[Federal Register Volume 65, Number 250 (Thursday, December 28, 2000)]
[Rules and Regulations]
[Pages 82462-82829]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 00-32678]



[[Page 82461]]

-----------------------------------------------------------------------

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



Standards for Privacy of Individually Identifiable Health Information; 
Final Rule

Federal Register / Vol. 65 , No. 250 / Thursday, December 28, 2000 / 
Rules and Regulations

[[Page 82462]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

Rin: 0991-AB08


Standards for Privacy of Individually Identifiable Health 
Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, 
DHHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule includes standards to protect the privacy of 
individually identifiable health information. The rules below, which 
apply to health plans, health care clearinghouses, and certain health 
care providers, present standards with respect to the rights of 
individuals who are the subjects of this information, procedures for 
the exercise of those rights, and the authorized and required uses and 
disclosures of this information.
    The use of these standards will improve the efficiency and 
effectiveness of public and private health programs and health care 
services by providing enhanced protections for individually 
identifiable health information. These protections will begin to 
address growing public concerns that advances in electronic technology 
and evolution in the health care industry are resulting, or may result, 
in a substantial erosion of the privacy surrounding individually 
identifiable health information maintained by health care providers, 
health plans and their administrative contractors. This rule implements 
the privacy requirements of the Administrative Simplification subtitle 
of the Health Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV (1-
866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION: Availability of copies, and electronic 
access.
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. 
The cost for each copy is $8.00. As an alternative, you can view and 
photocopy the Federal Register document at most libraries designated as 
Federal Depository Libraries and at many other public and academic 
libraries throughout the country that receive the Federal Register.
    Electronic Access: This document is available electronically at 
http://aspe.hhs.gov/admnsimp/ as well as at the web site of the 
Government Printing Office at http://www.access.gpo.gov/su_docs/aces/
aces140.html.

I. Background

Table of Contents

Sec.    
160.101   Statutory basis and purpose.
160.102   Applicability.
160.103   Definitions.
160.104   Modifications.
160.201   Applicability
160.202   Definitions.
160.203   General rule and exceptions.
160.204   Process for requesting exception determinations.
160.205   Duration of effectiveness of exception determinations.
160.300   Applicability.
160.302   Definitions.
160.304   Principles for achieving compliance.
   (a) Cooperation.
   (b) Assistance.
160.306   Complaints to the Secretary.
   (a) Right to file a complaint.
   (b) Requirements for filing complaints.
   (c) Investigation.
160.308   Compliance reviews.
160.310   Responsibilities of covered entities.
   (a) Provide records and compliance reports.
   (b) Cooperate with complaint investigations and compliance 
reviews.
   (c) Permit access to information.
160.312   Secretarial action regarding complaints and compliance 
reviews.
   (a) Resolution where noncompliance is indicated.
   (b) Resolution when no violation is found.
164.102   Statutory basis.
164.104   Applicability.
164.106   Relationship to other parts.
164.500   Applicability.
164.501   Definitions.
164.502   Uses and disclosures of protected health information: 
general rules.
   (a) Standard.
   (b) Standard: minimum necessary.
   (c) Standard: uses and disclosures of protected health 
information subject to an agreed upon restriction.
   (d) Standard: uses and disclosures of de-identified protected 
health information.
   (e) Standard: disclosures to business associates.
   (f) Standard: deceased individuals.
   (g) Standard: personal representatives.
   (h) Standard: confidential communications.
   (i) Standard: uses and disclosures consistent with notice.
   (j) Standard: disclosures by whistleblowers and workforce member 
crime victims.
164.504   Uses and disclosures: organizational requirements.
   (a) Definitions.
   (b) Standard: health care component.
   (c) Implementation specification: application of other 
provisions.
   (d) Standard: affiliated covered entities.
   (e) Standard: business associate contracts.
   (f) Standard: requirements for group health plans.
   (g) Standard: requirements for a covered entity with multiple 
covered functions.
164.506  Consent for uses or disclosures to carry out treatment, 
payment, or health care operations.
   (a) Standard: consent requirement.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: content requirements.
   (d) Implementation specifications: defective consents.
   (e) Standard: resolving conflicting consents and authorizations.
   (f) Standard: joint consents.
164.508  Uses and disclosures for which an authorization is 
required.
   (a) Standard: authorizations for uses and disclosures.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: core elements and 
requirements.
   (d) Implementation specifications: authorizations requested by a 
covered entity for its own uses and disclosures.
   (e) Implementation specifications: authorizations requested by a 
covered entity for disclosures by others.
   (f) Implementation specifications: authorizations for uses and 
disclosures of protected health information created for research 
that includes treatment of the individual.
164.510  Uses and disclosures requiring an opportunity for the 
individual to agree or to object.
   (a) Standard: use and disclosure for facility directories.
   (b) Standard: uses and disclosures for involvement in the 
individual's care and notification purposes.
164.512  Uses and disclosures for which consent, an authorization, 
or opportunity to agree or object is not required.
   (a) Standard: uses and disclosures required by law.
   (b) Standard: uses and disclosures for public health activities.
   (c) Standard: disclosures about victims of abuse, neglect or 
domestic violence.
   (d) Standard: uses and disclosures for health oversight 
activities.
   (e) Standard: disclosures for judicial and administrative 
proceedings.
   (f) Standard: disclosures for law enforcement purposes.
   (g) Standard: uses and disclosures about decedents.
   (h) Standard: uses and disclosures for cadaveric organ, eye or 
tissue donation purposes.

