will become standard in future contracts.
In addition, the Department has estimated the cost for business associates to comply with the minimum necessary provisions. As part of the

[…]

estimated these policies and found them to be much less expensive.
The public comments demonstrate that copying of records is widespread today. Records are routinely copied, in whole or in part, as part of treatment or when patients change providers. In addition, copying occurs as part of legal proceedings. The amount of inspection and copying of medical records that occurs for these purposes is not expected to change measurably as a result of the final regulation.
The final regulation establishes the right of individuals to access, that is, to inspect and obtain a copy of, protected health information about them in designated record sets. Although this is an important right, the Department does not expect it to result in dramatic increases in requests from individuals. The Georgetown report on state privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by state law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access, we assumed that most providers currently have

[…]

taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization).
In estimating the cost of copying records, the Department relied on the public comment from a medical records outsourcing industry representative, which submitted specific volume and cost data from a major firm that provides extensive medical record copying services. According to these data, 900 million pages of medical records are copied each year in the U.S., the average medical record is 31 pages, and copying costs are $0.50 per page. In addition, the commenter noted that only 10 percent of all requests are made directly by patients, and of those, the majority are for purposes of continuing care (transfer to another provider), not for purposes of individual inspection. The Department assumed that 25 percent of direct patient requests to copy medical records are for purposes of inspecting their accuracy (i.e., 2.5 percent of all copy requests), or 850,000 in 2003 if current practice remained unchanged.
To estimate the marginal increase in copying that might result from the
minimum necessary provisions, covered procedures for allowing patients to regulation, the Department assumed that
entities will have to establish policies to inspect and obtain a copy of as patients gained more awareness of
ensure that only the minimum individually identifiable health their right to inspect and copy their
necessary protected health information information about themselves. The records, more requests will occur. As a
is shared with business associates. To economic impact of requiring entities to result, the Department assumed a ten
the extent that data are exchanged, allow individuals to access their records percent increase in the number of
covered entities will have to review the should be relatively small. One public requests to inspect and copy medical
data and systems programs to assure commenter addressed this issue and records over the current baseline, which
compliance. provided specific data which supports would amount to a little over 85,000
For non-hospital providers, we this conclusion. additional requests in 2003 at a cost of
estimate that the first year will require Few studies address the cost of $1.3 million. Allowing for a 5.3 percent
an average of three hours to review providing medical records to patients. increase in records based on the
existing agreements, and thereafter, they The most recent was a study in 1998 by increase in ambulatory care visits, the
will require an additional hour to assure the Tennessee Comptroller of the highest growth rate among health
business associate compliance. We Treasury. It found an average cost of service sectors (the National
estimate that hospitals will require an $9.96 per request, with an average of 31 Ambulatory Medical Care Survey,
additional 200 hours the first year and pages per request. The cost per page of 1998), the total cost for the ten-year
16 hours in subsequent years; health providing copies was $0.32 per page. period would be $16.8 million.
plans will require an additional 112 This study was performed on hospitals The final rule allows a provider to
hours the first year and 8 hours in only. The cost per request may be lower deny an individual the right to inspect
subsequent years. As in other areas, we for other types of providers, since those or obtain a copy of protected health
have assumed a weighted average wage seeking hospital records are more likely information in a designated record set
for the respective sectors. to have more complicated records than under certain circumstances, and it
The cost of the covered entities those in a primary care or other types provides, in certain circumstances, that
assuring business associates’ complying of offices. An earlier report showed the patient can request the denial to be
with the minimum necessary is $197 much higher costs than the Tennessee reviewed by another licensed health
million in the first year, and a total of study. In 1992, Rose Dunn published a care professional. The initial provider
$697 million over ten years. (These report based on her experience as a can choose a licensed health care
estimates include the both the cost for manager of medical records. She professional to render the second
the covered entity and the business estimated a 10-page request would cost review.
associates.) $5.32 in labor costs only, equaling labor The Department assumes denials and
cost per page of $0.53. However, this subsequent requests for reviews will be
Inspection and Copying estimate appears to reflect costs before extremely rare. The Department
In the NPRM estimate, inspection and computerization. The expected time estimates there are about 932,000
copying were a major cost. Based on spent per search was 30.6 minutes; 85 annual requests for inspections (i.e.,
data and information from the public percent of this time could be base plus new requests resulting from
comments and further fact-finding, significantly reduced with the regulation), or approximately 11
however, the Department has re- computerization (this includes time million over the ten-year period. If one-

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00313 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82774 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

tenth of one percent of these requests rarely seek to amend their records, but law enforcement of establishing the
were to result in a denial in accordance that the establishment of this right in predicates for issuing the administrative
with the rule, the result would be the rule will spur more requests. The 25 subpoena, nor have we been able to
11,890 cases. Not all these cases would percent appears to be high based on our estimate the number of such subpoenas
be appealed. If 25 percent were discussions with providers but it is that will likely be issued once the final
appealed, the result would be 2,972 being used to avoid an underestimation rule is implemented.
cases. If a second provider were to of the cost. A covered entity may disclose
spend 15 minutes reviewing the case, As noted, the provider or health plan protected health information in
the cost would be $6,000 in the first is not required to evaluate any response to an order in the course of a
year and $86,360 over ten years. amendment requests, only to append or judicial or administrative proceeding if
otherwise link to the request in the reasonable efforts have been made to
Amendments to Protected Health record. We expect the responses will give the individual, who is the subject
Information vary: sometimes an assistant will only of the protected health information,
Many providers and health plans make the appropriate notation in the notice of and an opportunity to object to
currently allow patients to amend the record, requiring only a few minutes; the disclosure or to secure a qualified
information in their medical record, other times a provider or manager will protective order.
where appropriate. If an error exists, review the request and make changes if The Department was unable to
both the patient and the provider or appropriate, which may require as much estimate any additional costs due to
health plan benefit from the correction. as an hour. To be conservative in its compliance with the final rule’s
However, as with inspection and estimate, the Department has assumed, provisions regarding judicial and
copying, many states do not provide on average, 30 minutes for each administrative proceedings. The
individuals with the right to request amendment request at a cost of $47.28 provision requiring a covered entity to
amendment to protected health per hour (2000 CPS). make efforts to notify an individual that
information about themselves. Based on The first-year cost for the amendment his or her records will be used in
these assumptions, the Department policy is estimated to be $5 million. The proceedings is similar to current
concludes that the principal economic ten-year cost of this provision is $78.8 practice; attorneys for plaintiffs and
effect of the final rule would be to million. defendants agreed that medical records
expand the right to request amendments are ordinarily produced after the
Law Enforcement and Judicial and
to protected health information held by relevant party has been notified. With
Administrative Proceedings
a health plan or provider to those who regard to protective orders, we believe
are not currently covered by amendment The law enforcement provisions of that standard language for such orders
requirements under state laws or codes the final rule allow disclosure of can be created at minimal cost. The cost
of conduct. In addition, the rule may protected health information without of complying with such protective
draw additional attention to the issue of patient authorization under four orders will also likely be minimal,
inaccuracies in information and may circumstances: (1) Pursuant to legal because attorney’s client files are
stimulate patient demand for process or as otherwise required by law; ordinarily already treated under
amendment of medical records, (2) to locate or identify a suspect, safeguards comparable to those
including in those states that currently fugitive, material witness, or missing contemplated under the qualified
provide a right to amend medical person; (3) under specified conditions protective orders. The Department was
records. regarding a victim of crime; and (4) and unable to make an estimate of how
Under the final regulation, if a patient when a covered entity believes the many such protective orders might be
requests an amendment to his or her protected health information constitutes created annually.
medical record, the provider must either evidence of a crime committed on its We thus do not make any estimate of
accept the amendment or provide the premises. As under current law and the initial or ongoing costs for judicial,
individual with the opportunity to practice, a covered entity may disclose administrative, or law enforcement
submit a statement disagreeing with the protected health information to a law proceedings.
denial. The provider must acknowledge enforcement official if such official.
Based on our fact finding, we are not Costs to the Federal Government
the request and inform the patient of his
action. able to estimate any additional costs The rule will have a cost impact on
The cost calculations assume that from the final rule regarding disclosures various federal agencies that administer
individuals who request an opportunity to law enforcement officials. The final programs that require the use of
to amend their medical record have rule makes clear that current court individual health information. The
already obtained a copy of it. Therefore, orders and grand jury subpoenas will federal costs of complying with the
the administrative cost of amending the continue to provide a basis for covered regulation and the costs when federal
patient’s record is completely separate entities to disclose protected health government entities are serving as
from inspection and copying costs. information to law enforcement providers are included in the
Based on fact-finding discussions officials. The three-part test, which regulation’s total cost estimate outlined
with a variety of providers, the covered entities must use to decide in the impact analysis. Federal agencies
Department assumes that 25 percent of whether to disclose information in or programs clearly affected by the rule
the projected 850,000 people who response to an administrative request are those that meet the definition of a
request to inspect their records will seek such as an administrative subpoena, covered entity. However, non-covered
to amend them. This number is the represents a change from current agencies or programs that handle
existing demand plus the additional practice. There will be only minimal medical information, either under
requests resulting from the rule. Over costs to draft the standard language for permissible exceptions to the disclosure
ten years, the number of expected such subpoenas. We are unable to rules or through an individual’s
amendment requests will be 2.7 million. estimate other costs attributable to the expressed authorization, will likely
Unlike inspections, which currently use of administrative subpoenas. We incur some costs complying with
occur in a small percentage of cases, our have not been able to discover any provisions of this rule. A sample of
fact-finding suggests that patients very specific information about the costs to federal agencies encompassed by the

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00314 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82775

broad scope of this rule include the: Prevention, health research projects at share of Medicaid spending. The results
Department of Health and Human the Agency for Healthcare Research and of this actuarial analysis add another
Services, Department of Defense, Quality, clinical trials at the National $30 million in 2003 and $1.0 billion
Department of Veterans Affairs, Institutes of Health, and law over ten years to the federal cost
Department of State, and the Social enforcement investigations and estimate. Together, these three steps
Security Administration. prosecutions by the Federal Bureau of constitute the total federal cost estimate
The greatest cost and administrative Investigations. For these and other of $236 million in 2003 and $2.2 billion
burden on the federal government will activities, federal agencies will incur over ten years.
fall to agencies and programs that act as some costs to ensure that protected
covered entities, by virtue of being Costs to State and Local Governments
health information is handled and
either a health plan or provider. tracked in ways that comply with the The rule will also have a cost effect
Examples include the Medicare, requirements of this title. on various state and local agencies that
Medicaid, Children’s Health Insurance We estimate that federal costs under administer programs requiring the use
and Indian Health Service programs at this rule will be approximately $196 of individually identifiable health
the Department of Health and Human million in 2003 and $1.8 billion over ten information. State and local agencies or
Services; the CHAMPVA health program years. The ten-year federal cost estimate programs clearly affected by the rule are
at the Department of Veterans Affairs; represents about 10.2 percent of the those that meet the definition of a
and the TRICARE health program at the privacy regulation’s total cost. This covered entity. The costs when
Department of Defense. These and other estimate was derived in two steps. government entities are serving as
health insurance or provider programs First, we assumed that the proportion providers are included in the total cost
operated by the federal government are of the privacy regulation’s total cost estimates. However, non-covered
subject to requirements placed on accruing to the federal government in a agencies or programs that handle
covered entities under this rule, given year will be equivalent to the individually identifiable health
including, but not limited to, those proportion of projected federal costs as information, either under permissible
outlined in Section D of the impact a percentage of national health exceptions to the disclosure rules or
analysis. While many of these federal expenditures for that year. To estimate through an individual’s expressed
programs already afford privacy these proportions, we used the Health authorization, will likely incur some
protections for individual health Care Financing Administration’s costs complying with provisions of this
information through the Privacy Act and November 1998 National Health rule. Samples of state and local agencies
standards set by the Departments and Expenditure projections (the most or programs encompassed by the broad
implemented through their contracts recent data available) of federal health scope of this rule include: Medicaid,
with providers, this rule is nonetheless expenditures as a percent of national State Children’s Health Insurance
expected to create additional health expenditures from 2003 through Programs, county hospitals, state mental
requirements. Further, we anticipate 2008, trended forward to 2012. We then health facilities, state or local nursing
that most federal health programs will, adjusted these proportions to exclude facilities, local health clinics, and
to some extent, need to modify their Medicare and Medicaid spending, public health surveillance activities,
existing practices to comply fully with reflecting the fact that the vast majority among others. We have included state
this rule. The cost to federal programs of participating Medicare and Medicaid and local costs in the estimation of total
that function as health plans will be providers will not be able to pass costs in this section.
generally the same as those for the through the costs of complying with this The greatest cost and administrative
private sector. rule to the federal government because burden on the state and local
A unique cost to the federal they are not reimbursed under cost- government will fall to agencies and
government will be in the area of based payment systems. This programs that act as covered entities, by
enforcement. The Office for Civil Rights calculation yields a partial federal cost virtue of being either a health plan or
(OCR), located at the Department of of $166 million in 2003 and $770 provider, such as Medicaid, State
Health and Human Services, has the million over ten years. Children’s Health Insurance Programs,
primary responsibility to monitor and Second, we add the Medicare and and county hospitals. These and other
audit covered entities. OCR will monitor federal Medicaid costs resulting from health insurance or provider programs
and audit covered entities in both the the privacy regulation that HCFA’s operated by state and local government
private and government sectors, will Office of the Actuary project can be are subject to requirements placed on
ensure compliance with requirements of passed through to the federal covered entities under this rule,
this rule, and will investigate government. These costs reflect the including, but not limited to, those
complaints from individuals alleging actuaries’ assumption regarding how outlined in this section (Section E) of
violations of their privacy rights. In much of the total privacy regulation cost the impact analysis. Many of these state
addition, OCR will be required to burden will fall on participating and local programs already afford
recommend penalties and other Medicare and Medicaid providers, privacy protections for individually
remedies as part of their enforcement based on the November 1998 National identifiable health information through
activities. These responsibilities Health Expenditure data. Then the the Privacy Act. For example, state
represent an expanded role for OCR. actuaries estimate what percentage of governments often become subject to
Beyond OCR, the enforcement the total Medicare and federal Medicaid Privacy Act requirements when they
provisions of this rule may have burden could be billed to the programs, contract with the federal government.
additional costs to the federal assuming that (1) only 3 percent of This rule is expected to create
government through increased Medicare providers and 5 percent of additional requirements beyond those
litigation, appeals, and inspector general Medicaid providers are still reimbursed covered by the Privacy Act.
oversight. under cost-based payment systems, and Furthermore, we anticipate that most
Examples of other unique costs to the (2) over time, some Medicaid costs will state and local health programs will, to
federal government may include such be incorporated into the state’s some extent, need to modify their
activities as public health surveillance Medicaid expenditure projections that existing Privacy Act practices to fully
at the Centers for Disease Control and are used to develop the federal cost comply with this rule. The cost to state

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00315 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82776 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

and local programs that function as reliable means of measuring dollar value represents the highest possible cost for
health plans will be different than the of such benefit. an individual.
private sector, much as the federal costs As noted in the comment and An alternative approach to
vary from private health plans. response section, a number of determining how people would have to
A preliminary analysis suggests that commenters raised legitimate criticisms value increased privacy for this
state and local government costs will be of the Department’s approach to regulation to be beneficial is to look at
on the order of $460 million in 2003 and estimating benefits. The Department the costs divided by the number of
$2.4 billion over ten years. We assume considered other approaches, including encounters with health care
that the proportion of the privacy attempts to measure benefits in the professionals annually. Data from the
regulation’s total cost accruing to state aggregate rather than the specific Medical Expenditure Panel Survey
and local governments in a given year examples set forth in the NPRM. (MEPS) produced by the Agency for
will be equivalent to the proportion of However, we were unable to identify Healthcare Policy Research (AHCPR)
projected state and local costs as a data or models that would provide show approximately 776.3 million
percentage of national health credible measures. Privacy has not been health care visits (e.g., office visits,
expenditures for that year. To estimate studied empirically from an economic hospital and nursing home stays, etc.) in
these proportions, we used the Health perspective, and therefore, we the first year (2003). As with the
Care Financing Administration’s concluded that the approach taken in calculation of average annual cost per
November 1998 National Health the NPRM is still the most useful means insured patient, we divided the total
Expenditure projections of state and of illustrating that the benefits of the cost of complying with the regulation by
local health expenditures as a percent of regulation are significant in relation to the total annual number of health care
national health expenditures from 2003 the economic costs. visits. The cost of instituting
through 2008, trended forward to 2012. Before beginning the discussion of the requirements of the proposed regulation
Based on this approach, we assume that benefits, it is important to create a is $0.19 per health care visit. If we
over the entire 2003 to 2012 period, 13.6 framework for how the costs and assume that individuals would be
percent, or $2.4 billion, of the privacy willing to pay more than $0.19 per
benefits may be viewed in terms of
regulation’s total cost will accrue to health care visit to improve health
individuals rather than societal
state and local governments. Of the $2.4 information privacy, the benefits of the
aggregates. We have estimated the value
billion state and local government cost, proposed regulation outweigh the cost.
an insured individual would need to
19 percent will be incurred in the place on increased privacy to make the Qualitative Discussion
regulation’s first year (2003). In each of privacy regulation a net benefit to those A well designed privacy standard can
the out-years (2004–2012), the average who receive health insurance. Our be expected to build confidence among
percent of the total cost incurred will be estimates are derived from data the public about the confidentiality of
about nine percent per year. These state produced by the 1998 Current their medical records. The seriousness
and local government costs are included Population Survey from the Census of public concerns about privacy in
in the total cost estimates discussed in Bureau (the most recent available at the general are shown in the 1994 Equifax-
the regulatory impact analysis. time of the analysis), which show that Harris Consumer Privacy Survey, where
220 million persons are covered by ‘‘84 percent of Americans are either very
F. Benefits
either private or public health or somewhat concerned about threats to
There are important societal benefits insurance. Joining the Census Bureau their personal privacy.’’ 53 A 1999
associated with improving health data with the costs calculated in Section report, ‘‘Promoting Health and
information privacy. Confidentiality is a E, we have estimated the cost of the Protecting Privacy’’ notes ‘‘* * * many
key component of trust between patients regulation to be approximately $6.25 per people fear their personal health
and providers, and some studies year (or approximately $0.52 per month) information will be used against them:
indicate that a lack of privacy may deter for each insured individual (including to deny insurance, employment, and
patients from obtaining preventive care people in government programs). If we housing, or to expose them to unwanted
and treatment.52 For these reasons, assume that individuals who use the judgements and scrutiny.’’ 54 These
traditional approaches to estimating the health care system will be willing to pay concerns would be partly allayed by the
value of a commodity cannot fully more than this per year to improve privacy standard.
capture the value of personal privacy. It health information privacy, the benefits Fear of disclosure of treatment is an
may be difficult for individuals to assign of the proposed regulation will impediment to health care for many
value to privacy protection because outweigh the cost. Americans. In the 1993 Harris-Equifax
most individuals view personal privacy This is a conservative estimate of the Health Information Privacy Survey,
as a right. Therefore, the benefits of the number of people who will benefit from seven percent of respondents said they
proposed regulation are impossible to the regulation because it assumes that or a member of their immediate family
estimate based on the market value of only those individuals who have health had chosen not to seek medical services
health information alone. However, it is insurance or are in government due to fear of harm to job prospects or
possible to evaluate some of the benefits programs will use medical services or other life opportunities. About two
that may accrue to individuals as a benefit from the provisions of the percent reported having chosen not to
result of proposed regulation, and these proposed regulation. Currently, there file an insurance claim because of
benefits, alone, suggest that the are 42 million Americans who do not concerns of lack of privacy or
regulation is warranted. Added to these have any form of health care coverage. confidentiality.55 Increased confidence
benefits is the intangible value of The estimates do not include those who
privacy, the security that individuals pay for medical care directly, without 53 Consumer Privacy Survey, Harris-Equifax,

feel when personal information is kept any insurance or government support. 1994, p vi.
54 Promoting Health: Protecting Privacy,
confidential. This benefit is very real By lowering the number of users in the
California Health Care Foundation and Consumers
and very significant but there are no system, we have inflated our estimate of Union, January 1999, p 12.
the per-person cost of the regulation; 55 Health Information Survey, Harris-Equifax,
52 Equifax-Harris Consumer Privacy Survey, 1994. therefore, we assume that our estimate 1993, pp 49–50.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00316 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82777

on the part of patients that their privacy The National Institutes of Health are probably offset by the costs of
would be protected would lead to estimates that the overall annual cost of treating late-stage cancer among people
increased treatment among people who cancer in 1990 was $96.1 billion; $27.5 who would otherwise not be treated
delay or never begin care, as well as billion in direct medical costs and $68.7 until their cases had progressed.
among people who receive treatment billion for lost income due to morbidity Although figures on the number of
but pay directly (to the extent that the and mortality.60 Health-related quality individuals who avoid cancer treatment
ability to use their insurance benefits will reduce cost barriers to more complete treatment). It will also change the dynamic of current payments. Insured patients currently paying out-of-pocket to protect confidentiality will be more likely to file with their insurer and to seek all necessary care. The increased utilization that would result from increased confidence in privacy could be beneficial under many circumstances. For many medical conditions, early and comprehensive treatment can lead to lower costs.

The following are four examples of areas where increased confidence in privacy would have significant benefits. They were chosen both because they are representative of widespread and serious health problems, and because they are areas where reliable and relatively complete data are available for this kind of analysis. The logic of the analysis, however, applies to any health condition, including relatively minor conditions. We expect that some individuals might be concerned with maintaining privacy even if they have no significant health problems because it is likely that they will develop a medical condition in the future that they will want to keep private.

Cancer

The societal burden of disease imposed by cancer is indisputable. Cancer is the second leading cause of death in the US,56 exceeded only by heart disease. In 2000, it is estimated that 1.22 million new cancer cases will be diagnosed.57 The estimated prevalence of cancer cases (both new and existing cases) in 1999 was 8.37 million.58 In addition to mortality, incidence, and prevalence rates, the other primary methods of assessing the burden of disease are cost-of-illness and quality of life measures.59 Cost of illness measures the economic costs associated with treating the disease (direct costs) and lost income associated with morbidity and mortality (indirect costs). Quality of life measures integrate the mortality and morbidity effects of disease to produce health status scores for an individual or population. For example, the Quality Adjusted Life Year (QALY) combines the pain, suffering, and productivity loss caused by illness into a single measure. The Disability Adjusted Life Year (DALY) is based on the sum of life years lost to premature mortality and years that are lived, adjusted for disability.61 The analysis below is based on the cost-of-illness measure for cancer, which is more developed than the quality of life measure.

Among the most important elements in the fight against cancer are screening, early detection and treatment of the disease. However, many patients are concerned that cancer detection and treatment will make them vulnerable to discrimination by insurers or employers. These privacy concerns have been cited as a reason patients do not seek early treatment for diseases such as cancer. As a result of forgoing early treatment, cancer patients may ultimately face a more severe illness and/or premature death.

Increasing people’s confidence in the privacy of their medical information would encourage more people with cancer to seek cancer treatment earlier, which would increase cancer survival rates and thus reduce the lost wages associated with cancer. For example, only 24 percent of ovarian cancers are diagnosed in the early stages. Of these, approximately 90 percent of patients survive treatment. The survival rate of women who detect breast cancer early is similarly high; more than 90 percent of women who detect and treat breast cancer in its early stages will survive.62

We have attempted to estimate the annual savings in foregone wages that would result from earlier treatment due to enhanced protection of the privacy of medical records. We do not assume there would be increased medical costs from earlier treatment because the costs of earlier and longer cancer treatment

due to privacy concerns do not exist, some indirect evidence is available. A 1993 Harris-Equifax Health Information Privacy Survey (noted earlier) found that seven percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. It should be noted that this survey is somewhat dated and represents only one estimate. Moreover, given the wording of the question, there are other reasons aside from privacy concerns that led these individuals to respond affirmatively. However, for the purposes of this estimate, we assume that privacy concerns were responsible for the majority of positive responses.

Based on the Harris-Equifax survey estimate that seven percent of people did not seek services for physical or mental health conditions due to fears about job prospects or other opportunities, we assume that the proportion of people diagnosed with cancer who did not seek earlier treatment due to these fears is also seven percent. Applying this seven percent figure to the estimated number of total cancer cases (8.37 million) gives us an estimate of 586,000 people who did not seek earlier cancer treatment due to privacy concerns. We estimate annual lost wages due to cancer morbidity and mortality per cancer patient by dividing total lost wages ($68.7 billion) by the number of cancer patients (8.37 million), which rounds to $8,200. We then assume that cancer patients who seek earlier treatment would achieve a one-third reduction in cancer mortality and morbidity due to earlier treatment. The assumption of a one-third reduction in mortality and morbidity is derived from a study showing a one-third reduction in colorectal cancer mortality due to colorectal cancer screening.63 We could have chosen a lower or higher treatment success rate. By multiplying 586,000 by $8,200 by one-third, we calculate that $1.6 billion in lost wages could be saved each year by encouraging more people to seek early cancer treatment through enhanced privacy protections. This estimate illustrates the potential savings in lost wages due to cancer that could be achieved with greater privacy protections.

HIV/AIDS

Early detection is essential for the survival of a person with HIV (Human Immunodeficiency Virus). Concerns about the confidentiality of HIV status would likely deter some people from getting tested. For this reason, each state has passed some sort of legislation regarding confidentiality of an individual’s HIV status. However, HIV status can be revealed indirectly through disclosure of HAART (Highly Active Anti-Retroviral Therapy) or similar HIV treatment drug use. In addition, since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only specially protected condition, "blacked out" information on medical charts could indicate HIV positive status.64 Strengthening privacy protections beyond this disease could increase confidence in privacy regarding HIV as well. Drug therapy for HIV positive persons has proven to be a life-extending, cost-effective tool.65 A 1998 study showed that beginning treatment with HAART in the early asymptomatic stage is more cost-effective than beginning it late. After five years, only 15 percent of patients with early treatment are estimated to develop an ADE (AIDS-defining event), whereas 29 percent would if treatment began later. Early treatment with HAART prolongs survival (adjusted for quality of life) by 6.2 percent. The overall cost of early HAART treatment is estimated at $23,700 per quality-adjusted year of life saved.66

Other Sexually Transmitted Diseases

It is difficult to know how many people are avoiding testing for STDs despite having a sexually transmitted disease. A 1998 study by the Kaiser Family Foundation found that the incidence of disease was 15.3 million in 1996, though there is great uncertainty due to under-reporting.67 For a potentially embarrassing disease such as an STD, seeking treatment requires trust in both the provider and the health care system for confidentiality of such information. Greater trust should lead to more testing and greater levels of treatment. Earlier treatment for curable STDs can mean a decrease in morbidity and the costs associated with complications. These include expensive fertility problems, fetal blindness, ectopic pregnancies, and other reproductive complications.68 In addition, there could be greater overall savings if earlier treatment translates into reduced spread of infections.

Mental Health Treatment

When individuals have a better understanding of the privacy practices that we are requiring in this proposed rule, some will be less reluctant to seek mental health treatment. One way that individuals will receive this information is through the notice requirement. Increased use of mental health and services would be expected to be beneficial to the persons receiving the care, to their families, and to society at large. The direct benefit to the individual from treatment would include improved quality of life, reduced disability associated with mental conditions, reduced mortality rate, and increased productivity associated with reduced disability and mortality. The benefit to families would include quality of life improvements and reduced medical costs for other family members associated with abusive behavior by the treated individual.

The potential economic benefits associated with improving privacy of individually identifiable health information and thus encouraging some portion of individuals to seek initial mental health treatment or increase service use are difficult to quantify well. Nevertheless, using a methodology similar to the one used above to estimate potential savings in cancer costs, one can lay out a range of possible benefit levels to illustrate the possibility of cost savings associated with an expansion of mental health and treatment to individuals who, due to protections offered by the privacy regulation, might seek treatment that they otherwise would not have. This can be illustrated by drawing upon existing data on the economic costs of mental illness and the treatment effectiveness of interventions.

The 1998 Substance Abuse and Mental Health Statistics Source Book from the Substance Abuse and Mental Health Services Administration (SAMHSA) estimates that the economic cost to society of mental illness in 1994 was about $204.4 billion. About $91.7 billion was due to the cost of treatment and medical care and $112.6 billion (1994 dollars) was due to loss of productivity associated with morbidity and mortality and other related costs, such as crime.69 Evidence suggests that appropriate treatment of mental health disorders can result in 50–80 percent of individuals experiencing improvements in these types of conditions. Improvements in patient functioning and reduced hospital stays could result in hundreds of millions of dollars in cost savings annually.

Although figures on the number of individuals who avoid mental health treatment due to privacy concerns do not exist, some indirect evidence is available. As noted in the cancer discussion, the 1993 Harris-Equifax Health Information Privacy Survey found that 7 percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. (See above for limitations to this data.) We assume that the proportion of people with a mental health disorder who did not seek treatment due to fears about job prospects or other opportunities is the same as the proportion in the Harris-Equifax survey sample who did not seek services for physical or mental health conditions due to the same fears (7 percent). The 1999 Surgeon General’s Report on Mental Health estimates that 28 percent of the U.S. adult population has a diagnosable mental and/or substance abuse disorder and 20 percent of the population has a mental and/or substance abuse disorder for which they do not receive treatment.70 Based on the Surgeon General’s Report, we estimate that 15 percent of the adult population has a mental disorder for which they do not seek treatment.71 Assuming that 7 percent of those with mental disorders did not seek treatment due to privacy concerns, we estimate that 1.05 percent of the adult population72 (15 percent multiplied by 7 percent), or 2.07 million people, did not seek treatment for mental illness due to privacy fears.

The indirect (non-treatment) economic cost of mental illness per person with mental illness is $2,590 ($112.6 billion divided by 43.4 million people with mental illness).73 The treatment cost of mental illness per person with mental illness is $2,110 ($91.7 billion divided by 43.4 million individuals). If we assume that indirect economic costs saved by encouraging more individuals with mental illness to enter treatment are offset by the additional treatment costs, the net savings is about $480 per person.

As stated above, appropriate treatment of mental health disorders can result in 50–80 percent of individuals experiencing improvements in these types of conditions. Therefore, we multiply the number of individuals with mental disorders who would seek treatment with greater privacy protections (2.07 million) by the treatment effectiveness rate by the net savings per effective treatment ($480). Assuming a 50 percent success rate, this equation yields annual savings of $497 million. Assuming an 80 percent success rate, this yields annual savings of $795 million.

Given the existing data on the annual economic costs of mental illness and the rates of treatment effectiveness for these disorders, coupled with assumptions regarding the percentage of individuals who would seek mental health treatment with greater privacy protections, the potential net economic benefits could range from approximately $497 million to $795 million annually.

V. Final Regulatory Flexibility Analysis

A. Introduction

Pursuant to the Regulatory Flexibility Act 5 U.S.C. 601 et seq., the Department must prepare a regulatory flexibility analysis if the Secretary certifies that a final rule would have a significant economic impact on a substantial number of small entities.74 This analysis addresses four issues: (1) The need for, and objective of, the rule; (2) a summary of the public comments to the NPRM and the Department’s response; (3) a description and estimate of the number of small entities affected by the rule; and (4) a description of the steps the agency has taken to minimize the economic impact on small entities, consistent with the law and the intent of the rule. The following sections provide details on each of these issues. A description of the projected reporting and record keeping requirements of the rule is included in Section IX, below.

B. Reasons for Promulgating the Rule

This proposed rule is being promulgated in response to a statutory mandate to do so under section 264 of Public Law 104–191. Additional information on the reasons for promulgating the rule can be found in earlier preamble discussions (see Section I. B. above).

1. Objectives and Legal Basis

This information can be found in earlier preamble discussions (See I. C. and IV., above).

2. Relevant Federal Provisions

This information can be found in earlier preamble discussions (See I. C., above).

C. Summary of Public Comments

The Department received only a few comments regarding the Initial Regulatory Flexibility Analysis (IRFA) contained in the NPRM. A number of commenters argued that the estimates in the IRFA were too low or incomplete. The estimates were incomplete to the extent that a number of significant policy provisions in the proposal were not estimated because of too little information at the time. In the final IRFA we have estimates for these provisions. As for the estimates being too low, the Department has sought as much information as possible. The methodology employed for allocating costs to the small business sectors is explained in the following section.

Most of the other comments pertaining to the IRFA criticized specific estimates in the NPRM. Generally, the commenters argued that certain cost elements were not included in the cost estimates presented in the NPRM. The Department has expanded our description of our data and methodology in both the final RIA and this final RFA to try to clarify the data and assumptions made and the rationale for using them.

Finally, a number of commenters suggested that small entities be exempted from coverage from the final rule, or that they be given more time to comply. As the Department has explained in the Response to Comment section above, such changes were considered but rejected. Small entities constitute the vast majority of all entities that are covered; to exempt them would essentially nullify the purpose of the rule. Extensions were also considered but rejected. The rule does not take effect for two years, which is ample time for small entities to learn about the rule and make the necessary changes to come into compliance.

D. Economic Effects on Small Entities

1. Number and Types of Small Entities Affected

The Small Business Administration defines small businesses in the health care sector as those organizations with less than $5 million in annual revenues. Nonprofit organizations are also considered small entities;75 however, individuals and states are not included in the definition of a small entity. Similarly, small government jurisdictions with a population of less than 50,000 are considered small entities.76

Small business in the health care sector affected by this rule may include such businesses as: Nonprofit health plans, hospitals, and skilled nursing facilities (SNFs); small businesses providing health coverage; small physician practices; pharmacies; laboratories; durable medical equipment (DME) suppliers; health care clearinghouses; billing companies; and vendors that supply software applications to health care entities.

The U.S. Small Business Administration reports that as of 1997, there were 562,916 small health care entities77 classified within the SIC codes we have identified as being covered establishments (Table A).

These small businesses represent 82.6% of all health care establishments examined.78 Small businesses represent a significant portion of the total number of health care establishments but a small portion of the revenue stream for all health care establishments. In 1997, the small health care businesses represented generated approximately $430 billion in annual receipts, or 30.2% of the total revenue generated by health care establishments (Table B).79 The following sections provide estimates of the number of small health care establishments that will be required to comply with the rule. Note, however, that the SBA’s published annual receipts of health care industries differ from the National Health Expenditure data that the Health Care Financing Administration (HCFA) maintains. These data do not provide the specific revenue data required for an RFA; only the SBA data has the requisite establishment and revenue data for this analysis.

The Small Business Administration reports that approximately 74 percent of the 18,000 medical laboratories and dental laboratories in the U.S. are small entities.80 Furthermore, based on SBA data, 55 percent of the 3,300 durable medical equipment suppliers that are not part of drug and proprietary stores in the U.S. are small entities. Over 90 percent of health practitioner offices are small businesses.81 Doctor offices (90%), dentist offices (99%), osteopathy (97%) and other health practitioner offices (97%) are primarily considered small businesses.

There are also a number of hospitals, home health agencies, non-profit nursing facilities, and skilled nursing facilities that will be affected by the proposed rule. According to the American Hospital Association, there are approximately 3,131 nonprofit hospitals nationwide. Additionally, there are 2,788 nonprofit home health agencies in the U.S. and the Health Care Financing Administration reports that there are 591 nonprofit nursing facilities and 4,280 nonprofit skilled nursing facilities.82

Some contractors that are not covered entities but that work with covered health care entities will be required to adopt policies and procedures to protect information. We do not expect that the additional burden placed on contractors will be significant. We have not estimated the effect of the proposed rule on these entities because we cannot reasonably anticipate the number or type of contracts affected by the proposed rule. We also do not know the extent to which contractors would be required to modify their policy practices as a result of the rule.

2. Activities and Costs Associated With Compliance

This section summarizes specific activities that covered entities must undertake to comply with the rule’s provisions and options considered by the Department that would reduce the burden to small entities. In developing this rule, the Department considered a variety of alternatives for minimizing the economic burden that it will create for small entities. We did not exempt small businesses from the rule because they represent such a large and critical proportion of the health care industry (82.6 percent); a significant portion of individually identifiable health information is generated or held by these small businesses.

The guiding principle in our considerations of how to address the burden on small entities has been to make provisions performance rather than specification oriented—that is, the rule states the standard to be achieved but allows institutions flexibility to determine how to achieve the standard within certain parameters. Moreover, to the extent possible, we have allowed entities to determine the extent to which they will address certain issues. This ability to adapt provisions to minimize burden has been addressed in the regulatory impact analysis above, but it will be briefly discussed again in the following section.

Before discussing specific provisions, it is important to note some of the broader questions that were addressed in formulating this rule. The Department considered extending the compliance period for small entities but concluded that it did not have the legal authority to do so (see discussion above). The rule, pursuant to HIPAA, creates an extended compliance time of 36 months (rather than 24 months) only for small health plans and not for other small entities. The Department also considered giving small entities longer response times for time limits set forth in the rule, but decided to establish standard time limits that we believe are reasonable for covered entities of all sizes, with the understanding that larger entities may not need as much time as they have been allocated in certain situations. This permits each covered entity the flexibility to establish policies regarding time limits that are consistent with the entity’s current practices.

Although we considered the needs of small entities during our discussions of all provisions for this final rule, we are highlighting the most significant discussions in the following sections:

Scalability

Wherever possible, the final rule provides a covered entity with flexibility to create policies and procedures that are best suited to the entity’s current practices in order to comply with the standards, implementation specifications, and requirements of the rule. This allows the covered entity to assess its own needs in devising, implementing, and maintaining appropriate privacy policies, procedures, and documentation to address these regulatory requirements. It also will allow a covered entity to take advantage of developments and methods for protecting privacy that will evolve over time in a manner that is best suited to that institution. This approach allows covered entities to strike a balance between protecting privacy of individually identifiable health information and the economic cost of doing so within prescribed boundaries set forth in the rule. Health care entities must consider both factors when devising their privacy solutions. The Department assumes that professional and trade associations will provide guidance to their members in understanding the rule and providing guidance on how they can best achieve compliance. This philosophy is similar to the approach in the Transactions Rule.

The privacy standard must be implemented by all covered entities, regardless of size. However, we believe that the flexible approach under this rule is more efficient and appropriate than a single approach to safeguarding health information privacy. For example, in a small physician practice, the office manager might be designated to serve as the privacy official as one of many of her duties. In a large health plan, the privacy official position may require more time and greater privacy experience, or the privacy official may have the regular support and advice of a privacy staff or board. The entity can decide how to implement this privacy official requirement based on the entity’s structure and needs.

The Department decided to use this scaled approach to minimize the burden on all entities, with an emphasis on small entities. The varying needs and capacities of entities should be reflected in the policies and procedures adopted by the organization and the overall approach it takes to achieve compliance.

Minimum Necessary

The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine basis, such as insurance claims, a covered entity is required to have policies and procedures governing such exchanges (but the rule does not require a case-by-case determination in such cases); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed. The final rule makes changes to the NPRM that reduce the burden of compliance on small businesses.

Based on public comments and subsequent fact-finding, the Department sought to lessen the burden of this provision. The NPRM proposed applying the minimum necessary standard to disclosures to providers for treatment purposes and would have required individual review of all uses of protected health information. The final rule exempts disclosures of protected health information from a covered entity to a health care provider for treatment from the minimum necessary provision and eliminates the case-by-case determinations that would have been necessary under the NPRM. The Department has concluded that the requirements of the final rule are similar to the current practice of most health care providers. For standard disclosure requests, for example, providers generally have established procedures. Under the final rule providers will have to have policies and procedures to determine the minimum amount of protected health information to disclose for standard disclosure requests as well, but may need to review and revise existing procedures to make sure they are consistent with the final rule. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much information should be disclosed. In short, the minimum necessary requirements of this rule are similar to current practice, particularly among small providers.

Policy and Procedures

The rule requires that covered entities develop and document policies and procedures with respect to protected health information to establish and

of the entity. For example, a small physician’s practice might designate the office manager as the privacy official in addition to her broader administrative responsibilities. Once the privacy official has been trained, the time required to accomplish the duties imposed on such person is not likely to be much more than under current practice. Therefore, the requirement imposes a minimal burden on small businesses.

Internal Complaints

The final rule requires covered entities to have an internal process for individuals to make complaints regarding the covered entities’ privacy policies and procedures required by the rule and its compliance with such policies. The requirement includes identifying a contact person or office responsible for receiving complaints and documenting all complaints received and the disposition of such complaints, if any. The covered entity only is required to receive and document a complaint (the complaint can be oral or in writing), which should take a short amount of time. The Department believes that complaints about a covered entity’s privacy policies and procedures will be uncommon. Thus, the burden on small businesses should be minimal.

Training

In developing the NPRM, the Department considered a number of alternatives for training, including requiring specific training materials,

wide variety of options to be made available by associations, professional groups, and vendors. Methods might include classroom instruction, videos, booklets, or brochures tailored to particular levels of need of workers and employers. Moreover, the recertification requirement of the NPRM has been dropped to ease the burden on small entities.

Consent

The NPRM proposed prohibiting covered entities from requiring individuals to provide written consent for the use and disclosure of protected health information for treatment, payment, and health care operations purposes. The final rule requires certain health care providers to obtain written consent before using or disclosing protected health information for treatment, payment, and health care operations, with a few exceptions. This requirement was included in the final rule in response to comments that this reflects current practice of health care providers with direct treatment relationships. Because providers are already obtaining such consent, this requirement represents a minimal burden.

Notice of Privacy Rights

The rule requires covered entities to prepare and make available a notice that informs individuals about uses and disclosures of protected health information that may be made by the covered entity and that informs of the individual’s rights and covered entity’s

56 American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER–2-http://www.cancer.org/frames.html
57 American Cancer Society. http://www3.cancer.org/cancerinfo/sitecenter.asp?ctid=8&scp=0&scs=0&scss=0&scdoc=40000.
58 Polednak, AP. "Estimating Prevalence of Cancer in the United States," Cancer 1997; 8–:136–41.
59 Martin Brown, "The Burden of Illness of Cancer: Economic Cost and Quality of Life." Annual Review of Public Health, 2001:22:91–113.
60 Disease-Specific Estimates of Direct and Indirect Costs of Illness and NIH Support: Fiscal Year 2000 Update. Department of Health and Human Services, National Institutes of Health, Office of the Director, February 2000.
61 DALY scores for 10 cancer sites are presented in Brown, "The Burden of Illness of Cancer: Economic Cost and Quality of Life," figure 1.
62 Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html
63 Jack S. Mandel, et al., "Reducing Mortality from Colorectal Cancer by Screening for Fecal Occult Blood," The New England Journal of Medicine, May 13, 1993, Vol. 328, No. 19.
64 Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 13.
65 For example, Roger Detels, M.D., et al., in "Effectiveness of Potent Anti-retroviral Therapy. * * *" JAMA, 1998; 280:1497–1503 note the impact of therapy on HIV persons with respect to lengthening the time to development of AIDS, not just delaying death in persons who already have AIDS.
66 John Hornberger et al., "Early treatment with highly active anti-retroviral therapy (HAART) is cost-effective compared to delayed treatment," 12th World AIDS conference, 1998.
67 Sexually Transmitted Diseases in America, Kaiser Family Foundation, 1998, p. 12.
68 Standard Medical information; see http://www.mayohealth.org for examples.
69 Substance Abuse and Mental Health Services Administration. http://www.samhsa.gov/oas/srcbk/costs-02htm. Source of data: DP Rice, Costs of Mental Illness (unpublished data).
70 Department of Health and Human Services, Mental Health: A Report of the Surgeon General. Rockville, MD: 1999, page 408.
71 According to the Surgeon General’s Report, 28 percent of the adult population have either a mental or addictive disorder, whether or not they receive services: 19 percent have a mental disorder alone, 6 percent have a substance abuse disorder alone, and 3 percent have both. Subtracting the 3 percent who have both, about three-quarters of the population with either a mental or addictive disorder have a mental disorder and one-quarter have a substance abuse disorder. We assume that this ratio (three-quarter to one-quarter) is the same for the adult population with either a mental or addictive disorder who do not receive services. Thus, we assume that 15 percent of the population have an untreated mental disorder (three-quarters of 20 percent) and 5 percent have an untreated addictive disorder (one-quarter of 20 percent).
72 According to the Population Estimates Program, Population Division, U.S. Census Bureau, the U.S. population age 20 and older is 197.1 million on Sept. 1, 2000. This estimate of the adult population is used throughout this section.
73 The number of adults with mental illness is calculated by multiplying the U.S. Census Bureau estimate of the U.S. adult population—197.1 million—by the percent of the adult population with mental illness—22 percent, according to the Surgeon General’s Report on Mental Health, which says that 19 percent of the population have a mental disorder alone and three percent have a mental and substance abuse disorder.
74 "Entities" and "establishments" are synonymous in this analysis.
75 "Entities" and "establishments" are used synonymously in this RFA.
76 "Small governments" were not included in this analysis directly; rather we have included the kinds of institutions within those governments that are likely to incur costs, such as government hospitals and clinics.
77 Entities are the physical location where an enterprise conducts business. An enterprise may conduct business in more than one establishment.
78 Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1997.
79 Op. cit., 1997.
80 Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1997.
81 Op. cit., 1997.
82 Health Care Financing Administration, OSCAR.
maintain compliance with the training certification, and periodic legal duties with respect to protected
regulation. Through the standards, retraining. In the NPRM, the Department health information. The final rule makes
requirements, and implementation recommended flexibility in the changes to the NPRM that reduce the
specifications, we are proposing a materials and training method used, but burden of this provision on covered
framework for developing and proposed recertification every three entities and allows flexibility. The
documenting privacy policies and years and retraining in the event of NPRM proposed that the notice describe
procedures rather than adopting a rigid, material changes in policy. the uses and disclosures of information
prescriptive approach to accommodate Based on public comment, that the entity expected to make without
entities of different sizes, type of particularly from small businesses, the individual authorization. The final rule
activities, and business practices. Small Department has lessened the burden in only requires that the notice describe
providers will be able to develop more the final rule. As in the proposal, the uses and disclosures that the entity is
limited policies and procedures under final rule requires all employees who permitted or required to make under the
the rule, than will large providers and are likely to have contact with protected rule without an individual’s written
health plans, based on the volume of health information to be trained. consent or authorization. This change
protected health information. We also Covered entities will have to train will allow entities to use standardized
expect that provider and health plan employees by the compliance date notice language within a given state,
associations will develop model policies specific to the type of covered entity which will minimize the burden of each
and procedures for their members, and train new employees within a covered entity preparing a notice.
which will reduce the burden on small reasonable time of initial employment. Professional associations may develop
businesses. In addition, a covered entity will have model language to assist entities in
to train each member of its workforce developing notices required by the rule.
Privacy Official whose functions are affected by a While the final rule specifies minimum
The rule requires covered entities to material change in the policies or notice requirements, it allows entities
designate a privacy official who will be procedures of such entity. However, the flexibility to add more detail about a
responsible for the development and final rule leaves to the employer the covered entity’s privacy policies.
implementation of privacy policies and decisions regarding the nature and The NPRM also proposed that health
procedures. The implementation of this method of training to achieve this plans distribute the notice every three
requirement may vary based on the size requirement. The Department expects a years. The final rule reduced this

burden by requiring health plans (in addition to providing notice to individuals at enrollment and prior to the compliance date of this rule) to inform individuals at least once every three years about the availability of the notice and how to obtain a copy, rather than to distribute a copy of the notice.

In discussing the requirement for covered entities to prepare and make available a notice, we considered exempting small businesses (83 percent of entities) or extremely small entities (fewer than 10 employees). The Department decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important a goal of this rule to exempt any entities.

In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that it would be overly burdensome to all entities, especially small entities, to require two notices. We believe that the proposed rule appropriately balances the benefits of providing individuals with information about uses and disclosures of protected health information with covered entities' need for flexibility in describing such information.

Access to Protected Health Information

The public comments demonstrate that inspection and copying of individually identifiable health information is widespread today. Individuals routinely request copies of such information, in whole or in part, for purposes that include providing health information to another health care provider or as part of legal proceedings. The amount of inspection and copying of individually identifiable health information that occurs for these purposes is not expected to change as a result of the final regulation.

The final regulation establishes the right of individuals to inspect and copy protected health information about them. Although this is an important right, the Department does not expect it to result in dramatic increases in requests from individuals. We assume that most health care providers currently have procedures for allowing patients to inspect and copy this information. The economic impact on small businesses of requiring covered entities to provide individuals with access to protected health information should be relatively small. Moreover, entities can recoup the costs of copying such information by charging reasonable cost-based fees.

Amendments to Protected Health Information

Many health care providers and health plans currently make provisions to help patients expedite amendments and corrections of their medical record where appropriate. If an error exists, both the patient and the health care provider or health plan benefit from the correction. However, as with inspection and copying, a person's right to request amendment and correction of individually identifiable health information about them is not guaranteed by all states. Based on these assumptions, the Department concludes that the principal economic effect of the final rule will be to expand the right to request amendments to protected health information held by health plans and covered health care providers to those who are not currently granted such a right by state law. In addition, the rule may draw additional attention to the issue of record inaccuracies and stimulate patient demand for amendment of medical records.

Under the final regulation, if an individual requests an amendment to protected health information about him or her, the health care provider must either accept the amendment or provide the individual with the opportunity to submit a statement disagreeing with the denial. We expect the responses to requests will vary; sometimes an assistant will only make the appropriate notation in the record, requiring only a few minutes; other times a health care provider or manager will review the request and make changes if appropriate, which may require as much as an hour.

Unlike inspections, which currently occur in a small percentage of cases, fact-finding suggests that individuals rarely seek to amend their records today, but the establishment of this right in the rule may spur more requests, including among those who in the past would have only sought to inspect their records. Nevertheless, we expect the absolute number of additional amendment requests caused by the rule to be small (about 200,000 per year, spread over more than 600,000 entities), which will impose only a minor burden on small businesses.

Accounting for Disclosures

The rule grants individuals the right to receive an accounting of disclosures made by a health care provider or plan for purposes other than treatment, payment, or health care operations, with certain exceptions such as disclosures to the individual. The individual may request an accounting of disclosures made up to six years prior to the request. In order to fulfill such requests, covered health care providers and health plans may track disclosures by making a notation in the individual's (manual or electronic) medical record when a disclosure is made. We have learned through fact-finding that some health care providers currently track various types of disclosures. Moreover, the Department does not expect many individuals will request an accounting of disclosures. Thus, this requirement will impose a minor burden on small businesses.

De-Identification of Information

In this rule, the Department allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Moreover, information that has been de-identified in accordance with the rule is not considered individually identifiable information and may be used or disclosed without regard to the requirements of the regulation. The covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified if requirements regarding derivation and security are met.

As with other components of this rule, the approach used to remove identifiers from data can be scaled to the size of the entity. Individually identifiable health information can be de-identified in one of two ways: by either removing each of the identifiers listed in the rule or by engaging in a statistical and scientific analysis to determine that the information is very unlikely to identify an individual. Small entities without the resources to conduct such an analysis can create de-identified information by removing the full list of possible identifiers set forth in this regulation. Unless the covered entity knows that the information could still identify an individual, the requirement of this rule would be fulfilled. However, larger, more sophisticated covered entities may choose to determine independently what information needs to be removed based on sophisticated statistical and scientific analysis.

Efforts to remove identifiers from information are optional. If a covered entity cannot use or disclose protected health information for a particular purpose but believes that removing identifiers is excessively burdensome, it can choose not to release the protected health information, or it can seek an authorization from individuals for the use or disclosure of protected health
information, including some or all of the identifiers.

Finally, as discussed in the Regulatory Impact Analysis, the Department believes that very few small entities engage in de-identification currently. Fewer small entities are expected to engage in such activity in the future because the increasing trend toward computerization of large record sets will result in de-identification being performed by relatively few firms or associations over time. We expect that a small covered entity will find it more efficient to contract with specialists in large firms to de-identify protected health information. Larger entities are more likely to have both the electronic systems and the volume of records that will make them attractive for this business.

Monitoring Business Associates

The final rule requires a covered entity with a business associate to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small health care providers are likely to simply adopt the language or make minor modifications. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract, if necessary, if it knows of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract. The Department expects that most entities, particularly smaller ones, will utilize standard language that restricts uses and disclosures of individually identifiable health information in their contracts with business associates. This will limit the burden on small businesses.

The NPRM proposed that covered entities be held accountable for the uses and disclosures of individually identifiable health information by their business associates. An entity would have been in violation of the rule if it knew of a breach in the contract by a business associate and failed to cure the breach or terminate the contract. The final rule reduces the extent to which an entity must monitor the actions of its business associates. The entity no longer has to "ensure" that each business associate complies with the rule's requirements. Entities will be required to cure a breach or terminate a contract for business associate actions only if they knew about a contract violation. The final rule is consistent with the oversight a business would provide for any contract, and therefore the changes in the final rule will impose no new significant cost for small businesses in monitoring their business associates' behavior.

Employers With Insured Group Health Plans

Some group health plans will use or maintain individually identifiable health information, particularly group health plans that are self-insured. Also, some plan sponsors that perform administrative functions on behalf of their group health plans may need protected health information. The final rule permits a group health plan, or a health insurance issuer or HMO that provides benefits on behalf of the group health plan, to disclose protected health information to a plan sponsor who performs administrative functions on its behalf for certain purposes and if certain requirements are met. The plan documents must be amended to: describe the permitted uses and disclosures of protected health information by the plan sponsor; specify that disclosure is permitted only upon receipt of a certification by the plan sponsor that the plan documents have been amended and the plan sponsor agrees to certain restrictions on the use of protected health information; and provide for adequate firewalls to assure that unauthorized personnel do not have access to individually identifiable health information.

Some plan sponsors may need information, not to administer the group health plan, but to amend, modify, or terminate the health plan. ERISA case law describes such activities as settlor functions. For example, a plan sponsor may want to change its contract from a preferred provider organization to a health maintenance organization (HMO). In order to obtain premium information, the health plan sponsor may need to provide the HMO with aggregate claims information. Under the rule, the health plan sponsor can obtain summary information with certain identifiers removed, in order to provide it to the HMO and receive a premium rate.

The Department assumes that most health plan sponsors who are small employers (those with 50 or fewer employees) will elect not to receive individually identifiable health information because they will have little, if any, need for such data. Any needs that sponsors of small group health plans may have for information can be accomplished by receiving the information in summary form from their health insurance issuers.

3. The Burden on a Typical Small Business

The Department expects small entities to face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions could be a larger burden to small entities as a proportion of total revenue. Due to these concerns, we have relied on the principle of scalability throughout the rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures that comply with the rule than large entities.

In many cases, we have specifically considered the impact that the rule may have on solo practitioners or rural health care providers. If a health care provider only maintains paper records and does not engage in any electronic transactions, the regulation would not apply to such provider. We assume that those providers will be small health care providers. For small health care providers that are covered health care providers, we expect that they will not be required to change their business practices dramatically, because we have based many of the standards, implementation specifications, and requirements on current practice and we have taken a flexible approach to allow scalability based on a covered entity's activities and size. In developing policies and procedures to comply with the proposed regulation, scalability allows entities to consider their basic functions and the ways in which protected health information is used or disclosed. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities within the requirements of the rule.

Cost Assumptions

To determine the cost burden to small businesses of complying with the final rule, we used as a starting point the overall cost of the regulation determined
in the regulatory impact analysis (RIA). Then we adopted a methodology that apportions the costs found in the RIA to small business by using the Census Bureau's Statistics of U.S. Businesses. This Census Bureau survey contains data on the number and proportion of establishments, by Standard Industrial Classification Code (SIC code), that have revenues of less than $5 million, which meets the Small Business Administration's definition of a small business in the health care sector. This data permitted us to calculate the proportion of the cost of each requirement in the rule that is attributable to small businesses. The methodology used for the regulatory flexibility analysis (RFA) section is therefore based on the methodology used in the RIA, which was discussed earlier.

The businesses accounted for in the SIC codes contain three groups of covered entities: non-hospital health care providers, hospitals, and health plans. Non-hospital health care providers include: drug stores, offices and clinics of doctors, dentists, osteopaths, and other health practitioners, nursing and personal care facilities, medical and dental laboratories, home health care services, miscellaneous health and allied services, and medical equipment rental and leasing establishments. Health plans include accident and health insurance and medical service plans.

Data Adjustments

Several adjustments were made to the SIC code data to more accurately determine the cost to small and non-profit businesses. For health plans (SIC code 6320), we adjusted the SIC data to include self-insured, self-administered health plans because these health plans are not included in any SIC code, though they are covered entities under the rule. Similarly, we have added third-party administrators (TPAs) into this SIC. Although they are not covered entities, TPAs are likely to be business associates of covered entities. For purposes of the regulatory analyses, we have assumed that TPAs would bear many of the same costs as the health plans to assure compliance for the covered entity. To make this adjustment, we assumed the self-insured/self-administered health plans and TPAs have the average revenue of the health plans contained in the SIC code, and then added those assumed revenues to the SIC code and to the total of all health care expenditures. Moreover, we needed to account for the cost to non-profit institutions that might receive more than $5 million in revenue, because all non-profit institutions are small businesses regardless of revenue. To make this adjustment for hospitals, nursing homes, and home health agencies, we used data on the number of non-profit institutions from industry sources and from data reported to HCFA. With this data, we assumed the current count of establishments in the SIC codes includes these non-profit entities and that non-profits have the same distribution of revenues as all establishments reported in the applicable SIC codes. The proportions discussed below, which determine the cost for small business, therefore include these non-profit establishments in SIC codes 8030, 8060, and 8080.

The SIC code tables provided in this RFA do not include several categories of businesses that are included in the total cost to small businesses. Claims clearinghouses are not included in the table because claims clearinghouses report their revenues under SIC 7374, "Computer Processing and Data Preparation," and the vast majority of businesses in this SIC code are involved in non-medical claims data processing. In addition, claims processing is often just one business line of companies that may be involved in multiple forms of data processing, and therefore, even if the claims processing line of the business generates less than $5 million in revenue, the company in total may exceed the SBA definition for a small business (the total firm revenue, not each line of business, is the standard for inclusion). Similarly, fully-insured ERISA health plans sponsored by employers are not identified as a separate category in the SIC code tables because employers in virtually all SIC codes may sponsor fully-insured health plans. We have identified the cost for small fully-insured ERISA health plans by using the Department of Labor definition of a small ERISA plan, which is a plan with fewer than 100 insured participants. Using this definition, the initial cost for small fully-insured ERISA health plans is $7.1 million. Finally, Institutional Review Boards (IRBs) will not appear in a separate SIC code because IRBs are not "businesses"; rather, they are committees of researchers who work for institutions where medical research is conducted, such as universities or teaching hospitals. IRB members usually serve as a professional courtesy or as part of their employment duties and are not paid separately for their IRB duties. Although IRBs are not "businesses" that generate revenues, we have treated them as small businesses for illustrative purposes in this RFA to demonstrate the additional opportunity costs that will be faced by those researchers who sit on IRBs. Therefore, assuming IRBs are small businesses, the initial costs are $0.089 million and ongoing costs are approximately $84.2 million over 9 years.

The Cost Model Methodology

The RIA model employs two basic methodologies to determine the costs to small businesses that are covered entities. As stated above, the RFA determines the cost to small businesses by apportioning the total costs in the RIA using SIC code data. In places where the cost of a given provision of the final rule is a function of the number of covered entities, we determined the proportion of entities in each SIC code that have less than $5 million in revenues (see Table A). We then multiplied this proportion by the per-entity cost estimate of a given provision as determined in the RIA. For example, the cost of the privacy official provision is based on the fact that each covered entity will need to have a privacy official. Therefore, we multiplied the total cost of the privacy official, as determined in the RIA, by the proportion of small businesses in each SIC code to determine the small business cost. Using hospitals for illustrative purposes, because small and non-profit hospitals account for 50 percent of all hospitals, our methodology assigned 50 percent of the cost to small hospitals.

We used a second, though similar, method when the cost of a given provision in the RIA did not depend on the number of covered entities. For example, the requirement to provide notice of the privacy policy is a direct function of the number of patients in the health care system because the actual number of notices distributed depends on how many patients are seen. Therefore, for provisions like the notice requirement, we used SIC code revenue data in a two-step process. First, we apportioned the cost of each provision among sectors of the health care industry by SIC code. For example, because hospital revenue accounts for 27 percent of all health care revenue, we multiplied the total cost of each such provision by 27 percent to determine the cost for the hospital sector in total. Then, to determine the cost for small hospitals specifically, we applied the small-establishment share of sector revenue to that sector cost. For example, 45.1 percent of all hospital revenue is generated by small hospitals; therefore, the cost to small hospitals was assumed to account for 45.1 percent of all hospital costs. Estimates, by nature,
are inexact. However, we feel this is a reasonable way to determine the small business costs attributable to this regulation given the limited data from which to work.

Total Costs and Costs Per Establishment for Small Business

Based on the methodology described above, the total cost of complying with the final rule in the initial year of 2003 is $1.9 billion. The ongoing costs to small business from 2004 to 2012 are $9.3 billion. Table C presents the initial and ongoing costs to small business by each SIC code. According to this table, small doctors' offices, small dentists' offices, and small hospitals will face the highest cost of complying with the final rule. However, much of the reason for the higher costs faced by these three groups of small health care providers is explained by the fact that there are a significant number of health care providers in these categories.
On a per-establishment basis, Table D demonstrates that the average cost for small business of complying with the proposed rule in the first year is $4,188 per establishment. The ongoing costs of privacy compliance are approximately $2,217 each year thereafter. We estimate that the average cost of compliance in the first year for each small non-hospital health care provider is approximately 0.6 percent of per-establishment revenues. In subsequent years, per-establishment costs are about 0.3 percent of per-establishment revenues. For small hospitals and health plans, the per-establishment cost of compliance in the first year is 0.2 percent and 6.3 percent of per-establishment revenues, respectively. For subsequent years, the cost is only 0.1 percent and 2.9 percent of per-establishment revenues, respectively. These costs may be offset in many firms by the savings realized through requirements of the Transactions Rule.
Table E shows the cost to each SIC code of the major cost items of the final rule. Listed are the top five most costly provisions of the rule (to small business) and then the cost of all other remaining provisions. The five most expensive provisions represent 90 percent of the ongoing costs to small business, while the remaining provisions only represent 7 percent.
Table E.—Average Annual Ongoing Cost to Small Business of Implementing Provisions of the Privacy Regulation, After the First Year (table body not reproduced in this extraction)
VI. Unfunded Mandates

The Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4) requires cost-benefit and other analyses for rules that would cost more than $100 million in a single year. The rule qualifies as a significant rule under the statute. The Department has carried out the cost-benefit analysis in sections D and E of this document, which includes a discussion of unfunded costs to state and local governments resulting from this regulation. In developing this regulation, the Department adopted the least burdensome alternatives, consistent with achieving the rule's goals.

A. Future Costs

The Department estimates some of the future costs of the rule in Section E of the Preliminary Regulatory Impact Analysis of this document. The estimates made include costs for the ten years after the effective date. As discussed in section E, state and local government costs will be in the order of $460 million in 2003 and $2.4 billion over ten years. Estimates for later years are not practical. The changes in technology are likely to alter the nature of medical record-keeping, and the uses of medical data are likely to vary dramatically over this period. Therefore, any estimates for years beyond 2012 are not feasible.

B. Particular Regions, Communities, or Industrial Sectors

The rule applies to the health care industry and would, therefore, affect that industry disproportionately. Any long-run increase in the costs of health care services would largely be passed on to the entire population of consumers. However, as discussed in the administrative implication regulation, the Transactions Rule is estimated to save the health care industry nearly $30 billion over essentially the same time period. This more than offsets the costs of the Privacy Rule; indeed, as discussed above, the establishment of consistent, national standards for the protection of medical information is essential to fully realize the savings from electronic transactions standards and other advances that may be realized through "e-health" over the next decade. Without strong privacy rules, patients and providers may be very reluctant to fully participate in electronic and e-health opportunities.

C. National Productivity and Economic Growth

The rule is not expected to substantially affect productivity or economic growth. It is possible that productivity and growth in certain sectors of the health care industry could be slightly lower than otherwise because of the need to divert research and development resources to compliance activities. The diversion of resources to compliance activities would be temporary. Moreover, the Department anticipates that, because the benefits of privacy are large, both productivity and economic growth would be higher than in the absence of the final rule. In section I.A. of this document, the Department discusses its expectation that this rule will increase communication among consumers, health plans, and providers and that implementation of privacy protections will lead more people to seek health care. The increased health of the population will lead to increased productivity and economic growth.

D. Full Employment and Job Creation

Some of the human resources devoted to the delivery of health care services will be redirected by the rule. The rule could lead to some short-run changes in employment patterns as a result of the structural changes within the health care industry. The growth of employment (job creation) for the roles typically associated with the health care profession could also temporarily change but be balanced by an increased need for those who can assist entities with complying with this rule. Therefore, while there could be a temporary slowing of growth in traditional health care professions, that will be offset by a temporary increase in growth in fields that may assist with compliance with this rule (e.g. worker training, and management consultants).

E. Exports

Because the rule does not mandate any changes in products, current export products will not be required to change in any way.

The Department consulted with state and local governments, and Tribal governments. See sections X and XI, below.

VII. Environmental Impact

The Department has determined under 21 CFR 25.30(k) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

VIII. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 30-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency;
• The accuracy of the agency's estimate of the information collection burden;
• The quality, utility, and clarity of the information to be collected; and
• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. Due to the complexity of this regulation, and to avoid redundancy of effort, we are referring readers to Section V (Final Regulatory Impact Analysis) above, to review the detailed cost assumptions associated with these PRA requirements. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section.

Section 160.204—Process for Requesting Exception Determinations

Section 160.204 would require persons requesting to except a provision of state law from preemption under § 160.203(a) to submit a written request, that meets the requirements of this section, to the Secretary to except a provision of state law from preemption under § 160.203. The burden associated with these requirements is the time and effort necessary for a state to prepare and submit the written request for an exception determination to the Secretary for approval. On an annual basis it is estimated that it will take 40 states 16 hours each to prepare and submit a request. The total annual burden associated with this requirement is 640 hours. The Department solicits public comment on the number of requests and hours for others likely to submit requests.

Section 160.306—Complaints to the Secretary

A person who believes that a covered entity is not complying with the applicable requirements of part 160 or the applicable standards, requirements,
and implementation specifications of Subpart E of part 164 of this subchapter may file a complaint with the Secretary. This requirement is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(2), an audit/administrative action exemption.

Section 160.310—Responsibilities of Covered Entities

A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164. Refer to § 164.530 for discussion.

Section 164.502—Uses and Disclosures of Protected Health Information: General Rules

A covered entity is permitted to disclose protected health information to an individual, and is required to provide an individual with access to protected health information, in accordance with the requirements set forth under § 164.524. Refer to § 164.524 for discussion.

Section 164.504—Uses and Disclosures—Organizational Requirements

Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for treatment purposes, § 164.504 requires a covered entity to maintain documentation demonstrating that it meets the requirements set forth in this section and to demonstrate that it has obtained satisfactory assurance from business associates that meet the requirements of this part with each of its business associates. The burden is 5 minutes per entity times an annual average of 764,799 entities for a total burden of 63,733 burden hours.

Section 164.506—Consent for Treatment, Payment, and Health Care Operations

Except in certain circumstances, a covered health care provider that has a direct treatment relationship must obtain an individual's consent for use or disclosure of protected health information for treatment, payment, or health care operations. While this requirement is subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

Section 164.508—Uses and Disclosures for Which Individual Authorization Is Required

Under this section, a covered entity will need to obtain a written authorization from an individual, before it uses or discloses protected health information of the individual if the use or disclosure is not otherwise permitted or required under the rule without authorization. The burden associated with these requirements is the time and effort necessary for a covered entity to obtain written authorization prior to the disclosure of individually identifiable health information. On an annual basis, we estimate that it will take 764,799 entities, an annual average burden per entity of one hour for a total annual burden of 764,799 burden hours.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Section 164.510 allows, but does not require, covered entities to use or disclose protected health information: (1) for health care institutions' directories; and (2) to family members, close friends, or other persons assisting in an individual's care, as well as government agencies and disaster relief organizations conducting disaster relief activities. This section of the rule addresses situations in which the interaction between the covered entity and the individual is relatively informal, and agreements may be made orally, without written authorizations for use or disclosure. In general, to disclose protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In certain circumstances, such as in an emergency, when this informal discussion cannot practicably occur, covered entities can make decisions about disclosure or use, in accordance with the requirements of this section based on their professional judgment of what is in the patient's best interest. While these provisions are subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

Section 164.512—Uses and Disclosures for Which Consent, Individual Authorization, or Opportunity To Agree or Object Is Not Required

Section 164.512 includes provisions that allow, but that do not require, covered entities to disclose protected health information without individual authorization for a variety of purposes which represent important national priorities. Pursuant to § 164.512, covered entities may disclose protected health information for specified purposes as follows: as required by law; for public health activities; to public officials regarding victims of abuse, neglect, or domestic violence; for health oversight; for judicial and administrative proceedings; for law enforcement; for specified purposes regarding decedents; for organ donation and transplantation; for research; to avert an imminent threat to health or safety; for specialized government functions (such as for intelligence and national security activities); and to comply with workers' compensation laws. While these provisions are subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

For research, if a covered entity wants to use or disclose protected health information without individual authorization, it must obtain documentation that a waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or a privacy board. The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have obtained IRB or privacy board approval, which meet the requirements of this section. On an annual basis it is estimated that these requirements will affect 113,524 IRB reviews. We further estimate that it will take an average of 5 minutes per review to meet these requirements on an annual basis. Therefore, the total estimated annual burden associated with this requirement is 9,460 hours.

Section 164.514—Other Procedural Requirements Relating to Uses and Disclosures of Protected Health Information

Prior to any disclosure permitted by this subpart, a covered entity must verify the identity and authority of persons requesting protected health information, if the identity or authority of such person is not known to the
covered entity, and obtain any documentation, statements, or representations from the person requesting the protected health information that is required as a condition of the disclosure. In addition, a covered entity must retain any signed consent pursuant to § 164.506 and any signed authorization pursuant to § 164.508 for documentation purposes as required by § 164.530(j). This requirement is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(1) and (1)(2).

Section 164.520—Notice of Privacy Practices for Protected Health Information

Except in certain circumstances set forth in this section, individuals have a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. To comply with this requirement a covered entity must provide a notice, written in plain language, that includes the elements set forth in this section. For health plans, there will be an average of 160.2 million notices each year. We assume that the most efficient means of distribution for health plans will be to send them out annually as part of the materials they send to current and potential enrollees, even though it is not required by the regulation. The number of notices per health plan per year would be about 10,570. We further estimate that it will require each health plan, on average, only 10 seconds to disseminate each notice. The total annual burden associated with this requirement is calculated to be 267,000 hours. Health care providers with direct treatment relationships would provide a copy of the notice to an individual at the time of first service delivery to the individual, make the notice available at the service delivery site for individuals to request and take with them, whenever the content of the notice is revised, make the notice available upon request and post the notice, if required by this section, and post a copy of the notice in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice. The annual number of notices disseminated by all providers is 613 million. We further estimate that it will require each health provider, on average, 10 seconds to disseminate each notice. This estimate is based upon the assumption that the required notice will be incorporated into and disseminated with other patient materials. The total annual burden associated with this requirement is calculated to be 1 million hours.

In addition, a covered entity must document compliance with the notice requirements by retaining copies of the notices issued by the covered entity. Refer to § 164.530 for discussion.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of health plan or health care provider, we are explicitly soliciting comment on the burden associated with the following requirements; as outlined and required by this section, covered entities must provide individuals with the opportunity to request restrictions related to the uses or disclosures of protected health information for treatment, payment, or health care operations. In addition, covered entities must accommodate requests for confidential communications in certain situations.

Section 164.524—Access of Individuals to Protected Health Information

As set forth in this section, covered entities must provide individuals with access to inspect and obtain a copy of protected health information about them in designated record sets, for so long as the protected health information is maintained in the designated record sets. This includes such information in a business associate's designated record set that is not a duplicate of the information held by the health care provider or health plan for so long as the information is maintained. Where the request is denied in whole or in part, the covered entity must provide the individual with a written statement of the basis for the denial and a description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.530 or to the Secretary pursuant to the procedures established in § 160.306 of this subpart. In certain cases, the covered entity must provide the individual the opportunity to have another health care professional review the denial. Pursuant to public comment, we estimate that each disclosure will contain 31 pages and that 150,000 disclosures will be made on an annual basis at three minutes per disclosure for a total burden of 7,500 hours. Refer to section V.E. for detailed discussion related to the costs associated with meeting these requirements.

Section 164.526—Amendment of Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of health plan or health care provider, we are explicitly soliciting comment on the burden associated with the following requirements: Individuals have the right to request amendment of protected health information about them in designated record sets created by a covered entity. Where the request is denied, a covered entity must provide the individual with a written statement of the basis for the denial and an explanation of how the individual may pursue the matter, including how to file a complaint with the Secretary pursuant to § 160.306 of this subpart. As appropriate, a covered entity must identify the protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, if any, and the covered entity's rebuttal, if any, to the designated record set.

Section 164.528—Accounting for Disclosures of Protected Health Information

Based upon public comment it is assumed that it will take 5 minutes per request times 1,081,000 requests for an annual burden of 90,083 hours. An individual may request that a covered entity provide an accounting for disclosure for a period of time less than six years from the date of the individual's request, as outlined in this section.

Section 164.530—Administrative Requirements

A covered entity must maintain such policies and procedures in written or electronic form where policies or procedures with respect to protected health information are required by this subpart. Where a communication is required by this subpart to be in writing, a covered entity must maintain such writing, or an electronic copy, as documentation; and where an action or activity is required by this subpart to be documented, it must maintain a written or electronic record of such action or activity. While these requirements are subject to the PRA, we believe the burden associated with these requirements is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

We have submitted a copy of this rule to OMB for its review of the information collection requirements in §§ 160.204, 160.306, 160.310, 164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524, 164.526, 164.528, and Sec. 164.530. These requirements are not effective until they have been approved by OMB. If you comment on any of these information collection and record keeping requirements, please mail copies directly to the following: Health Care Financing Administration, Office of Information Services, Division of HCFA Enterprise Standards, Room N2–14–26, 7500 Security Boulevard, Baltimore, MD 21244–1850. ATTN: John Burke and to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503. ATTN: Allison Herron Eydt, HCFA Desk Officer.

IX. Executive Order 13132: Federalism

The Department has examined the effects of provisions in the final privacy regulation on the relationship between the federal government and the states, as required by Executive Order 13132 on "Federalism." Our conclusion is that the final rule does have federalism implications because the rule has substantial direct effects on states, on the relationship between the national government and states, and on the distribution of power and responsibilities among the various levels of government. The federalism implications of the rule, however, flow from, and are consistent with, the underlying statute. The statute's allowance for us to preempt state or local rules that provide less stringent privacy protection requirements than federal law is consistent with this Executive Order. Overall, the final rule attempts to balance both the autonomy of the states with the necessity to create a federal benchmark to preserve the privacy of personally identifiable health information.

It is recognized that the states generally have laws that relate to the privacy of individually identifiable health information. The HIPAA statute dictates the relationship between state law and this final rule. Except for laws that are specifically exempted by the HIPAA statute, state laws continue to be enforceable, unless they are contrary to Part C of Title XI of the standards, requirements, or implementation specifications adopted or pursuant to subpart x. However, under section 264(c)(2), not all contrary provisions of state privacy laws are preempted; rather, the law provides that contrary provisions of state law relating to the privacy of individually identifiable health information that are also "more stringent" than the federal regulatory requirements or implementation specifications will continue to be enforceable.

Section 3(b) of Executive Order 13132 recognizes that national action limiting the policymaking discretion of states will be imposed "* * * only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance." Personal privacy issues are widely identified as a national concern by virtue of the scope of interstate health commerce. HIPAA's provisions reflect this position. HIPAA attempts to facilitate the electronic exchange of financial and administrative health plan transactions while recognizing challenges that local, national, and international information sharing raise to confidentiality and privacy of health information.

Section 3(d)(2) of the Executive Order 13132 requires the federal government to defer to the states to establish standards where possible. HIPAA requires the Department to establish standards, and we have done so accordingly. This approach is a key component of the final Privacy Rule, and it adheres to section 4(a) of Executive Order 13132, which expressly contemplates preemption when there is a conflict between exercising state and federal authority under federal statute. Section 262 of HIPAA enacted Section 1178 of the Social Security Act, developing a "general rule" that state laws or provisions that are contrary to the provisions or requirements of Part C of Title XI, or the standards or implementation specifications adopted, or established thereunder are preempted. Several exceptions to this rule exist, each of which is designed to maintain a high degree of state autonomy.

Moreover, section 4(b) of the Executive Order authorizes preemption of state law in the federal rule making context when "the exercise of state authority directly conflicts with the exercise of federal authority under federal statute * * *." Section 1178(a)(2)(B) of HIPAA specifically preempts state laws related to the privacy of individually identifiable health information unless the state law is more stringent. Thus, we have interpreted state and local laws and regulations that would impose less stringent requirements for protection of individually identifiable health information as undermining the agency's goal of ensuring that all patients who receive medical services are assured a minimum level of personal privacy. Particularly where the absence of privacy protection undermines an individual's access to health care services, both the personal and public interest is served by establishing federal rules.

The final rule would establish national minimum standards with respect to the collection, maintenance, access, use, and disclosure of individually identifiable health information. The federal law will preempt state law only where state and federal laws are "contradictory" and the federal regulation is judged to establish "more stringent" privacy protections than state laws.

As required by the previous Executive Order (E.O. 13132), states and local governments were given, through the notice of proposed rule making, an opportunity to participate in the proceedings to preempt state and local laws (section 4(e)). The Secretary also provided a review of preemption issues upon requests from states. In addition, anticipating the promulgation of the Executive Order, appropriate officials and organizations were consulted before this proposed action is implemented (Section 3(a) of Executive Order 13132). The same section also includes some qualitative discussion of costs that would occur beyond that time period. Most of the costs of the proposed rule, however, would occur in the years immediately after the publication of a final rule. Future costs beyond the ten year period will continue but will not be as great as the initial compliance costs. Finally, we have considered the cost burden that this proposed rule would impose on state and local health care programs, such as Medicaid, county hospitals, and other state health benefits programs. As discussed in Section E of the Regulatory Impact Analysis of this document, we estimate state and local government costs will be in the order of $460 million in 2003 and $2.4 billion over ten years.

The agency concludes that the policy in this final document has been assessed in light of the principles, criteria, and requirements in Executive Order 13132; that this policy is not inconsistent with that Order; that this policy will not impose significant additional costs and burdens on the states; and that this policy will not affect the ability of the states to discharge traditional state governmental functions.

During our consultation with the states, representatives from various state agencies and offices expressed concern that the final regulation would preempt
all state privacy laws. As explained in this section, the regulation would only preempt state laws where there is a direct conflict between state laws and the regulation, and where the regulation provides more stringent privacy protection than state law. We discussed this issue during our consultation with state representatives, who generally accepted our approach to the preemption issue. During the consultation, we requested further information from the states about whether they currently have laws requiring that providers have a "duty to warn" family members or third parties about a patient's condition other than in emergency circumstances. Since the consultation, we have not received additional comments or questions from the states.

X. Executive Order 13086; Consultation and Coordination With Indian Tribal Governments

In drafting the proposed rule, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as with a representative of the self-governance Tribes. During the consultation, we discussed issues regarding the application of Title II of HIPAA to the Tribes, and potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. Participants raised questions about the status of Tribal laws regarding the privacy of health information.

List of Subjects

45 CFR Part 160

Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health

transactions and identifiers, and new Part 164 consists of the regulations implementing the security and privacy requirements of the legislation.

Dated: December 19, 2000.
Donna Shalala,
Secretary.

For the reasons set forth in the preamble, 45 CFR Subtitle A, Subchapter C, is amended as follows:

1. Part 160 is revised to read as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

Subpart A—General Provisions
160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.

Subpart B—Preemption of State Law
160.201 Applicability.
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.

Subpart C—Compliance and Enforcement
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance reviews.

Authority: Sec. 1171 through 1179 of the Social Security Act, (42 U.S.C. 1320d–1329d–8) as added by sec. 262 of Pub. L. 104–191, 110 Stat. 2021–2031 and sec. 264 of Pub. L. 104–191 (42 U.S.C. 1320d–2(note)).

Subpart A—General Provisions

§ 160.101 Statutory basis and purpose.

Portability Act of 1996, (Pub. L. 104–191), nothing in this subchapter shall be construed to diminish the authority of any Inspector General, including such authority as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App.).

§ 160.103 Definitions.

Except as otherwise provided, the following definitions apply to this subchapter:

Act means the Social Security Act.

ANSI stands for the American National Standards Institute.

Business associate: (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered
records, Medicaid, Medical research, The requirements of this subchapter entity, or to or for an organized health
Medicare, Privacy, Reporting and record implement sections 1171 through 1179 care arrangement in which the covered
keeping requirements. of the Social Security Act (the Act), as entity participates, where the provision
45 CFR Part 164 added by section 262 of Public Law of the service involves the disclosure of
104–191, and section 264 of Public Law individually identifiable health
Electronic transactions, Employer information from such covered entity or
104–191.
benefit plan, Health, Health care, Health arrangement, or from another business
facilities, Health insurance, Health § 160.102 Applicability. associate of such covered entity or
records, Medicaid, Medical research, (a) Except as otherwise provided, the arrangement, to the person.
Medicare, Privacy, Reporting and record standards, requirements, and (2) A covered entity participating in
keeping requirements. implementation specifications adopted an organized health care arrangement
Note: to reader: This final rule is one of under this subchapter apply to the that performs a function or activity as
several proposed and final rules that are following entities: described by paragraph (1)(i) of this
being published to implement the (1) A health plan. definition for or on behalf of such
Administrative Simplification provisions of (2) A health care clearinghouse. organized health care arrangement, or
the Health Insurance Portability and (3) A health care provider who that provides a service as described in
Accountability Act of 1996. 45 CFR
subchapter C consisting of Parts 160 and 162
transmits any health information in paragraph (1)(ii) of this definition to or
was added at 65 FR 50365, Aug. 17, 2000. electronic form in connection with a for such organized health care
Part 160 consists of general provisions, Part transaction covered by this subchapter. arrangement, does not, simply through
162 consists of the various administrative (b) To the extent required under the performance of such function or
simplification regulations relating to section 201(a)(5) of the Health Insurance activity or the provision of such service,

become a business associate of other covered entities participating in such organized health care arrangement.
(3) A covered entity may be a business associate of another covered entity.

Compliance date means the date by which a covered entity must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Group health plan (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg–91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:
(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an entity other than the employer that established and maintains the plan.

HCFA stands for Health Care Financing Administration within the Department of Health and Human Services.

HHS stands for the Department of Health and Human Services.

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘‘value-added’’ networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health information means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg–91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

Health maintenance organization (HMO) (as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg–91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such HMO.

Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)).
(1) Health plan includes the following, singly or in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.
(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(ix) The health care program for active military personnel under title 10 of the United States Code.
(x) The veterans health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w–21 through 1395w–28.
(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg–91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of, health care; or
(B) Whose principal activity is:
(1) The direct provision of health care to persons; or
(2) The making of grants to fund the direct provision of health care to persons.

Implementation specification means specific requirements or instructions for implementing a standard.

Modify or modification refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.

Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Small health plan means a health plan with annual receipts of $5 million or less.

Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems, services or practices:
(i) Classification of components.
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of individually identifiable health information.

Standard setting organization (SSO) means an organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.

State refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

Trading partner agreement means an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

§ 160.104 Modifications.

(a) Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more frequently than once every 12 months.
(b) The Secretary may adopt a modification at any time during the first year after the standard or implementation specification is initially adopted, if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification.
(c) The Secretary will establish the compliance date for any standard or implementation specification modified under this section.
(1) The compliance date for a modification is no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification.
(2) The Secretary may consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification.
(3) The Secretary may extend the compliance date for small health plans, as the Secretary determines is appropriate.

Subpart B—Preemption of State Law

§ 160.201 Applicability.

The provisions of this subpart implement section 1178 of the Act, as added by section 262 of Public Law 104–191.

§ 160.202 Definitions.

For purposes of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:
(1) A covered entity would find it impossible to comply with both the State and federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104–191, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually identifiable health information.
(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.
(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.
(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

§ 160.203 General rule and exceptions.

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(a) A determination is made by the Secretary under § 160.204 that the provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse related to the provision of or payment for health care;
(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;
(iii) For State reporting on health care delivery or costs; or
(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
(b) The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

§ 160.204 Process for requesting exception determinations.

(a) A request to except a provision of State law from preemption under § 160.203(a) may be submitted to the Secretary. A request by a State must be submitted through its chief elected official, or his or her designee. The request must be in writing and include the following information:
(1) The State law for which the exception is requested;
(2) The particular standard, requirement, or implementation specification for which the exception is requested;
(3) The part of the standard or other provision that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;
(4) How health care providers, health plans, and other entities would be affected by the exception;
(5) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets one or more of the criteria at § 160.203(a); and
(6) Any other information the Secretary may request in order to make the determination.
(b) Requests for exception under this section must be submitted to the Secretary at an address that will be published in the Federal Register. Until the Secretary’s determination is made, the standard, requirement, or implementation specification under this subchapter remains in effect.
(c) The Secretary’s determination under this section will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the criteria at § 160.203(a) has been met.

§ 160.205 Duration of effectiveness of exception determinations.

An exception granted under this subpart remains in effect until:
(a) Either the State law or the federal standard, requirement, or implementation specification that provided the basis for the exception is materially changed such that the ground for the exception no longer exists; or
(b) The Secretary revokes the exception, based on a determination that the ground supporting the need for the exception no longer exists.

Subpart C—Compliance and Enforcement

§ 160.300 Applicability.

This subpart applies to actions by the Secretary, covered entities, and others with respect to ascertaining the compliance by covered entities with and the enforcement of the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.302 Definitions.

As used in this subpart, terms defined in § 164.501 of this subchapter have the same meanings given to them in that section.

§ 160.304 Principles for achieving compliance.

(a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(b) Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint. A person who believes a covered entity is not complying with the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter may file a complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or electronically.
(2) A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance.

§ 160.308 Compliance reviews.

The Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.310 Responsibilities of covered entities.

(a) Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(b) Cooperate with complaint investigations and compliance reviews. A covered entity must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of a covered entity to determine whether it is complying with the applicable requirements of this part 160 and the standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
(c) Permit access to information. (1) A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice.
(2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information.
(3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter, or if otherwise required by law.

§ 160.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution where noncompliance is indicated. (1) If an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates a failure to comply, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing and attempt to resolve the matter by informal means whenever possible.
(2) If the Secretary finds the covered entity is not in compliance and determines that the matter cannot be resolved by informal means, the Secretary may issue to the covered entity and, if the matter arose from a complaint, to the complainant written findings documenting the noncompliance.
(b) Resolution when no violation is found. If, after an investigation or compliance review, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant in writing.

2. A new Part 164 is added to read as follows:

PART 164—SECURITY AND PRIVACY

Subpart A—General Provisions
Sec.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.

Subparts B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information
164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information: General rules.
164.504 Uses and disclosures: Organizational requirements.
164.506 Consent for uses or disclosures to carry out treatment, payment, and health care operations.
164.508 Uses and disclosures for which an authorization is required.
164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
164.514 Other requirements relating to uses and disclosures of protected health information.
164.520 Notice of privacy practices for protected health information.
164.522 Rights to request privacy protection for protected health information.
164.524 Access of individuals to protected health information.
164.526 Amendment of protected health information.
164.528 Accounting of disclosures of protected health information.
164.530 Administrative requirements.
164.532 Transition requirements.
164.534 Compliance dates for initial implementation of the privacy standards.

Authority: 42 U.S.C. 1320d–2 and 1320d–4, sec. 264 of Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320(d–2(note)).

Subpart A—General Provisions

§ 164.102 Statutory basis.

The provisions of this part are adopted pursuant to the Secretary’s authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104–191.

§ 164.104 Applicability.

Except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act.

§ 164.106 Relationship to other parts.

In complying with the requirements of this part, covered entities are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.

Subpart B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information

§ 164.500 Applicability.

(a) Except as otherwise provided herein, the standards, requirements, and
implementation specifications of this subpart apply to covered entities with respect to protected health information.
(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:
(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(iv) Section 164.504 relating to the organizational requirements for covered entities, including the designation of health care components of a covered entity;
(v) Section 164.512 relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.
(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.
(c) The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.

§ 164.501 Definitions.
As used in this subpart, the following terms have the following meanings:
Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.
Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).
Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Indirect treatment relationship means a relationship between an individual and a health care provider in which:
(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
Individual means the person who is the subject of protected health information.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Inmate means a person incarcerated in or otherwise confined to a correctional institution.
Law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
(1) Investigate or conduct an official inquiry into a potential violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Marketing means to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.
(1) Marketing does not include communications that meet the requirements of paragraph (2) of this definition and that are made by a covered entity:
(i) For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; or
(ii) That are tailored to the circumstances of a particular individual and the communications are:
(A) Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or
(B) Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.
(2) A communication described in paragraph (1) of this definition is not included in marketing if:
(i) The communication is made orally; or
(ii) The communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.
Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint arrangement; and
(ii) Participate in joint activities that include at least one of the following:
(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
Payment means:
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
(ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health plan.
Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).
Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

§ 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;
(iv) Pursuant to and in compliance with a valid authorization under § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subpart.
(b) Standard: Minimum necessary. (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and
(v) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
(c) Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a).
(d) Standard: Uses and disclosures of de-identified protected health information.
(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that:
(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.
(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or
(C) With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.504(e).
(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).
(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual.
(g)(1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(3) Implementation specification: unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
(i) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
(iii) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.
(4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.
(h) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of § 164.522(b) in communicating protected health information.
(i) Standard: Uses and disclosures consistent with notice. A covered entity that is required by § 164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)–(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.
(j) Standard: Disclosures by whistleblowers and workforce member crime victims.
(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional
Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.
Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
Health care component has the following meaning:
(1) Components of a covered entity that perform covered functions are part of the health care component.
(2) Another component of the covered entity is part of the entity’s health care component to the extent that:
(i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and
(ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.
Hybrid entity means a single legal entity that is a covered entity and whose covered functions are not its primary functions.
Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan
(i) A reference in such provision to a ‘‘covered entity’’ refers to a health care component of the covered entity;
(ii) A reference in such provision to a ‘‘health plan,’’ ‘‘covered health care provider,’’ or ‘‘health care clearinghouse’’ refers to a health care component of the covered entity if such health care component performs the functions of a health plan, covered health care provider, or health care clearinghouse, as applicable; and
(iii) A reference in such provision to ‘‘protected health information’’ refers to protected health information that is created or received by or on behalf of the health care component of the covered entity.
(2) Implementation specifications: Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this subpart. In particular, and without limiting this requirement, such covered entity must ensure that:
(i) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which this subpart would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;
(ii) A component that is described by paragraph (2)(i) of the definition of health care component in this section does not use or disclose protected health information that is within paragraph (2)(ii) of such definition for
standards or misconduct by the covered sponsor. purposes of its activities other than
entity; or Summary health information means those described by paragraph (2)(i) of
(B) An attorney retained by or on information, that may be individually such definition in a way prohibited by
behalf of the workforce member or identifiable health information, and: this subpart; and
business associate for the purpose of (1) That summarizes the claims (iii) If a person performs duties for
determining the legal options of the history, claims expenses, or type of both the health care component in the
workforce member or business associate claims experienced by individuals for capacity of a member of the workforce
with regard to the conduct described in whom a plan sponsor has provided of such component and for another
paragraph (j)(1)(i) of this section. health benefits under a group health component of the entity in the same
(2) Disclosures by workforce members plan; and capacity with respect to that
who are victims of a crime. A covered (2) From which the information component, such workforce member
entity is not considered to have violated described at § 164.514(b)(2)(i) has been must not use or disclose protected
the requirements of this subpart if a deleted, except that the geographic health information created or received
member of its workforce who is the information described in in the course of or incident to the
victim of a criminal act discloses § 164.514(b)(2)(i)(B) need only be member’s work for the health care
protected health information to a law aggregated to the level of a five digit zip component in a way prohibited by this
enforcement official, provided that: code. subpart.
(i) The protected health information (b) Standard: Health care component. (3) Implementation specifications:
disclosed is about the suspected If a covered entity is a hybrid entity, the Responsibilities of the covered entity. A
perpetrator of the criminal act; and requirements of this subpart, other than covered entity that is a hybrid entity has
(ii) The protected health information the requirements of this section, apply the following responsibilities:
disclosed is limited to the information only to the health care component(s) of (i) For purposes of subpart C of part
listed in § 164.512(f)(2)(i). the entity, as specified in this section. 160 of this subchapter, pertaining to
(c)(1) Implementation specification: compliance and enforcement, the
§ 164.504 Uses and disclosures: Application of other provisions. In covered entity has the responsibility to
Organizational requirements. applying a provision of this subpart, comply with this subpart.
(a) Definitions. As used in this other than this section, to a hybrid (ii) The covered entity has the
section: entity: responsibility for complying with


§ 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with this subpart, including the safeguard requirements in paragraph (c)(2) of this section.
(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j).
(d)(1) Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this subpart.
(2) Implementation specifications: Requirements for designation of an affiliated covered entity. (i) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this subpart, if all of the covered entities designated are under common ownership or control.
(ii) The designation of an affiliated covered entity must be documented and the documentation maintained as required by § 164.530(j).
(3) Implementation specifications: Safeguard requirements. An affiliated covered entity must ensure that:
(i) The affiliated covered entity’s use and disclosure of protected health information comply with the applicable requirements of this subpart; and
(ii) If the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, the affiliated covered entity complies with paragraph (g) of this section.
(e)(1) Standard: Business associate contracts. (i) The contract or other arrangement between the covered entity and the business associate required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(3) Implementation specifications: Other arrangements. (i) If a covered entity and its business associate are both governmental entities:
(A) The covered entity may comply with paragraph (e) of this section by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this section, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section.
(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph (e), provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(3)(i) of this section, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.
(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
(4) Implementation specifications: Other requirements for contracts and other arrangements. (i) The contract or other arrangement between the covered entity and the business associate may


permit the business associate to use the information received by the business associate in its capacity as a business associate to the covered entity, if necessary:
(A) For the proper management and administration of the business associate; or
(B) To carry out the legal responsibilities of the business associate.
(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(f)(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.
(ii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of:
(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation specifications: Requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:
(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;
(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.
(3) Implementation specifications: Uses and disclosures. A group health plan may:
(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;
(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
(g) Standard: Requirements for a covered entity with multiple covered functions.
(1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed.


(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity’s health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed.

§ 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Consent requirement. (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:
(i) The covered health care provider has an indirect treatment relationship with the individual; or
(ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)–(C) of this section to carry out treatment, payment, or health care operations:
(A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual’s consent to receive treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.
(4) If a covered entity is not required to obtain consent by paragraph (a)(1) of this section, it may obtain an individual’s consent for the covered entity’s own use or disclosure of protected health information to carry out treatment, payment, or health care operations, provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a consent obtained by a covered entity under this section is not effective to permit another covered entity to use or disclose protected health information.
(b) Implementation specifications: General requirements. (1) A covered health care provider may condition treatment on the provision by the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment.
(3) A consent under this section may not be combined in a single document with the notice required by § 164.520.
(4)(i) A consent for use or disclosure may be combined with other types of written legal permission from the individual (e.g., an informed consent for treatment or a consent to assignment of benefits), if the consent under this section:
(A) Is visually and organizationally separate from such other written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research authorization under § 164.508(f).
(5) An individual may revoke a consent under this section at any time, except to the extent that the covered entity has taken action in reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent under this section as required by § 164.530(j).
(c) Implementation specifications: Content requirements. A consent under this section must be in plain language and:
(1) Inform the individual that protected health information may be used and disclosed to carry out treatment, payment, or health care operations;
(2) Refer the individual to the notice required by § 164.520 for a more complete description of such uses and disclosures and state that the individual has the right to review the notice prior to signing the consent;
(3) If the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with § 164.520(b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested restrictions; and
(iii) If the covered entity agrees to a requested restriction, the restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance thereon; and
(6) Be signed by the individual and dated.
(d) Implementation specifications: Defective consents. There is no consent under this section, if the document submitted has any of the following defects:
(1) The consent lacks an element required by paragraph (c) of this section, as applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5) of this section.
(e) Standard: Resolving conflicting consents and authorizations. (1) If a covered entity has obtained a consent under this section and receives any other authorization or written legal permission from the individual for a disclosure of protected health information to carry out treatment, payment, or health care operations, the covered entity may disclose such protected health information only in accordance with the more restrictive consent, authorization, or other written legal permission from the individual.
(2) A covered entity may attempt to resolve a conflict between a consent and an authorization or other written legal permission from the individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section for the disclosure to carry out treatment, payment, or health care operations; or
(ii) Communicating orally or in writing with the individual in order to determine the individual’s preference in resolving the conflict. The covered entity must document the individual’s preference and may only disclose protected health information in accordance with the individual’s preference.


(f)(1) Standard: Joint consents. Covered entities that participate in an organized health care arrangement and that have a joint notice under § 164.520(d) may comply with this section by a joint consent.
(2) Implementation specifications: Requirements for joint consents. (i) A joint consent must:
(A) Include the name or other specific identification of the covered entities, or classes of covered entities, to which the joint consent applies; and
(B) Meet the requirements of this section, except that the statements required by this section may be altered to reflect the fact that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

§ 164.508 Uses and disclosures for which an authorization is required.

(a) Standard: Authorizations for uses and disclosures. (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
(2) Authorization required: psychotherapy notes. Notwithstanding any other provision of this subpart, other than transition provisions provided for in § 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care operations, consistent with consent requirements in § 164.506:
(A) Use by originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend a legal action or other proceeding brought by the individual; and
(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
(b) Implementation specifications: General requirements.—(1) Valid authorizations.
(i) A valid authorization is a document that contains the elements listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c), (d), (e), or (f) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization lacks an element required by paragraph (c), (d), (e), or (f) of this section, if applicable;
(v) The authorization violates paragraph (b)(3) of this section, if applicable;
(vi) Any material information in the authorization is known by the covered entity to be false.
(3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined as permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;
(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.
(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization under paragraph (f) of this section;
(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual’s enrollment in the health plan, if:
(A) The authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section;
(iii) A health plan may condition payment of a claim for specified benefits on provision of an authorization under paragraph (e) of this section, if:
(A) The disclosure is necessary to determine payment of such claim; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
(iv) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
(5) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.
(6) Documentation. A covered entity must document and retain any signed authorization under this section as required by § 164.530(j).
(c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00351 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82812 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
(iv) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
(v) A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
(vi) A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;
(vii) Signature of the individual and date; and
(viii) If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.
(2) Plain language requirement. The authorization must be written in plain language.
(d) Implementation specifications: Authorizations requested by a covered entity for its own uses and disclosures. If an authorization is requested by a covered entity for its own use or disclosure of protected health information that it maintains, the covered entity must comply with the following requirements.
(1) Required elements. The authorization for the uses or disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements:
(i) For any authorization to which the prohibition on conditioning in paragraph (b)(4) of this section applies, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual’s providing authorization for the requested use or disclosure;
(ii) A description of each purpose of the requested use or disclosure;
(iii) A statement that the individual may:
(A) Inspect or copy the protected health information to be used or disclosed as provided in § 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result.
(2) Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization.
(e) Implementation specifications: Authorizations requested by a covered entity for disclosures by others. If an authorization is requested by a covered entity for another covered entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment, or health care operations, the covered entity requesting the authorization must comply with the following requirements.
(1) Required elements. The authorization for the disclosures described in this paragraph must, in addition to meeting the requirements of paragraph (c) of this section, contain the following elements:
(i) A description of each purpose of the requested disclosure;
(ii) Except for an authorization on which payment may be conditioned under paragraph (b)(4)(iii) of this section, a statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual’s providing authorization for the requested use or disclosure; and
(iii) A statement that the individual may refuse to sign the authorization.
(2) Copy to the individual. A covered entity must provide the individual with a copy of the signed authorization.
(f) Implementation specifications: Authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.
(1) Required elements. Except as otherwise permitted by § 164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment of individuals must obtain an authorization for the use or disclosure of such information. Such authorization must:
(i) For uses and disclosures not otherwise permitted or required under this subpart, meet the requirements of paragraphs (c) and (d) of this section; and
(ii) Contain:
(A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;
(B) A description of any protected health information that will not be used or disclosed for purposes permitted in accordance with §§ 164.510 and 164.512, provided that the covered entity may not include a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i); and
(C) If the covered entity has obtained or intends to obtain the individual’s consent under § 164.506, or has provided or intends to provide the individual with a notice under § 164.520, the authorization must refer to that consent or notice, as applicable, and state that the statements made pursuant to this section are binding.
(2) Optional procedure. An authorization under this paragraph may be in the same document as:
(i) A consent to participate in the research;
(ii) A consent to use or disclose protected health information to carry out treatment, payment, or health care operations under § 164.506; or
(iii) A notice of privacy practices under § 164.520.

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
A covered entity may use or disclose protected health information without the written consent or authorization of the individual as described by §§ 164.506 and 164.508, respectively, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the disclosure in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.
(a) Standard: use and disclosure for facility directories. (1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:
(i) Use the following protected health information to maintain a directory of individuals in its facility:
(A) The individual’s name;
(B) The individual’s location in the covered health care provider’s facility;
(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and
(D) The individual’s religious affiliation; and
(ii) Disclose for directory purposes such information:
(A) To members of the clergy; or
(B) Except for religious affiliation, to other persons who ask for the individual by name.
(2) Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section.
(3) Emergency circumstances. (i) If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual’s incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility’s directory, if such disclosure is:
(A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and
(B) In the individual’s best interest as determined by the covered health care provider, in the exercise of professional judgment.
(ii) The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so.
(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes. (1) Permitted uses and disclosures. (i) A covered entity may, in accordance with paragraphs (b)(2) or (3) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care.
(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section, as applicable.
(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:
(i) Obtains the individual’s agreement;
(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
(iii) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
(3) Limited uses and disclosures when the individual is not present. If the individual is not present for, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
(4) Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2) and (3) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.

§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
A covered entity may use or disclose protected health information without the written consent or authorization of the individual as described in §§ 164.506 and 164.508, respectively, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.
(a) Standard: Uses and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.
(b) Standard: uses and disclosures for public health activities. (1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
(iii) A person subject to the jurisdiction of the Food and Drug Administration:
(A) To report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations if the disclosure is made to the person required or directed to report such information to the Food and Drug Administration;
(B) To track products if the disclosure is made to a person required or directed by the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including locating and
notifying individuals who have received products of product recalls, withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with requirements or at the direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the workforce of the employer, if:
(A) The covered entity is a covered health care provider who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the workplace; or
(2) To evaluate whether the individual has a work-related illness or injury;
(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance;
(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the health care is provided; or
(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.
(c) Standard: Disclosures about victims of abuse, neglect or domestic violence. (1) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:
(i) To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
(ii) If the individual agrees to the disclosure; or
(iii) To the extent the disclosure is expressly authorized by statute or regulation and:
(A) The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
(B) If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
(2) Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if:
(i) The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or
(ii) The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(d) Standard: Uses and disclosures for health oversight activities. (1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.
(2) Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.
(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.
(4) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section.
(e) Standard: Disclosures for judicial and administrative proceedings.
(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by
such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail a notice to the individual’s last known address);
(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
(1) No objections were filed; or
(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of this section.
(2) Other uses and disclosures under this section. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information.
(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.
(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:
(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate law enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
(3) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:
(i) The individual agrees to the disclosure; or
(ii) The covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that:
(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and
adversely affected by waiting until the individual is able to agree to the disclosure; and
(C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(4) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
(5) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
(6) Permitted disclosure: Reporting crime in emergencies. (i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime; and
(C) The identity, description, and location of the perpetrator of such crime.
(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.
(g) Standard: Uses and disclosures about decedents. (1) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph.
(2) Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual’s death.
(h) Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
(i) Standard: Uses and disclosures for research purposes. (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either:
(A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
(2) Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
(3) Does not have any member participating in a review of any project in which the member has a conflict of interest.
(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:
(A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
(C) The protected health information for which use or access is sought is necessary for the research purposes.
(iii) Research on decedent’s information. The covered entity obtains from the researcher:
(A) Representation that the use or disclosure sought is solely for research on the protected health information of decedents;
(B) Documentation, at the request of the covered entity, of the death of such individuals; and
(C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.
(2) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following:
(i) Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;
(ii) Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:
(A) The use or disclosure of protected health information involves no more than minimal risk to the individuals;
(B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
(C) The research could not practicably be conducted without the alteration or waiver;
(D) The research could not practicably be conducted without access to and use of the protected health information;
(E) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;
(F) There is an adequate plan to protect the identifiers from improper use and disclosure;
(G) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
(H) There are adequate written assurances that the protected health

Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82817

information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(iii) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or privacy board, pursuant to paragraph (i)(2)(ii)(D) of this section;
(iv) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:
(A) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110);
(B) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
(v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable.
(j) Standard: Uses and disclosures to avert a serious threat to health or safety. (1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:
(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:
(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or
(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in § 164.501.
(2) Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity:
(i) In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or
(ii) Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section.
(3) Limit on information that may be disclosed. A disclosure made pursuant to paragraph (j)(1)(ii)(A) of this section shall contain only the statement described in paragraph (j)(1)(ii)(A) of this section and the protected health information described in paragraph (f)(2)(i) of this section.
(4) Presumption of good faith belief. A covered entity that uses or discloses protected health information pursuant to paragraph (j)(1) of this section is presumed to have acted in good faith with regard to a belief described in paragraph (j)(1)(i) or (ii) of this section, if the belief is based upon the covered entity’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
(k) Standard: Uses and disclosures for specialized government functions. (1) Military and veterans activities. (i) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information:
(A) Appropriate military command authorities; and
(B) The purposes for which the protected health information may be used or disclosed.
(ii) Separation or discharge from military service. A covered entity that is a component of the Departments of Defense or Transportation may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual’s eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.
(iii) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs.
(iv) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section.
(2) National security and intelligence activities. A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
(3) Protective services for the President and others. A covered entity may disclose protected health

82818 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

information to authorized federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.
(4) Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes:
(i) For the purpose of a required security clearance conducted pursuant to Executive Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability or availability for mandatory service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or
(iii) For a family to accompany a Foreign Service member abroad, consistent with section 101(b)(5) and 904 of the Foreign Service Act.
(5) Correctional institutions and other law enforcement custodial situations. (i) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for:
(A) The provision of health care to such individuals;
(B) The health and safety of such individual or other inmates;
(C) The health and safety of the officers or employees of or others at the correctional institution;
(D) The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution; and
(F) The administration and maintenance of the safety, security, and good order of the correctional institution.
(ii) Permitted uses. A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed.
(iii) No application after release. For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.
(6) Covered entities that are government programs providing public benefits. (i) A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation.
(ii) A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.
(l) Standard: Disclosures for workers’ compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

(a) Standard: de-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code; and

Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82819

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
(d)(1) Standard: minimum necessary requirements. A covered entity must reasonably ensure that the standards, requirements, and implementation specifications of § 164.502(b) and this section relating to a request for or the use and disclosure of the minimum necessary protected health information are met.
(2) Implementation specifications: minimum necessary uses of protected health information. (i) A covered entity must identify:
(A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
(B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.
(3) Implementation specification: Minimum necessary disclosures of protected health information. (i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
(A) Making disclosures to public officials that are permitted under § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
(D) Documentation or representations that comply with the applicable requirements of § 164.512(i) have been provided by a person requesting the information for research purposes.
(4) Implementation specifications: Minimum necessary requests for protected health information. (i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made.
(5) Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
(e)(1) Standard: Uses and disclosures of protected health information for marketing. A covered entity may not use or disclose protected health information for marketing without an authorization that meets the applicable requirements of § 164.508, except as provided for by paragraph (e)(2) of this section.
(2) Implementation specifications: Requirements relating to marketing. (i) A covered entity is not required to obtain an authorization under § 164.508 when it uses or discloses protected health information to make a marketing communication to an individual that:
(A) Occurs in a face-to-face encounter with the individual;
(B) Concerns products or services of nominal value; or
(C) Concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions in paragraph (e)(3) of this section.
(ii) A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications.
(3) Implementation specifications: Requirements for certain marketing communications. For a marketing communication to qualify under paragraph (e)(2)(i) of this section, the following conditions must be met:
(i) The communication must:
(A) Identify the covered entity as the party making the communication;
(B) If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and
(C) Except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of patients, enrollees, or other broad groups of individuals, contain instructions describing how the individual may opt out of receiving future such communications.
(ii) If the covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition:
(A) The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and
(B) The communication must explain why the individual has been targeted
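The Safe Harbor list in § 164.514(b)(2) and the re-identification code conditions in § 164.514(c) describe a mechanical procedure, so an added worked example follows. It is not part of the rule text and is not HHS code: it applies the identifier removal to a single record (the field names, the constructed sample record, the reference date and the three-digit ZIP population figures are all assumptions of this example), reduces dates to years, collapses ages over 89 into the "90 or older" category, and issues a random re-identification code whose mapping stays with the covered entity. It covers only the (b)(2) method; the statistical determination of (b)(1) and the "no actual knowledge" condition of (b)(2)(ii) remain human judgments.

```python
import re
import secrets
from datetime import date

# Record fields treated as direct identifiers under Safe Harbor items (A) and
# (D)-(R). The field names are assumptions of this example, not the rule's.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "other_unique_id",
}
# Date fields reduced to the year only, item (C).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Sub-state geography removed outright, item (B); "zip" is handled separately.
GEO_FIELDS = {"street", "city", "county", "precinct", "geocode"}

# Constructed population figures for the unit formed by all ZIP codes sharing
# the same initial three digits. Real values come from Census Bureau data.
ZIP3_POPULATION = {"021": 650000, "036": 12000, "102": 900000}
REFERENCE_DATE = date(2000, 12, 28)  # assumed "as of" date for computing ages


def deidentify_zip(zip_code, zip3_population):
    """Keep the initial three digits, or '000' when that unit has 20,000 or
    fewer people. An unknown unit is treated as small (the safe default)."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20000 else "000"


def age_on(birth, reference):
    """Whole years between a birth date and a reference date."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, reference_date=REFERENCE_DATE,
                           zip3_population=ZIP3_POPULATION):
    """Return a copy of `record` with the Safe Harbor identifiers removed.
    Dates become years; a person over 89 loses the birth year as well, since
    that year by itself indicates the age, and gets the '90+' category."""
    out = {}
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, reference_date) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value, zip3_population)
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue
            out[key[:-len("_date")] + "_year"] = value.year
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value  # e.g. a diagnosis code, not an identifier
    if over_89:
        out["age"] = "90+"
    return out


class ReidentificationVault:
    """164.514(c): the code is random, so it is not derived from anything
    about the individual, and the code-to-record mapping is never disclosed."""

    def __init__(self):
        self._key_by_code = {}

    def assign(self, original_key):
        while True:
            code = secrets.token_hex(8)
            if code not in self._key_by_code:
                break
        self._key_by_code[code] = original_key
        return code

    def resolve(self, code):
        return self._key_by_code.get(code)


# Constructed sample records (fictional people, not real data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "phone": "555-0100", "street": "1 Main St", "city": "Boston",
    "zip": "02115", "birth_date": date(1908, 5, 3),
    "admission_date": date(2000, 11, 20), "diagnosis_code": "I10",
    "email": "jane@example.invalid",
}
YOUNG_SAMPLE = {"name": "Sam Example", "birth_date": date(1980, 1, 1), "zip": "10280"}


def deidentified_sample():
    return safe_harbor_deidentify(SAMPLE)


if __name__ == "__main__":
    vault = ReidentificationVault()
    clean = deidentified_sample()
    clean["record_code"] = vault.assign(SAMPLE["mrn"])  # mapping stays in the vault
    print(clean)
```

The ZIP rule is the one defenders most often get wrong: a code whose three-digit unit is absent from the population table is collapsed to 000 rather than passed through, because the rule's exception applies only when the published data shows more than 20,000 people. The vault keeps the mapping in memory for illustration; in practice it would be stored under separate access controls, as the rule's "does not disclose the mechanism for re-identification" condition requires.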

82820 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

and how the product or service relates to the health of the individual.
(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications, under paragraph (e)(3)(i)(C) of this section, are not sent such communications.
(f)(1) Standard: Uses and disclosures for fundraising. A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508:
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2) Implementation specifications: Fundraising requirements. (i) The covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by § 164.520(b)(1)(iii)(B) is included in the covered entity’s notice;
(ii) The covered entity must include in any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications.
(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.
(g) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation,

such person is not known to the covered entity; and
(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.
(2) Implementation specifications: Verification. (i) Conditions on disclosures. If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements.
(A) The conditions in § 164.512(f)(1)(ii)(C) may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.
(B) The documentation required by § 164.512(i)(2) may be satisfied by one or more written statements, provided that each is appropriately dated and signed in accordance with § 164.512(i)(2)(i) and (v).
(ii) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:
(A) If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
(B) If the request is in writing, the

public official or a person acting on behalf of the public official:
(A) A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;
(B) If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.
(iv) Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with § 164.510 or acts on a good faith belief in making a disclosure in accordance with § 164.512(j).

§ 164.520 Notice of privacy practices for protected health information.

(a) Standard: notice of privacy practices. (1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.
(2) Exception for group health plans. (i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
renewal, or replacement of a contract of request is on the appropriate (ii) A group health plan that provides
health insurance or health benefits, and government letterhead; or health benefits solely through an
if such health insurance or health (C) If the disclosure is to a person insurance contract with a health
benefits are not placed with the health acting on behalf of a public official, a insurance issuer or HMO, and that
plan, such health plan may not use or written statement on appropriate creates or receives protected health
disclose such protected health government letterhead that the person is information in addition to summary
information for any other purpose, acting under the government’s authority health information as defined in
except as may be required by law. or other evidence or documentation of § 164.504(a) or information on whether
(h)(1) Standard: Verification agency, such as a contract for services, the individual is participating in the
requirements. Prior to any disclosure memorandum of understanding, or group health plan, or is enrolled in or
permitted by this subpart, a covered purchase order, that establishes that the has disenrolled from a health insurance
entity must: person is acting on behalf of the public issuer or HMO offered by the plan,
(i) Except with respect to disclosures official. must:
under § 164.510, verify the identity of a (iii) Authority of public officials. A (A) Maintain a notice under this
person requesting protected health covered entity may rely, if such reliance section; and
information and the authority of any is reasonable under the circumstances, (B) Provide such notice upon request
such person to have access to protected on any of the following to verify to any person. The provisions of
health information under this subpart, if authority when the disclosure of paragraph (c)(1) of this section do not
the identity or any such authority of protected health information is to a apply to such group health plan.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00360 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82821

(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.
(3) Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity.
(b) Implementation specifications: content of notice.
(1) Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written consent or authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.
(E) A statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization as provided by § 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement, as applicable, that:
(A) The covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
(B) The covered entity may contact the individual to raise funds for the covered entity; or
(C) A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan.
(iv) Individual rights. The notice must contain a statement of the individual’s rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction;
(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.
(v) Covered entity’s duties. The notice must contain:
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.
(c) Implementation specifications: Provision of notice. A covered entity must make the notice required by this
section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(4) of this section, as applicable.
(1) Specific requirements for health plans. (i) A health plan must provide notice:
(A) No later than the compliance date for the health plan, to individuals then covered by the plan;
(B) Thereafter, at the time of enrollment, to individuals who are new enrollees; and
(C) Within 60 days of a material revision to the notice, to individuals then covered by the plan.
(ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.
(2) Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must:
(i) Provide the notice no later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider;
(ii) If the covered health care provider maintains a physical service delivery site:
(A) Have the notice available at the service delivery site for individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and
(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3) Specific requirements for electronic notice. (i) A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.
(ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service.
(iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.
(d) Implementation specifications: Joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that:
(1) The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement;
(2) The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and
(i) Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies;
(ii) Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and
(iii) If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.
(3) The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice.
(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements by retaining copies of the notices issued by the covered entity as required by § 164.530(j).

§ 164.522 Rights to request privacy protection for protected health information.
(a)(1) Standard: Right of an individual to request restriction of uses and disclosures. (i) A covered entity must permit an individual to request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(i), 164.510(a) or 164.512.
(2) Implementation specifications: Terminating a restriction. A covered entity may terminate its agreement to a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its
agreement to a restriction, except that such termination is only effective with respect to protected health information created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity that agrees to a restriction must document the restriction in accordance with § 164.530(j).
(b)(1) Standard: Confidential communications requirements. (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
(2) Implementation specifications: Conditions on providing confidential communications.
(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.
(ii) A covered entity may condition the provision of a reasonable accommodation on:
(A) When appropriate, information as to how payment, if any, will be handled; and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.

§ 164.524 Access of individuals to protected health information.
(a) Standard: Access to protected health information. (1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:
(i) Psychotherapy notes;
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
(iii) Protected health information maintained by a covered entity that is:
(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
(2) Unreviewable grounds for denial. A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances.
(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate’s request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
(iii) An individual’s access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.
(iv) An individual’s access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.
(v) An individual’s access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
(3) Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances:
(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
(iii) The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
(4) Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section.
(b) Implementation specifications: requests for access and timely action. (1) Individual’s request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.
(2) Timely action by the covered entity. (i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows.
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.
(ii) If the request for access is for protected health information that is not maintained or accessible to the covered entity on-site, the covered entity must take an action required by paragraph (b)(2)(i) of this section by no later than 60 days from the receipt of such a request.
(iii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) or (ii) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) or (ii) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for action on a request for access.
(c) Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.
(1) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access.
(2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.
(ii) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:
(A) The individual agrees in advance to such a summary or explanation; and
(B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
(3) Time and manner of access. The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual’s request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
(4) Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section.
(d) Implementation specifications: Denial of access. If the covered entity denies access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.
(1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access.
(2) Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain:
(i) The basis for the denial;
(ii) If applicable, a statement of the individual’s review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and
(iii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures in § 164.530(d) or to the Secretary pursuant to the procedures in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).
(3) Other responsibility. If the covered entity does not maintain the protected health information that is the subject of the individual’s request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.
(4) Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official’s determination.
(e) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):
(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

§ 164.526 Amendment of protected health information.
(a) Standard: Right to amend. (1) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.
(2) Denial of amendment. A covered entity may deny an individual’s request for amendment, if it determines that the protected health information or record that is the subject of the request:
(i) Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the

originator of protected health (2) Informing the individual. In with the denial of all or part of a
information is no longer available to act accordance with paragraph (b) of this requested amendment and the basis of
on the requested amendment; section, the covered entity must timely such disagreement. The covered entity
(ii) Is not part of the designated record inform the individual that the may reasonably limit the length of a
set; amendment is accepted and obtain the statement of disagreement.
(iii) Would not be available for individual’s identification of and (3) Rebuttal statement. The covered
inspection under § 164.524; or agreement to have the covered entity entity may prepare a written rebuttal to
(iv) Is accurate and complete. notify the relevant persons with which the individual’s statement of
(b) Implementation specifications: the amendment needs to be shared in disagreement. Whenever such a rebuttal
requests for amendment and timely accordance with paragraph (c)(3) of this is prepared, the covered entity must
action. (1) Individual’s request for section. provide a copy to the individual who
amendment. The covered entity must (3) Informing others. The covered submitted the statement of
permit an individual to request that the entity must make reasonable efforts to disagreement.
covered entity amend the protected inform and provide the amendment (4) Recordkeeping. The covered entity
health information maintained in the within a reasonable time to: must, as appropriate, identify the record
designated record set. The covered (i) Persons identified by the or protected health information in the
entity may require individuals to make individual as having received protected designated record set that is the subject
requests for amendment in writing and health information about the individual of the disputed amendment and append
to provide a reason to support a and needing the amendment; and or otherwise link the individual’s
requested amendment, provided that it (ii) Persons, including business request for an amendment, the covered
informs individuals in advance of such associates, that the covered entity entity’s denial of the request, the
requirements. knows have the protected health individual’s statement of disagreement,
information that is the subject of the if any, and the covered entity’s rebuttal,
(2) Timely action by the covered
amendment and that may have relied, or if any, to the designated record set.
entity. (i) The covered entity must act on (5) Future disclosures. (i) If a
the individual’s request for an could foreseeably rely, on such
information to the detriment of the statement of disagreement has been
amendment no later than 60 days after submitted by the individual, the
receipt of such a request, as follows. individual.
(d) Implementation specifications: covered entity must include the material
(A) If the covered entity grants the appended in accordance with paragraph
requested amendment, in whole or in Denying the amendment. If the covered
entity denies the requested amendment, (d)(4) of this section, or, at the election
part, it must take the actions required by of the covered entity, an accurate
paragraphs (c)(1) and (2) of this section. in whole or in part, the covered entity
must comply with the following summary of any such information, with
(B) If the covered entity denies the any subsequent disclosure of the
requirements.
requested amendment, in whole or in protected health information to which
(1) Denial. The covered entity must
part, it must provide the individual with the disagreement relates.
provide the individual with a timely,
a written denial, in accordance with (ii) If the individual has not submitted
written denial, in accordance with
paragraph (d)(1) of this section. a written statement of disagreement, the
paragraph (b)(2) of this section. The
(ii) If the covered entity is unable to denial must use plain language and covered entity must include the
act on the amendment within the time contain: individual’s request for amendment and
required by paragraph (b)(2)(i) of this (i) The basis for the denial, in its denial, or an accurate summary of
section, the covered entity may extend accordance with paragraph (a)(2) of this such information, with any subsequent
the time for such action by no more than section; disclosure of the protected health
30 days, provided that: (ii) The individual’s right to submit a information only if the individual has
(A) The covered entity, within the written statement disagreeing with the requested such action in accordance
time limit set by paragraph (b)(2)(i) of denial and how the individual may file with paragraph (d)(1)(iii) of this section.
this section, provides the individual such a statement; (iii) When a subsequent disclosure
with a written statement of the reasons (iii) A statement that, if the individual described in paragraph (d)(5)(i) or (ii) of
for the delay and the date by which the does not submit a statement of this section is made using a standard
covered entity will complete its action disagreement, the individual may transaction under part 162 of this
on the request; and request that the covered entity provide subchapter that does not permit the
(B) The covered entity may have only the individual’s request for amendment additional material to be included with
one such extension of time for action on and the denial with any future the disclosure, the covered entity may
a request for an amendment. disclosures of the protected health separately transmit the material
(c) Implementation specifications: information that is the subject of the required by paragraph (d)(5)(i) or (ii) of
Accepting the amendment. If the amendment; and this section, as applicable, to the
covered entity accepts the requested (iv) A description of how the recipient of the standard transaction.
amendment, in whole or in part, the individual may complain to the covered (e) Implementation specification:
covered entity must comply with the entity pursuant to the complaint Actions on notices of amendment. A
following requirements. procedures established in § 164.530(d) covered entity that is informed by
(1) Making the amendment. The or to the Secretary pursuant to the another covered entity of an amendment
covered entity must make the procedures established in § 160.306. to an individual’s protected health
appropriate amendment to the protected The description must include the name, information, in accordance with
health information or record that is the or title, and telephone number of the paragraph (c)(3) of this section, must
subject of the request for amendment by, contact person or office designated in amend the protected health information
at a minimum, identifying the records in § 164.530(a)(1)(ii). in designated record sets as provided by
the designated record set that are (2) Statement of disagreement. The paragraph (c)(1) of this section.
affected by the amendment and covered entity must permit the (f) Implementation specification:
appending or otherwise providing a link individual to submit to the covered Documentation. A covered entity must
to the location of the amendment. entity a written statement disagreeing document the titles of the persons or

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00365 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82826 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

offices responsible for receiving and entity must provide the individual with section, provides the individual with a
processing requests for amendments by a written accounting that meets the written statement of the reasons for the
individuals and retain the following requirements. delay and the date by which the covered
documentation as required by (1) Except as otherwise provided by entity will provide the accounting; and
§ 164.530(j). paragraph (a) of this section, the (B) The covered entity may have only
accounting must include disclosures of one such extension of time for action on
§ 164.528 Accounting of disclosures of protected health information that
protected health information. a request for an accounting.
occurred during the six years (or such (2) The covered entity must provide
(a) Standard: Right to an accounting shorter time period at the request of the the first accounting to an individual in
of disclosures of protected health individual as provided in paragraph any 12 month period without charge.
information. (1) An individual has a (a)(3) of this section) prior to the date of
right to receive an accounting of The covered entity may impose a
the request for an accounting, including reasonable, cost-based fee for each
disclosures of protected health disclosures to or by business associates
information made by a covered entity in subsequent request for an accounting by
of the covered entity. the same individual within the 12
the six years prior to the date on which (2) The accounting must include for
the accounting is requested, except for month period, provided that the covered
each disclosure: entity informs the individual in advance
disclosures: (i) The date of the disclosure;
(i) To carry out treatment, payment of the fee and provides the individual
(ii) The name of the entity or person
and health care operations as provided with an opportunity to withdraw or
who received the protected health
in § 164.502; modify the request for a subsequent
information and, if known, the address
(ii) To individuals of protected health of such entity or person; accounting in order to avoid or reduce
information about them as provided in (iii) A brief description of the the fee.
§ 164.502; protected health information disclosed; (d) Implementation specification:
(iii) For the facility’s directory or to and Documentation. A covered entity must
persons involved in the individual’s (iv) A brief statement of the purpose document the following and retain the
care or other notification purposes as of the disclosure that reasonably documentation as required by
provided in § 164.510; informs the individual of the basis for § 164.530(j):
(iv) For national security or the disclosure; or, in lieu of such (1) The information required to be
intelligence purposes as provided in statement: included in an accounting under
§ 164.512(k)(2); (A) A copy of the individual’s written paragraph (b) of this section for
(v) To correctional institutions or law authorization pursuant to § 164.508; or disclosures of protected health
enforcement officials as provided in (B) A copy of a written request for a information that are subject to an
§ 164.512(k)(5); or disclosure under §§ 164.502(a)(2)(ii) or accounting under paragraph (a) of this
(vi) That occurred prior to the 164.512, if any. section;
compliance date for the covered entity. (3) If, during the period covered by (2) The written accounting that is
(2)(i) The covered entity must the accounting, the covered entity has provided to the individual under this
temporarily suspend an individual’s made multiple disclosures of protected section; and
right to receive an accounting of health information to the same person (3) The titles of the persons or offices
disclosures to a health oversight agency or entity for a single purpose under responsible for receiving and processing
or law enforcement official, as provided §§ 164.502(a)(2)(ii) or 164.512, or requests for an accounting by
in § 164.512(d) or (f), respectively, for pursuant to a single authorization under individuals.
the time specified by such agency or § 164.508, the accounting may, with
official, if such agency or official respect to such multiple disclosures, § 164.530 Administrative requirements.
provides the covered entity with a provide: (a)(1) Standard: Personnel
written statement that such an (i) The information required by designations. (i) A covered entity must
accounting to the individual would be paragraph (b)(2) of this section for the designate a privacy official who is
reasonably likely to impede the agency’s first disclosure during the accounting responsible for the development and
activities and specifying the time for period; implementation of the policies and
which such a suspension is required. (ii) The frequency, periodicity, or procedures of the entity.
(ii) If the agency or official statement number of the disclosures made during (ii) A covered entity must designate a
in paragraph (a)(2)(i) of this section is the accounting period; and contact person or office who is
made orally, the covered entity must: (iii) The date of the last such
(A) Document the statement, responsible for receiving complaints
disclosure during the accounting period.
including the identity of the agency or (c) Implementation specifications: under this section and who is able to
official making the statement; Provision of the accounting. (1) The provide further information about
(B) Temporarily suspend the covered entity must act on the matters covered by the notice required
individual’s right to an accounting of individual’s request for an accounting, by § 164.520.
disclosures subject to the statement; and no later than 60 days after receipt of (2) Implementation specification:
(C) Limit the temporary suspension to such a request, as follows. Personnel designations. A covered
no longer than 30 days from the date of (i) The covered entity must provide entity must document the personnel
the oral statement, unless a written the individual with the accounting designations in paragraph (a)(1) of this
statement pursuant to paragraph (a)(2)(i) requested; or section as required by paragraph (j) of
of this section is submitted during that (ii) If the covered entity is unable to this section.
time. provide the accounting within the time (b)(1) Standard: Training. A covered
(3) An individual may request an required by paragraph (c)(1) of this entity must train all members of its
accounting of disclosures for a period of section, the covered entity may extend workforce on the policies and
time less than six years from the date of the time to provide the accounting by no procedures with respect to protected
the request. more than 30 days, provided that: health information required by this
(b) Implementation specifications: (A) The covered entity, within the subpart, as necessary and appropriate
Content of the accounting. The covered time limit set by paragraph (c)(1) of this for the members of the workforce to

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00366 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82827

carry out their function within the paragraph (j) of this section, a covered necessary and appropriate to comply
covered entity. entity must document the sanctions that with changes in the law, including the
(2) Implementation specifications: are applied, if any. standards, requirements, and
Training. (i) A covered entity must (f) Standard: Mitigation. A covered implementation specifications of this
provide training that meets the entity must mitigate, to the extent subpart;
requirements of paragraph (b)(1) of this practicable, any harmful effect that is (ii) When a covered entity changes a
section, as follows: known to the covered entity of a use or privacy practice that is stated in the
(A) To each member of the covered disclosure of protected health notice described in § 164.520, and
entity’s workforce by no later than the information in violation of its policies makes corresponding changes to its
compliance date for the covered entity; and procedures or the requirements of policies and procedures, it may make
(B) Thereafter, to each new member of this subpart by the covered entity or its the changes effective for protected
the workforce within a reasonable business associate. health information that it created or
period of time after the person joins the (g) Standard: Refraining from received prior to the effective date of the
covered entity’s workforce; and intimidating or retaliatory acts. A notice revision, if the covered entity
(C) To each member of the covered covered entity may not intimidate, has, in accordance with
entity’s workforce whose functions are threaten, coerce, discriminate against, or § 164.520(b)(1)(v)(C), included in the
affected by a material change in the take other retaliatory action against: notice a statement reserving its right to
policies or procedures required by this (1) Individuals. Any individual for the make such a change in its privacy
subpart, within a reasonable period of exercise by the individual of any right practices; or
time after the material change becomes under, or for participation by the (iii) A covered entity may make any
effective in accordance with paragraph individual in any process established by other changes to policies and
(i) of this section. this subpart, including the filing of a procedures at any time, provided that
(ii) A covered entity must document complaint under this section; the changes are documented and
that the training as described in (2) Individuals and others. Any implemented in accordance with
paragraph (b)(2)(i) of this section has individual or other person for: paragraph (i)(5) of this section.
been provided, as required by paragraph (i) Filing of a complaint with the (3) Implementation specification:
(j) of this section. Secretary under subpart C of part 160 of Changes in law. Whenever there is a
(c)(1) Standard: Safeguards. A this subchapter; change in law that necessitates a change
covered entity must have in place (ii) Testifying, assisting, or to the covered entity’s policies or
appropriate administrative, technical, participating in an investigation, procedures, the covered entity must
and physical safeguards to protect the compliance review, proceeding, or promptly document and implement the
privacy of protected health information. hearing under Part C of Title XI; or revised policy or procedure. If the
(2) Implementation specification: (iii) Opposing any act or practice change in law materially affects the
Safeguards. A covered entity must made unlawful by this subpart, content of the notice required by
reasonably safeguard protected health provided the individual or person has a § 164.520, the covered entity must
information from any intentional or good faith belief that the practice promptly make the appropriate
unintentional use or disclosure that is in opposed is unlawful, and the manner of revisions to the notice in accordance
violation of the standards, the opposition is reasonable and does with § 164.520(b)(3). Nothing in this
implementation specifications or other not involve a disclosure of protected paragraph may be used by a covered
requirements of this subpart. health information in violation of this entity to excuse a failure to comply with
(d)(1) Standard: Complaints to the subpart. the law.
covered entity. A covered entity must (h) Standard: Waiver of rights. A (4) Implementation specifications:
provide a process for individuals to covered entity may not require Changes to privacy practices stated in
make complaints concerning the individuals to waive their rights under the notice. (i) To implement a change as
covered entity’s policies and procedures § 160.306 of this subchapter or this provided by paragraph (i)(2)(ii) of this
required by this subpart or its subpart as a condition of the provision section, a covered entity must:
compliance with such policies and of treatment, payment, enrollment in a (A) Ensure that the policy or
procedures or the requirements of this health plan, or eligibility for benefits. procedure, as revised to reflect a change
subpart. (i)(1) Standard: Policies and in the covered entity’s privacy practice
(2) Implementation specification: procedures. A covered entity must as stated in its notice, complies with the
Documentation of complaints. As implement policies and procedures with standards, requirements, and
required by paragraph (j) of this section, respect to protected health information implementation specifications of this
a covered entity must document all that are designed to comply with the subpart;
complaints received, and their standards, implementation (B) Document the policy or procedure,
disposition, if any. specifications, or other requirements of as revised, as required by paragraph (j)
(e)(1) Standard: Sanctions. A covered this subpart. The policies and of this section; and
entity must have and apply appropriate procedures must be reasonably (C) Revise the notice as required by
sanctions against members of its designed, taking into account the size of § 164.520(b)(3) to state the changed
workforce who fail to comply with the and the type of activities that relate to practice and make the revised notice
privacy policies and procedures of the protected health information available as required by § 164.520(c).
covered entity or the requirements of undertaken by the covered entity, to The covered entity may not implement
this subpart. This standard does not ensure such compliance. This standard a change to a policy or procedure prior
apply to a member of the covered is not to be construed to permit or to the effective date of the revised
entity’s workforce with respect to excuse an action that violates any other notice.
actions that are covered by and that standard, implementation specification, (ii) If a covered entity has not reserved
meet the conditions of § 164.502(j) or or other requirement of this subpart. its right under § 164.520(b)(1)(v)(C) to
paragraph (g)(2) of this section. (2) Standard: Changes to policies or change a privacy practice that is stated
(2) Implementation specification: procedures. (i) A covered entity must in the notice, the covered entity is
Documentation. As required by change its policies and procedures as bound by the privacy practices as stated

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00367 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
82828 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

in the notice with respect to protected (B) Information on whether the authorization, or other express legal
health information created or received individual is participating in the group permission obtained from an individual.
while such notice is in effect. A covered health plan, or is enrolled in or has (2) If the consent, authorization, or
entity may change a privacy practice disenrolled from a health insurance other express legal permission obtained
that is stated in the notice, and the issuer or HMO offered by the plan. from an individual specifically permits
related policies and procedures, without (2) A group health plan described in a use or disclosure for a purpose other
having reserved the right to do so, paragraph (k)(1) of this section is subject than to carry out treatment, payment, or
provided that: to the standard and implementation health care operations, the covered
(A) Such change meets the specification in paragraph (j) of this entity may, with respect to protected
implementation the requirements in section only with respect to plan health information that it created or
paragraphs (i)(4)(i)(A)–(C) of this documents amended in accordance with received before the applicable
section; and § 164.504(f). compliance date of this subpart and to
(B) Such change is effective only with which the consent, authorization, or
§ 164.532 Transition provisions. other express legal permission obtained
respect to protected health information
(a) Standard: Effect of prior consents from an individual applies, make such
created or received after the effective
and authorizations. Notwithstanding use or disclosure, provided that:
date of the notice.
other sections of this subpart, a covered (i) The covered entity does not make
(5) Implementation specification:
entity may continue to use or disclose any use or disclosure that is expressly
Changes to other policies or procedures.
protected health information pursuant excluded from the consent,
A covered entity may change, at any
to a consent, authorization, or other authorization, or other express legal
time, a policy or procedure that does not
express legal permission obtained from permission obtained from an individual;
materially affect the content of the
an individual permitting the use or and
notice required by § 164.520, provided
disclosure of protected health (ii) The covered entity complies with
that:
information that does not comply with all limitations placed by the consent,
(i) The policy or procedure, as §§ 164.506 or 164.508 of this subpart authorization, or other express legal
revised, complies with the standards, consistent with paragraph (b) of this permission obtained from an individual.
requirements, and implementation section. (3) In the case of a consent,
specifications of this subpart; and (b) Implementation specification: authorization, or other express legal
(ii) Prior to the effective date of the Requirements for retaining effectiveness permission obtained from an individual
change, the policy or procedure, as of prior consents and authorizations. that identifies a specific research project
revised, is documented as required by Notwithstanding other sections of this that includes treatment of individuals:
paragraph (j) of this section. subpart, the following provisions apply (i) If the consent, authorization, or
(j)(1) Standard: Documentation. A to use or disclosure by a covered entity other express legal permission obtained
covered entity must: of protected health information from an individual specifically permits
(i) Maintain the policies and pursuant to a consent, authorization, or a use or disclosure for purposes of the
procedures provided for in paragraph (i) other express legal permission obtained project, the covered entity may, with
of this section in written or electronic from an individual permitting the use or respect to protected health information
form; disclosure of protected health that it created or received either before
(ii) If a communication is required by information, if the consent, or after the applicable compliance date
this subpart to be in writing, maintain authorization, or other express legal of this subpart and to which the consent
such writing, or an electronic copy, as permission was obtained from an or authorization applies, make such use
documentation; and individual before the applicable or disclosure for purposes of that
(iii) If an action, activity, or compliance date of this subpart and project, provided that the covered entity
designation is required by this subpart does not comply with §§ 164.506 or complies with all limitations placed by
to be documented, maintain a written or 164.508 of this subpart. the consent, authorization, or other
electronic record of such action, (1) If the consent, authorization, or express legal permission obtained from
activity, or designation. other express legal permission obtained an individual.
(2) Implementation specification: from an individual permits a use or (ii) If the consent, authorization, or
Retention period. A covered entity must disclosure for purposes of carrying out other express legal permission obtained
retain the documentation required by treatment, payment, or health care from an individual is a general consent
paragraph (j)(1) of this section for six operations, the covered entity may, with to participate in the project, and a
years from the date of its creation or the respect to protected health information covered entity is conducting or
date when it last was in effect, that it created or received before the participating in the research, such
whichever is later. applicable compliance date of this covered entity may, with respect to
(k) Standard: Group health plans. (1) subpart and to which the consent, protected health information that it
A group health plan is not subject to the authorization, or other express legal created or received as part of the project
standards or implementation permission obtained from an individual before or after the applicable
specifications in paragraphs (a) through applies, use or disclose such compliance date of this subpart, make a
(f) and (i) of this section, to the extent information for purposes of carrying out use or disclosure for purposes of that
that: treatment, payment, or health care project, provided that the covered entity
(i) The group health plan provides operations, provided that: complies with all limitations placed by
health benefits solely through an (i) The covered entity does not make the consent, authorization, or other
insurance contract with a health any use or disclosure that is expressly express legal permission obtained from
insurance issuer or an HMO; and excluded from the a consent, an individual.
(ii) The group health plan does not authorization, or other express legal (4) If, after the applicable compliance
create or receive protected health permission obtained from an individual; date of this subpart, a covered entity
information, except for: and agrees to a restriction requested by an
(A) Summary health information as (ii) The covered entity complies with individual under § 164.522(a), a
defined in § 164.504(a); or all limitations placed by the consent, subsequent use or disclosure of

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00368 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2
Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 82829

protected health information that is § 164.534 Compliance dates for initial (1) Health plans other than small
subject to the restriction based on a implementation of the privacy standards. health plans—February 26, 2003.
consent, authorization, or other express (a) Health care providers. A covered (2) Small health plans—February 26,
legal permission obtained from an health care provider must comply with 2004.
individual as given effect by paragraph the applicable requirements of this (c) Health care clearinghouses. A
(b) of this section, must comply with subpart no later than February 26, 2003. health care clearinghouse must comply
such restriction. with the applicable requirements of this
(b) Health plans. A health plan must subpart no later than February 26, 2003.
comply with the applicable [FR Doc. 00–32678 Filed 12–20–00; 11:21
requirements of this subpart no later am]
than the following date, as applicable: BILLING CODE 4150–04–P
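The accounting procedure that § 164.528(a) through (c) lays out, carried through as an added worked example (this code is not part of the rule or of any HHS material): it drops the purposes exempted by (a)(1), honours a temporary suspension under (a)(2) including the 30-day cap on an oral statement, windows the disclosure log to six years or the shorter period the individual asked for, summarises repeated disclosures to one recipient for one purpose as (b)(3) permits, and computes the (c)(1) response deadline with its single 30-day extension. The disclosure-log layout, the purpose codes, and the sample records are this example's own assumptions; the compliance date is taken from § 164.534(a) as printed in this rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not text of the rule: builds the accounting of disclosures that
# 45 CFR 164.528 obliges a covered entity to give an individual. The log layout,
# purpose codes and sample records below are this example's own assumptions.

EXEMPT_PURPOSES = frozenset({                                          # 164.528(a)(1)(i)-(v)
    "treatment", "payment", "health_care_operations", "to_individual",  # 164.502
    "facility_directory", "involved_in_care",                           # 164.510
    "national_security", "correctional_or_law_enforcement_custody",     # 164.512(k)(2), (k)(5)
})
# (b)(3): repeated disclosures to one recipient for one purpose under these
# provisions, or under a single 164.508 authorization, may be summarised.
AGGREGABLE_BASES = frozenset({"164.502(a)(2)(ii)", "164.512", "164.508"})


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]                  # (b)(2)(ii): address if known
    description: str                        # (b)(2)(iii): brief description of the PHI
    purpose: str                            # purpose code, see EXEMPT_PURPOSES
    basis: str                              # provision relied on, e.g. "164.512"
    authorization_id: Optional[str] = None  # ties disclosures to one authorization
    by_business_associate: bool = False     # (b)(1): still included in the accounting


@dataclass(frozen=True)
class Suspension:
    """(a)(2): statement from a health oversight agency or law enforcement official."""
    agency: str
    stated_on: date
    requested_until: date
    written: bool

    def end(self) -> date:
        # (a)(2)(ii)(C): an oral statement suspends for at most 30 days unless a
        # written statement arrives in that time.
        if self.written:
            return self.requested_until
        return min(self.requested_until, self.stated_on + timedelta(days=30))


def years_before(day: date, years: int) -> date:
    try:
        return day.replace(year=day.year - years)
    except ValueError:                      # Feb 29 with no leap day in the target year
        return day.replace(year=day.year - years, day=28)


def response_deadline(received: date, extended: bool = False) -> date:
    # (c)(1): act within 60 days; a single extension of at most 30 days.
    return received + timedelta(days=90 if extended else 60)


def build_accounting(log, request_date, compliance_date, suspensions=(), years=6):
    """Accounting entries (dicts) for a request received on request_date."""
    if not 0 < years <= 6:                  # (a)(1) six years; (a)(3) shorter on request
        raise ValueError("accounting period must be 1..6 years")
    start = years_before(request_date, years)
    suspended = {s.agency for s in suspensions if s.stated_on <= request_date <= s.end()}
    groups = {}                             # dict order = order of each group's first disclosure
    for d in sorted(log, key=lambda d: d.when):
        if not (start <= d.when < request_date) or d.when < compliance_date:  # (a)(1)(vi)
            continue
        if d.purpose in EXEMPT_PURPOSES or d.recipient in suspended:          # (a)(1), (a)(2)
            continue
        key = (d.recipient, d.purpose, d.basis, d.authorization_id) if d.basis in AGGREGABLE_BASES else id(d)
        groups.setdefault(key, []).append(d)
    entries = []
    for ds in groups.values():
        first = ds[0]                                                          # (b)(2) or (b)(3)(i)
        entry = {"date": first.when.isoformat(), "recipient": first.recipient, "address": first.address,
                 "description": first.description, "purpose": first.purpose}
        if len(ds) > 1:                                                        # (b)(3)(ii)-(iii)
            entry["number_of_disclosures"] = len(ds)
            entry["last_disclosure"] = ds[-1].when.isoformat()
        entries.append(entry)
    return entries


# Constructed sample log for one individual (illustrative records, not real data).
COMPLIANCE_DATE = date(2003, 2, 26)         # 164.534(a) as printed in this rule
SAMPLE_REQUEST_DATE = date(2006, 6, 1)
_PHI = "problem list and medication history"
SAMPLE_LOG = [
    Disclosure(date(2003, 1, 15), "State Medicaid", None, "claim", "payment", "164.506"),
    Disclosure(date(2003, 3, 1), "County Public Health Dept", "1 Main St", _PHI, "public_health", "164.512"),
    Disclosure(date(2003, 6, 1), "County Public Health Dept", "1 Main St", _PHI, "public_health", "164.512"),
    Disclosure(date(2003, 9, 1), "County Public Health Dept", "1 Main St", _PHI, "public_health", "164.512"),
    Disclosure(date(2004, 5, 20), "Research Sponsor LLC", None, "lab results", "research", "164.508", "AUTH-1"),
    Disclosure(date(2004, 5, 21), "Research Sponsor LLC", None, "lab results", "research", "164.508", "AUTH-2"),
    Disclosure(date(2005, 7, 4), "Collections Inc", None, "balance due", "payment", "164.506", None, True),
    Disclosure(date(2005, 11, 11), "Plaintiff's Counsel", None, "visit notes", "judicial_proceeding", "164.512", None, True),
    Disclosure(date(2006,  3, 3), "State Health Oversight Agency", None, "audit sample", "health_oversight", "164.512"),
]
# Oral statement from the oversight agency on 15 May 2006 asking for suspension to year end.
SAMPLE_SUSPENSION = Suspension("State Health Oversight Agency", date(2006, 5, 15), date(2006, 12, 31), written=False)


def sample_accounting():
    return build_accounting(SAMPLE_LOG, SAMPLE_REQUEST_DATE, COMPLIANCE_DATE, [SAMPLE_SUSPENSION])


if __name__ == "__main__":
    print(*sample_accounting(), sep="\n")
```

Running the block prints four entries for the constructed log: the three public-health disclosures collapse into one (b)(3) summary with a count and last date, the two research disclosures stay separate because they rest on different authorizations, the disclosure to the oversight agency is hidden while the oral suspension is in force (it reappears once that lapses or if no suspension is passed in), and the business-associate flag changes nothing because (b)(1) requires those disclosures to be accounted for as well. Payment and pre-compliance-date disclosures never reach the output.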