Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations    82561

A covered entity may only extend the deadline one time per request for accounting.

The NPRM did not address whether a covered entity could charge a fee for the accounting of disclosures.

In the final rule, we provide that individuals have a right to receive one free accounting per 12 month period. For each additional request by an individual within the 12 month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

Procedures and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), for disclosures that are subject to the accounting requirement, the covered entity must retain documentation of the information required to be included in the accounting. The covered entity must also retain a copy of any accounting provided and must document the titles of the persons or offices responsible for receiving and processing requests for an accounting.

Section 164.530—Administrative Requirements

Designation of a Privacy Official and Contact Person

In § 164.518(a) of the NPRM, we proposed that covered entities be required to designate an individual as the covered entity’s privacy official, responsible for the implementation and development of the entity’s privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity’s notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider’s privacy notice to include the name of a contact person for privacy matters.

The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.

These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper “Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.” This paper notes that “accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures * * *” (p. 29).

Training

In § 164.518(b) of the NPRM we proposed to require that covered entities provide training on the entities’ policies and procedures to all members of the workforce likely to have access to protected health information. Each entity would be required to provide initial training by the date on which this rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, we proposed that when a covered entity made material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change.

The NPRM would have required that, upon completion of the training, the trainee would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of achieving this training requirement for their workforce. We also proposed that, at least every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity’s privacy policies and procedures. The covered entity would have been required to document its policies and procedures for complying with the training requirements.

The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. We do not change the proposed time lines for training existing and new members of the workforce, or for training due to material changes in the covered entity’s policies and procedures. We eliminate both the requirement for employees to sign a certification following training and the triennial re-certification requirement. Covered entities are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided.

Safeguards

In § 164.518(c) of the NPRM, we proposed to require covered entities to put in place administrative, technical, and physical safeguards to protect the privacy of protected health information. We made reference in the preamble to similar requirements proposed for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA–0049–P). We stated that we were proposing parallel and consistent requirements for safeguarding the privacy of protected health information. In § 164.518(c)(3) of the NPRM, we required covered entities to have safeguards to ensure that information was not used in violation of the requirements of this subpart or by people who did not have proper authorization to access the information.

We do not change the basic proposed requirements that covered entities have administrative, technical and physical safeguards to protect the privacy of protected health information. We combine the proposed requirements into a single standard that requires covered entities to safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirements of this rule


and to protect against the inadvertent disclosure of protected health information to persons other than the intended recipient. Limitations on access to protected health information by the covered entity’s workforce will also be covered by the policies and procedures for “minimum necessary” use of protected health information, pursuant to § 164.514(d). We expect these provisions to work in tandem.

We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is “scalable.”) Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass-code. We intend this to be a common-sense, scalable standard. We do not require covered entities to guarantee the safety of protected health information against all assaults. Theft of protected health information may or may not signal a violation of this rule, depending on the circumstances and whether the covered entity had reasonable policies to protect against theft. Organizations such as the Association for Testing and Materials (ASTM) and the American Health Information Management Association (AHIMA) have developed a body of recommended practices for handling of protected health information that covered entities may find useful.

We note that the proposed HIPAA Security Standards would require covered entities to safeguard the privacy and integrity of health information. For electronic information, compliance with both regulations will be required.

In § 164.518(c)(2) of the NPRM we proposed requirements for verification procedures to establish identity and authority for permitted disclosures of protected health information.

In the final rule, this material has been moved to § 164.514(h).

Use or Disclosure of Protected Health Information by Whistleblowers

In § 164.518(c)(4) of the NPRM, this provision was entitled “Implementation Specification: Disclosures by whistleblowers.” It is now retitled “Disclosures by whistleblowers,” with certain changes, and moved to § 164.502(j)(1).

Complaints to the Covered Entity

In § 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan’s or provider’s compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame.

We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any.

In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity’s privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule.

Sanctions

In § 164.518(e) of the NPRM, we proposed to require all covered entities to develop, and apply when appropriate, sanctions against members of its workforce who failed to comply with privacy policies or procedures of the covered entity or with the requirements of the rule. Covered entities would be required to develop and impose sanctions appropriate to the nature of the violation. The preamble stated that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination. The NPRM preamble language also stated that covered entities would be required to apply sanctions against business associates that violated the proposed rule.

In the final rule, we retain the requirement for sanctions against members of a covered entity’s workforce. We also require a covered entity to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions. These sanctions do not apply to whistleblower activities that meet the provisions of § 164.502(j) or complaints, investigations, or opposition that meet the provisions of § 164.530(g)(2). We eliminate language regarding business associates from this section. Requirements with respect to business associates are stated in § 164.504.

Duty To Mitigate

In proposed § 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity’s workforce and business associates.

With respect to business associates, the NPRM preamble, but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate’s performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it.

In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered entity’s policies and procedures, not just a violation of the requirements of the subpart. We resolve the ambiguities in the NPRM by imposing this duty on covered entities for harm caused by


either members of their workforce or by their business associates.

We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in § 164.504.

Refraining from Intimidating or Retaliatory Acts

In § 164.522(d)(4) of the NPRM, in the Compliance and Enforcement section, we proposed that one of the responsibilities of a covered entity would be to refrain from intimidating or retaliatory acts. Specifically, the rule provided that “[a] covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.”

In the final rule, we continue to require that entities refrain from intimidating or retaliatory acts; however, the provisions have been moved to the Administrative Requirements provisions in § 164.530. This change is not just clerical; in making this change, we apply this provision to the privacy rule alone rather than to all the HIPAA administrative simplification rules. (The compliance and enforcement provisions that were in § 164 are now in Part 160, Subpart C.)

We continue to prohibit retaliation against individuals for filing a complaint with the Secretary, but also prohibit retaliation against any other person who files such a complaint. This is the case because the term “individual” is generally limited to the person who is the subject of the information. The final rule prohibits retaliation against persons, not just individuals, for testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing under Part C of Title XI. The proposed regulation referenced the “Act,” which is defined in Part 160 as the Social Security Act. Because we only intend to protect activities such as participation in investigations and hearings under the Administrative Simplification provisions of HIPAA, the final rule references Part C of Title XI of the Social Security Act.

The proposed rule would have prohibited retaliatory actions against individuals for opposing any act or practice made unlawful by this subpart. The final rule retains this provision, but applies it to any person, only if the person “has a good faith belief that the practice opposed is unlawful, the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.” The final rule provides additional protections, which had been included in the preamble to the proposed rule. Specifically, we prohibit retaliatory actions against individuals who exercise any right, or participate in any process established by the privacy rule (Part 164 Subpart E), and include as an example the filing of a complaint with the covered entity.

Waiver of Rights

In the final regulation, but not in the proposed regulation, we provide that a covered entity may not require individuals to waive their rights to file a complaint with the Secretary or their other rights under this rule as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. This provision ensures that covered entities do not take away the rights that individuals have been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and Documentation Requirements

In § 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation.

In § 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In § 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices.

We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law.

In § 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that “writing” includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office.

We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, whichever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on “last was in effect” is a change from the NPRM, which was worded “unless a longer period applies under this subpart.”

This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper “Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.” This paper notes that “MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues.” (p. 29).

Standards for Certain Group Health Plans

We add a new provision (§ 164.530(k)) to clarify the administrative responsibilities of group health plans that offer benefits through issuers and HMOs. Specifically, a group health plan that provides benefits solely through an issuer or HMO, and that does not create, receive or maintain protected health

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00103   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82564       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

information other than summary health               the covered entity must comply with all                 for a specific research project that
information or information regarding                limitations expressed in the consent,                   includes the treatment of individuals,
enrollment and disenrollment, is not                authorization, or permission. Thus, we                  such as clinical trials. These consents,
subject to the requirements of this                 do not require a covered entity to obtain               authorizations, or permissions may
section regarding designation of a                  a consent that meets the requirements of                specifically permit a use or disclosure of
privacy official and contact person,                § 164.506 to use or disclose this                       individually identifiable health
workforce training, safeguards,                     previously obtained protected health                    information for purposes of the project.
complaints, mitigation, or policies and             information as long as the use or                       Alternatively, they may be general
procedures. Such a group health plan is             disclosure is consistent with the                       consents to participate in the project. A
only subject to the requirements of this            requirements of this section. However, a                covered entity may use or disclose
section regarding documentation with                covered entity will need to obtain a                    protected health information it created
respect to its plan documents. Issuers              consent that meets the requirements of                  or received before or after to the
and HMOs are covered entities under                 § 164.506 to the extent that it is required             applicable compliance date of this rule
this rule, and thus have independent                to obtain a consent under § 164.506                     for purposes of the project provided that
obligations to comply with this section             from an individual before it may use or                 the covered entity complies with all
with respect to the protected health                disclose any protected health                           limitations expressed in the consent,
information they maintain about the                 information it creates or receives after                authorization, or permission.
enrollees in such group health plans.               the date by which it must comply with                      If, pursuant to this section, a covered
The group health plans subject to this              this rule.                                              entity relies upon a previously obtained
provision will have only limited                       Similarly, we recognize that a covered               consent, authorization, or other express
protected health information. Therefore,            entity may wish to rely upon a consent,                 legal permission and agrees to a request
imposing these requirements on the                  authorization, or other express legal                   for a restriction by an individual under
group health plan would impose                      permission obtained from an individual                  § 164.522(a), any subsequent use or
burdens not outweighed by a                         prior to the applicable compliance date                 disclosure under that consent,
corresponding enhancement in privacy                of this regulation that specifically                    authorization, or permission must
protections.                                        permits the covered entity to use or                    comply with the agreed upon restriction
                                                    disclose individually identifiable health               as well.
Section 164.532—Transition Provisions               information for activities other than to                   We believe it is necessary to
   In the NPRM, we did not address the              carry out treatment, payment, or health                 grandfather in previously obtained
effect of the regulation on consents and            care operations. In the final rule, we                  consents, authorizations, or other
authorizations covered entities obtained            permit a covered entity to rely upon                    express legal permissions in these
prior to the compliance date of the                 such a consent, authorization, or                       circumstances to ensure that important
regulation.                                         permission to use or disclose protected                 functions of the health care system are
   In the final rule, we clarify that, in           health information that it created or                   not impeded. We link the effectiveness
certain circumstances, a covered entity             received before the applicable                          of such consents, authorizations, or
may continue to rely upon consents,                 compliance date of the regulation for the               permissions in these circumstances to
authorizations, or other express legal              specific activities described in the                    the applicable compliance date to give
permissions obtained prior to the                   consent, authorization, or permission as                covered entities sufficient notice of the
compliance date of this regulation to use           long as the covered entity complies with                requirements set forth in §§ 164.506 and
or disclose protected health information            two requirements. First, the covered                    164.508.
even if these consents, authorizations,             entity may not make any use or                             The rule does not change the past
or permissions do not meet the                      disclosure that is expressly excluded                   effectiveness of consents,
requirements set forth in §§ 164.506 or             from the consent, authorization, or                     authorizations, or other express legal
164.508.                                            permission. Second, the covered entity                  permissions that do not come within
   We realize that a covered entity may             must comply with all limitations                        this section. This means that uses or
wish to rely upon a consent,                        expressed in the consent, authorization,                disclosures of individually identifiable
authorization, or other express legal               or permission. Thus, we do not required                 health information made prior to the
permission obtained from an individual              a covered entity to obtain an                           compliance date of this regulation are
prior to the compliance date of this                authorization that meets the                            not subject to sanctions, even if they
regulation which permits the use or                 requirements of § 164.508 to use or                     were made pursuant to documents or
disclosure of individually identifiable             disclose this previously obtained                       permissions that do not meet the
health information for activities that              protected health information so long as                 requirements of this rule or were made
come within treatment, payment, or                  the use or disclosure is consistent with                without permission. This rule alters
health care operations (as defined in               the requirements of this section.                       only the future effectiveness of the
§ 164.501), but that do not meet the                However, a covered entity will need to                  previously obtained consents,
requirements for consents set forth in              obtain an authorization that meets the                  authorizations, or permissions. Covered
§ 164.506. In the final rule, we permit a           requirements of § 164.508, to the extent                entities are not required to rely upon
covered entity to rely upon such                    that it is required to obtain an                        these consents, authorizations, or
consent, authorization, or permission to            authorization under this rule, from an                  permissions and may obtain new
use or disclose protected health                    individual before it may use or disclose                consents or authorizations that meet the
information that it created or received             any protected health information it                     applicable requirements of §§ 164.506
before the applicable compliance date of            creates or receives after the date by                   and 164.508.
the regulation to carry out the treatment,          which it must comply with this rule.                       When reaching this decision, we
payment, or health care operations as                  Additionally, the final rule                         considered requiring all covered entities
long as it meets two requirements. First,           acknowledges that covered entities may                  to obtain new consents or authorizations
the covered entity may not make any                 wish to rely upon consents,                             consistent with the requirements of
use or disclosure that is expressly                 authorizations, or other express legal                  §§ 164.506 and 164.508 before they
excluded from the consent,                          permission obtained from an individual                  would be able to use or disclose
authorization, or permission. Second,               prior to the applicable compliance date                 protected health information obtained

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00104   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82565

after the compliance date of these rules.           the corresponding section of the final                     Response: This regulation does not,
We rejected this option because we                  rule, not the NPRM.                                     and cannot, reduce current privacy
recognize that covered entities may not                                                                     protections. The statutory language of
                                                    General Comments
always be able to obtain new consents                                                                       the HIPAA specifically mandates that
or authorizations consistent with the                 We received many comments on the                      this regulation does not preempt state
requirements of §§ 164.506 and 164.508              rule overall, not to a particular                       laws that are more protective of privacy.
from all individuals upon whose                     provision. We respond to those                             As discussed in more detail in later
information they rely. We also refrained            comments here. Similar comments, but                    this preamble, while many people
from impeding the rights of covered                 directed to a specific provision in the                 believe that they must be asked
entities to exercise their interests in the         proposed rule, are answered below in                    permission prior to any release of health
records they have created. We do not                the corresponding section of this                       information about them, current laws
require covered entities with existing              preamble.                                               generally do not impose such a
records or databases to destroy or                                                                          requirement. Similarly, as discussed in
                                                    Comments on the Need for Privacy
remove the protected health information                                                                     more detail later in this preamble,
                                                    Standards, and Effects of this
for which they do not have valid                                                                            judicial review is required today only
                                                    Regulation on Current Protections
consents or authorizations that meet the                                                                    for a small proportion of releases of
requirements of §§ 164.506 and 164.508.               Comment: Many commenters                              health information.
Covered entities may rely upon the                  expressed the opinion that federal                         Comment: Many commenters asserted
consents, authorizations, or permissions            legislation is necessary to protect the                 that today, medical records ‘‘belong’’ to
they obtained from individuals prior to             privacy of individuals’ health                          patients. Others asserted that patients
the applicable compliance date of this              information. One comment advocated                      own their medical information and
regulation consistent with the                      Congressional efforts to provide a                      health care providers and insurance
constraints of those documents and the              comprehensive federal health privacy                    companies who maintain health records
requirements discussed above.                       law that would integrate the substance                  should be viewed as custodians of the
   We note that if a covered entity                 abuse regulations with the privacy                      patients’ property.
obtains before the applicable                       regulation.                                                Response: We do not intend to change
compliance date of this regulation a                  Response: We agree that                               current law regarding ownership of or
consent that meets the requirements of              comprehensive privacy legislation is                    responsibility for medical records. In
§ 164.506, an authorization that meets              urgently needed. This administration                    developing this rule we reviewed
the requirements of § 164.508, or an IRB            has urged the Congress to pass such                     current law on this and related issues,
or privacy board waiver of authorization            legislation. While this regulation will                 and built on that foundation.
that meets the requirements of                      improve the privacy of individuals’                        Under state laws, medical records are
§ 164.512(i), the consent, authorization,           health information, only legislation can                often the property of the health care
or waiver is effective for uses or                  provide the full array of privacy                       provider or medical facility that created
disclosures that occur after the                    protection that individuals need and                    them. Some state laws also provide
compliance date and that are consistent             deserve.                                                patients with access to medical records
with the terms of the consent,                        Comment: Many commenters noted                        or an ownership interest in the health
authorization, or waiver.                           that they do not go to a physician, or do               information in medical records.
                                                    not completely share health information                 However, these laws do not divest the
Section 164.534—Compliance Dates for
                                                    with their physician, because they are                  health care provider or the medical
Initial Implementation of the Privacy
                                                    concerned about who will have access                    facility of its ownership interest in
                                                    to that information. Many physicians                    medical records. These statutes
  In the NPRM, we provided that a                   commented on their patients’ reluctance                 typically provide a patient the right to
covered entity must be in compliance                to share information because of fear that               inspect or copy health information from
with this subpart not later than 24                 their information will later be used                    the medical record, but not the right to
months following the effective date of              against them.                                           take the provider’s original copy of an
this rule, except that a covered entity               Response: We agree that strong federal                item in the medical record. If a
that is a small health plan must be in              privacy protections are necessary to                    particular state law provides greater
compliance with this subpart not later              enhance patients’ trust in the health                   ownership rights, this regulation leaves
than 36 months following the effective              care system.                                            such rights in place.
date of the rule.                                     Comment: Many commenters                                 Comment: Some commenters argued
  The final rule did not make any                   expressed concerns that this regulation                 that the use and disclosure of sensitive
substantive changes. The format is                  will allow access to health information                 personal information must be strictly
changed so as to more clearly present               by those who today do not have such                     regulated, and violation of such
the various compliance dates. The final             access, or would allow their physician                  regulations should subject an entity to
rule lists the types of covered entities            to disclose information which may not                   significant penalties and sanctions.
and then the various dates that would               lawfully be disclosed today. Many of                       Response: We agree, and share the
apply to each of these entities.                    these commenters stated that today,                     commenters’ concern that the penalties
                                                    they consent to every disclosure of                     in the HIPAA statute are not sufficient
III. Section-by-Section Discussion of
                                                    health information about them, and that                 to fully protect individuals’ privacy
                                                    absent their consent the privacy of their               interests. The need for stronger
  The following describes the                       health information is ‘‘absolute.’’ Others              penalties is among the reasons we
provisions in the final regulation, and             stated that, today, health information is               believe Congress should pass
the changes we make to the proposed                 disclosed only pursuant to a judicial                   comprehensive privacy legislation.
provisions section-by-section. Following            order. Several commenters were                             Comment: Many commenters
each section are our responses to the               concerned that this regulation would                    expressed the opinion that the proposed
comments to that section. This section              override stronger state privacy                         ruled should provide stricter privacy
of the preamble is organized to follow              protection.                                             protections.

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00105   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82566       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

   Response: We received nearly 52,000              would impose substantial new                            privacy is urgent and that this
comments on the proposed regulation,                restrictions on private sector use and                  regulation is in the public’s interest.
and make substantial changes to the                 disclosure of protected health                             Comment: Many commenters express
proposal in response to those                       information, but would make                             the opinion that their consent should be
comments. Many of these changes will                government access to protected health                   required for all disclosure of their health
strengthen the protections that were                information easy. One consumer                          information.
proposed in the NPRM.                               advocacy group made the same                               Response: We agree that consent
   Comment: Many comments express                   observation.                                            should be required prior to release of
concerns that their health information                Response: We acknowledge that many                    health information for many purposes,
will be given to their employers.                   of the national priority purposes for                   and impose such a requirement in this
   Response: We agree that employer                 which we allow disclosure of protected                  regulation. Requiring consent prior to
access to health information is a                   health information without consent or                   all release of health information,
particular concern. In this final                   authorization are for government                        however, would unduly jeopardize
regulation, we make significant changes             functions, and that many of the                         public safety and make many operations
to the NPRM that clarify and provide                governmental recipients of such                         of the health care system impossible.
additional safeguards governing when                information are not governed by this                    For example, requiring consent prior to
and how the health plans covered by                 rule. It is the role of government to                   release of health information to a public
this regulation may disclose health                 undertake functions in the broader                      health official who is attempting to track
information to employers.                           public interest, such as public health                  the source of an outbreak or epidemic
   Comment: Several commenters argued               activities, law enforcement,                            could endanger thousands of lives.
that individuals should be able to sue              identification of deceased individuals                  Similarly, requiring consent before an
for breach of privacy.                              through coroners’ offices, and military                 oversight official could audit a health
   Response: We agree, but do not have              activities. It is these public purposes                 plan would make detection of health
the legislative authority to grant a                which can sometimes outweigh an                         care fraud all but impossible; it could
private right of action to sue under this           individual’s privacy interest. In this                  take health plans months or years to
statute. Only Congress can grant that                                                                       locate and obtain the consent of all
                                                    rule, we specify the circumstances in
right.                                                                                                      current and past enrollees, and the
                                                    which that balance is tipped toward the
                                                                                                            health plan would not have a strong
Objections to Government Access to                  public interest with respect to health
                                                                                                            incentive to do so. These uses of
Protected Health Information                        information. We discuss the rationale
                                                                                                            medical information are clearly in the
  Comment: Many commenters urged                    behind each of these permitted
                                                                                                            public interest.
the Department not to create a                      disclosures in the relevant preamble                       In this regulation, we must balance
government database of health                       sections below.                                         individuals’ privacy interests against the
information, or a tracking system that              Miscellaneous Comments                                  legitimate public interests in certain
would enable the government to track                                                                        uses of health information. Where there
                                                      Comment: Many commenters objected                     is an important public interest, this
individuals health information.
  Response: This regulation does not                to the establishment of a unique                        regulation imposes procedural
create such a database or tracking                  identifier for health care or other                     safeguards that must be met prior to
system, nor does it enable future                   purposes.                                               release of health information, in lieu of
creation of such a database. This                     Response: This regulation does not                    a requirement for consent. In some
regulation describes the ways in which              create an identifier. We assume these                   instances the procedural safeguards
health plans, health care clearinghouses,           comments refer to the unique health                     consist of limits on the circumstances in
and certain health care providers may               identifier that Congress directed the                   which information may be disclosed, in
use and disclose identifiable health                Secretary to promulgate under                           others the safeguards consist of limits
information with and without the                    section1173(b) of the Social Security                   on what information may be disclosed,
individual’s consent.                               Act, added by section 262 of the HIPAA.                 and in other cases we require some form
  Comment: Many commenters objected                 Because of the public concerns about                    of legal process (e.g., a warrant or
to government access to or control over             such an identifier, in the summer of                    subpoena) prior to release of health
their health information, which they                1998 Vice President Gore announced                      information. We also allow disclosure of
believe the proposed regulation would               that the Administration would not                       health information without consent
provide.                                            promulgate such a regulation until                      where other law mandates the
  Response: This regulation does not                comprehensive medical privacy                           disclosures. Where such other law
increase current government access to               protections were in place. In the fall of               exists, another public entity has made
health information. This rule sets                  that year, Congress prohibited the                      the determination that the public
minimum privacy standards. It does not              Department from promulgating such an                    interests outweigh the individual’s
require disclosure of health information,           identifier, and that prohibition remains                privacy interests, and we do not upset
other than to the subject of the records            in place. The Department has no plans                   that determination in this regulation. In
or for enforcement of this rule. Health plans and health care providers are free to use their own professional ethics and judgement to adopt stricter policies for disclosing health information.
   Comment: Some commenters viewed the NPRM as creating fewer hurdles for government access to protected health information than for access to protected health information by private organizations. Some health care providers commented that the NPRM
to promulgate a unique health identifier.
   Comment: Many commenters asked that we withdraw the proposed regulation and not publish a final rule.
   Response: Under section 264 of the HIPAA, the Secretary is required by Congress to promulgate a regulation establishing standards for health information privacy. Further, for the reasons explained throughout this preamble above, we believe that the need to protect health information
short, we tailor the safeguards to match the specific nature of the public purpose. The specific safeguards are explained in each section of this regulation below.
   Comment: Many comments address matters not relevant to this regulation, such as alternative fuels, hospital reimbursement, and gulf war syndrome.
   Response: These and similar matters are not relevant to this regulation and will not be addressed further.
   Comment: A few commenters questioned why this level of detail is needed in response to the HIPAA Congressional mandate.
   Response: This level of detail is necessary to ensure that individuals’ rights with respect to their health information are clear, while also ensuring that information necessary for important public functions, such as protecting public health, promoting biomedical research, fighting health care fraud, and notifying family members in disaster situations, will not be impaired by this regulation. We designed this rule to reflect current practices and change some of them. The comments and our fact finding revealed the complexity of current health information practices, and we believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.
   Comment: A few comments stated that the goal of administrative simplification should never override the privacy of individuals.
   Response: We believe that privacy is a necessary component of administrative simplification, not a competing interest.
   Comment: At least one commenter said that the goal of administrative simplification is not well served by the proposed rule.
   Response: Congress recognized that privacy is a necessary component of administrative simplification. The standardization of electronic health information mandated by the HIPAA that makes it easier to share that information for legitimate purposes also makes the inappropriate sharing of that information easier. For this reason, Congress included a mandate for privacy standards in this section of the HIPAA. Without appropriate privacy protections, public fear and instances of abuse would make it impossible for us to take full advantage of the administrative and cost benefits inherent in the administrative simplification standards.
   Comment: At least one commenter asked us to require psychotherapists to assert any applicable legal privilege on patients’ behalf when protected health information is requested.
   Response: Whether and when to assert a claim of privilege on a patient’s behalf is a matter for other law and for the ethics of the individual health care provider. This is not a decision that can or should be made by the federal government.
   Comment: One commenter called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the Security Standards should be compatible with the existing and emerging health care and information technology industry standards.
   Response: We agree that both this regulation and the final Security Regulation should be compatible with existing and emerging technology industry standards. This regulation is "technology neutral." We do not mandate the use of any particular technologies, but rather set standards which can be met through a variety of means.
   Comment: Several commenters claimed that the statutory authority given under HIPAA cannot provide meaningful privacy protections because many entities with access to protected health information, such as employers, worker’s compensation carriers, and life insurance companies, are not covered entities. These commenters expressed support for comprehensive legislation to close many of the existing loopholes.
   Response: We agree with the commenters that comprehensive legislation is necessary to provide full privacy protection and have called for members of Congress to pass such legislation to prevent unauthorized and potentially harmful uses and disclosures of information.

Part 160—Subpart A—General Provisions

Section 160.103—Definitions

Business Associate

   The response to comments on the definition of "business partner," renamed in this rule as "business associate," is included in the response to comments on the requirements for business associates in the preamble discussion of § 164.504.