[[Page 82463]]

   (i) Standard: uses and disclosures for research purposes.
   (j) Standard: uses and disclosures to avert a serious threat to 
health or safety.
   (k) Standard: uses and disclosures for specialized government 
functions.
   (l) Standard: disclosures for workers' compensation.
164.514  Other requirements relating to uses and disclosures of 
protected health information.
   (a) Standard: de-identification of protected health information.
   (b) Implementation specifications: requirements for de-
identification of protected health information.
   (c) Implementation specifications: re-identification.
   (d) Standard: minimum necessary requirements.
   (e) Standard: uses and disclosures of protected health 
information for marketing.
   (f) Standard: uses and disclosures for fundraising.
   (g) Standard: uses and disclosures for underwriting and related 
purposes.
   (h) Standard: verification requirements
164.520  Notice of privacy practices for protected health 
information.
   (a) Standard: notice of privacy practices.
   (b) Implementation specifications: content of notice.
   (c) Implementation specifications: provision of notice.
   (d) Implementation specifications: joint notice by separate 
covered entities.
   (e) Implementation specifications: documentation.
164.522  Rights to request privacy protection for protected health 
information.
   (a) Standard: right of an individual to request restriction of 
uses and disclosures.
   (b) Standard: confidential communications requirements.
164.524  Access of individuals to protected health information.
   (a) Standard: access to protected health information.
   (b) Implementation specifications: requests for access and timely 
action.
   (c) Implementation specifications: provision of access.
   (d) Implementation specifications: denial of access.
   (e) Implementation specification: documentation.
164.526  Amendment of protected health information.
   (a) Standard: right to amend.
   (b) Implementation specifications: requests for amendment and 
timely action.
   (c) Implementation specifications: accepting the amendment.
   (d) Implementation specifications: denying the amendment.
   (e) Implementation specification: actions on notices of 
amendment.
   (f) Implementation specification: documentation.
164.528  Accounting of disclosures of protected health information.
   (a) Standard: right to an accounting of disclosures of protected 
health information.
   (b) Implementation specifications: content of the accounting.
   (c) Implementation specifications: provision of the accounting.
   (d) Implementation specification: documentation.
164.530  Administrative requirements.
   (a) Standard: personnel designations.
   (b) Standard: training.
   (c) Standard: safeguards.
   (d) Standard: complaints to the covered entity.
   (e) Standard: sanctions
   (f) Standard: mitigation.
   (g) Standard: refraining from intimidating or retaliatory acts.
   (h) Standard: waiver of rights.
   (i) Standard: policies and procedures.
   (j) Standard: documentation.
   (k) Standard: group health plans.
164.532  Transition provisions.
   (a) Standard: effect of prior consents and authorizations.
   (b) Implementation specification: requirements for retaining 
effectiveness of prior consents and authorizations.
164.534  Compliance dates for initial implementation of the privacy 
standards.
   (a) Health care providers.
   (b) Health plans.
   (c) Health care clearinghouses.

Purpose of the Administrative Simplification Regulations

    This regulation has three major purposes: (1) To protect and 
enhance the rights of consumers by providing them access to their 
health information and controlling the inappropriate use of that 
information; (2) to improve the quality of health care in the U.S. by 
restoring trust in the health care system among consumers, health care 
professionals, and the multitude of organizations and individuals 
committed to the delivery of care; and (3) to improve the efficiency 
and effectiveness of health care delivery by creating a national 
framework for health privacy protection that builds on efforts by 
states, health systems, and individual organizations and individuals.
    This regulation is the second final regulation to be issued in the 
package of rules mandated under title II subtitle F section 261-264 of 
the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), Public Law 104-191, titled ``Administrative Simplification.'' 
Congress called for steps to improve ``the efficiency and effectiveness 
of the health care system by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information.'' To achieve that end, Congress required the Department to 
promulgate a set of interlocking regulations establishing standards and 
protections for health information systems. The first regulation in 
this set, Standards for Electronic Transactions 65 FR 50312, was 
published on August 17, 2000 (the ``Transactions Rule''). This 
regulation establishing Standards for Privacy of Individually 
Identifiable Health Information is the second final rule in the 
package. A rule establishing a unique identifier for employers to use 
in electronic health care transactions, a rule establishing a unique 
identifier for providers for such transactions, and a rule establishing 
standards for the security of electronic information systems have been 
proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 
16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are 
rules establishing a unique identifier for health plans for electronic 
transactions, standards for claims attachments, and standards for 
transferring among health plans appropriate standard data elements 
needed for coordination of benefits. (See section C, below, for a more 
detailed explanation of the statutory mandate for these regulations.)
    In enacting HIPAA, Congress recognized the fact that administrative 
simplification cannot succeed if we do not also protect the privacy and 
confidentiality of personal health information. The provision of high-
quality health care requires the exchange of personal, often-sensitive 
information between an individual and a skilled practitioner. Vital to 
that interaction is the patient's ability to trust that the information 
shared will be protected and kept confidential. Yet many patients are 
concerned that their information is not protected. Among the factors 
adding to this concern are the growth of the number of organizations 
involved in the provision of care and the processing of claims, the 
growing use of electronic information technology, increased efforts to 
market health care and other products to consumers, and the increasing 
ability to collect highly sensitive information about a person's 
current and future health status as a result of advances in scientific 
research.
    Rules requiring the protection of health privacy in the United 
States have been enacted primarily by the states. While virtually every 
state has enacted one or more laws to safeguard privacy, these laws 
vary significantly from state to state and typically apply to only part 
of the health care system. Many states have adopted laws that protect 
the health information relating to certain health conditions such as 
mental illness, communicable diseases, cancer, HIV/AIDS, and other 
stigmatized conditions. An examination of state health privacy laws and 
regulations,