Covered Entity

   Comment: A number of commenters urged the Department to expand or clarify the definition of "covered entity" to include certain entities other than health care clearinghouses, health plans, and health care providers who conduct standard transactions. For example, several commenters asked that the Department generally expand the scope of the rule to cover all entities that receive or maintain individually identifiable health information; others specifically urged the Department to cover employers, marketing firms, and legal entities that have access to individually identifiable health information. Some commenters asked that life insurance and casualty insurance carriers be considered covered entities for purposes of this rule. One commenter recommended that Pharmacy Benefit Management (PBM) companies be considered covered entities so that they may use and disclose protected health information without authorization.
   In addition, a few commenters asked the Department to clarify that the definition includes providers who do not directly conduct electronic transactions if another entity, such as a billing service or hospital, does so on their behalf.
   Response: We understand that many entities may use and disclose individually identifiable health information. However, our jurisdiction under the statute is limited to health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with any of the standard financial or administrative transactions in section 1173(a) of the Act. These are the entities referred to in section 1173(a)(1) of the Act and thus listed in § 160.103 of the final rule. Consequently, once protected health information leaves the purview of one of these covered entities, their business associates, or other related entities (such as plan sponsors), the information is no longer afforded protection under this rule. We again highlight the need for comprehensive federal legislation to eliminate such gaps in privacy protection.
   We also provide the following clarifications with regard to specific entities.
   We clarify that employers and marketing firms are not covered entities. However, employers may be plan sponsors of a group health plan that is a covered entity under the rule. In such a case, specific requirements apply to the group health plan. See the preamble on § 164.504 for a discussion of specific "firewall" and other organizational requirements for group health plans and their employer sponsors. The final rule also contains provisions addressing when an insurance issuer providing benefits under a group health plan may disclose summary health information to a plan sponsor.
   With regard to life and casualty insurers, we understand that such benefit providers may use and disclose individually identifiable health information. However, Congress did not include life insurers and casualty insurance carriers as "health plans" for the purposes of this rule and therefore they are not covered entities. See the discussion regarding the definition of "health plan" and excepted benefits.
   In addition, we clarify that a PBM is a covered entity only to the extent that it meets the definition of one or more of the entities listed in § 160.102. When providing services to patients through managed care networks, it is likely that a PBM is acting as a business associate of a health plan, and may thus use and disclose protected health information pursuant to the relevant provisions of this rule. PBMs may also be business associates of health care providers. See the preamble sections on §§ 164.502, 164.504, and 164.506 for discussions of the specific requirements related to business associates and consent.
   Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to a contractor.
   Comment: Many commenters urged the Department to restrict or clarify the definition of "covered entity" to exclude certain entities, such as department-operated hospitals (public hospitals); state Crime Victim Compensation Programs; employers; and certain lines of insurers, such as workers’ compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers. One commenter expressed concern that clergy, religious practitioners, and other faith-based service providers would have to abide by the rule and asked that the Department exempt prayer healing and non-medical health care.
   Response: The Secretary provides the following clarifications in response to these comments. To the extent that a "department-operated hospital" meets the definition of a "health care provider" and conducts any of the standard transactions, it is a covered entity for the purposes of this rule. We agree that a state Crime Victim Compensation Program is not a covered entity if it is not a health care provider that conducts standard transactions, health plan, or health care clearinghouse. Further, as described above, employers are not covered entities.
   In addition, we agree that workers’ compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers are not covered entities, as they do not meet the statutory definition of "health plan." See further discussion in the preamble on § 160.103 regarding the definition of "health plan." However, activities related to ceding, securing, or placing a contract for reinsurance, including stop-loss insurance, are health care operations in the final rule. As such, reinsurers and stop-loss insurers may obtain protected health information from covered entities.
   Also, in response to the comment regarding religious practitioners, the Department clarifies that "health care" as defined under the rule does not include methods of healing that are solely spiritual. Therefore, clergy or other religious practitioners that provide solely religious healing services are not health care providers within the meaning of this rule, and consequently not covered entities for the purposes of this rule.
   Comment: A few commenters expressed general uncertainty and requested clarification as to whether certain entities were covered entities for the purposes of this rule. One commenter was uncertain as to whether the rule applies to certain social service entities, in addition to clinical social workers that the commenter believes are providers. Other commenters asked whether researchers or non-governmental entities that collect and analyze patient data to monitor and evaluate quality of care are covered entities. Another commenter requested clarification regarding the definition’s application to public health agencies that also are health care providers as well as how the rule affects public health agencies in their data collection from covered entities.
   Response: Whether the professionals described in these comments are covered by this rule depends on the activities they undertake, not on their profession or degree. The definitions in this rule are based on activities and functions, not titles. For example, a social service worker whose activities meet this rule’s definition of health care will be a health care provider. If that social service worker also transmits information in a standard HIPAA transaction, he or she will be a covered health entity under this rule. Another social service worker may provide services that do not meet the rule’s definition of health care, or may not transmit information in a standard transaction. Such a social service worker is not a covered entity under this rule. Similarly, researchers in and of themselves are not covered entities. However, researchers may also be health care providers if they provide health care. In such cases, the persons or entities, in their role as health care providers, may be covered entities if they conduct standard transactions.
   With regard to public health agencies that are also health care providers, the health care provider "component" of the agency is the covered entity if that component conducts standard transactions. See discussion of "health care components" below. As to the data collection activities of a public health agency, the final rule in § 164.512(b) permits a covered entity to disclose protected health information to public health authorities under specified circumstances, and permits public health agencies that are also covered entities to use protected health information for these purposes. See § 164.512(b) for further details.
   Comment: A few commenters requested that the Department clarify that device manufacturers are not covered entities. They stated that the proposal did not provide enough guidance in cases where the "manufacturer supplier" has only one part of its business that acts as the "supplier," and additional detail is needed about the relationship of the "supplier component" of the company to the rest of the business. Similarly, another commenter asserted that drug, biologics, and device manufacturers should not be covered entities simply by virtue of their manufacturing activities.
   Response: We clarify that if a supplier manufacturer is a Medicare supplier, then it is a health care provider, and it is a covered entity if it conducts standard transactions. Further, we clarify that a manufacturer of supplies related to the health of a particular individual, e.g., prosthetic devices, is a health care provider because the manufacturer is providing "health care" as defined in the rule. However, that manufacturer is a covered entity only if it conducts standard transactions. We do not intend that a manufacturer of supplies that are generic and not customized or otherwise specifically designed for particular individuals, e.g., ace bandages for a hospital, is a health care provider. Such a manufacturer is not providing "health care" as defined in the rule and is therefore not a covered entity. We note that, even if such a manufacturer is a covered entity, it may be an "indirect treatment provider" under this rule, and thus not subject to all of the rule’s requirements.
   With regard to a "supplier component," the final rule addresses the status of the unit or unit(s) of a larger entity that constitute a "health care component." See further discussion under § 164.504 of this preamble.
   Finally, we clarify that drug, biologics, and device manufacturers are not health care providers simply by virtue of their manufacturing activities. The manufacturer must be providing health care consistent with the final
rule’s definition in order to be considered a health care provider.
   Comment: A few commenters asked that the Department clarify that pharmaceutical manufacturers are not covered entities. It was explained that pharmaceutical manufacturers provide support and guidance to doctors and patients with respect to the proper use of their products, provide free products for doctors to distribute to patients, and operate charitable programs that provide pharmaceutical drugs to patients who cannot afford to buy the drugs they need.
   Response: A pharmaceutical manufacturer is only a covered entity if the manufacturer provides "health care" according to the rule’s definition and conducts standard transactions. In the above case, a pharmaceutical manufacturer that provides support and guidance to doctors and patients regarding the proper use of their products is providing "health care" for the purposes of this rule, and therefore, is a health care provider to the extent that it provides such services. The pharmaceutical manufacturer that is a health care provider is only a covered entity, however, if it conducts standard transactions. We note that this rule permits a covered entity to disclose protected health information to any person for treatment purposes, without specific authorization from the individual. Therefore, a covered health care provider is permitted to disclose protected health information to a pharmaceutical manufacturer for treatment purposes. Providing free samples to a health care provider does not in itself constitute health care. For further analysis of pharmacy assistance programs, see response to comment on § 164.501, definition of "payment."
   Comment: Several commenters asked about the definition of "covered entity" and its application to health care entities within larger organizations.
   Response: A detailed discussion of the final rule’s organizational requirements and firewall restrictions for "health care components" of larger entities, as well as for affiliated and other entities, is found at the discussion of § 164.504 of this preamble. The following responses to comments provide additional information with respect to particular "component entity" circumstances.
   Comment: Several commenters asked that we clarify the definition of covered entity to state that with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated businesses, the term "covered entity" encompasses only the health care components of the entity. Similarly, others recommended that only the component of a government agency that is a provider, health plan, or clearinghouse should be considered a covered entity.
   Other commenters requested that we revise proposed § 160.102 to apply only to the component of an entity that engages in the transactions specified in the rule. Commenters stated that companies should remain free to employ licensed health care providers and to enter into corporate relationships with provider institutions without fear of being considered to be a covered entity. Another commenter suggested that the regulation not apply to the provider-employee or employer when neither the provider nor the company is a covered entity.
   Some commenters specifically argued that the definition of "covered entity" did not contemplate an integrated health care system and one commenter stated that the proposal would disrupt the multi-disciplinary, collaborative approach that many take to health care today by treating all components as separate entities. Commenters, therefore, recommended that the rule treat the integrated entity, not its constituent parts, as the covered entity.
   A few commenters asked that the Department further clarify the definition with respect to the unique organizational models and relationships of academic medical centers and their parent universities and the rules that govern information exchange within the institution. One commenter asked whether faculty physicians who are paid by a medical school or faculty practice plan and who are on the medical staff of, but not paid directly by, a hospital are included within the covered entity. Another commenter stated that it appears that only the health center at an academic institution is the covered entity. Uncertainty was also expressed as to whether other components of the institution that might create protected health information only incidentally through the conduct of research would also be covered.
   Response: The Department understands that in today’s health care industry, the relationships among health care entities and non-health care organizations are highly complex and varied. Accordingly, the final rule gives covered entities some flexibility to segregate or aggregate their operations for purposes of the application of this rule. The new component entity provision can be found at §§ 164.504(b)-(c). In response to the request for clarification on whether the rule would apply to a research component of the covered entity, we point out that if the research activities fall outside of the health care component they would not be subject to the rule. One organization may have one or several "health care component(s)" that each perform one or more of the health care functions of a covered entity, i.e., health care provider, health plan, health care clearinghouse. In addition, the final rule permits covered entities that are affiliated, i.e., share common ownership or control, to designate themselves, or their health care components, together to be a single covered entity for purposes of the rule.
   It appears from the comments that there is not a common understanding of the meaning of "integrated delivery system." Arrangements that apply this label to themselves operate and share information many different ways, and may or may not be financially or clinically integrated. In some cases, multiple entities hold themselves out as one enterprise and engage together in clinical or financial activities. In others, separate entities share information but do not provide treatment together or share financial risk. Many health care providers participate in more than one such arrangement.
   Therefore, we do not include a separate category of "covered entity" under this rule for "integrated delivery systems" but instead accommodate the operations of these varied arrangements through the functional provisions of the rule. For example, covered entities that operate as "organized health care arrangements" as defined in this rule may share protected health information for the operation of such arrangement without becoming business associates of one another. Similarly, the regulation does not require a business associate arrangement when protected health information is shared for purposes of providing treatment. The application of this rule to any particular "integrated system" will depend on the nature of the common activities the participants in the system perform. When the participants in such an arrangement are "affiliated" as defined in this rule, they may consider themselves a single covered entity (see § 164.504).
   The arrangements between academic health centers, faculty practice plans, universities, and hospitals are similarly diverse. We cannot describe a blanket rule that covers all such arrangements. The application of this rule will depend on the purposes for which the participants in such arrangements share protected health information, whether some or all participants are under common ownership or control, and similar matters. We note that physicians who have staff privileges at a covered
hospital do not become part of that hospital covered entity by virtue of having such privileges.

We reject the recommendation to apply the rule only to components of an entity that engage in the transactions. This would omit as covered entities, for example, the health plan components that do not directly engage in the transactions, including components that engage in important health plan functions such as coverage determinations and quality review. Indeed, we do not believe that the statute permits this result with respect to health plans or health care clearinghouses as a matter of negative implication from section 1172(a)(3). We clarify that only a health care provider must conduct transactions to be a covered entity for purposes of this rule.

We also clarify that health care providers (such as doctors or nurses) who work for a larger organization and do not conduct transactions on their own behalf are workforce members of the covered entity, not covered entities themselves.

Comment: A few commenters asked the Department to clarify the definition to provide that a multi-line insurer that sells insurance coverages, some of which do and others of which do not meet the definition of “health plan,” is not a covered entity with respect to actions taken in connection with coverages that are not “health plans.”

Response: The final rule clarifies that the requirements below apply only to the organizational unit or units of the organization that are the “health care component” of a covered entity, where the “covered functions” are not the primary functions of the entity. Therefore, for a multi-line insurer, the “health care component” is the insurance line(s) that conduct, or support the conduct of, the health care function of the covered entity. Also, it should be noted that excepted benefits, such as life insurance, are not included in the definition of “health plan.” (See preamble discussion of § 164.504.)

Comment: A commenter questioned whether the Health Care Financing Administration (HCFA) is a covered entity and how HCFA will share data with Medicare managed care organizations. The commenter also questioned why the regulation must apply to Medicaid since the existing Medicaid statute requires that states have privacy standards in place. It was also requested that the Department provide a definition of “health plan” to clarify that state Medicaid programs are considered as such.

Response: HCFA is a covered entity because it administers Medicare and Medicaid, which are both listed in the statute as health plans. Medicare managed care organizations are also covered entities under this regulation. As noted elsewhere in this preamble, covered entities that jointly administer a health plan, such as Medicare + Choice, are both covered entities, and are not business associates of each other by virtue of such joint administration.

We do not exclude state Medicaid programs. Congress explicitly included the Medicaid program as a covered health plan in the HIPAA statute.

Comment: A commenter asked the Department to provide detailed guidance as to when providers, plans, and clearinghouses become covered entities. The commenter provided the following example: if a provider submits claims only in paper form, and a coordination of benefits (COB) transaction is created due to other insurance coverage, will the original provider need to be notified that the claim is now in electronic form, and that it has become a covered entity? Another commenter voiced concern as to whether physicians who do not conduct electronic transactions would become covered entities if another entity using their records downstream transmits information in connection with a standard transaction on their behalf.

Response: We clarify that health care providers who submit the transactions in standard electronic form, health plans, and health care clearinghouses are covered entities if they meet the respective definitions. Health care providers become subject to the rule if they conduct standard transactions. In the above example, the health care provider would not be a covered entity if the coordination of benefits transaction was generated by a payor.

We also clarify that health care providers who do not submit transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on the providers’ behalf. However, where the downstream transaction is not conducted on behalf of the health care provider, the provider does not become a covered entity due to the downstream transaction.

Comment: Several commenters discussed the relationship between section 1179 of the Act and the privacy regulations. One commenter suggested that HHS retain the statement that a covered entity means “the entities to which part C of title XI of the Act applies.” In particular, the commenter observed that section 1179 of the Act provides that part C of title XI of the Act does not apply to financial institutions or to entities acting on behalf of such institutions that are covered by the section 1179 exemption. Thus, under the definition of covered entity, they comment that financial institutions and other entities that come within the scope of the section 1179 exemption are appropriately not covered entities.

Other commenters maintained that section 1179 of the Act means that the Act’s privacy requirements do not apply to the request for, or the use or disclosure of, information by a covered entity with respect to payment: (a) for transferring receivables; (b) for auditing; (c) in connection with—(i) a customer dispute; or (ii) an inquiry from or to a customer; (d) in a communication to a customer of the entity regarding the customer’s transactions payment card, account, check, or electronic funds transfer; (e) for reporting to consumer reporting agencies; or (f) for complying with: (i) a civil or criminal subpoena; or (ii) a federal or state law regulating the entity. These companies expressed concern that the proposed rule did not include the full text of section 1179 when discussing the list of activities that were exempt from the rule’s requirements. Accordingly, they recommended including in the final rule either a full listing of or a reference to section 1179’s full list of exemptions. Furthermore, these firms opposed applying the proposed rule’s minimum necessary standard for disclosure of protected health information to financial institutions because of section 1179.

These commenters suggest that in light of section 1179, HHS lacks the authority to impose restrictions on financial institutions and other entities when they engage in activities described in that section. One commenter expressed concern that even though proposed § 164.510(i) would have permitted covered entities to disclose certain information to financial institutions for banking and payment processes, it did not state clearly that financial institutions and other entities described in section 1179 are exempt from the rule’s requirements.

Response: We interpret section 1179 of the Act to mean that entities engaged in the activities of a financial institution, and those acting on behalf of a financial institution, are not subject to this regulation when they are engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The statutory reference to 12 U.S.C. 3401 indicates that Congress chose to adopt the definition of financial institutions found
in the Right to Financial Privacy Act, which defines financial institutions as any office of a bank, savings bank, card issuer, industrial loan company, trust company, savings association, building and loan, homestead association, cooperative bank, credit union, or consumer finance institution located in the United States or one of its Territories. Thus, when we use the term “financial institution” in this regulation, we turn to the definition with which Congress provided us. We interpret this provision to mean that when a financial institution, or its agent on behalf of the financial institution, conducts the activities described in section 1179, the privacy regulation will not govern the activity.

If, however, these activities are performed by a covered entity or by another entity, including a financial institution, on behalf of a covered entity, the activities are subject to this rule. For example, if a bank operates the accounts payable system or other “back office” functions for a covered health care provider, that activity is not described in section 1179. In such instances, because the bank would meet the rule’s definition of “business associate,” the provider must enter into a business associate contract with the bank before disclosing protected health information pursuant to this relationship. However, if the same provider maintains an account through which he/she cashes checks from patients, no business associate contract would be necessary because the bank’s activities are not undertaken for or on behalf of the covered entity, and fall within the scope of section 1179. In part to give effect to section 1179, in this rule we do not consider a financial institution to be acting on behalf of a covered entity when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care.

We do not agree with the comment that section 1179 of the Act means that the privacy regulation’s requirements cannot apply to the activities listed in that section; rather, it means that the entities expressly mentioned, financial institutions (as defined in the Right to Financial Privacy Act), and their agents that engage in the listed activities for the financial institution are not within the scope of the regulation. Nor do we interpret section 1179 to support an exemption for disclosures to financial institutions from the minimum necessary provisions of this regulation.

Comment: One commenter recommended that HHS include a definition of “entity” in the final rule because HIPAA did not define it. The commenter explained that in a modern health care environment, the organization acting as the health plan or health care provider may involve many interrelated corporate entities and that this could lead to difficulties in determining what “entities” are actually subject to the regulation.

Response: We reject the commenter’s suggestion. We believe it is clear in the final rule that the entities subject to the regulation are those listed at § 160.102. However, we acknowledge that how the rule applies to integrated or other complex health systems needs to be addressed; we have done so in § 164.504 and in other provisions, such as those addressing organized health care arrangements.

Comment: The preamble should clarify that self-insured group health and workmen’s compensation plans are not covered entities or business partners.

Response: In the preamble to the proposed rule we stated that certain types of insurance entities, such as workers’ compensation, would not be covered entities under the rule. We do not change this position in this final rule. The statutory definition of health plan does not include workers’ compensation products, and the regulatory definition of the term specifically excludes them. However, HIPAA specifically includes most group health plans within the definition of “health plan.”

Comment: A health insurance issuer asserted that health insurers and third party administrators are usually required by employers to submit reports describing the volume, amount, payee, basis for services rendered, types of claims paid and services for which payment was requested on behalf of its covered employees. They recommended that the rule permit the disclosure of protected health information for such purposes.

Response: We agree that health plans should be able to disclose protected health information to employers sponsoring health plans under certain circumstances. Section 164.504(f) explains the conditions under which protected health information may be disclosed to plan sponsors. We believe that this provision gives sponsors access to the information they need, but protects individuals’ information to the extent possible under our legislative authority.

Group Health Plan

For response to comments relating to “group health plan,” see the response to comments on “health plan” below and the response to comments on § 164.504.

Health Care

Comment: A number of commenters asked that we include disease management activities and other similar health improvement programs, such as preventive medicine, health education services and maintenance, health and case management, and risk assessment, in the definition of “health care.” Commenters maintained that the rule should avoid limiting technological advances and new health care trends intended to improve patient “health care.”

Response: Review of these and other comments, and our fact-finding, indicate that there are multiple, different understandings of the definition of these terms. Therefore, rather than create a blanket rule that includes such terms in or excludes such terms from the definition of “health care,” we define health care based on the underlying activities that constitute health care. The activities described by these commenters are considered “health care” under this rule to the extent that they meet this functional definition. Listing activities by label or title would create the risk that important activities would be left out and, given the lack of consensus on what these terms mean, could also create confusion.

Comment: Several commenters urged that the Department clarify that the activities necessary to procure and distribute eyes and eye tissue will not be hampered by the rule. Some of these commenters explicitly requested that we include “eyes and eye tissue” in the list of procurement biologicals as well as “eye procurement” in the definition of “health care.” In addition, it was argued that “administration to patients” be excluded in the absence of a clear definition. Also, commenters recommended that the definition include other activities associated with the transplantation of organs, such as processing, screening, and distribution.

Response: We delete from the definition of “health care” activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients. We do so because persons who make such donations are not seeking to be treated, diagnosed, or assessed or otherwise seeking health care for themselves, but are seeking to contribute to the health care of others. In addition, the nature of
these activities entails a unique kind of information sharing and tracking necessary to safeguard the nation’s organ and blood supply, and those seeking to donate are aware that this information sharing will occur. Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.

With respect to disclosure of protected health information by covered entities to facilitate cadaveric organ and tissue donation, the final rule explicitly permits a covered entity to disclose protected health information without authorization, consent, or agreement to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h). We do not include blood or sperm banking in this provision because, for those activities, there is direct contact with the donor, and thus opportunity to obtain the individual’s authorization.

Comment: A large number of commenters urged that the term “assessment” be included in the list of services in the definition, as “assessment” is used to determine the baseline health status of an individual. It was explained that assessments are conducted in the initial step of diagnosis and treatment of a patient. If assessment is not included in the list of services, they pointed out that the services provided by occupational health nurses and employee health information may not be covered.

Response: We agree and have added the term “assessment” to the definition to clarify that this activity is considered “health care” for the purposes of the rule.

Comment: One commenter asked that we revise the definition to explicitly exclude plasmapheresis from paragraph (3) of the definition. It was explained that plasmapheresis centers do not have direct access to health care recipients or their health information, and that the limited health information collected about plasma donors is not used to provide health care services as indicated by the definition of health care.

Response: We address the commenters’ concerns by removing the provision related to procurement and banking of human products from the definition.

Health Care Clearinghouse

Comment: The largest set of comments relating to health care clearinghouses focused on our proposal to exempt health care clearinghouses from the patient notice and access rights provisions of the regulation. In our NPRM, we proposed to exempt health care clearinghouses from certain provisions of the regulation that deal with the covered entities’ notice of information practices and consumers’ rights to inspect, copy, and amend their records. The rationale for this exemption was based on our belief that health care clearinghouses engage primarily in business-to-business transactions and do not initiate or maintain direct relationships with individuals. We proposed this position with the caveat that the exemptions would be void for any health care clearinghouse that had direct contact with individuals in a capacity other than that of a business partner. In addition, we indicated that, in most instances, clearinghouses also would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. They also would be subject to the notice of information practices developed by the plans and providers with whom they contract.

Commenters stated that, although health care clearinghouses do not have direct contact with individuals, they do have individually identifiable health information that may be subject to misuse or inappropriate disclosure. They expressed concern that we were proposing to exempt health care clearinghouses from all or many aspects of the regulation. These commenters suggested that we either delete the exemption or make it very narrow, specific and explicit in the final regulatory text.

Clearinghouse commenters, on the other hand, were in agreement with our proposal, including the exemption provision and the provision that the exemption is voided when the entity does have direct contact with individuals. They also stated that a health care clearinghouse that has direct contact with individuals is no longer a health care clearinghouse as defined and should be subject to all requirements of the regulation.

Response: In the final rule, where a clearinghouse creates or receives protected health information as a business associate of another covered entity, we maintain the exemption for health care clearinghouses from certain provisions of the regulation dealing with the notice of information practices and patients’ direct access rights to inspect, copy and amend records (§§ 164.524 and 164.526), on the grounds that a health care clearinghouse is engaged in business-to-business operations, and is not dealing directly with individuals. Moreover, as business associates of plans and providers, health care clearinghouses are bound by the notices of information practices of the covered entities with whom they contract.

Where a health care clearinghouse creates or receives protected health information other than as a business associate, however, it must comply with all the standards, requirements, and implementation specifications of the rule. We describe and delimit the exact nature of the exemption in the regulatory text. See § 164.500(b). We will monitor developments in this sector should the basic business-to-business relationship change.

Comment: A number of comments relate to the proposed definition of health care clearinghouse. Many commenters suggested that we expand the definition. They suggested that additional types of entities be included in the definition of health care clearinghouse, specifically medical transcription services, billing services, coding services, and “intermediaries.” One commenter suggested that the definition be expanded to add entities that receive standard transactions, process them and clean them up, and then send them on, without converting them to any standard format. Another commenter suggested that the health care clearinghouse definition be expanded to include entities that do not perform translation but may receive protected health information in a standard format and have access to that information. Another commenter stated that the list of covered entities should include any organization that receives or maintains individually identifiable health information. One organization recommended that we expand the health care clearinghouse definition to include the concept of a research data clearinghouse, which would collect individually identifiable health information from other covered entities to generate research data files for release as de-identified data or with appropriate confidentiality safeguards. One commenter stated that HHS had gone beyond Congressional intent by including billing services in the definition.

Response: We cannot expand the definition of “health care clearinghouse” to cover entities not covered by the definition of this term in the statute. In the final regulation, we
make a number of changes to address public comments relating to the definition. We modify the definition of health care clearinghouse to conform to the definition published in the Transactions Rule (with the addition of a few words, as noted above). We clarify in the preamble that, while the term “health care clearinghouse” may have other meanings and connotations in other contexts, for purposes of this regulation an entity is considered a health care clearinghouse only to the extent that it actually meets the criteria in our definition. Entities performing other

their trade associations, suggested that we not treat health care clearinghouses as playing a dual role as covered entity and business partner in the final rule because such a dual role causes confusion as to which rules actually apply to clearinghouses. In their view, the definition of health care clearinghouse is sufficiently clear to stand alone and identify a health care clearinghouse as a covered entity, and allows health care clearinghouses to operate under one consistent set of rules.

Response: For reasons explained in

form. For more detailed information, see the preamble discussion of § 164.504(d).

We understand the need for additional guidance on whether specific entities or persons are health care providers under the final rule. We provide guidance below and will provide additional guidance as the rule is implemented.

Comment: One commenter observed that sections 1171(3), 1861(s) and 1861(u) of the Act do not include pharmacists in the definition of health care provider or pharmacist services in the definition of “medical or other
functions but not meeting the criteria for          § 164.504 of this preamble, we do not                   health services,’’ and questioned
a health care clearinghouse are not                 create an exception to the business                     whether pharmacists were covered by
clearinghouses, although they may be                associate requirements when the                         the rule.
business associates. Billing services are                                                                      Response: The statutory definition of
                                                    business associate is also a covered
included in the regulatory definition of                                                                    ‘‘health care provider’’ at section
                                                    entity. We retain the concept that a
‘‘health care clearinghouse,’’ if they                                                                      1171(3) includes ‘‘any other person or
                                                    health care clearinghouse may be a
perform the specified clearinghouse                                                                         organization who furnishes, bills, or is
                                                    covered entity and a business associate
functions. Although we have not added                                                                       paid for health care in the normal
                                                    of a covered entity under the regulation.
or deleted any entities from our original                                                                   course of business.’’ Pharmacists’
                                                    As business associates, they would be
definition, we will monitor industry                                                                        services are clearly within this statutory
                                                    bound by their contracts with covered
practices and may add other entities in                                                                     definition of ‘‘health care.’’ There is no
                                                    plans and providers.
the future as changes occur in the health                                                                   basis for excluding pharmacists who
system.                                             Health Care Provider                                    meet these statutory criteria from this
   Comment: Several commenters                                                                              regulation.
                                                       Comment: One commenter pointed                          Comment: Some commenters
suggested that we clarify that an entity            out that the preamble referred to the
acting solely as a conduit through which                                                                    recommended that the scope of the
                                                    obligations of providers and did not use                definition be broadened or clarified to
individually identifiable health                    the term, ‘‘covered entity,’’ and thus
information is transmitted or through                                                                       cover additional persons or
                                                    created ambiguity about the obligations                 organizations. Several commenters
which protected health information                  of health care providers who may be
flows but is not stored is not a covered                                                                    argued for expanding the reach of the
                                                    employed by persons other than covered                  health care provider definition to cover
entity, e.g., a telephone company or                entities, e.g., pharmaceutical companies.
Internet Service Provider. Other                                                                            entities such as state and local public
                                                    It was suggested that a better reading of               health agencies, maternity support
commenters indicated that once a
                                                    the statute and rule is that where neither              services (provided by nutritionists,
transaction leaves a provider or plan
                                                    the provider nor the company is a                       social workers, and public health nurses
electronically, it may flow through
                                                    covered entity, the rule does not impose                and the Special Supplemental Nutrition
several entities before reaching a
                                                    an obligation on either the provider-                   Program for Women, Infants and
clearinghouse. They asked that the
                                                    employee or the employer.                               Children), and those companies that
regulation protect the information in
that interim stage, just as the security               Response: We agree. We use the term                  conduct cost-effectiveness reviews, risk
NPRM established a chain of trust                   ‘‘covered entity’’ whenever possible in                 management, and benchmarking
arrangement for such a network. Others              the final rule, except for the instances                studies. One commenter queried
noted that these ‘‘conduit’’ entities are           where the final rule treats the entities                whether auxiliary providers such as
likely to be business partners of the               differently, or where use of the term                   child play therapists, and speech and
provider, clearinghouse or plan, and we             ‘‘health care provider’’ is necessary for               language therapists are considered to be
should clarify that they are subject to             purposes of illustrating an example.                    health care providers. Other
business partner obligations as in the                 Comment: Several commenters stated                   commenters questioned whether
proposed Security Rule.                             that the proposal’s definition was broad,               ‘‘alternative’’ or ‘‘complementary’’
   Response: We clarify that entities               unclear, and/or confusing. Further, we                  providers, such as naturopathic
acting as simple and routine                        received many comments requesting                       physicians and acupuncturists would be
communications conduits and carriers                clarification as to whether specific                    considered health care providers
of information, such as telephone                   entities or persons were ‘‘health care                  covered by the rule.
companies and Internet Service                      providers’’ for the purposes of our rule.                  Response: As with other aspects of
Providers, are not clearinghouses as                One commenter questioned whether                        this rule, we do not define ‘‘health care
defined in the rule unless they carry out           affiliated members of a health care                     provider’’ based on the title or label of
the functions outlined in our definition.           group (even though separate legal                       the professional. The professional
Similarly, we clarify that value added              entities) would be considered as one                    activities of these kinds of providers
networks and switches are not health                primary health care provider.                           vary; a person is a ‘‘health care
care clearinghouses unless they carry                  Response: We permit legally distinct                 provider’’ if those activities are
out the functions outlined in the                   covered entities that share common                      consistent with the rule’s definition of
definition, and clarify that such entities          ownership or control to designate                       ‘‘health care provider.’’ Thus, health
may be business associates if they meet             themselves together to be a single                      care providers include persons, such as
the definition in the regulation.                   covered entity. Such organizations may                  those noted by the commenters, to the
   Comment: Several commenters,                     promulgate a single shared notice of                    extent that they meet the definition. We
including the large clearinghouses and              information practices and a consent                     note that health care providers are only