[[Page 82464]]

however, found that ``state laws, with a few notable exceptions, do not 
extend comprehensive protections to people's medical records.'' Many 
state rules fail to provide such basic protections as ensuring a 
patient's legal right to see a copy of his or her medical record. See 
Health Privacy Project, ``The State of Health Privacy: An Uneven 
Terrain,'' Institute for Health Care Research and Policy, Georgetown 
University (July 1999) (http://www.healthprivacy.org) (the ``Georgetown 
Study'').
    Until now, virtually no federal rules existed to protect the 
privacy of health information and guarantee patient access to such 
information. This final rule establishes, for the first time, a set of 
basic national privacy standards and fair information practices that 
provides all Americans with a basic level of protection and peace of 
mind that is essential to their full participation in their care. The 
rule sets a floor of ground rules for health care providers, health 
plans, and health care clearinghouses to follow, in order to protect 
patients and encourage them to seek needed care. The rule seeks to 
balance the needs of the individual with the needs of the society. It 
creates a framework of protection that can be strengthened by both the 
federal government and by states as health information systems continue 
to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

    Privacy is a fundamental right. As such, it must be viewed 
differently than any ordinary economic good. The costs and benefits of 
a regulation must, of course, be considered as a means of identifying 
and weighing options. At the same time, it is important not to lose 
sight of the inherent meaning of privacy: it speaks to our individual 
and collective freedom.
    A right to privacy in personal information has historically found 
expression in American law. All fifty states today recognize in tort 
law a common law or statutory right to privacy. Many states 
specifically provide a remedy for public revelation of private facts. 
Some states, such as California and Tennessee, have a right to privacy 
as a matter of state constitutional law. The multiple historical 
sources for legal rights to privacy are traced in many places, 
including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen 
Alderman & Caroline Kennedy, The Right to Privacy (1995).
    Throughout our nation's history, we have placed the rights of the 
individual at the forefront of our democracy. In the Declaration of 
Independence, we asserted the ``unalienable right'' to ``life, liberty 
and the pursuit of happiness.'' Many of the most basic protections in 
the Constitution of the United States are imbued with an attempt to 
protect individual privacy while balancing it against the larger social 
purposes of the nation.
    To take but one example, the Fourth Amendment to the United States 
Constitution guarantees that ``the right of the people to be secure in 
their persons, houses, papers and effects, against unreasonable 
searches and seizures, shall not be violated.'' By referring to the 
need for security of ``persons'' as well as ``papers and effects'' the 
Fourth Amendment suggests enduring values in American law that relate 
to privacy. The need for security of ``persons'' is consistent with 
obtaining patient consent before performing invasive medical 
procedures. The need for security in ``papers and effects'' underscores 
the importance of protecting information about the person, contained in 
sources such as personal diaries, medical records, or elsewhere. As is 
generally true for the right of privacy in information, the right is 
not absolute. The test instead is what constitutes an ``unreasonable'' 
search of the papers and effects.
    The United States Supreme Court has upheld the constitutional 
protection of personal health information. In Whalen v. Roe, 429 U.S. 
589 (1977), the Court analyzed a New York statute that created a 
database of persons who obtained drugs for which there was both a 
lawful and unlawful market. The Court, in upholding the statute, 
recognized at least two different kinds of interests within the 
constitutionally protected ``zone of privacy.'' ``One is the individual 
interest in avoiding disclosure of personal matters,'' such as this 
regulation principally addresses. This interest in avoiding disclosure, 
discussed in Whalen in the context of medical information, was found to 
be distinct from a different line of cases concerning ``the interest in 
independence in making certain kinds of important decisions.''
    Individuals' right to privacy in information about themselves is 
not absolute. It does not, for instance, prevent reporting of public 
health information on communicable diseases or stop law enforcement 
from getting information when due process has been observed. But many 
people believe that individuals should have some right to control 
personal and sensitive information about themselves. Among different 
sorts of personal information, health information is among the most 
sensitive. Many people believe that details about their physical self 
should not generally be put on display for neighbors, employers, and 
government officials to see. Informed consent laws place limits on the 
ability of other persons to intrude physically on a person's body. 
Similar concerns apply to intrusions on information about the person.
    Moving beyond these facts of physical treatment, there is also 
significant intrusion when records reveal details about a person's 
mental state, such as during treatment for mental health. If, in 
Justice Brandeis' words, the ``right to be let alone'' means anything, 
then it likely applies to having outsiders have access to one's 
intimate thoughts, words, and emotions. In the recent case of Jaffee v. 
Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements 
made to a therapist during a counseling session were protected against 
civil discovery under the Federal Rules of Evidence. The Court noted 
that all fifty states have adopted some form of the psychotherapist-
patient privilege. In upholding the federal privilege, the Supreme 
Court stated that it ``serves the public interest by facilitating the 
appropriate treatment for individuals suffering the effects of a mental 
or emotional problem. The mental health of our citizenry, no less than 
its physical health, is a public good of transcendent importance.''
    Many writers have urged a philosophical or common-sense right to 
privacy in one's personal information. Examples include Alan Westin, 
Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In 
Defense of the Personal Life (1997). These writings emphasize the link 
between privacy and freedom and privacy and the ``personal life,'' or 
the ability to develop one's own personality and self-expression. 
Smith, for instance, states:

    The bottom line is clear. If we continually, gratuitously, 
reveal other people's privacies, we harm them and ourselves, we 
undermine the richness of the personal life, and we fuel a social 
atmosphere of mutual exploitation. Let me put it another way: Little 
in life is as precious as the freedom to say and do things with 
people you love that you would not say or do if someone else were 
present. And few experiences are as fundamental to liberty and 
autonomy as maintaining control over when, how, to whom, and where 
you disclose personal material. Id. at 240-241.

    In 1890, Louis D. Brandeis and Samuel D. Warren defined the right 
to privacy as ``the right to be let alone.'' See L. Brandeis, S. 
Warren, ``The Right

[[Page 82465]]

To Privacy,'' 4 Harv.L.Rev. 193. More than a century later, privacy 
continues to play an important role in Americans' lives. In their book, 
The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman 
and Caroline Kennedy describe the importance of privacy in this way:

    Privacy covers many things. It protects the solitude necessary 
for creative thought. It allows us the independence that is part of 
raising a family. It protects our right to be secure in our own 
homes and possessions, assured that the government cannot come 
barging in. Privacy also encompasses our right to self-determination 
and to define who we are. Although we live in a world of noisy self-
confession, privacy allows us to keep certain facts to ourselves if 
we so choose. The right to privacy, it seems, is what makes us 
civilized.

Or, as Cavoukian and Tapscott observed the right of privacy is: ``the 
claim of individuals, groups, or institutions to determine for 
themselves when, how, and to what extent information about them is 
communicated.'' See A. Cavoukian, D. Tapscott, ``Who Knows: 
Safeguarding Your Privacy in a Networked World,'' Random House (1995).

Increasing Public Concern About Loss of Privacy

    Today, it is virtually impossible for any person to be truly ``let 
alone.'' The average American is inundated with requests for 
information from potential employers, retail shops, telephone marketing 
firms, electronic marketers, banks, insurance companies, hospitals, 
physicians, health plans, and others. In a 1998 national survey, 88 
percent of consumers said they were ``concerned'' by the amount of 
information being requested, including 55 percent who said they were 
``very concerned.'' See Privacy and American Business, 1998 Privacy 
Concerns & Consumer Choice Survey (http://www.pandab.org). These 
worries are not just theoretical. Consumers who use the Internet to 
make purchases or request ``free'' information often are asked for 
personal and financial information. Companies making such requests 
routinely promise to protect the confidentiality of that information. 
Yet several firms have tried to sell this information to other 
companies even after promising not to do so.
    Americans' concern about the privacy of their health information is 
part of a broader anxiety about their lack of privacy in an array of 
areas. A series of national public opinion polls conducted by Louis 
Harris & Associates documents a rising level of public concern about 
privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 
percent of persons surveyed in 1999 agreed with the statement that they 
had ``lost all control over their personal information.'' See Harris 
Equifax, Health Information Privacy Study (1993) (http://www.epic.org/
privacy/medical/polls.html). A Wall Street Journal/ABC poll on 
September 16, 1999 asked Americans what concerned them most in the 
coming century. ``Loss of personal privacy'' was the first or second 
concern of 29 percent of respondents. All other issues, such a 
terrorism, world war, and global warming had scores of 23 percent or 
less.
    This growing concern stems from several trends, including the 
growing use of interconnected electronic media for business and 
personal activities, our increasing ability to know an individual's 
genetic make-up, and, in health care, the increasing complexity of the 
system. Each of these trends brings the potential for tremendous 
benefits to individuals and society generally. At the same time, each 
also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