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00113   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82574       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

subject to this rule if they conduct                ‘‘health clinic or licensed health care                 the Secretary did not intend that
certain transactions. See the definition            professional located at a school or                     manufacturers, such as pharmaceutical,
of ‘‘covered entity.’’                              business in the preamble’s discussion of                biologics, and device manufacturers,
   However companies that conduct                   ‘‘health care provider.’’ It was stated                 health care suppliers, medical-surgical
cost-effectiveness reviews, risk                    that including ‘‘licensed health care                   supply distributors, health care vendors
management, and benchmarking studies                professionals located at a school or                    that offer medical record documentation
are not health care providers for the               business’’ highlights the need for these                templates and that typically do not deal
purposes of this rule unless they                   individuals to understand they have the                 directly with the patient, be considered
perform other functions that meet the               authority to disclose information to the                health care providers and thus covered
definition. These entities would be                 Social Security Administration (SSA)                    entities. However, in contrast, one
business associates if they perform such            without authorization.                                  commenter argued that, as an in vitro
activities on behalf of a covered entity.              However, several commenters urged                    diagnostics manufacturer, it should be
   Comment: Another commenter                       HHS to create an exception for or delete                covered as a health care provider.
recommended that the Secretary expand               that reference in the preamble                             Response: We disagree with the
the definition of health care provider to           discussion to primary and secondary                     comments that urged that direct
cover health care providers who                     schools because of employer or business                 dealings with an individual be a
transmit or ‘‘or receive’’ any health care          partner relationships. One federal                      prerequisite to meeting the definition of
information in electronic form.                     agency suggested that the reference                     health care provider. Many providers
   Response: We do not accept this                  ‘‘licensed health care professionals                    included in the statutory definition of
suggestion. Section 1172(a)(3) states that          located at a [school]’’ be deleted from                 provider, such as clinical labs, do not
providers that ‘‘transmit’’ health                  the preamble because the definition of                  have direct contact with patients.
information in connection with one of               health care provider does not include a                 Further, the use and disclosure of
the HIPAA transactions are covered, but             reference to schools. The commenter                     protected health information by indirect
does not use the term ‘‘receive’’ or a              also suggested that the Secretary                       treatment providers can have a
similar term.                                       consider: adding language to the                        significant effect on individuals’
   Comment: Some comments related to                preamble to clarify that the rules do not               privacy. We acknowledge, however, that
online companies as health care                     apply to clinics or school health care                  providers who treat patients only
providers and covered entities. One                 providers that only maintain records                    indirectly need not have the full array
commenter argued that there was no                  that have been excepted from the                        of responsibilities as direct treatment
reason ‘‘why an Internet pharmacy                   definition of protected health                          providers, and modify the NPRM to
should not also be covered’’ by the rule            information, adding an exception to the                 make this distinction with respect to
as a health care provider. Another                  definition of covered entities for those                several provisions (see, for example
commenter stated that online health                 schools, and limiting paperwork                         § 164.506 regarding consent). We also
care service and content companies,                 requirements for these schools. Another                 clarify that manufacturers and health
including online medical record                     commenter argued for deleting                           care suppliers who are considered
companies, should be covered by the                 references to schools because the                       providers by Medicare are providers
definition of health care provider.                 proposed rule appeared to supersede or                  under this rule.
Another commenter pointed out that the              create ambiguity as to the Family                          Comment: Some commenters
definitions of covered entities cover               Educational Rights and Privacy Act                      suggested that blood centers and plasma
‘‘Internet providers who ‘bill’ or are              (FERPA), which gives parents the right                  donor centers that collect and distribute
‘paid’ for health care services or                  to access ‘‘education’’ and health                      source plasma not be considered
supplies, but not those who finance                 records of their unemancipated minor                    covered health care providers because
those services in other ways, such as               children. However, in contrast, one                     the centers do not provide ‘‘health care
through sale of identifiable health                 commenter supported the inclusion of                    services’’ and the blood donors are not
information or advertising.’’ It was                health care professionals who provide                   ‘‘patients’’ seeking health care.
pointed out that thousands of Internet              services at schools or businesses.                      Similarly, commenters expressed
sites use information provided by                      Response: We realize that our                        concern that organ procurement
individuals who access the sites for                discussion of schools in the NPRM may                   organizations might be considered
marketing or other purposes.                        have been confusing. Therefore, we                      health care providers.
   Response: We agree that online                   address these concerns and set forth our                   Response: We agree and have deleted
companies are covered entities under                policy regarding protected health                       from the definition of ‘‘health care’’ the
the rule if they otherwise meet the                 information in educational agencies and                 term ‘‘procurement or banking of blood,
definition of health care provider or               institutions in the ‘‘Relationship to                   sperm, organs, or any other tissue for
health plan and satisfy the other                   Other Federal Laws’’ discussion of                      administration to patients.’’ See prior
requirements of the rule, i.e., providers           FERPA, above.                                           discussion under ‘‘health care.’’
must also transmit health information in               Comment: Many commenters urged                          Comment: Several commenters
electronic form in connection with a                that direct contact with the patient be                 proposed to restrict coverage to only
HIPAA transaction. We restate here the              necessary for an entity to be considered                those providers who furnished and were
language in the preamble to the                     a health care provider. Commenters                      paid for services and supplies. It was
proposed rule that ‘‘An individual or               suggested that persons and                              argued that a salaried employee of a
organization that bills and/or is paid for          organizations that are remote to the                    covered entity, such as a hospital-based
health care services or supplies in the             patient and have no direct contact                      provider, should not be covered by the
normal course of business, such as                  should not be considered health care                    rule because that provider would be
* * * an ‘‘online’’ pharmacy accessible             providers. Several commenters argued                    subject both directly to the rule as a
on the Internet, is also a health care              that the definition of health care                      covered entity and indirectly as an
provider for purposes of this statute’’             provider covers a person that provides                  employee of a covered entity.
(64 FR 59930).                                      health care services or supplies only                      Response: The ‘‘dual’’ direct and
   Comment: We received many                        when the provider furnishes to or bills                 indirect situation described in these
comments related to the reference to                the patient directly. It was stated that                comments can arise only when a health

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00114   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82575

care provider conducts standard HIPAA               standard transactions, that researcher/                    Comment: Several commenters sought
transactions both for itself and for its            provider is subject to the rule with                    to distinguish a health care provider
employer. For example, when the                     regard to its provider activities.                      from a business partner as proposed in
services of a provider such as a hospital-             As to applicability to a researcher/                 the NPRM. For example, a number of
based physician are billed through a                provider versus the researcher’s home                   commenters argued that disease
standard HIPAA transaction conducted                institution, we provide the following                   managers that provide services ‘‘on
for the employer, in this example the               guidance. The rule applies to the                       behalf of’’ health plans and health care
hospital, the physician does not become             researcher as a covered entity if the                   providers, and case managers (a
a covered provider. Only when the                   researcher is a health care provider who                variation of a disease management
provider uses a standard transaction on             conducts standard transactions for                      service) are business partners and not
its own behalf does he or she become a              services on his or her own behalf,                      ‘‘health care providers.’’ Another
covered health care provider. Thus, the             regardless of whether he or she is part                 commenter argued that a disease
result is typically as suggested by this            of a larger organization. However, if the               manager should be recognized
commenter. When a hospital-based                    services and transactions are conducted                 (presumably as a covered entity)
provider is not paid directly, that is,             on behalf of the home institution, then                 because of its involvement from the
when the standard HIPAA transaction is              the home institution is the covered                     physician-patient level through complex
not on its behalf, it will not become a             entity for purposes of the rule and the                 interactions with health care providers.
covered provider.                                   researcher/provider is a workforce
   Comment: Other commenters argued                 member, not a covered entity.                              Response: To the extent that a disease
that an employer who provides health                   Comment: One commenter expressed                     or case manager provides services on
care services to its employees for whom             confusion about those instances when a                  behalf of or to a covered entity as
it neither bills the employee nor pays              health care provider was a covered                      described in the rule’s definition of
for the health care should not be                   entity one day, and one who ‘‘works                     business associate, the disease or case
considered health care providers                    under a contract’’ for a manufacturer the               manager is a business associate for
covered by the proposed rule.                       next day.                                               purposes of this rule. However, if
   Response: We clarify that the                       Response: If persons are covered                     services provided by the disease or case
employer may be a health care provider              under the rule in one role, they are not                manager meet the definition of
under the rule, and may be covered by               necessarily covered entities when they                  treatment and the person otherwise
the rule if it conducts standard                    participate in other activities in another              meets the definition of ‘‘health care
transactions. The provisions of                     role. For example, that person could be                 provider,’’ such a person is a health care
§ 164.504 may also apply.                           a covered health care provider in a                     provider for purposes of this rule.
   Comment: Some commenters were                    hospital one day but the next day read                     Comment: One commenter argued
confused about the preamble statement:              research records for a different
                                                                                                            that pharmacy employees who assist
‘‘in order to implement the principles in           employer. In its role as researcher, the
                                                                                                            pharmacists, such as technicians and
the Secretary’s Recommendations, we                 person is not covered, and protections
                                                                                                            cashiers, are not business partners.
must impose any protections on the                  do not apply to those research records.
health care providers that use and                     Comment: One commenter suggested                        Response: We agree. Employees of a
disclose the information, rather than on            that the Secretary modify proposed                      pharmacy that is a covered entity are
the researcher seeking the information,’’           § 160.102, to add the following clause at               workforce members of that covered
with respect to the rule’s policy that a            the end (after (c)) (regarding health care              entity for purposes of this rule.
researcher who provides care to subjects            provider), ‘‘With respect to any entity                    Comment: A number of commenters
in a trial will be considered a health              whose primary business is not that of a                 requested that we clarify the definition
care provider. Some commenters were                 health plan or health care provider                     of health care provider (‘‘* * * who
also unclear about whether the                      licensed under the applicable laws of                   furnishes, bills, or is paid for health care
individual researcher providing health              any state, the standards, requirements,                 services or supplies in the normal
care to subjects in a trial would be                and implementation specifications of                    course of business’’) by defining the
considered a health care provider or                this subchapter shall apply solely to the               various terms ‘‘furnish’’, ‘‘supply’’, and
whether the researcher’s home                       component of the entity that engages in                 ‘‘in the normal course of business.’’ For
institution would be considered a health            the transactions specified in [§]                       instance, it was stated that this would
care provider and thus subject to the               160.103.’’ (Emphasis added.) Another                    help employers recognize when services
rule.                                               commenter also suggested that the                       such as an employee assistance program
   Response: We clarify that, in general,           definition of ‘‘covered entity’’ be revised             constituted health care covered by the
a researcher is also a health care                  to mean entities that are ‘‘primarily or
provider if the researcher provides                 exclusively engaged in health care-
health care to subjects in a clinical               related activities as a health plan, health                Response: Although we understand
research study and otherwise meets the              care provider, or health care                           the concern expressed by the
definition of ‘‘health care provider’’              clearinghouse.’’                                        commenters, we decline to follow their
under the rule. However, a health care                 Response: The Secretary rejects these                suggestion to define terms at this level
provider is only a covered entity and               suggestions because they will                           of specificity. These terms are in
subject to the rule if that provider                impermissibly limit the entities covered                common use today, and an attempt at
conducts standard transactions. With                by the rule. An entity that is a health                 specific definition would risk the
respect to the above preamble statement,            plan, health care provider, or health                   inadvertent creations of conflict with
we meant that our jurisdiction under the            care clearinghouse meets the statutory                  industry practices. There is a significant
statute is limited to covered entities.             definition of covered entity regardless of              variation in the way employers structure
Therefore, we cannot apply any                      how much time is devoted to carrying                    their employee assistance programs
restrictions or requirements on a                   out health care-related functions, or                   (EAPs) and the type of services that they
researcher in that person’s role as a               regardless of what percentage of their                  provide. If the EAP provides direct
researcher. However, if a researcher is             total business applies to health care-                  treatment to individuals, it may be a
also a health care provider that conducts           related functions.                                      health care provider.

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00115   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82576         Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Health Information

The response to comments on health information is included in the response to comments on individually identifiable health information, in the preamble discussion of § 164.501.

Health Plan

Comment: One commenter suggested that to eliminate any ambiguity, the Secretary should clarify that the catch-all category under the definition of health plan includes ‘‘24-hour coverage plans’’ (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers’ compensation coverage for the treatment of on-the-job injuries and illnesses under one program. It was stated that this clarification was essential if the Secretary persisted in excluding workers’ compensation from the final rule.

Response: We understand concerns that such plans may use and disclose individually identifiable health information. We therefore clarify that to the extent that 24-hour coverage plans have a health care component that meets the definition of ‘‘health plan’’ in the final rule, such components must abide by the provisions of the final rule. In the final rule, we have added a new provision to § 164.512 that permits covered entities to disclose information under workers’ compensation and similar laws. A health plan that is a 24-hour plan is permitted to make disclosures as necessary to comply with such laws.

Comment: A number of commenters urged that certain types of insurance entities, such as workers’ compensation and automobile insurance carriers, property and casualty insurance health plans, and certain forms of limited benefits coverage, be included in the definition of ‘‘health plan.’’ It was argued that consumers deserve the same protection with respect to their health information, regardless of the entity using it, and that it would be inequitable to subject health insurance carriers to more stringent standards than other types of insurers that use individually identifiable health information.

Response: The Congress did not include these programs in the definition of a ‘‘health plan’’ under section 1171 of the Act. Further, HIPAA’s legislative history shows that the House Report’s (H. Rep. 104–496) definition of ‘‘health plan’’ originally included certain benefit programs, such as workers’ compensation and liability insurance, but was later amended to clarify the definition and remove these programs. Thus, since the statutory definition of a health plan both on its face and through legislative history evidences Congress’ intention to exclude such programs, we do not have the authority to require that these programs comply with the standards. We have added explicit language to the final rule which excludes the excepted benefit programs, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urged HHS to include entities such as stop loss insurers and reinsurers in the definition of ‘‘health plan.’’ It was observed that such entities have come to play important roles in managed care delivery systems. They asserted that increasingly, capitated health plans and providers contract with their reinsurers and stop loss carriers to medically manage their high cost outlier cases such as organ and bone marrow transplants, and therefore should be specifically cited as subject to the regulations.

Response: Stop-loss and reinsurers do not meet the statutory definition of health plan. They do not provide or pay for the costs of medical care, as described in the statute, but rather insure health plans and providers against unexpected losses. Therefore, we cannot include them as health plans in the regulation.

Comment: A commenter asserted that there is a significant discrepancy between the effect of the definition of ‘‘group health plan’’ as proposed in § 160.103, and the anticipated impact in the cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of the proposed definition of ‘‘health plan’’ defined a ‘‘group health plan’’ as an ERISA-defined employee welfare benefit plan that provides medical care and that: ‘‘(i) Has 50 or more participants, or (ii) Is administered by an entity other than the employer that established and maintains the plan[.]’’ (emphasis added) According to this commenter, under this definition, the only insured or self-insured ERISA plans that would not be regulated ‘‘health plans’’ would be those that have less than 50 participants and are self administered.

The commenter presumed that we had intended to exclude from the definition of ‘‘health plan’’ (and from coverage under the proposed rule) all ERISA plans that are small (less than 50 participants) or are administered by a third party, whether large or small, based on the statement at 64 FR 60014, note 18. That footnote stated that the Department had ‘‘not included the 3.9 million ‘other’ employer-health plans listed in HCFA’s administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plan.’’ The commenter urged us not to repeat the statutory definition, and to adopt the policy implied in the footnote.

Response: We agree with the commenter’s observation that footnote 18 (64 FR 60014) was inconsistent with the proposed definition. We erred in drafting that note. The definition of ‘‘group health plan’’ is adopted from the statutory definition at section 1171(5)(A), and excludes from the rule as ‘‘health plans’’ only the few insured or self-insured ERISA plans that have less than 50 participants and are self administered. We reject the commenter’s proposed change to the definition as inconsistent with the statute.

Comment: A number of insurance companies asked that long term care insurance policies be excluded from the definition of ‘‘health plan.’’ It was argued that such policies do not provide sufficiently comprehensive coverage of the cost of medical care, and are limited benefit plans that provide or pay for the cost of custodial and other related services in connection with a long term, chronic illness or disability.

These commenters asserted that HIPAA recognizes this nature of long term care insurance, observing that, with respect to HIPAA’s portability requirements, Congress enacted a series of exclusions for certain defined types of health plan arrangements that do not typically provide comprehensive coverage. They maintained that Congress recognized that long term care insurance is excluded, so long as it is not a part of a group health plan. Where a long term care policy is offered separately from a group health plan it is considered an excepted benefit and is not subject to the portability and guarantee issue requirements of HIPAA. Although this exception does not appear in the Administrative Simplification provisions of HIPAA, it was asserted that it is guidance with respect to the treatment of long term care insurance as a limited benefit coverage and not as coverage that is so ‘‘sufficiently comprehensive’’ that it is to be treated in the same manner as a typical, comprehensive major medical health plan arrangement.

Another commenter offered a different perspective, observing that there are some long-term care policies that do not pay for medical care and therefore are not ‘‘health plans.’’ It was noted that most long-term care policies are reimbursement policies—that is,

they reimburse the policyholder for the actual expenses that the insured incurs for long-term care services. To the extent that these constitute ‘‘medical care,’’ this commenter presumed that these policies would be considered ‘‘health plans.’’ Other long-term care policies, they pointed out, simply pay a fixed dollar amount when the insured becomes chronically ill, without regard to the actual cost of any long-term care services received, and thus are similar to fixed indemnity critical illness policies. The commenter suggested that while there was an important distinction between indemnity based long-term care policies and expenses based long-term care policies, it may be wise to exclude all long-term care policies from the scope of the rule to achieve consistency with HIPAA.

Response: We disagree. The statutory language regarding long-term care policies in the portability title of HIPAA is different from the statutory language regarding long-term care policies in the Administrative Simplification title of HIPAA. Section 1171(5)(G) of the Act means that issuers of long-term care policies are considered health plans for purposes of administrative simplification. We also interpret the statute as authorizing the Secretary to exclude nursing home fixed-indemnity policies, not all long-term care policies, from the definition of ‘‘health plan,’’ if she determines that these policies do not provide ‘‘sufficiently comprehensive coverage of a benefit’’ to be treated as a health plan (see section 1171 of the Act). We interpret the term ‘‘comprehensive’’ to refer to the breadth or scope of coverage of a policy. ‘‘Comprehensive’’ policies are those that cover a range of possible service options. Since nursing home fixed indemnity policies are, by their own terms, limited to payments made solely for nursing facility care, we have determined that they should not be included as health plans for the purposes of the HIPAA regulations. The Secretary, therefore, explicitly excluded nursing home fixed-indemnity policies from the definition of ‘‘health plan’’ in the Transactions Rule, and this exclusion is thus reflected in this final rule. Issuers of other long-term care policies are considered to be health plans under this rule and the Transactions Rule.

Comment: One commenter was concerned about the potential impact of the proposed regulations on ‘‘unfunded health plans,’’ which the commenter described as programs used by smaller companies to provide their associates with special employee discounts or other membership incentives so that they can obtain health care, including prescription drugs, at reduced prices. The commenter asserted that if these discount and membership incentive programs were covered by the regulation, many smaller employers might discontinue offering them to their employees, rather than deal with the administrative burdens and costs of complying with the rule.

Response: Only those special employee discounts or membership incentives that are ‘‘employee welfare benefit plans’’ as defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1), and provide ‘‘medical care’’ (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for the purposes of this rule. Discount or membership incentive programs that are not group health plans are not covered by the rule.

Comment: Several commenters agreed with the proposal to exclude ‘‘excepted benefits’’ such as disability income insurance policies, fixed indemnity critical illness policies, and per diem long-term care policies from the definition of ‘‘health plan,’’ but were concerned that the language of the proposed rule did not fully reflect this intent. They asserted that clarification was necessary in order to avoid confusion and costs to both consumers and insurers.

One commenter stated that, while HHS did not intend for the rule to apply to every type of insurance coverage that paid for medical care, the language of the proposed rule did not bear this out. The problem, it was asserted, is that under the proposed rule any insurance policy that pays for ‘‘medical care’’ would technically be a ‘‘health plan.’’ It was argued that despite the statements in the narrative, there are no provisions that would exempt any of the ‘‘excepted benefits’’ from the definition of ‘‘health care.’’ It was stated that:

   Although (with the exception of long-term care insurance), the proposed rule does not include the ‘excepted benefits’ in its list of sixteen examples of a health plan (proposed 45 CFR 160.104), it does not explicitly exclude them either. Because these types of policies in some instances pay benefits that could be construed as payments for medical care, we are concerned by the fact that they are not explicitly excluded from the definition of ‘health plan’ or the requirements of the proposed rule.’’

Several commenters proposed that HHS adopt the same list of ‘‘excepted benefits’’ contained in 29 U.S.C. 1191b, suggesting that they could be adopted either as exceptions to the definition of ‘‘health plan’’ or as exceptions to the requirements imposed on ‘‘health plans.’’ They asserted that this would promote consistency in the federal regulatory structure for health plans.

It was suggested that HHS clarify whether the definition of health plan, particularly the ‘‘group health plan’’ and ‘‘health insurance issuer’’ components, includes a disability plan or disability insurer. It was noted that a disability plan or disability insurer may cover only income lost from disability and, as mentioned above, some rehabilitation services, or a combination of lost income, rehabilitation services and medical care. The commenter suggested that in addressing this coverage issue, it may be useful to refer to the definitions of group health plan, health insurance issuer and medical care set forth in Part I of HIPAA, which the statutory provisions of the Administrative Simplification subtitle expressly reference. See 42 U.S.C. 1320d(5)(A) and (B).

Response: We agree that the NPRM may have been ambiguous regarding the types of plans the rule covers. To remedy this confusion, we have added language that specifically excludes from the definition any policy, plan, or program providing or paying the cost of the excepted benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg–91(c)(1). As defined in the statute, this includes but is not limited to benefits under one or more (or any combination thereof) of the following: coverage only for accident, or disability income insurance, or any combination thereof; liability insurance, including general liability insurance and automobile liability insurance; and workers’ compensation or similar insurance.

However, the other excepted benefits as defined in section 2971(c)(2) of the PHS Act, 42 U.S.C. 300gg–91(c)(2), such as limited scope dental or vision benefits, not explicitly excepted from the regulation could be considered ‘‘health plans’’ under paragraph (1)(xvii) of the definition of ‘‘health plan’’ in the final rule if and to the extent that they meet the criteria for the definition of ‘‘health plan.’’ Such plans, unlike the programs and plans listed at section 2971(c)(1), directly and exclusively provide health insurance, even if limited in scope.

Comment: One commenter recommended that the Secretary clarify that ‘‘health plan’’ does not include property and casualty benefit providers. The commenter stated that the clarifying language is needed given the ‘‘catchall’’ category of entities defined as ‘‘any other individual plan or group health plan, or combination thereof, that

provides or pays for the cost of medical care,’’ and asserted that absent clarification there could be serious confusion as to whether property and casualty benefit providers are ‘‘health plans’’ under the rule.

Response: We agree and as described above have added language to the final rule to clarify that the ‘‘excepted benefits’’ as defined under 42 U.S.C. 300gg–91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for the purposes of this rule.

Comment: Some commenters recommended that the Secretary replace the term ‘‘medical care’’ with ‘‘health care.’’ It was observed that ‘‘health care’’ was defined in the proposal, and that this definition was used to define what a health care provider does. However, they observed that the definition of ‘‘health plan’’ refers to the provision of or payment for ‘‘medical care,’’ which is not defined. Another commenter recommended that HHS add the parenthetical phrase ‘‘as such term is defined in section 2791 of the Public Health Service Act’’ after the phrase ‘‘medical care.’’

Response: We disagree with the first recommendation. We understand that the term ‘‘medical care’’ can be easily confused with the term ‘‘health care.’’ However, the two terms are not synonymous. The term ‘‘medical care’’ is a statutorily defined term and its use is critical in making a determination as to whether a health plan is considered a ‘‘health plan’’ for purposes of administrative simplification. In addition, since the term ‘‘medical care’’ is used in the regulation only in the context of the definition of ‘‘health plan’’ and we believe that its inclusion in the regulatory text may cause confusion, we did not add a definition of ‘‘medical care’’ in the final rule. However, consistent with the second recommendation above, the statutory cite for ‘‘medical care’’ was added to the definition of ‘‘health plan’’ in the Transactions Rule, and thus is reflected in this final rule.

Comment: A number of commenters urged that the Secretary define more narrowly what characteristics would make a government program that pays for specific health care services a ‘‘health plan.’’ Commenters argued that there are many ‘‘payment’’ programs that should not be included, as discussed below, and that if no distinctions were made, ‘‘health plan’’ would mean the same as ‘‘purchaser’’ or even ‘‘payor.’’

Commenters asserted that there are a number of state programs that pay for ‘‘health care’’ (as defined in the rule) but that are not health plans. They said that examples include the WIC program (Special Supplemental Nutrition Program for Women, Infants, and Children) which pays for nutritional assessment and counseling, among other services; the AIDS Client Services Program (including AIDS prescription drug payment) under the federal Ryan White Care Act and state law; the distribution of federal family planning funds under Title X of the Public Health Service Act; and the breast and cervical health program which pays for cancer screening in targeted populations. Commenters argued that these are not insurance plans and do not fall within the ‘‘health plan’’ definition’s list of examples, all of which are either insurance or broad-scope programs of care under a contract or statutory entitlement. However, paragraph (16) in that list opens the door to broader interpretation through the catchall phrase, ‘‘any other individual or group plan that provides or pays for the cost of medical care.’’ Commenters assert that clarification is needed.

A few commenters stated that other state agencies often work in partnership with the state Medicaid program to implement certain Medicaid benefits, such as maternity support services and prenatal genetics screening. They concluded that while this probably makes parts of the agency the ‘‘business partner’’ of a covered entity, they were uncertain whether it also makes the same agency parts a ‘‘health plan’’ as well.

Response: We agree with the commenters that clarification is needed as to the rule’s application to government programs that pay for health care services. Accordingly, in the final rule we have excepted from the definition of ‘‘health plan’’ a government funded program which does not have as its principal purpose the provision of, or payment for, the cost of health care or which has as its principal purpose the provision, either directly or by grant, of health care. For example, the principal purpose of the WIC program is not to provide or pay for the cost of health care, and thus, the WIC program is not a health plan for purposes of this rule. The program of health care services for individuals detained by the INS provides health care directly, and so is not a health plan. Similarly, the family planning program authorized by Title X of the Public Health Service Act pays for care exclusively through grants, and so is not a health plan under this rule. These programs (the grantees under the Title X program) may be or include health care providers and may be covered entities if they conduct standard transactions.

We further clarify that, where a public program meets the definition of ‘‘health plan,’’ the government agency that administers the program is the covered entity. Where two agencies administer a program jointly, they are both a health plan. For example, both the Health Care Financing Administration and the insurers that offer a Medicare+Choice plan are ‘‘health plans’’ with respect to Medicare beneficiaries. An agency that does not administer a program but which provides services for such a program is not a covered entity by virtue of providing such services. Whether an agency providing services is a business associate of the covered entity depends on whether its functions for the covered entity meet the definition of business associate in § 164.501 and, in the example described by this comment, in particular on whether the arrangement falls into the exception in § 164.504(e)(1)(ii)(C) for government agencies that collect eligibility or enrollment information for covered government programs.

Comment: Some commenters expressed support for retaining the category in paragraph (16) of the proposal’s definition: ‘‘Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.’’ Others asked that the Secretary clarify this category. One commenter urged that the final rule clearly define which plans would meet the criteria for this category.

Response: As described in the proposed rule, this category implements the language at the beginning of the statutory definition of the term ‘‘health plan’’: ‘‘The term ‘health plan’ means an individual or group plan that provides, or pays the cost of, medical care * * * Such term includes the following, and any combination thereof * * *’’ This statutory language is general, not specific, and as such, we are leaving it general in the final rule. However, as described above, we add explicit language which excludes certain ‘‘excepted benefits’’ from the definition of ‘‘health plan’’ in an effort to clarify which plans are not health plans for the purposes of this rule. Therefore, to the extent that a certain benefits plan or program otherwise meets the definition of ‘‘health plan’’ and is not explicitly excepted, that program or plan is considered a ‘‘health plan’’ under paragraph (1)(xvii) of the final rule.

Comment: A commenter explained that HIPAA defines a group health plan by expressly cross-referencing the statutory sections in the PHS Act and the Employee Retirement Income

Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the terms "group health plan," "employee welfare benefit plan" and "participant." See 29 U.S.C. 1002(1) (definition of "employee welfare benefit plan," which is the core of the definition of group health plan under both ERISA and the PHS Act); 29 U.S.C. 1002(7) (definition of participant); 29 U.S.C. 1193(a) (definition of "group health plan," which is identical to that in section 2791(a) of the PHS Act).
   It was pointed out that the preamble and the text of the proposed rule both limit the definition of all three terms to their current definitions. The commenter reasoned that since the ERISA definitions may change over time through statutory amendment, Department of Labor regulations or judicial interpretation, it would not be clear what point in time is to be considered current. Therefore, they suggested deleting references to "current" or "currently" in the preamble and in the regulation with respect to these three ERISA definitions.
   In addition, the commenter stated that as the preamble to the NPRM correctly reflected, HIPAA expressly cross-references ERISA's definition of "participant" in section 3(7) of ERISA, 29 U.S.C. 1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, however, omits this cross-reference. It was suggested that the reference to section 3(7) of ERISA, defining "participant," be included in the regulation.
   Finally, HIPAA incorporates the definition of a group health plan as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg–91(a)(1). That definition refers to the provision of medical care "directly or through insurance, reimbursement, or otherwise." The word "reimbursement" is omitted in both the preamble and the text of the regulation; the commenter suggested restoring it to both.
   Response: We agree. These changes were made to the definition of "health plan" as promulgated in the Transactions Rule, and are reflected in this final rule.

Small Health Plan
   Comment: One commenter recommended that we delete the reference to $5 million in the definition and instead define a "small health plan" as a health plan with fewer than 50 participants. It was stated that using a dollar limitation to define a "small health plan" is not meaningful for self-insured plans and some other types of health plan coverage arrangements. A commenter pointed out that the general definition of a health plan refers to "50 or more participants," and that using a dollar factor to define a "small health plan" would be inconsistent with this definition.
   Response: We disagree. The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern (13 CFR 121.105) and its affiliates to be considered "small." The size standards themselves are expressed either in number of employees or annual receipts (13 CFR 121.201). The size standards for compliance with programs of other agencies are those for SBA programs which are most comparable to the programs of such other agencies, unless otherwise agreed by the agency and the SBA (13 CFR 121.902). With respect to the insurance industry, the SBA has specified that annual receipts of $5 million is the maximum allowed for a concern and its affiliates to be considered small (13 CFR 121.201). Consequently, we retain the proposal's definition in the final rule to be consistent with SBA requirements.
   We understand there may be some confusion as to the meaning of "annual receipts" when applied to a health plan. For our purposes, therefore, we consider "pure premiums" to be equivalent to "annual receipts."

Workforce
   Comment: Some commenters requested that we exclude "volunteers" from the definition of workforce. They stated that volunteers are important contributors within many covered entities, and in particular hospitals. They argued that it was unfair to ask that these people donate their time and at the same time subject them to the penalties placed upon the paid employees by these regulations, and that it would discourage people from volunteering in the health care setting.
   Response: We disagree. We believe that differentiating those persons under the direct control of a covered entity who are paid from those who are not is irrelevant for the purposes of protecting the privacy of health information, and for a covered entity's management of its workforce. In either case, the person is working for the covered entity. With regard to implications for the individual, persons in a covered entity's workforce are not held personally liable for violating the standards or requirements of the final rule. Rather, the Secretary has the authority to impose civil monetary penalties and in some cases criminal penalties for such violations on only the covered entity.
   Comment: One commenter asked that the rule clarify that employees administering a group health or other employee welfare benefit plan on their employers' behalf are considered part of the covered entity's workforce.
   Response: As long as the employees have been identified by the group health plan in plan documents as performing functions related to the group health plan (consistent with the requirements of § 164.504(f)), those employees may have access to protected health information. However, they are not permitted to use or disclose protected health information for employment-related purposes or in connection with any other employee benefit plan or employee benefit of the plan sponsor.

Part 160—Subpart B—Preemption of State Law
   We summarize and respond below to comments received in the Transactions rulemaking on the issue of preemption, as well as those received on this topic in the Privacy rulemaking. Because no process was proposed in the Transactions rulemaking for granting exceptions under section 1178(a)(2)(A), a process for making exception determinations was not adopted in the Transactions Rule. Instead, since a process for making exception determinations was proposed in the Privacy rulemaking, we decided that the comments received in the Transactions rulemaking should be considered and addressed in conjunction with the comments received on the process proposed in the Privacy rulemaking. See 65 FR 50318 for a fuller discussion. Accordingly, we discuss the preemption comments received in the Transactions rulemaking where relevant below.
   Comment: The majority of comments on preemption addressed the subject in general terms. Numerous comments, particularly from plans and providers, argued that the proposed preemption provisions were burdensome, ineffective, or insufficient, and that complete federal preemption of the "patchwork" of state privacy laws is needed. They also argued that the proposed preemption provisions are likely to invite litigation. Various practical arguments in support of this position were made. Some of these comments recognized that the Secretary's authority under section 1178 of the Act is limited and acknowledged that the Secretary's proposals were within her statutory authority. One commenter suggested that the exception determination process would result in a very costly and laborious and sometimes inconsistent analysis of the occasions in which state law would
survive federal preemption, and thus suggested the final privacy regulations preempt state law with only limited exceptions, such as reporting child abuse. Many other comments, however, recommended changing the proposed preemption provisions to preempt state privacy laws on as blanket a basis as possible.
   One comment argued that the assumption that more stringent privacy laws are better is not necessarily true, citing a 1999 GAO report finding evidence that the stringent state confidentiality laws of Minnesota halted the collection of comparative information on health care quality.
   Several comments in this vein were also received in the Transactions rulemaking. The majority of these comments took the position that exceptions to the federal standards should either be prohibited or discouraged. It was argued that granting exceptions to the standards, particularly the transactions standards, would be inconsistent with the statute's objective of promoting administrative simplification through the use of uniform transactions.
   Many other commenters, however, endorsed the "federal floor" approach of the proposed rules. (These comments were made in the context of the proposed privacy regulations.) These comments argued that this approach was preferable because it would not impair the effectiveness of state privacy laws that are more protective of privacy, while raising the protection afforded medical information in states that do not enact laws that are as protective as the rules below. Some comments argued, however, that the rules should give even more deference to state law, questioning in particular the definitions and the proposed addition to the "other purposes" criterion for exception determinations in this regard.
   Response: With respect to the exception process provided for by section 1178(a)(2)(A), the contention that the HIPAA standards should uniformly control is an argument that should be addressed to the Congress, not this agency. Section 1178 of the Act expressly gives the Secretary authority to grant exceptions to the general rule that the HIPAA standards preempt contrary state law in the circumstances she determines come within the provisions at section 1178(a)(2)(A). We agree that the underlying statutory goal of standardizing financial and administrative health care transactions dictates that exceptions should be granted only on narrow grounds. Nonetheless, Congress clearly intended to accommodate some state laws in these areas, and the Department is not free to disregard this Congressional choice. As is more fully explained below, we have interpreted the statutory criteria for exceptions under section 1178(a)(2)(A) to balance the need for relative uniformity with respect to the HIPAA standards with state needs to set certain policies in the statutorily defined areas.
   The situation is different with respect to state laws relating to the privacy of protected health information. Many of the comments arguing for uniform standards were particularly concerned with discrepancies between the federal privacy standards and various state privacy requirements. Unlike the situation with respect to the transactions standards, where states have generally not entered the field, all states regulate the privacy of some medical information to a greater or lesser extent. Thus, we understand the private sector's concern at having to reconcile differing state and federal privacy requirements.
   This is, however, likewise an area where the policy choice has been made by Congress. Under section 1178(a)(2)(B) of the Act and section 264(c)(2) of HIPAA, provisions of state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification are not preempted. The effect of these provisions is to let the law that is most protective of privacy control (the "federal floor" approach referred to by many commenters), and this policy choice is one with which we agree. Thus, the statute makes it impossible for the Secretary to accommodate the requests to establish uniformly controlling federal privacy standards, even if doing so were viewed as desirable.
   Comment: Numerous comments stated support for the proposal at proposed Subpart B to issue advisory opinions with respect to the preemption of state laws relating to the privacy of individually identifiable health information. A number of these comments appeared to assume that the Secretary's advisory opinions would be dispositive of the issue of whether or not a state law was preempted. Many of these commenters suggested what they saw as improvements to the proposed process, but supported the proposal to have the Department undertake this function.
   Response: Despite the general support for the advisory opinion proposal, we decided not to provide specifically for the issuance of such opinions. The following considerations led to this decision. First, the assumption by commenters that an advisory opinion would establish what law applied in a given situation and thereby simplify the task of ascertaining what legal requirements apply to a covered entity or entities is incorrect. Any such opinion would be advisory only. Although an advisory opinion issued by the Department would indicate to covered entities how the Department would resolve the legal conflict in question and would apply the law in determining compliance, it would not bind the courts. While we assume that most courts would give such opinions deference, the outcome could not be guaranteed.
   Second, the thousands of questions raised in the public comment about the interpretation, implications, and consequences of all of the proposed regulatory provisions have led us to conclude that significant advice and technical assistance about all of the regulatory requirements will have to be provided on an ongoing basis. We recognize that the preemption concerns that would have been addressed by the proposed advisory opinions were likely to be substantial. However, there is no reason to assume that they will be the most substantial or urgent of the questions that will most likely need to be addressed. It is our intent to provide as much technical advice and assistance to the regulated community as we can with the resources available. Our concern is that setting up an advisory opinion process for just one of the many types of issues that will have to be addressed will lead to a non-optimal allocation of those resources. Upon careful consideration, therefore, we have decided that we will be better able to prioritize our workload and be better able to be responsive to the most urgent and substantial questions raised to the Department, if we do not provide for a formal advisory opinion process on preemption as proposed.
   Comment: A few commenters argued that the Privacy Rule should preempt state laws that would impose more stringent privacy requirements for the conduct of clinical trials. One commenter asserted that the existing federal regulations and guidelines for patient informed consent, together with the proposed rule, would adequately protect patient privacy.
   Response: The Department does not have the statutory authority under HIPAA to preempt state laws that would impose more stringent privacy requirements on covered entities. HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict
with the regulatory requirements and that provide greater privacy protections.

Section 160.201—Applicability
   Comment: Several commenters indicated that the guidance provided by the definitions at proposed § 160.202 would be of substantial benefit both to regulated entities and to the public. However, these commenters argued that the applicability of such definitions would be too limited as drafted, since proposed § 160.201 provided that the definitions applied only to "determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d–7." The commenters stated that it would be far more helpful to make the definitions in proposed § 160.202 more broadly applicable, to provide general guidance on the issue of preemption.
   Response: We agree with the comments on this issue, and have revised the applicability provision of subpart B below accordingly. Section 160.201 below sets out that Subpart B implements section 1178. This means, in our view, that the definitions of the statutory terms at § 160.202 are legislative rules that apply when those statutory terms are employed, whether by HHS, covered entities, or the courts.

Section 160.202—Definitions
   Comment: Some commenters asserted that the term "contrary" as defined at § 160.202 was overly broad and that its application would be time-consuming and confusing for states. These commenters argued that, under the proposed definition, a state would be required to examine all of its laws relating to health information privacy in order to determine whether or not its law were contrary to the requirements proposed. It was also suggested that the definition contain examples of how it would work in practical terms.
   A few commenters, however, argued that the definition of "contrary" as proposed was too narrow. One commenter argued that the Secretary erred in her assessment of the case law analyzing what is known as "conflict preemption" and which is set forth in shorthand in the tests set out at § 160.202.
   Response: We believe that the definition proposed represents a policy that is as clear as is feasible and which can be applied nationally and uniformly. As was noted in the preamble to the proposed rules (at 64 FR 59997), the tests in the proposed definition of "contrary" are adopted from the jurisprudence of "conflict preemption." Since preemption is a judicially developed doctrine, it is reasonable to interpret this term as indicating that the statutory analysis should tie in to the analytical formulations employed by the courts. Also, while the court-developed tests may not be as clear as commenters would like, they represent a long-term, thoughtful consideration of the problem of defining when a state/federal conflict exists. They will also, we assume, generally be employed by the courts when conflict issues arise under the rules below. We thus see no practical alternative to the proposed definition and have retained it unchanged. With respect to various suggestions for shorthand versions of the proposed tests, such as the arguably broader term "inconsistent with," we see no operational advantages to such terms.
   Comment: One comment asked that the Department clarify that if state law is not preempted, then the federal law would not also apply.
   Response: This comment raises two issues, both of which deserve discussion. First, a state law may not be preempted because there is no conflict with the analogous federal requirement; in such a situation, both laws can, and must, be complied with. We thus do not accept this suggestion, to the extent that it suggests that the federal law would give way in this situation. Second, a state law may also not be preempted because it comes within section 1178(a)(2)(B), section 1178(b), or section 1178(c); in this situation, a contrary federal law would give way.
   Comment: One comment urged the Department to take the position that where state law exists and no analogous federal requirement exists, the state requirement would not be "contrary to" the federal requirement and would therefore not trigger preemption.
   Response: We agree with this comment.
   Comment: One commenter criticized the definition as unhelpful in the multi-state transaction context. For example, it was asked whether the issue of whether a state law was "contrary to" should be determined by the law of the state where the treatment is provided, where the claim processor is located, where the payment is issued, or the data maintained, assuming all are in different states.
   Response: This is a choice of law issue, and, as is discussed more fully below, is a determination that is routinely made today in connection with multi-state transactions. See discussion below under Exception Determinations (Criteria for Exception Determinations).

State Law
   Comment: Comments noted that the definition of "state law" does not explicitly include common law and recommended that it be revised to do so or to clarify that the term includes evidentiary privileges recognized at state law. Guidance concerning the impact of state privileges was also
   Response: As requested, we clarify that the definition of "state law" includes common law by including the term "common law." In our view, this phrase encompasses evidentiary privileges recognized at state law (which may also, we note, be embodied in state statutes).
   Comment: One comment criticized this definition as unwieldy, in that locating state laws pertaining to privacy is likely to be difficult. It was noted that Florida, for example, has more than 60 statutes that address health privacy.
   Response: To the extent that state laws currently apply to covered entities, they have presumably determined what those laws require in order to comply with them. Thus, while determining which laws are "contrary" to the federal requirements will require additional work in terms of comparing state law with the federal requirements, entities should already have acquired the knowledge of state law needed for this task in the ordinary course of doing business.
   Comment: The New York City Department of Health noted that in many cases, provisions of New York State law are inapplicable within New York City, because the state legislature has recognized that the local code is tailored to the particular needs of the City. It urged that the New York City Code be treated as state law, for preemption purposes.
   Response: We agree that, to the extent a state treats local law as substituting for state law, it could be considered to be "state law" for purposes of this definition. If, however, a local law is local in scope and effect, and a tier of state law exists over the same subject matter, we do not think that the local law could or should be treated as "state law" for preemption purposes. We do not have sufficient information to assess the situation raised by this comment with respect to this principle, and so express no opinion thereon.

More Stringent
   Comment: Many commenters supported the policy in the proposed definition of "individual" at proposed § 164.502, which would have permitted unemancipated minors to exercise, on
their own behalf, rights granted to individuals in cases where they consented to the underlying health care. Commenters stated, however, that the proposed preemption provision would leave in place state laws authorizing or prohibiting disclosure to parents of the protected health information of their minor children and would negate the proposed policy for the treatment of minors under the rule. The comments stated that such state laws should be treated like other state laws, and preempted to the extent that they are less protective of the privacy of minors.

Other commenters supported the proposed preemption provision—not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent.

Response: Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this regulation recognizes and respects the current diversity of state law in this area. Where states have considered the balance involved in protecting the confidentiality of minors’ health information and have explicitly acted, for example, to authorize disclosure, defer the decision to disclose to the discretion of the health care provider, or prohibit disclosure of minor’s protected health information to a parent, the rule defers to these decisions to the extent that they regulate such disclosures.

Comment: The proposed definition of ‘‘more stringent’’ was criticized as affording too much latitude for granting exceptions for state laws that are not protective of privacy. It was suggested that the test should be ‘‘most protective of the individual’s privacy.’’

Response: We considered adopting this test. However, for the reasons set out at 64 FR 59997, we concluded that this test would not provide sufficient guidance. The comments did not address the concerns we raised in this regard in the preamble to the proposed rules, and we continue to believe that they are valid.

Comment: A drug company expressed concern with what it saw as the expansive definition of this term, arguing that state governments may have less experience with the special needs of researchers than federal agencies and may unknowingly adopt laws that have a deleterious effect on research. A provider group expressed concern that allowing stronger state laws to prevail could result in diminished ability to get enough patients to complete high quality clinical trials.

Response: These concerns are fundamentally addressed to the ‘‘federal floor’’ approach of the statute, not to the definition proposed: even if the definition of ‘‘more stringent’’ were narrowed, these concerns would still exist. As discussed above, since the ‘‘federal floor’’ approach is statutory, it is not within the Secretary’s authority to change the dynamics that are of concern.

Comment: One comment stated that the proposed rule seemed to indicate that the ‘‘more stringent’’ and ‘‘contrary to’’ definitions implied that these standards would apply to ERISA plans as well as to non-ERISA plans.

Response: The concern underlying this comment is that ERISA plans, which are not now subject to certain state laws because of the ‘‘field’’ preemption provision of ERISA but which are subject to the rules below, will become subject to state privacy laws that are ‘‘more stringent’’ than the federal requirements, due to the operation of section 1178(a)(2)(B), together with section 264(c)(2). We disagree that this is the case. While the courts will have the final say on these questions, it is our view that these sections simply leave in place more stringent state laws that would otherwise apply; to the extent that such state laws do not apply to ERISA plans because they are preempted by ERISA, we do not think that section 264(c)(2) overcomes the preemption effected by section 514(a) of ERISA. For more discussion of this point, see 64 FR 60001.

Comment: The Lieutenant Governor’s Office of the State of Hawaii requested a blanket exemption for Hawaii from the federal rules, on the ground that its recently enacted comprehensive health privacy law is, as a whole, more stringent than the proposed federal standards. It was suggested that, for example, special weight should be given to the severity of Hawaii’s penalties. It was suggested that a new definition (‘‘comprehensive’’) be added, and that ‘‘more stringent’’ be defined in that context as whether the state act or code as a whole provides greater protection.

An advocacy group in Vermont argued that the Vermont legislature was poised to enact stronger and more comprehensive privacy laws and stated that the group would resent a federal prohibition on that.

Response: The premise of these comments appears to be that the provision-by-provision approach of Subpart B, which is expressed in the definition of the term ‘‘contrary’’, is wrong. As we explained in the preamble to the proposed rules (at 64 FR 59995), however, the statute dictates a provision-by-provision comparison of state and federal requirements, not the overall comparison suggested by these comments. We also note that the approach suggested would be practically and analytically problematic, in that it would be extremely difficult, if not impossible, to determine what is a legitimate stopping point for the provisions to be weighed on either the state side or the federal side of the scale in determining which set of laws was the ‘‘more stringent.’’ We accordingly do not accept the approach suggested by these comments.

With respect to the comment of the Vermont group, nothing in the rules below prohibits or places any limits on states enacting stronger or more comprehensive privacy laws. To the extent that states enact privacy laws that are stronger or more comprehensive than contrary federal requirements, they will presumably not be preempted under section 1178(a)(2)(B). To the extent that such state laws are not contrary to the federal requirements, they will act as an overlay on the federal requirements and will have effect.

Comment: One comment raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.

Response: We have reconsidered the proposed ‘‘penalty’’ provision of the proposed definition of ‘‘more stringent’’ and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing. In addition, the fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions.

Relates to the Privacy of Individually Identifiable Health Information

Comment: One comment criticized the definition of this term as too narrow in scope and too uncertain. The commenter argued that determining the specific purpose of a state law may be difficult and speculative, because many state laws have incomplete, inaccessible, or non-existent legislative histories. It was suggested that the definition be revised by deleting the word ‘‘specific’’ before the word ‘‘purpose.’’ Another commenter argued
that the definition of this term should be narrowed to minimize reverse preemption by more stringent state laws. One commenter generally supported the proposed definition of this term.

Response: We are not accepting the first comment. The purpose of a given state enactment should be ascertainable, if not from legislative history or a purpose statement, then from the statute viewed as a whole. The same should be true of state regulations or rulings. In any event, it seems appropriate to restrict the field of state laws that may potentially trump the federal standards to those that are clearly intended to establish state public policy and operate in the same area as the federal standards. To the extent that the definition in the rules below does this, we have accommodated the second comment. We note, however, that we do not agree that the definition should be further restricted to minimize ‘‘reverse preemption,’’ as suggested by this comment, as we believe that state laws that are more protective of privacy than contrary federal standards should remain, in order to ensure that the privacy of individuals’ health information receives the maximum legal protection available.

Sections 160.203 and 160.204—Exception Determinations and Advisory Opinions

Most of the comments received on proposed Subpart B lumped together the proposed process for exception determinations under section 1178(a)(2)(A) with the proposed process for issuing advisory opinions under section 1178(a)(2)(B), either because the substance of the comment applied to both processes or because the commenters did not draw a distinction between the two processes. We address these general comments in this section.

Comment: Numerous commenters, particularly providers and provider groups, recommended that exception determinations and advisory opinions not be limited to states and advocated allowing all covered entities (including individuals, providers and insurers), or private sector organizations, to request determinations and opinions with respect to preemption of state laws. Several commenters argued that limiting requests to states would deny third party stakeholders, such as life and disability income insurers, any means of resolving complex questions as to what rule they are subject to. One commenter noted that because it is an insurer who will be liable if it incorrectly analyzes the interplay between laws and reaches an incorrect conclusion, there would be little incentive for the states to request clarification. It would also cause large administrative burdens which, it was stated, would be costly and confusing. It was also suggested that the request for the exception be made to the applicable state’s attorney general or chief legal officer, as well as the Secretary. Various changes to the language were suggested, such as adding that ‘‘a covered entity, or any other entity impacted by this rule’’ be allowed to submit the written request.

Response: We agree, and have changed § 164.204(a) below accordingly. The decision to eliminate advisory opinions makes this issue moot with respect to those opinions.

Comment: Several commenters noted that it was unclear under the proposed rule which state officials would be authorized to request a determination.

Response: We agree that the proposed rule was unclear in this respect. The final rule clarifies who may make the request for a state, with respect to exception determinations. See, § 160.204(a). The language adopted should ensure that the Secretary receives an authoritative statement from the state. At the same time, this language provides states with flexibility, in that the governor or other chief elected official may choose to designate other state officials to make such requests.

Comment: Many commenters recommended that a process be established whereby HHS performs an initial state-by-state critical analysis to provide guidance on which state laws will not be preempted; most suggested that such an analysis (alternatively referred to as a database or clearinghouse) should be completed before providers would be required to come into compliance. Many of these comments argued that the Secretary should bear the cost for the analyses of state law, disagreeing with the premise stated in the preamble to the proposed rules that it is more efficient for the private market to complete the state-by-state review. Several comments also requested that HHS continue to maintain and monitor the exception determination process, and update the database over time in order to provide guidance and certainty on the interaction of the federal rules with newly enacted or amended state laws that are produced after the final rule. Some comments recommended that each state be required to certify agreement with the HHS analyses.

In contrast, one hospital association noted concerns that the Secretary would conduct a nationwide analysis of state laws. The comment stated that implementation would be difficult since much of the law is a product of common law, and such state-specific research should only be attempted by experienced health care attorneys in each jurisdiction.

Response: These comments seem to be principally concerned with potential conflicts between state privacy laws and the privacy standards, because, as is more fully explained below, preemption of contrary state laws not relating to privacy is automatic unless the Secretary affirmatively acts under section 1178(a)(2)(A) to grant an exception. We recognize that the provisions of sections 1178(b) (state public health laws), and 1178(c) (state regulation of health plans) similarly preserve state laws in those areas, but very little of the public comment appeared to be concerned with these latter statutory provisions. Accordingly, we respond below to what we see as the commenters’ main concern.

The Department will not do the kind of global analysis requested by many of these comments. What these comments are in effect seeking is a global advisory opinion as to when the federal privacy standards will control and when they will not. We understand the desire for certainty underlying these comments. Nonetheless, the reasons set out above as the basis for our decision not to establish a formal advisory opinion process apply equally to these requests. We also do not agree that the task of evaluating the requirements below in light of existing state law is unduly burdensome or unreasonable. Rather, it is common for new federal requirements to necessitate an examination by the regulated entities of the interaction between existing state law and the federal requirements incident to coming into compliance.

We agree, however, that the case is different where the Secretary has affirmatively acted, either through granting an exception under section 1178(a)(2)(A) or by making a specific determination about the effect of a particular state privacy law in, for example, the course of determining an entity’s compliance with the privacy standards. As is discussed below, the Department intends to make notice of exception determinations that it makes routinely available.

We do not agree with the comments suggesting that compliance by covered entities be delayed pending completion of an analysis by the Secretary and that states be required to certify agreement with the Secretary’s analysis, as we are not institutionalizing the advisory opinion/analysis process upon which these comments are predicated.
Furthermore, with respect to the suggestion regarding delaying the compliance date, Congress provided in section 1175(b) of the Act for a delay in when compliance is required to accommodate the needs of covered entities to address implementation issues such as those raised by these comments. With respect to the suggestion regarding requiring states to certify their agreement with the Secretary’s analysis, we have no authority to do this.

Comment: Several commenters criticized the proposed provision for annual publication of determinations and advisory opinions in the Federal Register as inadequate. They suggested that more frequent notices should be made and the regulation be changed accordingly, to provide for publication either quarterly or within a few days of a determination. A few commenters suggested that any determinations made, or opinions issued, by the Secretary be published on the Department’s website within 10 days or a few days of the determination or opinion.

Response: We agree that the proposed provision for annual publication was inadequate and have accordingly deleted it. Subpart B contains no express requirement for publication, as the Department is free to publish its determinations absent such a requirement. It is our intention to publish notice of exception determinations on a periodic basis in the Federal Register. We will also consider other avenues of making such decisions publicly available as we move into the implementation process.

Comment: A few commenters argued that the process for obtaining an exception determination or an advisory opinion from the Secretary will result in a period of time in which there is confusion as to whether state or federal law applies. The proposed regulations say that the federal provisions will remain effective until the Secretary makes a determination concerning the preemption issue. This means that, for example, a state law that was enacted and enforced for many years will be preempted by federal law for the period of time during which it takes the Secretary to make a determination. Then if the Secretary determines that the state law is not preempted, the state law will again become effective. Such situations will result in confusion and unintended violations of the law. One of the commenters suggested that requests for exceptions be required only when a challenge is brought against a particular state law, and that a presumption of validity should lie with state laws. Another commenter, however, urged that ‘‘instead of the presumption of preemption, the state laws in question would be presumed to be subject to the exception unless or until the Secretary makes a determination to the contrary.’’

Response: It is true that the effect of section 1178(a)(2)(A) is that the federal standards will preempt contrary state law and that such preemption will not be removed unless and until the Secretary acts to grant an exception under that section (assuming, of course, that another provision of section 1178 does not apply). We do not agree, however, that confusion should result, where the issue is whether a given state law has been preempted under section 1178(a)(2)(A). Because preemption is automatic with respect to state laws that do not come within the other provisions of section 1178 (i.e., sections 1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted until the Secretary affirmatively acts to preserve them from preemption by granting an exception under section 1178(a)(2)(A).

We cannot accept the suggestion that a presumption of validity attach to state laws, and that states not be required to request exceptions except in very narrow circumstances. The statutory scheme is the opposite: The statute effects preemption in the section 1178(a)(2)(A) context unless the Secretary affirmatively acts to except the contrary state law in question.

With respect to preemption under sections 1178(b) and 1178(c) (the carve-outs for state public health laws and state regulation of health plans), we do not agree that preemption is likely to be a major cause of uncertainty. We have deferred to Congressional intent by crafting the permissible releases for public health, abuse, and oversight broadly. See, §§ 164.512(b)—(d) below. Since there must first be a conflict between a state law and a federal requirement in order for an issue of preemption to even arise, we think that, as a practical matter, few preemption questions should arise with respect to sections 1178(b) and 1178(c).

With respect to preemption of state privacy laws under section 1178(a)(2)(B), however, we agree that the situation may be more difficult to ascertain, because the Secretary does not determine the preemption status of a state law under that section, unlike the situation with respect to section 1178(a)(2)(A). We have tried to define the term ‘‘more stringent’’ to identify and particularize the factors to be considered by courts to those relevant to privacy interests. The more specific (than the statute) definition of this term at § 160.202 below should provide some guidance in making the determination as to which law prevails. Ambiguity in the state of the law might also be a factor to be taken into account in determining whether a penalty should be applied.

Comment: Several comments recommended that exception determinations or advisory opinions encompass a state act or code in its entirety (in lieu of a provision-specific evaluation) if it is considered more stringent as a whole than the regulation. It was argued that since the provisions of a given law are typically interconnected and related, adopting or overriding them on a provision-by-provision basis would result in distortions and/or unintended consequences or loopholes. For example, when a state law includes authorization provisions, some of which are consistent with the federal requirements and some which are not, the cleanest approach is to view the state law as inconsistent with the federal requirements and thus preempted in its entirety. Similarly, another comment suggested that state confidentiality laws written to address the specific needs of individuals served within a discrete system of care be considered as a whole in assessing whether they are as stringent or more stringent than the federal requirements. Another comment requested explicit clarification that state laws with a broader scope than the regulation will be viewed as more stringent and be allowed to stand.

Response: We have not adopted the approach suggested by these comments. As discussed above with respect to the definition of the term ‘‘more stringent,’’ it is our view that the statute precludes the approach suggested. We also suggest that this approach ignores the fact that each separate provision of law usually represents a nuanced policy choice to, for example, permit this use or prohibit that disclosure; the aggregated approach proposed would fail to recognize and weigh such policy choices.

Comment: One comment recommended that the final rule: permit requests for exception determinations and advisory opinions as of the date of publication of the final rule, require the Secretary to notify the requestor within a specified short period of time of all additional information needed, and prohibit enforcement action until the Secretary issues a response.

Response: With respect to the first recommendation, we clarify that requests for exception determinations may be made at any time; since the process for issuing advisory opinions has not been adopted, this recommendation is moot as it pertains
to advisory opinions. With respect to the second recommendation, we will undertake to process exception requests as expeditiously as possible, but, for the reasons discussed below in connection with the comments relating to setting deadlines for those determinations, we cannot commit at this time to a “specified short period of time” within which the Secretary may request additional information. We see no reason to agree to the third recommendation. Because contrary state laws for which an exception is available only under section 1178(a)(2)(A) will be preempted by operation of law unless and until the Secretary acts to grant an exception, there will be an ascertainable compliance standard for compliance purposes, and enforcement action would be appropriate where such compliance did not occur.

Sections 160.203(a) and 160.204(a)—Exception Determinations

Section 160.203(a)—Criteria for Exception Determinations

Comment: Numerous comments criticized the proposed criteria for their substance or lack thereof. A number of commenters argued that the effectiveness language that was added to the third statutory criterion made the exception so massive that it would swallow the rule. These comments generally expressed concern that laws that were less protective of privacy would be granted exceptions under this language. Other commenters criticized the criteria generally as creating a large loophole that would let state laws that do not protect privacy trump the federal privacy standards.

Response: We agree with these comments. The scope of the statutory criteria is ambiguous, but they could be read so broadly as to largely swallow the federal protections. We do not think that this was Congress’s intent. Accordingly, we have added language to most of the statutory criteria clarifying their scope. With respect to the criteria at 1178(a)(2)(A)(i), this clarifying language generally ties the criteria more specifically to the concern with protecting and making more efficient the health care delivery and payment system that underlies the Administrative Simplification provisions of HIPAA, but, with respect to the catch-all provision at section 1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced with such concerns, to the extent relevant. We require that exceptions for rules to ensure appropriate state regulation of insurance and health plans be stated in a statute or regulation, so that such exceptions will be clearly tied to statements of priorities made by publicly accountable bodies (e.g., through the public comment process for regulations, and by elected officials through statutes). With respect to the criterion at section 1178(a)(2)(A)(ii), we have further delineated what “addresses controlled substances” means. The language provided, which builds on concepts at 21 U.S.C. 821 and the Medicare regulations at 42 CFR 1001.2, delineates the area within which the government traditionally regulates controlled substances, both civilly and criminally; it is our view that HIPAA was not intended to displace such regulation.

Comment: Several commenters urged that the request for determination by the Secretary under proposed § 160.204(a) be limited to cases where an exception is absolutely necessary, and that in making such a determination, the Secretary should be required to make a determination that the benefits of granting an exception outweigh the potential harm and risk of disclosure in violation of the regulation.

Response: We have not further defined the statutory term “necessary”, as requested. We believe that the determination of what is “necessary” will be fact-specific and context dependent, and should not be further circumscribed absent such specifics. The state will need to make its case that the state law in question is sufficiently “necessary” to accomplish the particular statutory ground for exception that it should trump the contrary federal standard, requirement, or implementation specification.

Comment: One commenter noted that a state should be required to explain whether it has taken any action to correct any less stringent state law for which an exception has been requested. This commenter recommended that a section be added to proposed § 160.204(a) stating that “a state must specify what, if any, action has been taken to amend the state law to comply with the federal regulations.” Another comment, received in the Transactions rulemaking, took the position that exception determinations should be granted only if the state standards in question exceeded the national standards.

Response: The first and last comments appear to confuse the “more stringent” criterion that applies under section 1178(a)(2)(B) of the Act with the criteria that apply to exceptions under section 1178(a)(2)(A). We are also not adopting the language suggested by the first comment, because we do not agree that states should necessarily have to try to amend their state laws as a precondition to requesting exceptions under section 1178(a)(2)(A). Rather, the question should be whether the state has made a convincing case that the state law in question is sufficiently necessary for one of the statutory purposes that it should trump the contrary federal policy.

Comment: One commenter stated that exceptions for state laws that are contrary to the federal standards should not be preempted where the state and federal standards are found to be equal.

Response: This suggestion has not been adopted, as it is not consistent with the statute. With respect to the administrative simplification standards in general, it is clear that the intent of Congress was to preempt contrary state laws except in the limited areas specified as exceptions or carve-outs. See, section 1178. This statutory approach is consistent with the underlying goal of simplifying health care transactions through the adoption of uniform national standards. Even with respect to state laws relating to the privacy of medical information, the statute shields such state laws from preemption by the federal standards only if they are “more” stringent than the related federal standard or implementation specification.