    Until recently, health information was recorded and maintained on 
paper and stored in the offices of community-based physicians, nurses, 
hospitals, and other health care professionals and institutions. In 
some ways, this imperfect system of record keeping created a false 
sense of privacy among patients, providers, and others. Patients' 
health information has never remained completely confidential. Until 
recently, however, a breach of confidentiality involved a physical 
exchange of paper records or a verbal exchange of information. Today, 
however, more and more health care providers, plans, and others are 
utilizing electronic means of storing and transmitting health 
information. In 1996, the health care industry invested an estimated 
$10 billion to $15 billion on information technology. See National 
Research Council, Computer Science and Telecommunications Board, ``For 
the Record: Protecting Electronic Health Information,'' (1997). The 
electronic information revolution is transforming the recording of 
health information so that the disclosure of information may require 
only a push of a button. In a matter of seconds, a person's most 
profoundly private information can be shared with hundreds, thousands, 
even millions of individuals and organizations at a time. While the 
majority of medical records still are in paper form, information from 
those records is often copied and transmitted through electronic means.
    This ease of information collection, organization, retention, and 
exchange made possible by the advances in computer and other electronic 
technology affords many benefits to individuals and to the health care 
industry. Use of electronic information has helped to speed the 
delivery of effective care and the processing of billions of dollars 
worth of health care claims. Greater use of electronic data has also 
increased our ability to identify and treat those who are at risk for 
disease, conduct vital research, detect fraud and abuse, and measure 
and improve the quality of care delivered in the U.S. The National 
Research Council recently reported that ``the Internet has great 
potential to improve Americans'' health by enhancing communications and 
improving access to information for care providers, patients, health 
plan administrators, public health officials, biomedical researchers, 
and other health professionals.'' See ``Networking Health: 
Prescriptions for the Internet,'' National Academy of Sciences (2000).
    At the same time, these advances have reduced or eliminated many of 
the financial and logistical obstacles that previously served to 
protect the confidentiality of health information and the privacy 
interests of individuals. And they have made our information available 
to many more people. The shift from paper to electronic records, with 
the accompanying greater flows of sensitive health information, thus 
strengthens the arguments for giving legal protection to the right to 
privacy in health information. In an earlier period where it was far 
more expensive to access and use medical records, the risk of harm to 
individuals was relatively low. In the potential near future, when 
technology makes it almost free to send lifetime medical records over 
the Internet, the risks may grow rapidly. It may become cost-effective, 
for instance, for companies to offer services that allow purchasers to 
obtain details of a person's physical and mental treatments. In 
addition to legitimate possible uses for such services, malicious or 
inquisitive persons may download medical records for purposes ranging 
from identity theft to embarrassment to prurient interest in the life 
of a celebrity or neighbor. The comments to the proposed privacy rule 
indicate that many persons believe that they have a right to live in 
society without having these details of their lives laid open to 
unknown and possibly hostile eyes. These technological changes, in 
short, may provide a reason for institutionalizing