Comment: One commenter noted that determinations would apply only to transactions that are wholly intrastate. Thus, any element of a health care transaction that would implicate more than one state’s law would automatically preclude the Secretary’s evaluation as to whether the laws were more or less stringent than the federal requirement. Other commenters expressed confusion about this proposed requirement, noting that providers and plans operate now in a multi-state environment.

Response: We agree with the commenters and have dropped the proposed requirement. As noted by the commenters, health care entities now typically operate in a multi-state environment, so already make the choice of law judgements that are necessary in multi-state transactions. It is the result of that calculus that will have to be weighed against the federal standards, requirements, and implementation specifications in the preemption analysis.

Comment: One comment received in the Transactions rulemaking suggested that the Department should allow exceptions to the standard transactions to accommodate abbreviated transactions between state agencies, such as claims between a public health department and the state Medicaid

82586       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

agency. Another comment requested an exception for Home and Community Based Waiver Services from the transactions standards.

Response: The concerns raised by these comments would seem to be more properly addressed through the process established for maintaining and modifying the transactions standards. If the concerns underlying these comments cannot be addressed in this manner, however, there is nothing in the rules below to preclude states from requesting exceptions in such cases. They will then have to make the case that one or more grounds for exception applies.

Section 160.204(a)—Process for Exception Determinations—Comments and Responses

Comment: Several comments received in the Transactions rulemaking stated that the process for applying for and granting exception determinations (referred to as “waivers” by some) needed to be spelled out in the final rule.

Response: We agree with these comments. As noted above, since no process was proposed in the Transactions rulemaking, a process for making exception determinations was not adopted in those final rules. Subpart B below adopts a process for making exception determinations, which responds to these comments.

Comment: Comments stated that the exception process would be burdensome, unwieldy, and time-consuming for state agencies as well as the Department. One comment took the position that states should not be required to submit exception requests to the Department under proposed § 160.203(a), but could provide documentation that the state law meets one of the conditions articulated in proposed § 160.203.

Response: We disagree that the process adopted at § 164.204 below will be burdensome, unwieldy, or time-consuming. The only thing the regulation describes is the showings that a requestor must make as part of its submission, and all are relevant to the issue to be determined by the Secretary. How much information is submitted is, generally speaking, in the requestor’s control, and the regulation places no restrictions on how the requestor obtains it, whether by acting directly, by working with providers and/or plans, or by working with others. With respect to the suggestion that states not be required to submit exception requests, we disagree that this suggestion is either statutorily authorized or advisable. We read this comment as implicitly suggesting that the Secretary must proactively identify instances of conflict and evaluate them. This suggestion is, thus, at bottom the same as the many suggestions that we create a database or compendium of controlling law, and it is rejected for the same reasons.

Comment: Several comments urged that all state requests for non-preemption include a process for public participation. These comments believe that members of the public and other interested stakeholders should be allowed to submit comments on a state’s request for exception, and that these comments should be reviewed and considered by the Secretary in determining whether the exception should be granted. One comment suggested that the Secretary at least give notice to the citizens of the state prior to granting an exception.

Response: The revision to § 160.204(a), to permit requests for exception determinations by any person, responds to these comments.

Comment: Many commenters noted that the lack of a clear and reasonable time line for the Secretary to issue an exception determination would not provide sufficient assurance that the questions regarding what rules apply will be resolved in a time frame that will allow business to be conducted properly, and argued that this would increase confusion and uncertainty about which statutes and regulations should be followed. Timeframes of 60 or 90 days were suggested. One group suggested that, if a state does not receive a response from HHS within 60 days, the waiver should be deemed approved.

Response: The workload prioritization and management considerations discussed above with respect to advisory opinions are also relevant here and make us reluctant to agree to a deadline for making exception determinations. This is particularly true at the outset, since we have no experience with such requests. We therefore have no basis for determining how long processing such requests will take, how many requests we will need to process, or what resources will be available for such processing. We agree that states and other requesters should receive timely responses and will make every effort to make determinations as expeditiously as possible, but we cannot commit to firm deadlines in this initial rule. Once we have experience in handling exception requests, we will consult with states and others in regard to their experiences and concerns and their suggestions for improving the Secretary’s expeditious handling of such requests.

We are not accepting the suggestion that requests for exception be deemed approved if not acted upon in some defined time period. Section 1178(a)(2)(A) requires a specific determination by the Secretary. The suggested policy would not be consistent with this statutory requirement. It is also inadvisable from a policy standpoint, in that it would tend to maximize exceptions. This would be contrary to the underlying statutory policy in favor of uniform federal standards.

Comment: One commenter took exception to the requirement for states to seek a determination from the Department that a provision of state law is necessary to prevent fraud and abuse or to ensure appropriate state regulation of insurance plans, contending that this mandate could interfere with the Insurance Commissioners’ ability to do their jobs. Another commenter suggested that the regulation specifically recognize the broad scope of state insurance department activities, such as market conduct examinations, enforcement investigations, and consumer complaint handling.

Response: The first comment raises an issue that lies outside our legal authority to address, as section 1178(a)(2)(A) clearly mandates that the Secretary make a determination in these areas. With respect to the second comment, to the extent these concerns pertain to health plans, we believe that the provisions at § 164.512 relating to oversight and disclosures required by law should address the concerns underlying this comment.

Section 160.204(a)(4)—Period of Effectiveness of Exception Determinations

Comment: Numerous commenters stated that the proposed three year limitation on the effectiveness of exception determinations would pose significant problems and should be limited to one year, since a one year limitation would provide more frequent review of the necessity for exceptions. The commenters expressed concern that state laws which provide less privacy protection than the federal regulation would be given exceptions by the Secretary and thus argued that the exceptions should be more limited in duration or that the Secretary should require that each request, regardless of duration, include a description of the length of time such an exception would be needed.

One state government commenter, however, argued that the 3 year limit should be eliminated entirely, on the ground that requiring a redetermination

            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82587

every three years would be burdensome for the states and be a waste of time and resources for all parties. Other commenters, including two state agencies, suggested that the exemption should remain effective until either the state law or the federal regulation is changed. Another commenter suggested that the three year sunset be deleted and that the final rule provide for automatic review to determine if changes in circumstance or law would necessitate amendment or deletion of the opinion. Other recommendations included deeming the state law as continuing in effect upon the submission of a state application for an exemption rather than waiting for a determination by the Secretary that may not occur for a substantial period of time.

Response: We are persuaded that the proposed 3 year limit on exception determinations does not make sense where neither law providing the basis for the exception has changed in the interim. We also agree that where either law has changed, a previously granted exception should not continue. Section 160.205(a) below addresses these concerns.

Sections 160.203(b) and 160.204(b)—Advisory Opinions

Section 160.203(b)—Effect of Advisory Opinions

Comment: Several commenters questioned whether or not DHHS has standing to issue binding advisory opinions and recommended that the Department clarify this issue before implementation of this regulation. One respondent suggested that the Department clarify in the final rule the legal issues on which it will opine in advisory opinion requests, and state that in responding to requests for advisory opinions the Department will not opine on the preemptive force of ERISA with respect to state laws governing the privacy of individually identifiable health information, since interpretations as to the scope and extent of ERISA’s preemption provisions are outside of the Department’s jurisdictional authority.

One commenter asked whether a state could enforce a state law which the Secretary had indicated through an advisory opinion is preempted by federal law. This commenter also asked whether the state would be subject to penalties if it chose to continue to enforce its own laws.

Response: As discussed above, in part for reasons raised by these comments, the Department has decided not to have a formal process for issuing advisory opinions, as proposed. Several of these concerns, however, raise issues of broader concern that need to be addressed. First, we disagree that the Secretary lacks legal authority to opine on whether or not state privacy laws are preempted. The Secretary is charged by law with determining compliance, and where state law and the federal requirements conflict, a determination of which law controls will have to be made in order to determine whether the federal standard, requirement, or implementation specification at issue has been violated. Thus, the Secretary cannot carry out her enforcement functions without making such determinations. It is further reasonable that, if the Secretary makes such determinations, she can make those determinations known, for whatever persuasive effect they may have.

The questions as to whether a state could enforce, or would be subject to penalties if it chose to continue to enforce, its own laws following a denial by the Secretary of an exception request under § 160.203 or a holding by a court of competent jurisdiction that a state privacy law had been preempted by a contrary federal privacy standard raise several issues. First, a state law is preempted under the Act only to the extent that it applies to covered entities; thus, a state is free to continue to enforce a “preempted” state law against non-covered entities to which the state law applies. If there is a question of coverage, states may wish to establish processes to ascertain which entities within their borders are covered entities within the meaning of these rules. Second, with respect to covered entities, if a state were to try to enforce a preempted state law against such entities, it would presumably be acting without legal authority in so doing. We cannot speak to what remedies might be available to covered entities to protect themselves against such wrongful state action, but we assume that covered entities could seek judicial relief, if all else failed. With respect to the issue of imposing penalties on states, we do not see this as likely. The only situation that we can envision in which penalties might be imposed on a state would be if a state agency were itself a covered entity and followed a preempted state law, thereby violating the contrary federal standard, requirement, or implementation specification.

Section 160.204(b)—Process for Advisory Opinions

Comment: Several commenters stated that it was unclear whether a state would be required to submit a request for an advisory opinion in order for the law to be considered more stringent and thus not preempted. The Department should clarify whether a state law could be non-preempted even without such an advisory opinion. Another commenter requested that the final rule explicitly state that the stricter rule always applies, whether it be state or federal, and regardless of whether there is any conflict between state and federal law.

Response: The elimination of the proposed process for advisory opinions renders moot the first question. Also, the preceding response clarifies that which law preempts in the privacy context (assuming that the state law and federal requirement are “contrary”) is a matter of which one is the “more stringent.” This is not a matter which the Secretary will ultimately determine; rather, this is a question about which the courts will ultimately make the final determination. With respect to the second comment, we believe that § 160.203(b) below responds to this issue, but we would note that the statute already provides for this.

Comment: Several commenters supported the decision to limit the parties who may request advisory opinions to the state. These commenters did not believe that insurers should be allowed to request an advisory opinion and open every state law up to challenge and review.

Several commenters requested that guidance on advisory opinions be provided in all circumstances, not only at the Secretary’s discretion. It was suggested that proposed § 160.204(b)(2)(iv) be revised to read as follows: “A state may submit a written request to the Secretary for an advisory opinion under this paragraph. The request must include the following information: the reasons why the state law should or should not be preempted by the federal standard, requirement, or implementation specification, including how the state law meets the criteria at § 160.203(b).”

Response: The decision not to have a formal process for issuing advisory opinions renders these issues moot.

Sections 160.203(c) and 160.203(d)—Statutory Carve-Outs

Comment: Several commenters asked that the Department provide more specific examples itemizing activities traditionally regulated by the state that could constitute “carve-out” exceptions. These commenters also requested that the Department include language in the regulation stating that if a state law falls within several different exceptions, the state chooses which determination exception shall apply.

82588       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

Response: We are concerned that itemizing examples in this way could leave out important state laws or create inadvertent negative implications that laws not listed are not included. However, as explained above, we have designed the types of activities that are permissive disclosures for public health under § 164.512(b) below in part to come within the carve-out effected by section 1178(b); while the state regulatory activities covered by section 1178(c) will generally come within § 164.512(d) below. With respect to the comments asking that a state get to “choose” which exception it comes under, we have in effect provided for

1178(a)(2)(A); contrary state laws coming within section 1178(a)(2)(B) are preempted if not more stringent, while if a contrary state law comes within section 1178(b) or section 1178(c), it is not preempted. These latter statutory provisions operate by their own terms. Thus, it is not within the Secretary’s authority to establish the determination process which these comments seek.

With respect to the request seeking advisory opinions in the section 1178(b) and 1178(c) situations, we agree that we have the authority to issue such opinions. However, the considerations described above that have led us not to adopt a formal process for issuing

Article II

Comment: One commenter contended that the Secretary improperly delegated authority to private entities by requiring covered entities to enter into contracts with, monitor, and take action for violations of the contract against their business partners. These comments assert that the selection of these entities to “enforce” the regulations violates the Executive Powers Clause and the Appointments and Take Care Clauses.

Response: We reject the assertion that the business associate provisions constitute an improper delegation of executive power to private entities. HIPAA provides HHS with authority to
this with respect to exceptions under               advisory opinions in the privacy context
section 1178(a)(2)(A), by giving the state                                                                  enforce the regulation against covered
                                                    apply with equal force and effect here.                 entities. The rules below regulate only
the right to request an exception under
that section. With respect to exceptions               Comment: One commenter argued                        the conduct of the covered entity; to the
under section 1178(a)(2)(B), those                  that it would be unnecessarily                          extent a covered entity chooses to
exceptions occur by operation of law,               burdensome for state health data                        conduct its funding through a business
and it is not within the Secretary’s                agencies (whose focus is on the cost of                 associate, those functions are still
power to ‘‘let’’ the state choose whether           healthcare or improving Medicare,                       functions of the covered entity. Thus, no
an exception occurs under that section.             Medicaid, or the healthcare system) to                  improper delegation has occurred
   Comment: Several commenters took                 obtain a specific determination from the                because what is being regulated are the
the position that the Secretary should              Department for an exception under                       actions of the covered entity, not the
not limit the procedural requirements in            proposed § 160.203(c). States should be                 actions of the business associate in its
proposed § 160.204(a) to only those                 required only to notify the Secretary of                independent capacity.
applications under proposed                         their own determination that such                         We also reject the suggestion that the
§ 160.203(a). They urged that the                   collection is necessary. It was also                    business associates provisions
requirements of proposed § 160.204(a)               argued that cases where the statutory                   constitute an improper appointment of
should also apply to preemption under               carve-outs apply should not require a                   covered entities to enforce the
sections 1178(a)(2)(B), 1178(b) and                 Secretarial determination.                              regulation and violate the Take Care
1178(c). It was suggested that the rules               Response: We clarify that no                         Clause. Because the Secretary has not
should provide for exception                        Secretarial determination is required for               delegated authority to covered entities,
determinations with respect to the                  activities that fall into one of the                    the inference that she has appointed
matters covered by these provisions of              statutory carve-outs. With respect to                   covered entities to exercise such
the statute; such additional provisions             data collections for state health data                  authority misses the mark.
would provide clear procedures for                  agencies, we note that provision has                    Commerce Clause
states to follow and ensure that requests           been made for many of these activities
for exceptions are adequately                                                                                 Comment: A few commenters
                                                    in several provisions of the rules below,
documented.                                                                                                 suggested that the privacy regulation
                                                    such as the provisions relating to
   A slightly different approach was                                                                        regulates activities that are not in
                                                    disclosures required by law
taken by several commenters, who                                                                            interstate commerce and which are,
                                                    (§ 164.512(a)), disclosures for oversight
recommended that proposed                                                                                   therefore, beyond the powers the U.S.
                                                    (§ 164.512(d)), and disclosures for
§ 160.204(b) be amended to clarify that                                                                     Constitution gives the federal
                                                    public health (§ 164.512(b)). Some
the Secretary will also issue advisory                                                                      government.
                                                    disclosures for Medicare and Medicaid
opinions as to whether a state law                                                                            Response: We disagree. Health care
                                                    purposes may also come within the
constitutes an exception under                                                                              providers, health plans, and health care
                                                    definition of health care operations. A
proposed §§ 160.203(c) and 160.203(d).                                                                      clearinghouses are engaged in economic
                                                    fuller discussion of this issue appears in
This change would, they argued, give                                                                        and commercial activities, including the
                                                    connection with § 164.512 below.
states the same opportunity for guidance                                                                    exchange of individually identifiable
that they have under § 160.203(a) and               Constitutional Comments and                             health information electronically across
(b), and as such, avoid costly lawsuits             Responses                                               state lines. These activities constitute
to preserve state laws.                                                                                     interstate commerce. Therefore, they
   Response: We are not taking either of               Comment: Several commenters                          come within the scope of Congress’
the recommended courses of action.                  suggested that as a general matter the                  power to regulate interstate commerce.
With respect to the recommendation                  rule is unconstitutional.
that we expand the exception                           Response: We disagree that the rule is               Nondelegation Doctrine
determination process to encompass                  unconstitutional. The particular                          Comment: Some commenters objected
exceptions under sections 1178(a)(2)(B),            grounds for this conclusion are set out                 to the manner by which Congress
1178(b), and 1178(c), we do not have the            with respect to particular constitutional               provided the Secretary authority to
authority to grant exceptions under                 issues in the responses below. With                     promulgate this regulation. These
these sections. Under section 1178, the             respect to the comments that simply                     comments asserted that Congress
Secretary has authority to make                     made this general assertion, the lack of                violated the nondelegation doctrine by
exception determinations only with                  detail of the comments makes a                          (1) not providing an ‘‘intelligible
respect to the matters covered by section           substantive response impossible.                        principle’’ to guide the agency, (2) not

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00128   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82589

establishing ‘‘ascertainable standards,’’           because, as proposed, they permitted                      Response: We disagree that the
and (3) improperly permitting the                   the Secretary to make determinations on                 provisions of these rules that permit
Secretary to make social policy                     preemption, which is a role reserved for                disclosures for law enforcement
decisions.                                          the judiciary.                                          purposes and governmental health data
   Response: We disagree. HIPAA clearly                Response: We disagree. We note that                  systems generally violate the Fourth
delineates Congress’ general policy to              this comment only pertains to                           Amendment. The privacy regulation
establish strict privacy protections for            determinations under section                            does not create new access rights for law
individually identifiable health                    1178(a)(2)(A); as discussed above, the                  enforcement. Rather, it refrains from
information to encourage electronic                 rules below provide for no Secretarial                  placing a significant barrier in front of
transactions. Congress also established             determinations with respect to state                    access rights that law enforcement
boundaries limiting the Secretary’s                 privacy laws coming within section                      currently has under existing legal
authority. Congress established these               1178(a)(2)(B). With respect to                          authority. While the regulation may
limitations in several ways, including              determinations under section                            permit a covered entity to make
by calling for privacy standards for                1178(a)(2)(A), however, the final rules,                disclosures in specified instances, it
‘‘individually identifiable health                  like the proposed rules, provide that at                does not require the covered entity
information’’; specifying that privacy              a state’s request the Secretary may make                make the disclosure. Thus, because we
standards must address individuals’                 certain determinations regarding the                    are not modifying existing law regarding
rights regarding their individually                 preemptive effect of the rules on a                     disclosures to law enforcement officials,
identifiable health information, the                particular state law. As usually the case               except to strengthen the requirements
procedures for exercising those rights,             with any administrative decisions, these                related to requests already authorized
and the particular uses and disclosures             are subject to judicial review pursuant                 under law, and are not requiring any
to be authorized or required; restricting           to the Administrative Procedure Act.                    such disclosures, the privacy regulation
the direct application of the privacy                                                                       does not infringe upon individual’s
                                                    First Amendment
standards to ‘‘covered entities,’’ which                                                                    Fourth Amendment rights. We discuss
Congress defined; requiring consultation              Comment: Some comments suggested                      the rationale underlying the permissible
with the National Committee on Vital                that the rules violated the First                       disclosures to law enforcement officials
and Health Statistics and the Attorney              Amendment. They asserted that if the                    more fully in the preamble discussion
General; specifying the circumstances               rule included Christian Science                         relating to § 164.512(f).
under which the federal requirements                practitioners as covered entities it                      We note that the proposed provision
would supersede state laws; and                     would violate the separation of church                  relating to disclosures to government
specifying the civil and criminal                   and state doctrine.                                     health data systems has been eliminated
penalties the Secretary could impose for              Response: We disagree. The First                      in the final rule. However, to the extent
violations of the regulation. These                 Amendment does not always prohibit                      that the comments can be seen as raising
limitations also serve as ‘‘ascertainable           the federal government from regulating                  concern over disclosure of protected
standards’’ upon which reviewing                    secular activities of religious                         health information to government
courts can rely to determine the validity           organizations. However, we address                      agencies for public health, health
of the exercise of authority.                       concerns relating to Christian Science                  oversight, or other purposes permitted
   Although Congress could have chosen              practitioners more fully in the response                by the final rule, the reasoning in the
to impose expressly an exhaustive list of           to comments discussion of the                           previous paragraph applies.
specifications that must be met in order            definition of ‘‘covered entity’’ in                       Comment: One commenter suggested
to achieve the protective purposes of the           § 160.103.                                              that the rules violate the Fourth
HIPAA, it was entirely permissible for              Fourth Amendment                                        Amendment by requiring covered
Congress to entrust to the Secretary the                                                                    entities to provide access to the
task of providing these specifications                Comment: Many comments expressed                      Secretary to their books, records,
based on her experience and expertise               Fourth Amendment concerns about                         accounts, and facilities to ensure
in dealing with these complex and                   various proposed provisions. These                      compliance with these rules. The
technical matters.                                  comments fall into two categories—                      commenter also suggested that the
   We disagree with the comments that               general concerns about warrantless                      requirement that covered entities enter
Congress improperly delegated                       searches and specific concerns about                    into agreements with their business
Congressional policy choices to her.                administrative searches. Several                        partners to make their records available
Congress clearly decided to create                  comments argued that the proposed                       to the Secretary for inspection as well
federal standards protecting the privacy            regulations permit law enforcement and                  also violates the warrant requirement of
of ‘‘individually identifiable health               government officials access to protected                the Fourth Amendment.
information’’ and not to preempt state              health information without first                          Response: We disagree. These
laws that are more stringent. Congress              requiring a judicial search warrant or an               requirements are consistent with U.S.
also determined over whom the                       individual’s consent. These comments                    Supreme Court cases holding that
Secretary would have authority, the                 rejected the applicability of any of the                warrantless administrative searches of
type of information protected, and the              existing exceptions permitting                          commercial property are not per se
minimum level of regulation.                        warrantless searches in this context.                   violations of the Fourth Amendment.
                                                    Another comment argued that federal                     The provisions requiring that covered
Separation of Powers                                and state police should be able to obtain               entities provide access to certain
   Comment: Some commenters asserted                personal medical records only with the                  material to determine compliance with
that the federal government may not                 informed consent of an individual.                      the regulation come within the well-
preempt state laws that are not as strict           Many of these comments also expressed                   settled exception regarding closely
as the privacy regulation because to do             concern that protected health                           regulated businesses and industries to
so would violate the separation of                  information could be provided to                        the warrant requirement. From state and
powers in the U.S. Constitution. One                government or private agencies for                      local licensure laws to the federal fraud
comment suggested that the rules raised             inclusion in a governmental health data                 and abuse statutes and regulations, the
a substantial constitutional issue                  system.                                                 health care industry is one of the most

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00129   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82590       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

tightly regulated businesses in the                 Therefore, no taking has occurred in                    that the rule requires disclosures only to
country. Because the industry has such              these situations either.                                the individual or to the Secretary to
an extensive history of government                                                                          determine compliance with this rule.
                                                    Ninth and Tenth Amendments
oversight and involvement, those                                                                            Other uses or disclosures under this rule
operating within it have no reasonable                 Comment: Several comments asserted                   are permissive, not required. Therefore,
expectation of privacy from the                     that the proposed rules violated the                    if a particular use or disclosure under
government such that a warrant would                Ninth and Tenth Amendments. One                         this rule is viewed as interfering with a
be required to determine compliance                 commenter suggested that the Ninth                      right that prohibited the use or
with the rules.                                     Amendment prohibits long and                            disclosure, the rule itself is not what
   In addition, the cases cited by the              complicated regulations. Other                          requires the use or disclosure.
commenters concern unannounced                      commenters suggested that the proposed
                                                    rules authorized the compelled                          Void for Vagueness
searches of the premises and facilities of
particular entities. Because our                    disclosure of individually identifiable                    Comment: One comment suggested
enforcement provisions only provide for             health information in violation of State                that the Secretary’s use of a
the review of books, records, and other             constitutional provisions, such as those                ‘‘reasonableness’’ standard is
information and only during normal                  in California and Florida. Similarly, a                 unconstitutionally vague. Specifically,
business hours with notice, except for              couple of commenters asserted that the                  this comment objected to the
exceptional situations, this case law               privacy rules violate the Tenth                         requirement that covered entities use
does not apply.                                     Amendment.                                              ‘‘reasonable’’ efforts to use or disclose
                                                       Response: We disagree. The Ninth                     the minimum amount of protected
   As for business associates, they                 and Tenth Amendments address the                        health information, to ensure that
voluntarily enter into their agreements             rights retained by the people and                       business partners comply with the
with covered entities. This agreement,              acknowledge that the States or the                      privacy provisions of their contracts, to
therefore, functions as knowing and                 people are reserved the powers not                      notify business partners of any
voluntary consents to the search (even              delegated to the federal government and                 amendments or corrections to protected
assuming it could be understood to be               not otherwise prohibited by the                         health information, and to verify the
a search) and obviates the need for a               Constitution. Because HHS is regulating                 identity of individuals requesting
warrant.                                            under a delegation of authority from                    information, as well as charge only a
Fifth Amendment                                     Congress in an area that affects                        ‘‘reasonable’’ fee for inspecting and
                                                    interstate commerce, we are within the                  copying health information. This
   Comment: Several comments asserted               powers provided to Congress in the                      comment asserted that the Secretary
that the proposed rules violated the                Constitution. Nothing in the Ninth                      provided ‘‘inadequate guidance’’ as to
Fifth Amendment because in the                      Amendment, or any other provision of                    what qualifies as ‘‘reasonable.’’
commenters’ views they authorized the               the Constitution, restricts the length or                  Response: We disagree with the
taking of privacy property without just             complexity of any law. Additionally, we                 comment’s suggestion that by applying
compensation or due process of law.                 do not believe the rules below                          a ‘‘reasonableness’’ standard, the
   Response: We disagree. The rules set             impermissibly authorize behavior that                   regulation has failed to provide for ‘‘fair
forth below do not address the issue of             violates State constitutions. This rule                 warning’’ or ‘‘fair enforcement.’’ The
who owns an individual’s medical                    requires disclosure only to the                         ‘‘reasonableness’’ standard is well-
record. Instead, they address what uses             individual or to the Secretary to enforce               established in law; for example, it is the
and disclosures of protected health                 this rule. As noted in the preamble                     foundation of the common law of torts.
information may be made by covered                  discussion of ‘‘Preemption,’’ these rules               Courts also have consistently held as
entities with or without a consent or               do not preempt State laws, including                    constitutional statutes that rely upon a
authorization. As described in response             constitutional provisions, that are                     ‘‘reasonableness’’ standard. Our reliance
to a similar comment, medical records               contrary to and more stringent, as                      upon a ‘‘reasonableness’’ standard, thus,
have been the property of the health                defined at § 160.502, than these rules.                 provides covered entities with
care provider or medical facility that              See the discussion of ‘‘Preemption’’ for                constitutionally sufficient guidance.
created them, historically. In some                 further clarification. Therefore, if these
states, statutes directly provide these                                                                     Criminal Intent
                                                    State constitutions are contrary to the
entities with ownership. These laws are             rule below and provide greater                             Comment: One comment argued that
limited by laws that provide patients or            protection, they remain in full force; if               the regulation’s reliance upon a
their representatives with access to the            they do not, they are preempted, in                     ‘‘reasonableness’’ standard criminalizes
records or that provide the patient with            accordance with the Supremacy Clause                    ‘‘unreasonable efforts’’ without
an ownership interest in the information            of the Constitution.                                    requiring criminal intent or mens rea.
within the records. As we discuss, the                                                                         Response: We reject this suggestion
final rule is consistent with current state         Right to Privacy                                        because HIPAA clearly provides the
law that provides patients access to                  Comment: Several comments                             criminal intent requirement.
protected health information, but not               suggested that the proposed regulation                  Specifically, HIPPA provides that a
ownership of medical records. State                 would violate the right to privacy                      ‘‘person who knowingly and in
laws that provide patients with greater             guaranteed by the First, Fourth, Fifth,                 violation of this part—(1) uses or causes
access would remain in effect.                      and Ninth Amendments because it                         to be used a unique health identifier; (2)
Therefore, because patients do not own              would permit covered entities to                        obtains individually identifiable health
their records, no taking can occur. As              disclose protected health information                   information relating to an individual; or
for their interest in the information, the          without the consent of the individual.                  (3) discloses individually identifiable
final rule retains their rights. As for               Response: These comments did not                      health information to another person,
covered entities, the final rule does not           provide specific facts or legal basis for               shall be punished as provided in
take away their ownership rights or                 the claims. We are, thus, unable to                     subsection (b).’’ HIPAA section 1177
make their ownership interest in the                provide a substantive response to these                 (emphasis added). Subsection (b) also
protected health information worthless.             particular comments. However, we note                   relies on a knowledge standard in

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00130   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82591

outlining the three levels of criminal sanctions. Thus, Congress, not the Secretary, established the mens rea by including the term ‘‘knowingly’’ in the criminal penalty provisions of HIPAA.

Data Collection

Comment: One commenter suggested that the U.S. Constitution authorized the collection of data on individuals only for the purpose of the census.
Response: While it might be true that the U.S. Constitution expressly discusses the national census, it does not forbid federal agencies from collecting data for other purposes. The ability of agencies to collect non-census data has been upheld by the courts.

Relationship to Other Federal Laws

Comment: We received several comments that sought clarification of the interaction of various federal laws and the privacy regulation. Many of these comments simply listed federal laws and regulations with which the commenter currently must comply. For example, commenters noted that they must comply with regulations relating to safety, public health, and civil rights, including Medicare and Medicaid, the Americans with Disabilities Act, the Family and Medical Leave Act, the Federal Aviation Administration regulations, the Department of Transportation regulations, the Federal Highway Administration regulations, the Occupational Safety and Health Administration regulations, and the Environmental Protection Agency regulations, and alcohol and drug-free workplace rules. These commenters suggested that the regulation state clearly and unequivocally that uses or disclosures of protected health information for these purposes were permissible. Some suggested modifying the definition of health care operations to include these uses specifically. Another suggestion was to add a section that permitted the transmission of protected health information to employers when reasonably necessary to comply with federal, state, or municipal laws and regulations, or when necessary for public or employee safety and health.
Response: Although we sympathize with entities’ needs to evaluate the existing laws with which they must comply in light of the requirements of the final regulation, we are unable to respond substantially to comments that do not pose specific questions. We offer, however, the following guidance: if a covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under § 164.512(a) to make these disclosures without a consent or authorization; if, however, a statute or regulation merely suggests a disclosure, the covered entity will need to determine if the disclosure comes within another category of permissible disclosure under §§ 164.510 or 164.512 or, alternatively, if the disclosure would otherwise come within § 164.502. If not, the entity will need to obtain a consent or authorization for the disclosure.
Comment: One commenter sought clarification as to when a disclosure is considered to be ‘‘required’’ by another law versus ‘‘permitted’’ by that law.
Response: We use these terms according to their common usage. By ‘‘required by law,’’ we mean that a covered entity has a legal obligation to disclose the information. For example, if a statute states that a covered entity must report the names of all individuals presenting with gunshot wounds to the emergency room or else be fined $500 for each violation, a covered entity would be required by law to disclose the protected health information necessary to comply with this mandate. The privacy regulation permits this type of disclosure, but does not require it. Therefore, if a covered entity chose not to comply with the reporting statute it would violate only the reporting statute and not the privacy regulation.
On the other hand, if a statute stated that a covered entity may or is permitted to report the names of all individuals presenting with gunshot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a covered entity would not be permitted by § 164.512(a) to disclose the protected health information. Of course, if another permissible provision applied to these facts, the covered entity could make the disclosure under that provision, but it would not be considered to be a disclosure required by law. See discussion under § 164.512(a) below.
Comment: Several commenters suggested that the proposed rule was unnecessarily duplicative of existing regulations for federal programs, such as Medicare, Medicaid, and the Federal Employees Health Benefits Program.
Response: Congress specifically subjected certain federal programs, including Medicare, Medicaid, and the Federal Employees Health Benefits Program, to the privacy regulation by including them within the definition of ‘‘health plan.’’ Therefore, covered entities subject to requirements of existing federal programs will also have to comply with the privacy regulation.
Comment: One comment asserts that the regulation would not affect current federal requirements if the current requirements are weaker than the requirements of the privacy regulation. This same commenter suggested that current federal requirements will trump both state law and the proposed regulation, even if Medicaid transactions remain wholly intrastate.
Response: We disagree. As noted in our discussion of ‘‘Relationship to Other Federal Laws,’’ each law or regulation will need to be evaluated individually. We similarly disagree with the second assertion made by the commenter. The final rule will preempt state laws only in specific instances. For a more detailed analysis, see the preamble discussion of ‘‘Preemption.’’

Administrative Subpoenas

Comment: One comment stated that the final rule should not impose new standards on administrative subpoenas that would conflict with existing laws or administrative or judicial rules that establish standards for issuing subpoenas. Nor should the final rule conflict with established standards for the conduct of administrative, civil, or criminal proceedings, including the rules regarding the discovery of evidence. Other comments sought further restrictions on access to protected health information in this context.
Response: Section 164.512(e) below addresses disclosures for judicial and administrative proceedings. The final rules generally do not interfere with these existing processes to the extent an individual served with a subpoena, court order, or other similar process is able to raise objections already available. See the discussion below under § 164.512(e) for a fuller response.

Americans with Disabilities Act

Comment: Several comments discussed the intersection between the proposed Privacy Rule and the Americans with Disabilities Act (‘‘ADA’’) and sections 503 and 504 of the Rehabilitation Act of 1973. One comment suggested that the final rule explicitly allows disclosures authorized by the Americans with Disabilities Act without an individual’s authorization, because this law, in the commenter’s view, provides more than adequate protection for the confidentiality of medical records in the employment context. The comment noted that under these laws employers may receive information related to fitness for duty, pre-employment physicals, routine examinations, return to work examinations, examinations following other types of absences, examinations triggered by specific events, changes in
circumstances, requests for reasonable accommodations, leave requests, employee wellness programs, and medical monitoring.
Other commenters suggested that the ADA requires the disclosure of protected health information to employers so that the employee may take advantage of the protections of these laws. They suggested that the final rules clarify that employment may be conditioned on obtaining an authorization for disclosure of protected health information for lawful purposes and provide guidance concerning the interaction of the ADA with the final regulation’s requirements. Several commenters wanted clarification that the privacy regulation would not permit employers to request or use protected health information in violation of the ADA.
Response: We disagree with the comment that the final rule should allow disclosures of protected health information authorized by the ADA without the individual’s authorization. We learned from the comments that access to and use of protected health information by employers is of particular concern to many people. With regard to employers, we do not have statutory authority to regulate them. Therefore, it is beyond the scope of this regulation to prohibit employers from requesting or obtaining protected health information. Covered entities may disclose protected health information about individuals who are members of an employer’s workforce with an authorization. Nothing in the privacy regulation prohibits employers from obtaining that authorization as a condition of employment. We note, however, that employers must comply with other laws that govern them, such as nondiscrimination laws. For example, if an employer receives a request for a reasonable accommodation, the employer may require reasonable documentation about the employee’s disability and the functional limitations that require the reasonable accommodation, if the disability and the limitations are not obvious. If the individual provides insufficient documentation and does not provide the missing information in a timely manner after the employer’s subsequent request, the employer may require the individual to go to an appropriate health professional of the employer’s choice. In this situation, if the employee does not authorize the disclosure of information to substantiate the disability and the need for reasonable accommodation, the employer need not provide the accommodation.
We agree that this rule does not permit employers to request or use protected health information in violation of the ADA or other antidiscrimination laws.

Appropriations Laws

Comment: One comment suggested that the penalty provisions of HIPAA, if extended to the privacy regulation, would require the Secretary to violate ‘‘Appropriations Laws’’ because the Secretary could be in the position of assessing penalties against her own and other federal agencies in their roles as covered entities. Enforcing penalties on these entities would require the transfer of agency funds to the General Fund.
Response: We disagree. Although we anticipate achieving voluntary compliance and resolving any disputes prior to the actual assessment of penalties, the Department of Justice’s Office of Legal Counsel has determined in similar situations that federal agencies have authority to assess penalties against other federal agencies and that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

Comment: One comment expressed concern that the regulation would place tremendous burdens on providers already struggling with the effects of the Balanced Budget Act of 1997.
Response: We appreciate the costs covered entities face when complying with other statutory and regulatory requirements, such as the Balanced Budget Act of 1997. However, HHS cannot address the impact of the Balanced Budget Act or other statutes in the context of this regulation.
Comment: Another comment stated that the regulation is in direct conflict with the Balanced Budget Act of 1997 (‘‘BBA’’). The comment asserts that the regulation’s compliance date conflicts with the BBA, as well as Generally Accepted Accounting Principles. According to the comment, covered entities that made capital acquisitions to ensure compliance with the year 2000 (‘‘Y2K’’) problem would not be able to account for the full depreciation of these systems until 2005. Because HIPAA requires compliance before that time, the regulation would force premature obsolescence of this equipment because, while it is Y2K compliant, it may be HIPAA non-compliant.
Response: This comment raises two distinct issues: (1) the investment in new equipment and (2) the compliance date. With regard to the first issue, we reject the comment’s assertion that the regulation requires covered entities to purchase new information systems or information technology equipment, but realize that some covered entities may need to update their equipment. We have tried to minimize the costs, while responding appropriately to Congress’ mandate for privacy rules. We have dealt with the cost issues in detail in the ‘‘Regulatory Impact Analysis’’ section of this Preamble. With regard to the second issue, Congress, not the Secretary, established the compliance date at section 1175(b) of the Act.

Civil Rights of Institutionalized Persons Act

Comment: A few comments expressed concern that the privacy regulation would inadvertently hinder the Department of Justice Civil Rights Division’s investigations under the Civil Rights of Institutionalized Persons Act (‘‘CRIPA’’). These comments suggested clearly including civil rights enforcement activities as health care oversight.
Response: We agree with this comment. We do not intend for the privacy rules to hinder CRIPA investigations. Thus, the final rule includes agencies that are authorized by law to ‘‘enforce civil rights laws for which health information is relevant’’ in the definition of ‘‘health oversight agency’’ at § 164.501. Covered entities are permitted to disclose protected health information to health oversight agencies under § 164.512(d) without an authorization. Therefore, we do not believe the final rule should hinder the Department of Justice’s ability to conduct investigations pursuant to its authority in CRIPA.

Clinical Laboratory Improvement Amendments

Comment: One comment expressed concern that the proposed definition of health care operations did not include activities related to the quality control clinical studies performed by laboratories to demonstrate the quality of patient test results. Because the Clinical Laboratory Improvement Amendments of 1988 (‘‘CLIA’’) require these studies, which the comment asserted require the use of protected health information, the comment suggested including this specific activity in the definition of ‘‘health care operations.’’
Response: We do not intend for the privacy regulation to impede the ability of laboratories to comply with the requirements of CLIA. Quality control activities come within the definition of ‘‘health care operations’’ in § 164.501 because they come within the meaning of the term ‘‘quality assurance activities.’’ To the extent they would not come within health care operations, but
are required by CLIA, the privacy regulation permits clinical laboratories that are regulated by CLIA to comply with mandatory uses and disclosures of protected health information pursuant to § 164.512(a).
Comment: One comment stated that the proposed regulation’s right of access for inspection and copying provisions were contrary to CLIA in that CLIA permits laboratories to disclose lab test results only to ‘‘authorized persons.’’ This comment suggested that the final rule include language adopting this restriction to ensure that patients not obtain laboratory test results before the appropriate health care provider has reviewed and explained those results to the patients.
A similar comment stated that the lack of preemption of state laws could create problems for clinical laboratories under CLIA. Specifically, this comment noted that CLIA permits clinical laboratories to perform tests only upon the written or electronic request of, and to provide the results to, an ‘‘authorized person.’’ State laws define who is an ‘‘authorized person.’’ The comment expressed concern as to whether the regulation would preempt state laws that only permit physicians to receive test results.
Response: We agree that CLIA controls in these cases. Therefore, we have amended the right of access, § 164.524(a), so that a covered entity that is subject to CLIA does not have to provide access to the individual to the extent such access would be prohibited by law. Because of this change, we believe the preemption concern is moot.

Controlled Substances Act

Comment: One comment expressed concern that the privacy regulation as proposed would restrict the Drug Enforcement Administration’s (‘‘the DEA’’) enforcement of the Controlled Substances Act (‘‘CSA’’). The comment suggested including enforcement activities in the definition of ‘‘health oversight agency.’’
Response: In our view, the privacy regulation should not impede the DEA’s ability to enforce the CSA. First, to the extent the CSA requires disclosures to the DEA, these disclosures would be permissible under § 164.512(a). Second, some of the DEA’s CSA activities come within the exception for health oversight agencies which permits disclosures to health oversight agencies for:
Activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections * * * civil, administrative, or criminal proceedings or actions; and other activity necessary for appropriate oversight of the health care system.
Therefore, to the extent the DEA is enforcing the CSA, disclosures to it in its capacity as a health oversight agency are permissible under § 164.512(d). Alternatively, CSA-required disclosures to the DEA for law enforcement purposes are permitted under § 164.512(f). When acting as a law enforcement agency under the CSA, the DEA may obtain the information pursuant to § 164.512(f). Thus, we do not agree that the privacy regulation will impede the DEA’s enforcement of the CSA. See the preamble discussion of § 164.512 for further explanation.
Comment: One commenter suggested clarifying the provisions allowing disclosures that are ‘‘required by law’’ to ensure that the mandatory reporting requirements the CSA imposes on covered entities, including making available reports, inventories, and records of transactions, are not preempted by the regulation.
Response: We agree that the privacy regulation does not alter covered entities’ obligations under the CSA. Because the CSA requires covered entities manufacturing, distributing, and/or dispensing controlled substances to maintain and provide to the DEA specific records and reports, the privacy regulation permits these disclosures under § 164.512(a). In addition, when the DEA seeks documents to determine an entity’s compliance with the CSA, such disclosures are permitted under § 164.512(d).
Comment: The same commenter expressed concern that the proposed privacy regulation inappropriately limits voluntary reporting and would prevent or deter employees of covered entities from providing the DEA with information about violations of the CSA.
Response: We agree with the general concerns expressed in this comment. We do not believe the privacy rules will limit voluntary reporting of violations of the CSA. The CSA requires certain entities to maintain several types of records that may include protected health information. Although reports that include protected health information may be restricted under these rules, reporting the fact that an entity is not maintaining proper reports is not. If it were necessary to obtain protected health information during the investigatory stages following such a voluntary report, the DEA would be able to obtain the information in other ways, such as by following the administrative procedures outlined in § 164.512(e).
We also agree that employees of covered entities who report violations of the CSA should not be subjected to retaliation by their employers. Under § 164.502(j), we specifically state that a covered entity is not considered to have violated the regulation if a workforce member or business associate in good faith reports violations of laws or professional standards by covered entities to appropriate authorities. See discussion of § 164.502(j) below.

Department of Transportation

Comment: Several commenters stated that the Secretary should recognize in the preamble that it is permissible for employers to condition employment on an individual’s delivering a consent to certain medical tests and/or examinations, such as drug-free workplace programs and Department of Transportation (‘‘DOT’’)-required physical examinations. These comments also suggested that employers should be able to receive certain information, such as pass/fail test and examination results, fitness-to-work assessments, and other legally required or permissible physical assessments without obtaining an authorization. To achieve this goal, these comments suggested defining ‘‘health information’’ to exclude information such as information about how much weight a specific employee can lift.
Response: We reject the suggestion to define ‘‘health information,’’ which Congress defined in HIPAA, so that it excludes individually identifiable health information that may be relevant to employers for these types of examinations and programs. We do not regulate employers. Nothing in the rules prohibits employers from conditioning employment on an individual signing the appropriate consent or authorization. By the same token, however, the rules below do not relieve employers from their obligations under the ADA and other laws that restrict the disclosure of individually identifiable health information.
Comment: One commenter asserted that the proposed regulation conflicts with the DOT guidelines regarding positive alcohol and drug tests that require that the employer be notified in writing of the results. This document contains protected health information. In addition, the treatment center records must be provided to the Substance Abuse Professional (‘‘SAP’’) and the employer must receive a report from the SAP with random drug testing recommendations.
Response: It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions or individuals being transferred to such positions.
Employers, pursuant to DOT regulations, may condition an employee’s employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers.

Developmental Disabilities Act

Comment: One commenter urged HHS to ensure that the regulation would not impede access to individually identifiable health information by entities that are part of the Protection and Advocacy System to investigate abuse and neglect as authorized by the Developmental Disabilities Bill of Rights Act.

Response: The Developmental Disabilities Assistance and Bill of Rights Act of 2000 (‘‘DD Act’’) mandates specific disclosures of individually identifiable health information to Protection and Advocacy systems designated by the chief elected official of the states and Territories. Therefore, covered entities may make these disclosures under § 164.512(a) without first obtaining an individual’s authorization, except in those circumstances in which the DD Act requires the individual’s authorization. Therefore, the rules below will not impede the functioning of the existing Protection and Advocacy System.

Employee Retirement Income Security Act of 1974

Comment: Several commenters objected to the fact that the NPRM did not clarify the scope of preemption of state laws under the Employee Retirement Income Security Act of 1974 (ERISA). These commenters asserted that the final rule must state that ERISA preempts all state laws (including those relating to the privacy of individually identifiable health information) so that multistate employers could continue to administer their group health plans using a single set of rules. In contrast, other commenters criticized the Department for its analysis of the current principles governing ERISA preemption of state law, pointing out that the Department has no authority to interpret ERISA.

Response: This Department has no authority to issue regulations under ERISA as requested by some of these commenters, so the rule below does not contain the statement requested. See the discussion of this point under ‘‘Preemption’’ above.

Comment: One commenter requested that the final rule clarify that section 264(c)(2) of HIPAA does not save state laws that would otherwise be preempted by the Federal Employees Health Benefits Program. The commenter noted that in the NPRM this statement was made with respect to Medicare and ERISA, but not the law governing the FEHBP.

Response: We agree with this comment. The preemption analysis set out above with respect to ERISA applies equally to the Federal Employees Health Benefit Program.

Comment: One commenter noted that the final rule should clarify the interplay between state law, the preemption standards in Subtitle A of Title I of HIPAA (Health Care Access, Portability and Renewability), and the preemption standards in the privacy requirements in Subtitle F of Title II of HIPAA (Administrative Simplification).

Response: The NPRM described only the preemption standards that apply with respect to the statutory provisions of HIPAA that were implemented by the proposed rule. We agree that the preemption standards in Subtitle A of Title I of HIPAA are different. Congress expressly provided that the preemption provisions of Title I apply only to Part 7, which addresses portability, access, and renewability requirements for Group Health Plans. To the extent state laws contain provisions regarding portability, access, or renewability, as well as privacy requirements, a covered entity will need to evaluate the privacy provisions under the Title II preemption provisions, as explained in the preemption provisions of the rules, and the other provisions under the Title I preemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

Comment: Several comments stated that the privacy regulation should be consistent with the European Union’s Directive on Data Protection. Others sought guidance as to how to comply with both the E.U. Directive on Data Protection and the U.S. Safe Harbor Privacy Principles.

Response: We appreciate the need for covered entities obtaining personal data from the European Union to understand how the privacy regulation intersects with the Data Protection Directive. We have provided guidance as to this interaction in the ‘‘Other Federal Laws’’ provisions of the preamble.

Comment: A few comments expressed concern that the proposed definition of ‘‘individual’’ excluded foreign military and diplomatic personnel and their dependents, as well as overseas foreign national beneficiaries. They noted that the distinctions are based on nationality and are inconsistent with the stance of the E.U. Directive on Data Protection and the Department of Commerce’s assurances to the European Commission.

Response: We agree with the general principle that privacy protections should protect every person, regardless of nationality. As noted in the discussion of the definition of ‘‘individual,’’ the final regulation’s definition does not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries from the definition of individual. As described in the discussion of § 164.512 below, the final rule applies to foreign diplomatic personnel and their dependents like all other individuals. Foreign military personnel receive the same treatment under the final rule as U.S. military personnel do, as discussed with regard to § 164.512 below. Overseas foreign national beneficiaries, to the extent they receive care from the Department of Defense or a source acting on behalf of the Department of Defense, remain generally excluded from the final rule’s protections. For a more detailed explanation, see § 164.500.

Fair Credit Reporting Act

Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act (‘‘FCRA’’) from the requirements of the privacy regulation. These commenters noted that the protections in the privacy regulation duplicate those in the FCRA.

Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA’s focus is not the same as our Congressional mandate to protect individually identifiable health information.

To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of §§ 164.501 and 164.502 below.

We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of ‘‘consumer reporting agencies.’’ As such, these entities are subject to the FCRA. As described in the preamble to § 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the
purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA.

Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation’s requirements applied to information disclosed to consumer reporting agencies.

Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under § 164.512(a). See also discussion under the definition of ‘‘payment’’ below.

Fair Debt Collection Practices Act

Comment: Several comments expressed concern about whether health plans and health care providers would be able to continue using debt collectors in compliance with the Fair Debt Collection Practices Act and related laws.

Response: In our view, health plans and health care providers will be able to continue using debt collectors. Using the services of a debt collector to obtain payment for the provision of health care comes within the definition of ‘‘payment’’ and is permitted under the regulation. Thus, so long as the use of debt collectors is consistent with the regulatory requirements (such as providers obtaining the proper consents, the disclosure being of the minimum amount of information necessary to collect the debt, the provider or health plan entering into a business associate agreement with the debt collector, etc.), relying upon debt collectors to obtain reimbursement for the provision of health care would not be prohibited by the regulation.

Family Medical Leave Act

Comment: One comment suggested that the proposed regulation adversely affects the ability of an employer to determine an employee’s entitlement to leave under the Family Medical Leave Act (‘‘FMLA’’) by affecting the employer’s right to receive medical certification of the need for leave, additional certifications, and fitness for duty certification at the end of the leave. The commenter sought clarification as to whether a provider could disclose information to an employer without first obtaining an individual’s consent or authorization. Another commenter suggested that the final rule explicitly exclude from the rule disclosures authorized by the FMLA, because, in the commenter’s view, it provides more than adequate protection for the confidentiality of medical records in the employment context.

Response: We disagree that the FMLA provides adequate privacy protections for individually identifiable health information. As we understand the FMLA, the need for employers to obtain protected health information under the statute is analogous to the employer’s need for protected health information under the ADA. In both situations, employers may need protected health information to fulfill their obligations under these statutes, but neither statute requires covered entities to provide the information directly to the employer. Thus, covered entities in these circumstances will need an individual’s authorization before the disclosure is made to the employer.

Federal Common Law

Comment: One commenter did not want the privacy rules to interfere with the federal common law governing collective bargaining agreements permitting employers to insist on the cooperation of employees with medical fitness evaluations.

Response: We do not seek to interfere with legal medical fitness evaluations. These rules require a covered entity to have an individual’s authorization before the information resulting from such evaluations is disclosed to the employer unless another provision of the rule applies. We do not prohibit employers from conditioning employment, accommodations, or other benefits, when legally permitted to do so, upon the individual/employee providing an authorization that would permit the disclosure of protected health information to employers by covered entities. See § 164.508(b)(4) below.

Federal Educational Rights and Privacy Act

Comment: A few commenters supported the exclusion of ‘‘education records’’ from the definition of ‘‘protected health information.’’ However, one commenter requested that ‘‘treatment records’’ of students who are 18 years or older attending post-secondary education institutions be excluded from the definition of ‘‘protected health information’’ as well to avoid confusion.

Response: We agree with these commenters. See ‘‘Relationship to Other Federal Laws’’ for a description of our exclusion of FERPA ‘‘education records’’ and records defined at 20 U.S.C. 1232g(a)(4)(B)(iv), commonly referred to as ‘‘treatment records,’’ from the definition of ‘‘protected health information.’’

Comment: One comment suggested that the regulation should not apply to any health information that is part of an ‘‘education record’’ in any educational agency or institution, regardless of its FERPA status.

Response: We disagree. As noted in our discussion of ‘‘Relationship to Other Federal Laws,’’ we exclude education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA.

Comment: One commenter suggested eliminating the preamble language that describes school nurses and on-site clinics as acting as providers and subject to the privacy regulation, noting that this language is confusing and inconsistent with the statements provided in the preamble explicitly stating that HIPAA does not preempt FERPA.

Response: We agree that this language may have been confusing. We have provided a clearer expression of when schools may be required to comply with the privacy regulation in the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Comment: One commenter suggested adding a discussion of FERPA to the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Response: We agree and have added FERPA to the list of federal laws discussed in the ‘‘Relationship to Other Federal Laws’’ section of the preamble.

Comment: One commenter stated that school clinics should not have to comply with the ‘‘ancillary’’ administrative requirements, such as designating a privacy official, maintaining documentation of their policies and procedures, and providing the Secretary of HHS with access.

Response: We disagree. Because we have excluded education records and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by educational agencies and institutions subject to FERPA from the definition of protected health information, only non-FERPA schools would be subject to the administrative requirements. Most of these school clinics will also not be covered entities because they are not engaged in HIPAA transactions, and these administrative requirements will not apply to them. However, to the extent a school clinic is within the definition of a health care provider, as Congress defined the term, and the school clinic is engaged in HIPAA transactions, it will be a covered entity and must comply with the rules below.
Comment: Several commenters expressed concern that the privacy regulation would eliminate the parents’ ability to have access to information in their children’s school health records. Because the proposed regulation suggests that school-based clinics keep health records separate from other educational files, these comments argued that the regulation is contrary to the spirit of FERPA, which provides parents with access rights to their children’s educational files.

Response: As noted in the ‘‘Relationship to Other Federal Laws’’ provision of the preamble, to the extent information in school-based clinics is not protected health information because it is an education record, the FERPA access requirements apply and this regulation does not. For more detail regarding the rule’s application to unemancipated minors, see the preamble discussion about ‘‘Personal Representatives.’’

Federal Employees Compensation Act

Comment: One comment noted that the Federal Employees Compensation Act (‘‘FECA’’) requires claimants to sign a release form when they file a claim. This commenter suggested that the privacy regulation should not place additional restrictions on this type of release form.

Response: We agree. In the final rule, we have added a new provision, § 164.512(l), that permits covered entities to make disclosures authorized under workers’ compensation and similar laws. This provision would permit covered entities to make disclosures authorized under FECA and not require a different release form.

Federal Employees Health Benefits Program

Comment: A few comments expressed concern about the preemption effect on FEHBP and wanted clarification that the privacy regulation does not alter the existing preemptive scope of the program.

Response: We do not intend to affect the preemptive scope of the FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any state law that ‘‘relates to’’ health insurance or plans. 5 U.S.C. 8902(m). The final rule does not attempt to alter the preemptive scope Congress has provided to the FEHBP.

Comment: One comment suggested that in the context of FEHBP, HHS should place the enforcement responsibilities of the privacy regulation with the Office of Personnel Management, as the agency responsible for administering the program.

Response: We disagree. Congress placed enforcement with the Secretary. See section 1176 of the Act.

Federal Rules of Civil Procedure

Comment: A few comments suggested revising proposed § 164.510(d) so that it is consistent with the existing discovery procedure under the Federal Rules of Civil Procedure or local rules.

Response: We disagree that the rules regarding disclosures and uses of protected health information for judicial and administrative procedures should provide only those protections that exist under existing discovery rules. Although the current process may be appropriate for other documents and information requested during the discovery process, the current system, as exemplified by the Federal Rules of Civil Procedure, does not provide sufficient protection for protected health information. Under current discovery rules, private attorneys, government officials, and others who develop such requests make the initial determinations as to what information or documentation should be disclosed. Independent third-party review, such as that by a court, only becomes necessary if a person of whom the request is made refuses to provide the information. If this happens, the person seeking discovery must obtain a court order or move to compel discovery. In our view this system does not provide sufficient protections to ensure that unnecessary and unwarranted disclosures of protected health information do not occur. For a related discussion, see the preamble regarding ‘‘Disclosures for Judicial and Administrative Proceedings’’ under § 164.512(e).

Federal Rules of Evidence

Comment: Many comments requested clarification that the privacy regulation does not conflict or interfere with federal or state privileges. In particular, one of these comments suggested that the final regulation provide that disclosures for a purpose recognized by the regulation not constitute a waiver of federal or state privileges.

Response: We do not intend for the privacy regulation to interfere with federal or state rules of evidence that create privileges. Consistent with The Uniform Health-Care Information Act drafted by the National Conference of Commissioners on Uniform State Laws, we do not view a consent or an authorization to function as a waiver of federal or state privileges. For further discussion of the effect of consent or authorization on federal or state privileges, see preamble discussions in §§ 164.506 and 164.508.

Comment: Other comments applauded the Secretary’s references to Jaffee v. Redmond, 518 U.S. 1 (1996), which recognized a psychotherapist-patient privilege, and asked the Secretary to expressly incorporate this privilege into the final regulation.

Response: We agree that the psychotherapist-patient relationship is an important one that deserves protection. However, it is beyond the scope of our mandate to create specific evidentiary privileges. It is also unnecessary because the United States Supreme Court has adopted this privilege.

Comment: A few comments discussed whether one remedy for violating the privacy regulation should be to exclude or suppress evidence obtained in violation of the regulation. One comment supported using this penalty, while another opposed it.

Response: We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts.

Federal Tort Claims Act

Comment: One comment contended that the proposed regulation’s requirement mandating covered entities to name the subjects of protected health information disclosed under a business partner contract as third party intended beneficiaries under the contract would have created an impermissible right of action against the government under the Federal Tort Claims Act (‘‘FTCA’’).

Response: Because we have deleted the third party beneficiary provisions from the final rules, this comment is moot.

Comment: Another comment suggested the regulation would hamper the ability of federal agencies to disclose protected health information to their attorneys, the Department of Justice, during the initial stages of claims brought under the FTCA.

Response: We disagree. The regulation applies only to federal agencies that are covered entities. To the extent an agency is not a covered entity, it is not subject to the regulation; to the extent an agency is a covered entity, it must comply with the regulation. A covered entity that is a federal agency may disclose relevant information to its attorneys, who are business associates, for purposes of health care operations, which includes uses or disclosures for legal functions. See § 164.501 (definitions of ‘‘business associate’’ and ‘‘health care operations’’). The final rule provides specific provisions describing how federal agencies may provide
adequate assurances for these types of disclosures of protected health information. See § 164.504(e)(3).

Food and Drug Administration

Comment: A few comments expressed concerns about the use of protected health information for reporting activities to the Food and Drug Administration (“FDA”). Their concern focused on the ability to obtain or disclose protected health information for pre- and post-marketing adverse event reports, device tracking, and post-marketing safety and efficacy evaluation.

Response: We agree with this comment and have provided that covered entities may disclose protected health information to persons subject to the jurisdiction of the FDA, to comply with the requirements of, or at the direction of, the FDA with regard to reporting adverse events (or similar reports with respect to dietary supplements), the tracking of medical devices, other post-marketing surveillance, or other similar requirements described at § 164.512(b).

Foreign Standards

Comment: One comment asked how the regulation could be enforced against foreign countries (or presumably entities in foreign countries) that solicit medical records from entities in the United States.

Response: We do not regulate solicitations of information. To the extent a covered entity wants to comply with a request for disclosure of protected health information to foreign countries or entities within foreign countries, it will need to comply with the privacy rules before making the disclosure. If the covered entity fails to comply with the rules, it will be subject to enforcement proceedings.

Freedom of Information Act

Comment: One comment asserted that the proposed privacy regulation conflicts with the Freedom of Information Act (“FOIA”). The comment argued that the proposed restriction on disclosures by agencies would not come within one of the permissible exemptions to the FOIA. In addition, the comment noted that only in exceptional circumstances would the protected health information of deceased individuals come within an exemption because, for the most part, death extinguishes an individual’s right to privacy.

Response: Section 164.512(a) below permits covered entities to disclose protected health information when such disclosures are required by other laws as long as they follow the requirements of those laws. Therefore, the privacy regulation will not interfere with the ability of federal agencies to comply with FOIA, when it requires the disclosure.