[[Page 82466]]

privacy protections in situations where the risk of harm did not 
previously justify writing such protections into law.
    The growing level of trepidation about privacy in general, noted 
above, has tracked the rise in electronic information technology. 
Americans have embraced the use of the Internet and other forms of 
electronic information as a way to provide greater access to 
information, save time, and save money. For example, 60 percent of 
Americans surveyed in 1999 reported that they have a computer in their 
home; 82 percent reported that they have used a computer; 64 percent 
say they have used the Internet; and 58 percent have sent an e-mail. 
Among those who are under the age of 60, these percentages are even 
higher. See ``National Survey of Adults on Technology,'' Henry J. 
Kaiser Family Foundation (February, 2000). But 59 percent of Americans 
reported that they worry that an unauthorized person will gain access 
to their information. A recent survey suggests that 75 percent of 
consumers seeking health information on the Internet are concerned or 
very concerned about the health sites they visit sharing their personal 
health information with a third party without their permission. Ethics 
Survey of Consumer Attitudes about Health Web Sites, California Health 
Care Foundation, at 3 (January, 2000).
    Unless public fears are allayed, we will be unable to obtain the 
full benefits of electronic technologies. The absence of national 
standards for the confidentiality of health information has made the 
health care industry and the population in general uncomfortable about 
this primarily financially-driven expansion in the use of electronic 
data. Many plans, providers, and clearinghouses have taken steps to 
safeguard the privacy of individually identifiable health information. 
Yet they must currently rely on a patchwork of State laws and 
regulations that are incomplete and, at times, inconsistent. States 
have, to varying degrees, attempted to enhance confidentiality by 
establishing laws governing at least some aspects of medical record 
privacy. This approach, though a step in the right direction, is 
inadequate. These laws fail to provide a consistent or comprehensive 
legal foundation of health information privacy. For example, there is 
considerable variation among the states in the type of information 
protected and the scope of the protections provided. See Georgetown 
Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini, 
Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, 
with Specific Emphasis on HIV and Immunization, Report to Centers for 
Disease Control, Council of State and Territorial Epidemiologists, and 
Task Force for Child Survival and Development, Carter Presidential 
Center (1996) (Gostin Study).
    Moreover, electronic health data is becoming increasingly 
``national''; as more information becomes available in electronic form, 
it can have value far beyond the immediate community where the patient 
resides. Neither private action nor state laws provide a sufficiently 
comprehensive and rigorous legal structure to allay public concerns, 
protect the right to privacy, and correct the market failures caused by 
the absence of privacy protections (see discussion below of market 
failure under section V.C). Hence, a national policy with consistent 
rules is necessary to encourage the increased and proper use of 
electronic information while also protecting the very real needs of 
patients to safeguard their privacy.

Advances in Genetic Sciences

    Recently, scientists completed nearly a decade of work unlocking 
the mysteries of the human genome, creating tremendous new 
opportunities to identify and prevent many of the leading causes of 
death and disability in this country and around the world. Yet the 
absence of privacy protections for health information endanger these 
efforts by creating a barrier of distrust and suspicion among 
consumers. A 1995 national poll found that more than 85 percent of 
those surveyed were either ``very concerned'' or ``somewhat concerned'' 
that insurers and employers might gain access to and use genetic 
information. See Harris Poll, 1995 #34. Sixty-three percent of the 
1,000 participants in a 1997 national survey said they would not take 
genetic tests if insurers and employers could gain access to the 
results. See ``Genetic Information and the Workplace,'' Department of 
Labor, Department of Health and Human Services, Equal Employment 
Opportunity Commission, January 20, 1998. ``In genetic testing studies 
at the National Institutes of Health, thirty-two percent of eligible 
people who were offered a test for breast cancer risk declined to take 
it, citing concerns about loss of privacy and the potential for 
discrimination in health insurance.'' Sen. Leahy's comments for March 
10, 1999 Introduction of the Medical Information Privacy and Security 
Act.