We disagree, however, that most protected health information will not come within Exemption 6 of FOIA. See the discussion above under “Relationship to Other Federal Laws” for our review of FOIA. Moreover, we disagree with the comment’s assertion that the protected health information of deceased individuals does not come within Exemption 6. Courts have recognized that a deceased individual’s surviving relatives may have a privacy interest that federal agencies may consider when balancing privacy interests against the public interest in disclosure of the requested information. Federal agencies will need to consider not only the privacy interests of the subject of the protected health information in the record requested, but also, when appropriate, those of a deceased individual’s family consistent with judicial rulings.

If an agency receives a FOIA request for the disclosure of protected health information of a deceased individual, it will need to determine whether or not the disclosure comes within Exemption 6. This evaluation must be consistent with the court’s rulings in this area. If the exemption applies, the federal agency will not have to release the information. If the federal agency determines that the exemption does not apply, it may release it under § 164.512(a) of this regulation.

Comment: One commenter expressed concern that our proposal to protect the individually identifiable health information about the deceased for two years following death would impede public interest reporting and would be at odds with many state Freedom of Information laws that make death records and autopsy reports public information. The commenter suggested permitting medical information to be available upon the death of an individual or, at the very least, that an appeals process be permitted so that health information trustees would be allowed to balance the interests in privacy and in public disclosure and release or not release the information accordingly.

Response: These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under § 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose it without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule.

If another law does not require the disclosure of death records and autopsy reports generated and maintained by a covered entity, which are protected health information, covered entities are not allowed to disclose such information except as permitted or required by the final rule, even if another entity discloses them.

Comment: One comment sought clarification of the relationship between the Freedom of Information Act, the Privacy Act, and the privacy rules.

Response: We have provided this analysis in the “Relationship to Other Federal Laws” section of the preamble in our discussion of the Freedom of Information Act.

Gramm-Leach-Bliley

Comments: One commenter noted that the Financial Services Modernization Act, also known as Gramm-Leach-Bliley (“GLB”), requires financial institutions to provide detailed privacy notices to individuals. The commenter suggested that the privacy regulation should not require financial institutions to provide additional notice.

Response: We disagree. To the extent a covered entity is required to comply with the notice requirements of GLB and those of our rules, the covered entity must comply with both. We will work with the FTC and other agencies implementing GLB to avoid unnecessary duplication. For a more detailed discussion of GLB and the privacy rules, see the “Relationship to Other Federal Laws” section of the preamble.

Comment: A few commenters asked that the Department clarify that financial institutions, such as banks, that serve as payors are covered entities. The comments explained that with the enactment of the Gramm-Leach-Bliley Act, banks are able to form holding companies that will include insurance companies (that may be covered entities). They recommended that banks be held to the rule’s requirements and be required to obtain authorization to conduct non-payment activities, such as for the marketing of health and non-health items and services or the use and disclosure to non-health related divisions of the covered entity.
Response: These comments did not provide specific facts that would permit us to provide a substantive response. An organization will need to determine whether it comes within the definition of “covered entity.” An organization may also need to consider whether or not it contains a health care component. Organizations that are uncertain about the application of the regulation to them will need to evaluate their specific facts in light of this rule.

Inspector General Act

Comment: One comment requested the Secretary to clarify in the preamble that the privacy regulation does not preempt the Inspector General Act.

Response: We agree that to the extent the Inspector General Act requires uses or disclosures of protected health information, the privacy regulation does not preempt it. The final rule provides that to the extent required under section 201(a)(5) of the Act, nothing in this subchapter should be construed to diminish the authority of any Inspector General, including the authority provided in the Inspector General Act of 1978. See discussion of § 160.102 above.

Medicare and Medicaid

Comment: One comment suggested possible inconsistencies between the regulation and Medicare/Medicaid requirements, such as those under the Quality Improvement System for Managed Care. This commenter asked that HHS expand the definition of health care operations to include health promotion activities and avoid potential conflicts.

Response: We disagree that the privacy regulation would prohibit managed care plans operating in the Medicare or Medicaid programs from fulfilling their statutory obligations. To the extent a covered entity is required by law to use or disclose protected health information in a particular manner, the covered entity may make such a use or disclosure under § 164.512(a). Additionally, quality assessment and improvement activities come within the definition of “health care operations.” Therefore, the specific example provided by the commenter would seem to be a permissible use or disclosure under § 164.502, even if it were not a use or disclosure “required by law.”

Comment: One commenter stated that Medicare should not be able to require the disclosure of psychotherapy notes because it would destroy a practitioner’s ability to treat patients effectively.

Response: If Title XVIII of the Social Security Act requires the disclosure of psychotherapy notes, the final rule permits, but does not require, a covered entity to make such a disclosure under § 164.512(a). If, however, the Social Security Act does not require such disclosures, Medicare does not have the discretion to require the disclosure of psychotherapy notes as a public policy matter because the final rule provides that covered entities, with limited exceptions, must obtain an individual’s authorization before disclosing psychotherapy notes. See § 164.508(a)(2).

National Labor Relations Act

Comment: A few comments expressed concern that the regulation did not address the obligation of covered entities to disclose protected health information to collective bargaining representatives under the National Labor Relations Act.

Response: The final rule does not prohibit disclosures that covered entities must make pursuant to other laws. To the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may do so without an authorization. Also, the definition of “health care operations” at § 164.501 permits disclosures to employee representatives for purposes of grievance resolution.

Organ Donation

Comment: One commenter expressed concern about the potential impact of the regulation on the organ donation program under 42 CFR part 482.

Response: In the final rule, we add provisions allowing the use or disclosure of protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See § 164.512(h).

Privacy Act Comments

Comment: One comment suggested that the final rule unambiguously permit the continued operation of the statutorily established or authorized discretionary routine uses permitted under the Privacy Act for both law enforcement and health oversight.

Response: We disagree. See the discussion of the Privacy Act in “Relationship to Other Federal Laws” above.

Public Health Services Act

Comment: One comment suggested that the Public Health Service Act places more stringent rules regarding the disclosure of information on Federally Qualified Health Centers than the proposed privacy regulation suggested. Therefore, the commenter suggested that the final rule exempt Federally Qualified Health Centers from the rule’s requirements.

Response: We disagree. Congress expressly included Federally Qualified Health Centers, a provider of medical or other health services under the Social Security Act section 1861(s), within its definition of health care provider in section 1171 of the Act; therefore, we cannot exclude them from the regulation.

Comment: One commenter noted that no conflicts existed between the proposed rule and the Public Health Services Act.

Response: As we discuss in the “Relationship to Other Federal Laws” section of the preamble, the Public Health Service Act contains explicit confidentiality requirements that are so general as not to create problems of inconsistency. We recognized, however, that in some cases, that law or its accompanying regulations may contain greater restrictions. In those situations, a covered entity’s ability to make what are permissive disclosures under this privacy regulation would be limited by those laws.

Reporting Requirement

Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements.

Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under § 164.512(a). The notice provisions at § 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered
entity is permitted or required by the rules to use or disclose protected health information without an individual’s written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to § 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity “will disclose your protected health information to comply with legal requirements” should suffice.

Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies.

Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under § 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in § 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures.

Security Standards

Comment: One comment called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the security standards should be compatible with the existing and emerging health care and information technology industry standards.

Response: We agree that the security standards and the privacy rules should be compatible with one another and are working to ensure that the final rules in both areas function together. Because we are addressing comments regarding the privacy rules in this preamble, we will consider the comment about the security standard as we finalize that set of rules.

Substance Abuse Confidentiality Statute and Regulations

Comment: Several commenters noted that many health care providers are bound by the federal restrictions governing alcohol and drug abuse records. One commenter noted that the NPRM differed substantially from the substance abuse regulations and would have caused a host of practical problems for covered entities. Another commenter, however, supported the NPRM’s analysis that stated that more stringent provisions of the substance abuse provisions would apply. This commenter suggested an even stronger approach of including in the text a provision that would preserve existing federal law. Yet, one comment suggested that the regulation as proposed would confuse providers by making it difficult to determine when they may disclose information to law enforcement because the privacy regulation would permit disclosures that the substance abuse regulations would not.

Response: We appreciate the need of some covered entities to evaluate the privacy rules in light of federal requirements regarding alcohol and drug abuse records. Therefore, we provide a more detailed analysis in the “Relationship to Other Federal Laws” section of the preamble.

Comment: Some of these commenters also noted that state laws contain strict confidentiality requirements. A few commenters suggested that HHS reassess the regulations to avoid inconsistencies with state privacy requirements, implying that problems exist because of conflicts between the federal and state laws regarding the confidentiality of substance abuse information.

Response: As noted in the preamble section discussing preemption, the final rules do not preempt state laws that provide more privacy protections. For a more detailed analysis of the relationship between state law and the privacy rules, see the “Preemption” provisions of the preamble.

Tribal Law

Comments: One commenter suggested that the consultation process with tribal governments described in the NPRM was inadequate under Executive Order No. 13084. In addition, the commenter expressed concern that the disclosures for research purposes as permitted by the NPRM would conflict with a number of tribal laws that offer individuals greater privacy rights with respect to research and reflect cultural appropriateness. In particular, the commenter referenced the Health Research Code for the Navajo Nation which creates an entity with broader authority over research conducted on the Navajo Nation than the local IRB and requires informed consent by study participants. Other laws mentioned by the commenter included the Navajo Nation Privacy and Access to Information Act and a similar policy applicable to all health care providers within the Navajo Nation. The commenter expressed concern that the proposed regulation research provisions would override these tribal laws.

Response: We disagree with the comment that the consultation with tribal governments undertaken prior to the proposed regulation is inadequate under Executive Order No. 13084. As stated in the proposed regulation, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as others, about the proposals and the application of HIPAA to the Tribes, and the potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. In addition, Indian and tribal governments had the opportunity to, and did, submit substantive comments on the proposed rules.

Additionally, disclosures permitted by this regulation do not conflict with the policies as described by this commenter. Disclosures for research purposes under the final rule, as in the proposed regulation, are permissive disclosures only. The rule describes the outer boundaries of permissible disclosures. A covered health care provider that is subject to the tribal laws of the Navajo Nation must continue to comply with those tribal laws. If the tribal laws impose more stringent privacy standards on disclosures for research, such as requiring informed consent in all cases, nothing in the final rule would preclude compliance with those more stringent privacy standards. The final rule does not interfere with the internal governance of the Navajo Nation or otherwise adversely affect the policy choices of the tribal government with respect to the cultural appropriateness of research conducted in the Navajo Nation.

TRICARE

Comment: One comment expressed concern regarding the application of the “minimum necessary” standard to investigations of health care providers under the TRICARE (formerly the CHAMPUS) program. The comment also expressed concern that health care providers would be able to avoid providing their records to such investigators because the proposed § 164.510 exceptions were not mandatory disclosures.

Response: In our view, neither the minimum necessary standard nor the final §§ 164.510 and 164.512 permissive disclosures will impede such investigations. The regulation requires covered entities to make all reasonable efforts not to disclose more than the minimum amount of protected health
information necessary to accomplish the intended purpose of the use or disclosure. This requirement, however, does not apply to uses or disclosures that are required by law. See § 164.502(b)(2)(iv). Thus, if the disclosure to the investigators is required by law, the minimum necessary standard will not apply. Additionally, the final rule provides that covered entities rely, if such reliance is reasonable, on assertions from public officials about what information is reasonably necessary for the purpose for which it is being sought. See § 164.514(d)(3)(iii).

We disagree with the assertion that providers will be able to avoid providing their records to investigators. Nothing in this rule permits covered entities to avoid disclosures required by other laws.

disclosures of our rules, no conflict exists. In some cases, our rules may demand additional requirements, such as obtaining the approval of a privacy board or Institutional Review Board if a covered entity seeks to disclose protected health information for research purposes without the individual’s authorization. A covered entity subject to the VA statute will need to ensure that it meets the requirements of both that statute and the regulation below. If a conflict arises, the covered entity should evaluate the specific potential conflicting provisions under the implied repeal analysis set forth in the “Relationship to Other Federal Laws” discussion in the preamble.

WIC

Comment: One comment called on

knowledge that her human resources manager is improperly reviewing medical records. A few comments raised the concern that permitting any person to file a complaint lends itself to abuse and is not necessary to ensure privacy rights and that the complainant should be a person for whom there is a duty to protect health information.

Response: As discussed below, the rule defines “individual” as the person who is the subject of the individually identifiable health information. However, the covered entity may allow other persons, such as personal representatives, to exercise the rights of the individual under certain circumstances, e.g., for a deceased individual. We agree with the commenters that any person may become aware of conduct by a covered entity that is in violation of the rule.
                                                    other federal agencies to examine their                 Such persons could include the covered
Veterans Affairs
                                                    regulations and policies regarding the                  entity’s employees, business associates,
   Comment: One comment sought                      use and disclosure of protected health                  patients, or accrediting, health
clarification about how disclosures of              information. The comment suggested                      oversight, or advocacy agencies or
protected health information would                  that other agencies revise their                        organizations. Many persons, such as
occur within the Veterans Affairs                   regulations and policies to avoid                       the covered entity’s employees, may, in
programs for veterans and their                     duplicative, contradictory, or more                     fact, be in a better position than the
dependents.                                         stringent requirements. The comment                     ‘‘individual’’ to know that a violation
   Response: We appreciate the                                                                              has occurred. Another example is a state
                                                    noted that the U.S. Department of
commenter’s request for clarification as                                                                    Protection and Advocacy group that
                                                    Agriculture’s Special Supplemental
to how the rules will affect disclosures                                                                    may represent persons with
                                                    Nutrition Program for Women, Infants,
of protected health information in the                                                                      developmental disabilities. We have
                                                    and Children (‘‘WIC’’) does not release
specific context of Veteran’s Affairs                                                                       decided to allow complaints from any
                                                    WIC data. Because the commenter
programs. Veterans health care                                                                              person. The term ‘‘person’’ is not
                                                    believed the regulation would not
programs under 38 U.S.C. chapter 17 are                                                                     restricted here to human beings or
                                                    prohibit the disclosure of WIC data, the
defined as ‘‘health plans.’’ Without                                                                        natural persons, but also includes any
                                                    comment stated that the Department of
sufficient details as to the particular                                                                     type of association, group, or
                                                    Agriculture should now release such
aspects of the Veterans Affairs programs                                                                    organization.
that this comment views as problematic,                                                                        Allowing such persons to file
                                                       Response: We support other federal
we cannot comment substantively on                                                                          complaints may be the only way the
                                                    agencies to whom the rules apply in
this concern.                                                                                               Secretary may learn of certain possible
                                                    their efforts to review existing
   Comment: One comment suggested                                                                           violations. Moreover, individuals who
                                                    regulations and policies regarding
that the final regulation clarify that the                                                                  are the subject of the information may
                                                    protected health information. However,
analysis applied to the substance abuse                                                                     not be willing to file a complaint
                                                    we do not agree with the suggestion that
regulations apply to laws governing                                                                         because of fear of embarrassment or
                                                    other federal agencies that are not
Veteran’s Affairs health records.                                                                           retaliation. Based on our experience
   Response: Although we realize some               covered entities must reduce the
                                                                                                            with various civil rights laws, such as
difference may exist between the laws,              protections or access-related rights they
                                                                                                            Title VI of the Civil Rights Act of 1964
we believe the discussion of federal                provide for individually identifiable
                                                                                                            and Title II of the Americans with
substance abuse confidentiality                     health information they hold.
                                                                                                            Disabilities Act, that allow any person
regulations in the ‘‘Relationship to                Part 160, Subpart C—Compliance and                      to file a complaint with the Secretary,
Other Federal Laws’’ preamble provides              Enforcement                                             we do not believe that this practice will
guidance that may be applied to the                                                                         result in abuse. Finally, upholding
laws governing Veteran’s Affairs (‘‘VA’’)           Section 160.306(a)—Who Can File
                                                                                                            privacy protections benefits all persons
health records. In most cases, a conflict           Complaints With the Secretary
                                                                                                            who have or may be served by the
will not exist between these privacy                  Comment: The proposed rule limited                    covered entity as well as the general
rules and the VA programs. For                      those who could file a complaint with                   public, and not only the subject of the
example, some disclosures allowed                   the Secretary to individuals. A number                  information.
without patient consent or authorization            of commenters suggested that other                         If a complaint is received from
under the privacy regulation may not be             persons with knowledge of a possible                    someone who is not the subject of
within the VA statutory list of                     violation should also be able to file                   protected health information, the person
permissible disclosures without a                   complaints. Examples that were                          who is the subject of this information
written consent. In such circumstances,             provided included a mental health care                  may be concerned with the Secretary’s
the covered entity would have to abide              provider with first hand knowledge of a                 investigation of this complaint. While
by the VA statute, and no conflict exists.          health plan improperly requiring                        we did not receive comments on this
If the disclosures permitted by the VA              disclosure of psychotherapy notes and                   issue, we want to protect the privacy
statute come within the permissible                 an occupational health nurse with                       rights of this individual. This might

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00140   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82601

involve the Secretary seeking to contact            complaint coming to the attention of the                the regulation require that complaints
the individual to provide information as            Secretary because of the time allowed                   be filed with the Secretary by a certain
to how the Secretary will address                   for the covered entity to resolve the                   time. These commenters generally
individual’s privacy concerns while                 complaint may mean that significant                     recommended that the time period for
resolving the complaint. Contacting all             violations are not addressed                            filing a complaint should commence to
individuals may not be practicable in               expeditiously. Finally, the process                     run from the time when the individual
the case of allegations of systemic                 proposed by these commenters is                         knew or had reason to know of the
violations (e.g., where the allegation is           arguably unnecessary because an                         violation or omission. Another comment
that hundreds of medical records were               individual who believes that an                         suggested that a requirement to file a
wrongfully disclosed).                              agreement can be reached with the                       complaint with the Secretary within 180
                                                    covered entity, can, through the entity’s               days of the alleged noncompliance is a
Requiring That a Complainant Exhaust
                                                    internal complaint process or other                     problem because a patient may, because
the Covered Entity’s Internal Complaint
                                                    means, seek resolution before filing a                  of his or her medical condition, be
Process Prior to Filing a Complaint With
                                                    complaint with the Secretary.                           unable to access his or her records
the Secretary                                          Our approach is consistent with other                within that time frame.
   Comment: A number of commenters,                 laws and regulations protecting                            Response: We agree with the
primarily health plans, suggested that              individual rights. None of the civil                    commenters that complainants should
individuals should not be permitted to              rights laws enforced by the Secretary                   generally be required to submit
file a complaint with the Secretary until           require a complainant to provide any                    complaints in a timely fashion. Federal
they exhaust the covered entity’s own               notification to the entity that is alleged              regulations implementing Title VI of the
complaint process. Commenters stated                to have engaged in discrimination (e.g.,                Civil Rights Act of 1964 provide that
that covered entities should have a                 Americans with Disabilities Act, section                ‘‘[a] complaint must be filed not later
certain period of time, such as ninety              504 of the Rehabilitation Act, Title VI of              than ‘180 days from the date of the
days, to correct the violation. Some                the Civil Rights Act, and the Age                       alleged discrimination’ unless the time
commenters asserted that providing for              Discrimination Act). The concept of                     for filing is extended by the responsible
filing a complaint with the Secretary               ‘‘exhaustion’’ is used in laws that                     Department official or his designee.’’ 45
will be very expensive for both the                 require individuals to pursue                           CFR 80.7(b). Other civil rights laws,
public and private sectors of the health            administrative remedies, such as that                   such as the Age Discrimination Act,
care industry to implement. Other                   provided by a governmental agency,                      section 504 of the Rehabilitation Act,
commenters suggested requiring the                  before bringing a court action. Under                   and Title II of the Americans with
Secretary to inform the covered entity of           HIPAA, individuals do not have a right                  Disabilities Act (ADA) (state and local
any complaint it has received and not               to court action.                                        government services), also use this
initiate an investigation or ‘‘take                    Some commenters seemed to believe                    approach. Under civil rights laws
enforcement action’’ before the covered             that the Secretary would pursue                         administered by the EEOC, individuals
entity has time to address the                      enforcement action without notifying                    have 180 days of the alleged
complaint.                                          the covered entity. It has been the                     discriminatory act to file a charge with
   Response: We have decided, for a                 Secretary’s practice in investigating                   EEOC (or 300 days if there is a state or
number of reasons, to retain the                    cases under other laws, such as various                 local fair employment practices agency
approach as presented in the proposed               civil rights laws, to inform entities that              involved).
rule. First, we are concerned that                  we have received a complaint against                       Therefore, in the final rule we require
requiring that complainants first notify            them and to seek early resolution if                    that complaints be filed within 180 days
the covered entity would have a chilling            possible. In enforcing the privacy rule,                of when the complainant knew or
effect on complaints. In the course of              the Secretary will generally inform the                 should have known that the act or
investigating individual complaints, the            covered entity of the nature of any                     omission complained of occurred unless
Secretary will often need to reveal the             complaints it has received against the                  this time limit is waived by the
identity of the complainant to the                  entity. (There may be situations where                  Secretary for good cause shown. We
covered entity. However, in the                     information is withheld to protect the                  believe that an investigation of a
investigation of cases of systemic                  privacy interests of the complainant or                 complaint is likely to be most effective
violations and some individual                      others or where revealing information                   if persons can be interviewed and
violations, individual names may not                would impede the investigation of the                   documents reviewed as close to the time
need to be identified. Under the                    covered entity.) The Secretary will also                of the alleged violation as possible.
approach suggested by these                         generally afford the entity an                          Requiring that complaints generally be
commenters, the covered entity would                opportunity to share information with                   filed within a certain period of time
learn the names of all persons who file             the Secretary that may result in an early               increases the likelihood that the
complaints with the Secretary. Some                 resolution. Our approach will be to seek                Secretary will have necessary and
individuals might feel uncomfortable or             informal resolution of complaints                       reliable information. Moreover, we are
fear embarrassment or retaliation                   whenever possible, which includes                       taking this approach in order to
revealing their identity to the covered             allowing covered entities a reasonable                  encourage complainants to file
entity they believe has violated the                amount of time to work with the                         complaints as soon as possible. By
regulation. Individuals may also feel               Secretary to come into compliance                       receiving complaints in a timely
they are being forced to enter into                 before initiating action to seek civil                  fashion, we can, if such complaints
negotiations with this entity before they           monetary penalties.                                     prove valid, reduce the harm caused by
can file a complaint with the Secretary.                                                                    the violation.
   Second, because some potential                   Section 160.306(b)(3)—Requiring That
complainants would not bring                        Complaints Be Filed With the Secretary                  Section 160.308—Basis for Conducting
complaints to the covered entity,                   Within a Certain Period of Time                         Compliance Reviews
possible violations might not become                  Comment: A number of commenters,                        Comment: A number of comments
known to the Secretary and might                    primarily privacy and disability                        expressed concern that the Secretary
continue. Third, the delay in the                   advocacy organizations, suggested that                  would conduct compliance reviews

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00141   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82602       Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

without having received a complaint or              extent of intrusion by the federal                      providing health insurance or care to
having reason to believe there is                   government into the business practices                  their employees, church plans are
noncompliance. A number of these                    of a covered entity and that these                      engaging in a secular activity. Under the
commenters appeared to believe that the             provisions violate the Fourth                           regulation, church plans are subject to
Secretary would engage in ‘‘routine                 Amendment of the Constitution.                          the same compliance and enforcement
visits.’’ Some commenters suggested                    Finally, a coalition of church plans                 requirements with which other covered
that the Secretary should only be able to           suggested that the Secretary provide                    entities must comply. Because Congress
conduct compliance reviews if the                   church plans with additional procedural                 did not carve out specific exceptions or
Secretary has initiated an investigation            safeguards to reduce unnecessary                        require stricter standards for
of a complaint regarding the covered                intrusion into internal church                          investigations related to church plans,
entity in the preceding twelve months.              operations. These suggested safeguards                  incorporating such measures into the
Some commenters suggested that there                included permitting HHS to obtain                       regulation would be inappropriate.
should only be compliance reviews                   records and other documents only if                       Additionally, there is no indication
based on established criteria for reviews           they are relevant and necessary to                      that the regulation will directly interfere
(e.g., finding of ‘‘reckless disregard’’).          compliance and enforcement activities                   with the religious practices of church
Many of these commenters stated that                related to church plans, requiring a                    plans. Also, the regulation as written
cooperating with compliance reviews is              senior official to determine the                        appropriately limits the ability of
potentially burdensome and expensive.               appropriateness of compliance-related                   investigators to obtain information from
   One commenter asked whether the                  activities for church plans, and                        covered entities. The regulation
Secretary will have a process for                   providing church plans with a self-                     provides that the Secretary may obtain
reviewing all covered entities to                   correcting period similar to that                       access only to information that is
determine how they are complying with               Congress expressly provided in Title I of               pertinent to ascertain compliance with
requirements. This commenter                        HIPAA under the tax code.                               the regulation. We do not anticipate
questioned whether covered entities                    Response: The final rule retains the                 asking for information that is not
will be required to submit plans and                proposed language in these two                          necessary to assess compliance with the
wait for Departmental approval.                     provisions with one change. The rule                    regulation. The purpose of obtaining
   Another commenter suggested that                 adds a provision indicating that the                    records and similar materials is to
the Secretary specify a time limit for the          Secretary’s access to information held                  determine compliance, not to engage in
completion of a compliance review.                  by the covered entity may be at any time                any sort of review or evaluation of
   Response: We disagree with the                   and without notice where exigent                        religious activities or beliefs. Therefore,
commenters that the final rule should               circumstances exist, such as where time                 we believe the regulation appropriately
restrict the Secretary’s ability to conduct         is of the essence because documents                     balances the need to access information
compliance reviews. The Secretary                   might be hidden or destroyed. Thus,                     to determine compliance with the desire
needs to maintain the flexibility to                covered entities will generally receive                 of covered entities to avoid opening
conduct whatever reviews are necessary              notice before the Secretary seeks to                    every record in their possession to the
to ensure compliance with the rule.                 access the entity’s books or records.                   government.
                                                       Other than the exigent circumstances
Section 160.310 (a) and (c)—The                                                                             Provision of Technical Assistance
                                                    language, the language in these two
Secretary’s Access to Information in
                                                    provisions is virtually the same as the                   Comment: A number of commenters
Determining Compliance
                                                    language in this Department’s regulation                inquired as to how a covered entity can
  Comment: Some commenters raised                   implementing Title VI of the Civil                      request technical assistance from the
objections to provisions in the proposed            Rights Act of 1964. 45 CFR 80.6(b) and                  Secretary to come into compliance. A
rule which required that covered                    (c). The Title VI regulation is                         number of commenters suggested that
entities maintain records and submit                incorporated by reference in other                      the Secretary provide interpretive
compliance reports as the Secretary                 Department regulations prohibiting                      guidance to assist with compliance.
determines is necessary to determine                discrimination of the basis of disability.              Others recommended that the Secretary
compliance and required that covered                45 CFR 84.61. Similar provisions                        have a contact person or privacy official,
entities permit access by the Secretary             allowing this Department access to                      available by telephone or email, to
during normal business hours to its                 recipient information is found in the                   provide guidance on the
books, records, accounts, and other                 Secretary’s regulation implementing the                 appropriateness of a disclosure or a
sources of information, including                   Age Discrimination Act. 45 CFR 91.34.                   denial of access. One commenter
protected health information, and its               These provisions have not proved to be                  suggested that there be a formal process
facilities, that are pertinent to                   burdensome to entities that are subject                 for a covered entity to submit
ascertaining compliance with this                   to these civil rights regulations (i.e., all            compliance activities to the Secretary
subpart. One commenter stated that the              recipients of Department funds).                        for prior approval and clarification. This
Secretary’s access to private health                   We do not interpret Constitutional                   commenter suggested that clarifications
information without appropriate patient             case law as supporting the view that a                  be published on a contemporaneous
consent is contrary to the intent of                federal agency’s review of information                  basis in the Federal Register to help
HIPAA. Another commenter expressed                  pursuant to statutory mandate violates                  correct any ambiguities and confusion
the view that, because covered entities             the Fifth Amendment protections                         in implementation. It was also suggested
face criminal penalties for violations,             against forced self incrimination. Nor                  that the Secretary undertake an
these provisions violate the Fifth                  would such a review of this information                 assessment of ‘‘best practices’’ of
Amendment protections against forced                raise Fourth Amendment problems. See                    covered entities and document and
self incrimination. Other commenters                discussion above regarding                              promote the findings to serve as a
stated that covered entities should be              Constitutional comments and responses.                  convenient ‘‘road map’’ for other
given the reason the Secretary needs to                We appreciate the concern that the                   covered entities. Another commenter
have access to its books and records.               Secretary not involve herself                           suggested that we work with providers
Another commenter stated that there                 unnecessarily into the internal                         to create implementation guidelines
should be a limit to the frequency or               operations of church plans. However, by                 modeled after the interpretative

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00142   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
            Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations                                                 82603

guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors.

Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA’s Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary’s technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at "best practices" and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance.

Basis for Violation Findings and Enforcement

Comment: A number of commenters asked that covered entities not be liable for violations of the rule if they have acted in good faith. One commenter indicated that enforcement actions should not be pursued against covered entities that make legitimate business decisions about how to comply with the privacy standards.

Response: The commenters seemed to argue that even if a covered entity does not comply with a requirement of the rule, the covered entity should not be liable if there was an honest and sincere intention or attempt to fulfill its obligations. The final rule, however, does not take this approach but instead draws careful distinctions between what a covered entity must do unconditionally, and what a covered entity must make certain reasonable efforts to do. In addition, the final rule is clear as to the specific provisions where "good faith" is a consideration. For example, a covered entity is permitted to use and disclose protected health information without authorization based on criteria that includes a good faith belief that such use or disclosure is necessary to avert an imminent threat to health or safety (§ 164.512(j)(1)(i)). Therefore, covered entities need to pay careful attention to the specific language in each requirement. However, we note that many of these provisions can be implemented in a variety of ways; e.g., covered entities can exercise business judgement regarding how to conduct staff training.

As to enforcement, a covered entity will not necessarily suffer a penalty solely because an act or omission violates the rule. As we discuss elsewhere, the Department will exercise discretion to consider not only the harm done, but the willingness of the covered entity to achieve voluntary compliance. Further, the Administrative Simplification provisions of HIPAA provide that whether a violation was known or not is relevant in determining whether civil or criminal penalties apply. In addition, if a civil penalty applies, HIPAA allows the Secretary, where the failure to comply was due to reasonable cause and not to willful neglect, to delay the imposition of the penalty to allow the covered entity to comply. The Department will develop and release for public comment an enforcement regulation applicable to all the administrative simplification regulations that will address these issues.

Comment: One commenter asked whether hospitals will be vicariously liable for the violations of their employees and expressed concern that hospitals and other providers will be the ones paying large fines.

Response: The enforcement regulation will address this issue. However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation.

Comment: A commenter expressed the concern that if a covered entity acquires a non-compliant health plan, it would be liable for financial penalties. This commenter suggested that, at a minimum, the covered entity be given a grace period of at least a year, but not less than six months to bring any acquisition up to standard. The commenter stated that the Secretary should encourage, not discourage, compliant companies to acquire non-compliant ones. Another commenter expressed a general concern about resolution of enforcement if an entity faced with a HIPAA complaint acquires or merges with an entity not covered by HIPAA.

Response: As discussed above, the Secretary will encourage voluntary efforts to cure violations of the rule, and will consider that fact in determining whether to bring a compliance action. We do not agree, however, that we should limit our authority to pursue violations of the rule if the situation warrants it.

Comment: One commenter was concerned about the "undue risk" of liability on originators of information, stemming from the fact that "the number of covered entities is limited and they are unable to restrict how a recipient of information may use or re-disclose information * * *"

Response: Under this rule, we do not hold covered entities responsible for the actions of recipients of protected health information, unless the recipient is a business associate of the covered entity. We agree that it is not fair to hold covered entities responsible for the actions of persons with whom they have no on-going relationship, but believe it is fair to expect covered entities to hold their business associates to appropriate standards of behavior with respect to health information.

Other Compliance and Enforcement Comments

Comment: A number of comments raised questions regarding the Secretary’s priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/consumer empowerment approach to consumer privacy in the online environment.

Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in
using a particular standard or meeting another requirement.

We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur.

Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed.

Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at § 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy.

It is not clear, in regard to the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed, such as where we need to identify that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes are generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.

Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively."

Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard.

Coordination With Reviewing Authorities

Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement.

A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare’s Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare.

Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such
information. In developing its enforcement program, we may explore ways it can coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interests in protecting privacy.

We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that covered entities be required to exhaust a covered entity’s internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights they have under state law including any right to file privacy complaints. We do not have the authority to interfere with state processes and HIPAA explicitly provides that we cannot preempt state laws that provide greater privacy protection.

We have not yet addressed the issue as to whether this regulation might be used as a basis for violation findings or penalties under other Department authorities. We note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records, as well as afford patients with the right to the confidentiality of their clinical records.

Penalties

Comment: Many commenters considered the statutory penalties insufficient to protect privacy, stating that the civil penalties are too weak to have the impact needed to reduce the risk of inappropriate disclosure. Some commenters took the opposing view and stated that large fines and prison sentences for violations would discourage physicians from transmitting any sort of health care information to any other agency, regardless of the medical necessity. Another comment expressed the concern that doctors will be at risk of going to jail for protecting the privacy of individuals (by not disclosing information the government believes should be released).

Response: The enforcement regulation will address the application of the civil monetary and criminal penalties under HIPAA. The regulation will be published in the Federal Register as a proposed regulation and the public will have an opportunity to comment. We do not believe that our rule, and the penalties available under it, will discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties.

Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys’ fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are necessary and would preclude the need for a private right of action. Another commenter stated that he does not believe that the statute intended to give individuals the equivalent of a right to sue, which results from making individuals third party beneficiaries to contracts between business partners.

Response: We do not have the authority to provide a private right of action by regulation. As discussed below, the final rule deletes the third party beneficiary provision that was in the proposed rule.

However, we believe that, in addition to strong civil monetary penalties, federal law should allow any individual whose rights have been violated to bring an action for actual damages and equitable relief. The Secretary’s Recommendations, which were submitted to Congress on September 11, 1997, called for a private right of action to permit individuals to enforce their privacy rights.

Comment: One comment stated that, in calculating civil monetary penalties, the criteria should include aggravating or mitigating circumstances and whether the violation is a minor or first time violation. Several comments stated that penalties should be tiered so that those that commit the most egregious violations face stricter civil monetary penalties.

Response: As mentioned above, issues regarding civil fines and criminal penalties will be addressed in the enforcement regulation.

Comment: One comment stated that the regulation should clarify whether a single disclosure that involved the health information of multiple parties would constitute a single or multiple infractions, for the purpose of calculating the penalty amount.

Response: The enforcement regulation will address the calculation of penalties. However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000).

Part 164—Subpart A—General Requirements
Part 164—Subpart B–D—Reserved
Part 164—Subpart E—Privacy

Section 164.500—Applicability

Covered Entities

The response to comments on covered entities is included in the response to comments on the definition of "covered entity" in the preamble discussion of § 160.103.

Covered Information

The response to comments on covered information is included in the response to comments on the definition of "protected health information" in the preamble discussion of § 164.501.

Section 164.501—Definitions

Designated record set

Comment: Many commenters generally supported our proposed definition of designated record set. Commenters suggested different methods for narrowing the information accessible to individuals, such as excluding information obtained without face-to-face interaction (e.g., phone consultations). Other commenters recommended broadening the information accessible to individuals, such as allowing access to "the entire medical record," not just a designated record set. Some commenters advocated for access to all information about individuals. A few commenters generally supported the provision but recommended that consultation and interpretative assistance be provided when the disclosure may cause harm or misunderstanding.

Response: We believe individuals should have a right to access any protected health information that may be used to make decisions about them and modify the final rule to accomplish this result. This approach facilitates an open and cooperative relationship between individuals and covered health care providers and health plans and allows individuals fair opportunities to know what health information may be
used to make decisions about them. We list certain records that are always part of the designated record set. For covered providers these are the medical record and billing record. For health plans these are the enrollment, payment, claims adjudication, and case or medical management records. The purpose of these specified records is management of the accounts and health care of individuals. In addition, we include in the designated record set to which individuals have access any record used, in whole or in part, by or for the covered entity to make decisions about individuals. Only protected health information that is in a designated record set is covered. Therefore, if a covered provider has a phone conversation, information obtained during that conversation is subject to access only to the extent that it is recorded in the designated record set.
   We do not require a covered entity to provide access to all individually identifiable health information, because the benefits of access to information not used to make decisions about individuals are limited and are outweighed by the burdens on covered entities of locating, retrieving, and providing access to such information. Such information may be found in many types of records that include significant information not relevant to the individual as well as information about other persons. For example, a hospital’s peer review files that include protected health information about many patients but are used only to improve patient care at the hospital, and not to make decisions about individuals, are not part of that hospital’s designated record sets.
   We encourage but do not require covered entities to provide interpretive assistance to individuals accessing their information, because such a requirement could impose administrative burdens that outweigh the benefits likely to accrue.
   The importance to individuals of having the right to inspect and copy information about them is supported by a variety of industry groups and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that individuals have access to medical records and medical record information.2 The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to review records and have a copy made in a form comprehensible to the individual. In its report ‘‘Best Principles for Health Privacy,’’ the Health Privacy Working Group recommended that individuals should have the right to access information about them.3 The National Association of Insurance Commissioners’ Health Information Privacy Model Act establishes the right of an individual to examine or receive a copy of protected health information in the possession of the carrier or a person acting on behalf of the carrier.
   Many states also establish a right for individuals to access health information about them. For example, Alaska law (AK Code 18.23.005) entitles patients ‘‘to inspect and copy any records developed or maintained by a health care provider or other person pertaining to the health care rendered to the patient.’’ Hawaii law (HRS section 323C–11) requires health care providers and health plans, among others, to permit individuals to inspect and copy protected health information about them. Many other states have similar provisions.
   Industry and standard-setting organizations also have developed policies to enable individual access to health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, ‘‘Patients’ confidence in the protection of their information requires that they have the means to know what is contained in their records. The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment.’’ 4 Standards of the American Society for Testing and Materials state, ‘‘The patient or his or her designated personal representative has access rights to the data and information in his or her health record and other health information databases except as restricted by law. An individual should be able to inspect or see his or her health information or request a copy of all or part of the health information, or both.’’ 5 We build on this well-established principle in this final rule.

   2 Privacy Protection Study Commission, ‘‘Personal Privacy in an Information Society,’’ July 1977, p. 298–299.
   3 Health Privacy Working Group, ‘‘Best Principles for Health Privacy,’’ Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999.
   4 National Committee on Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations, ‘‘Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment,’’ 1998, p. 25.
   5 ASTM, ‘‘Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records,’’ E 1869–97, § 11.1.1.

   Comment: Several commenters advocated for access to not only information that has already been used to make decisions, but also information that may be used to make decisions. Other commenters believed accessible information should be more limited; for example, some commenters argued that accessible information should be restricted to only information used to make health care decisions.
   Response: We agree that it is desirable that individuals have access to information reasonably likely to be used to make decisions about them. On the other hand, it is desirable that the category of records covered be readily ascertainable by the covered entity. We therefore define ‘‘designated record set’’ to include certain categories of records (a provider’s medical record and billing record, the enrollment records, and certain other records maintained by a health plan) that are normally used, and are reasonably likely to be used, to make decisions about individuals. We also add a category of other records that are, in fact, used, in whole or in part, to make decisions about individuals. This category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
   We disagree that accessible information should be restricted to information used to make health care decisions, because other decisions by covered entities can also affect individuals’ interests. For example, covered entities make financial decisions about individuals, such as whether an individual’s deductible has been met. Because such decisions can significantly affect individuals’ interests, we believe they should have access to any protected health information included in such records.
   Comment: Some commenters believed the rule should use the term ‘‘retrievable’’ instead of ‘‘retrieved’’ to describe information accessible to individuals. Other commenters suggested that the rule follow the Privacy Act’s principle of allowing access only when entities retrieve records by individual identifiers. Some commenters requested clarification that covered entities are not required to maintain information by name or other patient identifier.
   Response: We have modified the proposed definition of the designated record set to focus on how information is used, not how it is retrieved. Information may be retrieved or retrievable by name, but if it is never used to make decisions about any
individuals, the burdens of requiring a covered entity to find it and to redact information about other individuals outweigh any benefits to the individual of having access to the information. When the information might be used to affect the individual’s interests, however, that balance changes and the benefits outweigh the burdens. We confirm that this regulation does not require covered entities to maintain any particular record set by name or identifier.
   Comment: A few commenters recommended denial of access for information relating to investigations of claims, fraud, and misrepresentations. Many commenters suggested that sensitive, proprietary, and legal documents that are ‘‘typical state law privileges’’ be excluded from the right to access. Specific suggestions for exclusion, either from the right of access or from the definition of designated record set, include quality assurance activities, information related to medical appeals, peer review and credentialing, attorney-client information, and compliance committee activities. Some commenters suggested excluding information already supplied to individuals on previous requests and information related to health care operations. However, some commenters felt that such information was already excluded from the definition of designated record set. Other commenters requested clarification that this provision will not prevent patients from getting information related to medical malpractice.
   Response: We do not agree that records in these categories are never used to affect the interests of individuals. For example, while protected health information used for peer review and quality assurance activities typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set, we cannot say that this is true in all cases. We design this provision to be sufficiently flexible to work with the varying practices of covered entities.
   The rule addresses several of these comments by excepting from the access provisions (§ 164.524) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Similarly, nothing in this rule requires a covered entity to divulge information covered by physician-patient or similar privilege. Under the access provisions, a covered entity may redact information in a record about other persons or information obtained under a promise of confidentiality, prior to releasing the information to the individual. We clarify that nothing in this provision would prevent access to information needed to prosecute or defend a medical malpractice action; the rules of the relevant court determine such access.
   We found no persuasive evidence to support excluding information already supplied to individuals on previous requests. The burdens of tracking requests and the information provided pursuant to requests outweigh the burdens of providing the access requested. A covered entity may, however, discuss the scope of the request for access with the individual to facilitate the timely provision of access. For example, if the individual agrees, the covered entity could supply only the information created or received since the date access was last granted.
   Comment: A number of commenters asked that the definition of ‘‘disclosure’’ be modified so that it is clear that it does not include the release, transfer, provision of access to, or divulging in any other manner of protected health information to the individual who is the subject of that information. It was suggested that we revise the definition in this way to clarify that a health care provider may release protected health information to the subject of the information without first requiring that the patient complete an authorization form.
   Response: We agree with the commenters’ concern, but accomplish this result through a different provision in the regulation. In § 164.502 of this final rule, we specify that disclosures of protected health information to the individual are not subject to the limitations on disclosure of protected health information otherwise imposed by this rule.
   Comment: A number of commenters stated that the regulation should not apply to disclosures occurring within or among different subsidiaries or components of the same entity. One commenter interpreted ‘‘disclosure’’ to mean outside the agency or, in the case of a state Department of Health, outside sister agencies and offices that directly assist the Secretary in performing Medicaid functions and are listed in the state plan as entitled to receive Medicaid data.
   Response: We agree that there are circumstances under which related organizations may be treated as a single covered entity for purposes of protecting the privacy of health information, and modify the rule to accommodate such circumstances. In § 164.504 of the final rule, we specify the conditions under which affiliated companies may combine into a single covered entity and similarly describe which components of a larger organization must comply with the requirements of this rule. For example, transfers of information within the designated component or affiliated entity are uses while transfers of information outside the designated component or affiliated entity are disclosures. See the discussion of § 164.504 for further information and rationale. It is not clear from these comments whether the particular organizational arrangements described could constitute a single covered entity.
   Comment: A commenter noted that the definition of ‘‘disclosure’’ should reflect that health plan correspondence containing protected health information, such as Explanation of Benefits (EOBs), is frequently sent to the policyholder. Therefore, it was suggested that the words ‘‘provision of access to’’ be deleted from the definition and that a ‘‘disclosure’’ be clarified to include the conveyance of protected health information to a third party.
   Response: The definition is, on its face, broad enough to cover the transfers of information described and so is not changed. We agree that health plans must be able to send EOBs to policyholders. Sending EOB correspondence to a policyholder by a covered entity is a disclosure for purposes of this rule, but it is a disclosure for purposes of payment. Therefore, subject to the provisions of § 164.522(b) regarding Confidential Communications, it is permitted even if it discloses to the policyholder protected health information about another individual (see below).

Health care operations

   Comment: Several commenters stated that the list of activities within the definition of health care operations was too broad and should be narrowed. They asserted that the definition should be limited to exclude activities that have little or no connection to the care of a particular patient or to only include emergency treatment situations or situations constituting a clear and present danger to oneself or others.
   Response: We disagree. We believe that narrowing the definition in the manner requested will place serious burdens on covered entities and impair their ability to conduct legitimate business and management functions.
   Comment: Many commenters, including physician groups, consumer groups, and privacy advocates, argued that we should limit the information that can be used for health care operations to de-identified data. They
argued that if an activity could be done with de-identified data, it should not be incorporated in the definition of health care operations.
   Response: We disagree. We believe that many activities necessary for the business and administrative operations of health plans and health care providers are not possible with de-identified information or are possible only under unduly burdensome circumstances. For example, identified information may be used or disclosed during an audit of claims, for a plan to contact a provider about alternative treatments for specific patients, and in reviewing the competence of health care professionals. Further, not all covered entities have the same ability to de-identify protected health information. Covered entities with highly automated information systems will be able to use de-identified data for many purposes. Other covered entities maintain most of their records on paper, so a requirement to de-identify information would place too great a burden on the legitimate and routine business functions included in the definition of health care operations. Small businesses, which are most likely to have largely paper records, would find such a blanket requirement particularly
   Protected health information that is de-identified pursuant to § 164.514(a) is not subject to this rule. We hope this provides covered entities capable of de-identifying information with the incentive to do so.
   Comment: Some commenters requested that we permit the use of demographic data (geographic, location, age, gender, and race) separate from all other data for health care operations. They argued that demographic data was needed to establish provider networks and monitor providers to ensure that the needs of ethnic and minority populations were being addressed.
   Response: The use of demographic data for the stated purposes is within the definition of health care operations; a special rule is not necessary.
   Comment: Some commenters pointed out that the definition of health care operations is similar to, and at times overlaps with, the definition of research. In addition, a number of commenters questioned whether or not research conducted by the covered entity or its business partner must only be applicable to and used within the covered entity to be considered health care operations. Others questioned whether such studies or research performed internal to a covered entity are ‘‘health care operations’’ even if generalizable results may be produced.
   Response: We agree that some health care operations have many of the characteristics of research studies and in the NPRM asked for comments on how to make this distinction. While a clear answer was not suggested in any of the comments, the comments generally, together with our fact finding, led to the provisions in the final rule. The distinction between health care operations and research rests on whether the primary purpose of the study is to produce ‘‘generalizable knowledge.’’ We have modified the definition of health care operations to include ‘‘quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.’’ If the primary purpose of the activity is to produce generalizable knowledge, the activity fits within this rule’s definition of ‘‘research’’ and the covered entity must comply with §§ 164.508 or 164.512, including obtaining an authorization or the approval of an institutional review board or privacy board. If not and the activity otherwise meets the definition of health care operations, the activity is not research and may be conducted under the health care operations provisions of this rule.
   In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that the covered entity wants to generalize. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the change in status of the activity to establish that they did not violate the requirements of this rule. (See definition of ‘‘research,’’ below, for further information on the distinction between ‘‘research’’ and ‘‘health care operations.’’)
   We note that the difficulty in determining when an activity is for the internal operations of an entity and when it is a research activity is a long-standing issue in the industry. The variation among commenters’ views is one of many indications that, today, there is not consensus on how to draw this line. We do not resolve the larger issue here, but instead provide requirements specific to the information covered by this rule.
   Comment: Several commenters asked that disease management and disability management activities be explicitly included in the definition of health care operations. Many health plans asserted that they would not be able to provide disease management, wellness, and health promotion activities if the activity were solely captured in the rule’s definition of ‘‘treatment.’’ They also expressed concern that ‘‘treatment’’ usually applies to an individual, not to a population, as is the practice for disease management.
   Response: We were unable to find generally accepted definitions of the terms ‘‘disease management’’ and ‘‘disability management.’’ Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment, and modify both definitions to address the commenters’ concerns. For example, we have revised the definition of health care operations to include population-based activities related to improving health or reducing health care costs. This topic is discussed further in the comment responses regarding the definition of ‘‘treatment,’’ below.
   Comment: Several commenters urged that the definition of health care operations be illustrative and flexible, rather than structured in the form of a list as in the proposed rule. They believed it would be impossible to identify all the activities that constitute health care operations. Commenters representing health plans were concerned that the ‘‘static’’ nature of the definition would stifle innovation and could not reflect the new functions that health plans may develop in the future that benefit consumers, improve quality, and reduce costs. Other commenters expressed support for the approach taken in the proposed rule, but felt the list was too broad.
   Response: In the final rule, we revise the proposed definition of health care operations to broaden the list of activities included, but we do not agree with the comments asking for an illustrative definition rather than an inclusive list. Instead, we describe the activities that constitute health care operations in broad terms and categories, such as ‘‘quality assessment’’ and ‘‘business planning and development.’’ We believe the use of broadly stated categories will allow industry innovation, but without the privacy risks entailed in an illustrative approach.
   Comment: Several commenters noted that utilization review and internal quality review should be included in the definition. They pointed out that both of these activities were discussed in the preamble to the proposed rule but were not incorporated into the regulation text.
   Response: We agree and have modified the regulation text to incorporate quality assessment and improvement activities, including the development of clinical guidelines and protocol development.
   Comment: Several commenters stated that the proposal did not provide sufficient guidance regarding compiling and analyzing information in anticipation of or for use in legal proceedings. In particular, they raised concerns about the lack of specificity as to when ‘‘anticipation’’ would be triggered.
   Response: We agree that this provision was confusing and have replaced it with a broader reference to conducting or arranging for legal services generally.
   Comment: Hospital representatives pointed out the pressure on health care facilities to improve cost efficiencies,

be directly related to treatment and payment, and we add to this definition the new categories of business management (including general administrative activities) and business planning activities.
   Comment: One commenter asked for clarification on whether cost-related analyses could also be done by providers as well as health plans.
   Response: Health care operations, including business management functions, are not limited to health plans. Any covered entity can perform health care operations.
   Comment: One commenter stated that the proposed rule did not address what happens to records when a covered entity is sold or merged with another entity.
   Response: We agree and add to the definition of health care operations disclosures of protected health information

protected health information of prospective enrollees to underwrite and rate new business and change the definition of health care operations accordingly. The definition of health care operations below includes underwriting, premium rating, and other activities related to the creation of a contract of health insurance.
   Comment: Several commenters stated that group health plans needed to be able to use and disclose protected health information for purposes of soliciting a contract with a new carrier and rate setting.
   Response: We agree and add ‘‘activities relating to the * * * replacement of a contract of insurance’’ to cover such disclosures. See § 164.504 for the rules for plan sponsors of group health plans to obtain such information.
   Comment: Commenters from the business community supported our
make cost-effectiveness studies, and                information for due diligence to a                      recognition of the importance of
benchmark essential health care                     covered entity that is a potential                      financial risk transfer mechanisms in
operations. They emphasized that such               successor in interest. This provision                   the health care marketplace by
activities often use identifiable patient           includes disclosures pursuant to the                    including ‘‘reinsurance’’ in the
information, although the products of               sale of a covered entity’s business as a                definition of health care operations.
the analyses usually do not contain                 going concern, mergers, acquisitions,                   However, they stated that the term
identifiable health information.                    consolidations, and other similar types                 ‘‘reinsurance’’ alone was not adequate to
Commenters representing state hospital              of corporate restructuring between                      capture ‘‘stop-loss insurance’’ (also
associations pointed out that they                  covered entities, including a division of               referred to as excess of loss insurance),
routinely receive protected health                  a covered entity, and to an entity that is              another type of risk transfer insurance.
information from hospitals for analyses             not a covered entity but will become a                     Response: We agree with the
that are used by member hospitals for               covered entity if the reorganization or                 commenters that stop-loss and excess of
such things as quality of care                      sale is completed. Other types of sales                 loss insurance are functionally
benchmark comparisons, market share                 of assets, or disclosures to organizations              equivalent to reinsurance and add these
analysis, determining physician                     that are not and would not become                       to the definition of health care
utilization of hospital resources, and              covered entities, are not included in the               operations.
charge comparisons.                                 definition of health care operations and                   Comment: Commenters from the
   Response: We have expanded the                   could only occur if the covered entity                  employer community explained that
definition of health care operations to             obtained valid authorization for such                   there is a trend among employers to
include use and disclosure of protected             disclosure in accordance with § 164.508                 contract with a single insurer for all
health information for the important                or if the disclosure is otherwise                       their insurance needs (health, disability,
functions noted by these commenters.                permitted under this rule.                              workers’ compensation). They stated
We also allow a covered entity to engage               Once a covered entity is sold or                     that in these integrated systems,
a business associate to provide data                merged with another covered entity, the                 employee health information is shared
aggregation services. See § 164.504(e).             successor in interest becomes                           among the various programs in the
   Comment: Several commenters argued               responsible for complying with this                     system. The commenters believed the
that many activities that are integral to           regulation with respect to the                          existing definition poses obstacles for
the day-to-day operations of a health               transferred information.                                those employers utilizing an integrated
plan have not been included in the                     Comment: Several commenters                          health system because of the need to
definition. Examples provided by the                expressed concern that the definition of                obtain authorizations before being
commenters include: issuing plan                    health care operations failed to include                permitted to use protected health
identification cards, customer service,             the use of protected health information                 information from the health plan to
computer maintenance, storage and                   for the underwriting of new health care                 administer or audit their disability or
back-up of radiologic images, and the               policies and took issue with the                        workers’ compensation plan.
installation and servicing of medical               exclusion of uses and disclosures of                       Other commenters representing
equipment or computer systems.                      protected health information of                         employers stated that some employers
   Response: We agree with the                      prospective enrollees. They expressed                   wanted to combine health information
commenters that there are activities not            the concern that limiting health care                   from different insurers and health plans
directly part of treatment or payment               operations to the underwriting and                      providing employee benefits to their
that are more closely associated with the           rating of existing members places a                     workforces, including its group health
administrative or clerical functions of             health plan in the position of not being                plan, workers’ compensation insurers,
the plan or provider that need to be                able to evaluate prudently and                          and disability insurers, so that they
included in the definition. To include              underwrite a consumer’s health care                     could have more information in order to
such activities in the definition of                risk.                                                   better manage the occurrences of
health care operations, we eliminate the               Response: We agree that covered                      disability and illness among their
requirement that health care operations             entities should be able to use the                      workforces. They expressed concern

   VerDate 11<MAY>2000   19:16 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00149   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2
82610        Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

that the proposed rule would not permit                We note that under the arrangements                  Health Oversight Agency
such sharing of information.                        described above, the final rule provides                   Comment: Some commenters sought
   Response: While we agree that                    substantial flexibility to covered entities             to have specific organizations defined as
integrating health information from                 to provide general data and statistical                 health oversight agencies. For example,
different benefit programs may produce              analyses, resulting in the disclosure of                some commenters asked that the
efficiencies as well as benefits for                de-identified information, to employers                 regulation text, rather than the
individuals, the integration also raises            and other customers. An employer also                   preamble, explicitly list state insurance
significant privacy concerns,                       may receive protected health                            departments as an example of health
particularly if there are no safeguards on          information from a covered entity for                   oversight agencies. Medical device
uses and disclosures from the integrated            any purpose, including those described                  manufacturers recommended expanding
data. Under HIPAA, we do not have                   in comment above, with the                              the definition to include government
jurisdiction over many types of insurers            authorization of the individual. See                    contractors such as coding committees,
that use health information, such as                § 164.508.
workers’ compensation insurers or                                                                           which provide data to HCFA to help the
insurers providing disability income                   Comment: A number of commenters                      agency make reimbursement decisions.
                                                    asserted that the proposed definition                      One federal agency sought
benefits, and we cannot address the
                                                    appeared to limit training and                          clarification that several of its sub-
extent to which they provide
individually identifiable health                    educational activities to that of health                agencies were oversight agencies; it was
information to a health plan, nor do we             care professionals, students, and                       concerned about its status in part
prohibit a health plan from receiving               trainees. They asked that we expand the                 because the agency fits into more than
such information. Once a health plan                definition to include other education-                  one of the categories of health oversight
receives identifiable health information,           related activities, such as continuing                  agency listed in the proposed rule.
however, the information becomes                    education for providers and training of                    Other commenters recommended
protected and may only be used and                  non-health care professionals as needed                 expanding the definition of oversight
disclosed as otherwise permitted by this            for supporting treatment or payment.                    agency to include private-sector
rule.                                                                                                       accreditation organizations. One
                                                       Response: We agree with the                          commenter recommended stating in the
   We clarify, however, that a covered              commenters that the definition of health
entity may provide data and statistical                                                                     final rule that private companies
                                                    care operations was unnecessarily                       providing information to insurers and
analyses for its customers as a health              limiting with respect to educational
care operation, provided that it does not                                                                   employers are not included in the
                                                    activities and expand the definition of                 definition of health oversight agency.
disclose protected health information in            health care operations to include
a way that would otherwise violate this                                                                        Response: Because the range of health
                                                    ‘‘conducting training programs in which                 oversight agencies is so broad, we do
rule. A group health plan or health                 students, trainees, or practitioners in
insurance issuer or HMO, or their                                                                           not include specific examples in the
                                                    areas of health care learn under                        definition. We include many examples
business associate on their behalf, may             supervision to practice or improve their
perform such analyses for an employer                                                                       in the preamble above and provide
                                                    skills as health care providers.’’ We                   further clarity here.
customer and provide the results in de-             clarify that medical rounds are
identified form to the customer, using                                                                         As under the NPRM, state insurance
                                                    considered treatment, not health care                   departments are an example of a health
integrated data received from other                 operations.
insurers, as long as protected health                                                                       oversight agency. A commenter
information is not disclosed in violation              Comment: A few commenters                            concerned about state trauma registries
of this rule. See the definition of ‘‘health        outlined the need to include the training               did not describe the registries’ activities
care operations,’’ § 164.501. If the                of non-health care professionals, such as               or legal charters, so we cannot clarify
employer sponsors more than one group               health data analysts, administrators, and               whether such registries may be health
health plan, or if its group health plan            computer programmers within the                         oversight agencies. Government
provides coverage through more than                 definition of health care operations. It                contractors such as coding committees,
one health insurance issuer or HMO, the             was argued that, in many cases, these                   which provide data to HCFA to support
different covered entities may be an                professionals perform functions which                   payment processes, are not thereby
organized health care arrangement and               support treatment and payment and will                  health oversight agencies under this
be able to jointly participate in such an           need access to protected health                         rule. We clarify that public agencies
analysis as part of the health care                 information in order to carry out their                 may fit into more than one category of
operations of such organized health care            responsibilities.                                       health oversight agency.
arrangement. See the definitions of                    Response: We agree and expand the                       The definition of health oversight
‘‘health care operations’’ and ‘‘organized          definition of health care operations to                 agency does not include private-sector
health care arrangement,’’ § 164.501. We            include training of non-health care                     accreditation organizations. While their
further clarify that a plan sponsor                 professionals.                                          work can promote quality in the health
providing plan administration to a                                                                          care delivery system, private
group health plan may participate in                   Comment: One commenter stated that                   accreditation organizations are not
such an analysis, provided that the                 the definition did not explicitly include               authorized by law to oversee the health
requirements of § 164.504(f) and other              physician credentialing and peer                        care system or government programs in
parts of this rule are met.                         review.                                                 which health information is necessary
   The results described above are the                 Response: We have revised the                        to determine eligibility or compliance,
same whether the health information                 definition to specifically include                      or to enforce civil rights laws for which
that is being combined is from separate             ‘‘licensing or credentialing activities.’’              health information is relevant. Under
insurers or from one entity that has a              In addition, peer review activities are                 the final rule, we consider private
health component and also provides                  captured in the definition as reviewing                 accrediting groups to be performing a
excepted benefits. See the discussion               the competence or qualifications of                     health care operations function for
relating to health care components,                 health care professionals and evaluating                covered entities. Thus, disclosures to
§ 164.504.                                          practitioner and provider performance.                  private accrediting organizations are

   VerDate 11<MAY>2000   21:08 Dec 27, 2000   Jkt 194001   PO 00000   Frm 00150   Fmt 4701   Sfmt 4700   E:\FR\FM\28DER2.SGM   pfrm08   PsN: 28DER2