The Changing Health Care System

    The number of entities who are maintaining and transmitting 
individually identifiable health information has increased 
significantly over the last 10 years. In addition, the rapid growth of 
integrated health care delivery systems requires greater use of 
integrated health information systems. The health care industry has 
been transformed from one that relied primarily on one-on-one 
interactions between patients and clinicians to a system of integrated 
health care delivery networks and managed care providers. Such a system 
requires the processing and collection of information about patients 
and plan enrollees (for example, in claims files or enrollment 
records), resulting in the creation of databases that can be easily 
transmitted. This dramatic change in the practice of medicine brings 
with it important prospects for the improvement of the quality of care 
and reducing the cost of that care. It also, however, means that 
increasing numbers of people have access to health information. And, as 
health plan functions are increasingly outsourced, a growing number of 
organizations not affiliated with our physicians or health plans also 
have access to health information.
    According to the American Health Information Management Association 
(AHIMA), an average of 150 people ``from nursing staff to x-ray 
technicians, to billing clerks'' have access to a patient's medical 
records during the course of a typical hospitalization. While many of 
these individuals have a legitimate need to see all or part of a 
patient's records, no laws govern who those people are, what 
information they are able to see, and what they are and are not allowed 
to do with that information once they have access to it. According to 
the National Research Council, individually identifiable health 
information frequently is shared with:
     Consulting physicians;
     Managed care organizations;
     Health insurance companies
     Life insurance companies;
     Self-insured employers;
     Pharmacies;
     Pharmacy benefit managers;
     Clinical laboratories;
     Accrediting organizations;
     State and Federal statistical agencies; and
     Medical information bureaus.

Much of this sharing of information is done without the knowledge of 
the patient involved. While many of these functions are important for 
smooth functioning of the health care system, there are no rules 
governing how that

[[Page 82467]]

information is used by secondary and tertiary users. For example, a 
pharmacy benefit manager could receive information to determine whether 
an insurance plan or HMO should cover a prescription, but then use the 
information to market other products to the same patient. Similarly, 
many of us obtain health insurance coverage though our employer and, in 
some instances, the employer itself acts as the insurer. In these 
cases, the employer will obtain identifiable health information about 
its employees as part of the legitimate health insurance functions such 
as claims processing, quality improvement, and fraud detection 
activities. At the same time, there is no comprehensive protection 
prohibiting the employer from using that information to make decisions 
about promotions or job retention.
    Public concerns reflect these developments. A 1993 Lou Harris poll 
found that 75 percent of those surveyed worry that medical information 
from a computerized national health information system will be used for 
many non-health reasons, and 38 percent are very concerned. This poll, 
taken during the health reform efforts of 1993, showed that 85 percent 
of respondents believed that protecting the confidentiality of medical 
records is ``absolutely essential'' or ``very essential'' in health 
care reform. An ACLU Poll in 1994 also found that 75 percent of those 
surveyed are concerned a ``great deal'' or a ``fair amount''' about 
insurance companies putting medical information about them into a 
computer information bank to which others have access. Harris Equifax, 
Health Information Privacy Study 2,33 (1993) http://www.epic.org/
privacy/medical/poll.html. Another survey found that 35 percent of 
Fortune 500 companies look at people's medical records before making 
hiring and promotion decisions. Starr, Paul. ``Health and the Right to 
Privacy,'' American Journal of Law and Medicine, 1999. Vol 25, pp. 193-
201.
    Concerns about the lack of attention to information privacy in the 
health care industry are not merely theoretical. In the absence of a 
national legal framework of health privacy protections, consumers are 
increasingly vulnerable to the exposure of their personal health 
information. Disclosure of individually identifiable information can 
occur deliberately or accidentally and can occur within an organization 
or be the result of an external breach of security. Examples of recent 
privacy breaches include:
     A Michigan-based health system accidentally posted the 
medical records of thousands of patients on the Internet (The Ann Arbor 
News, February 10, 1999).
     A Utah-based pharmaceutical benefits management firm used 
patient data to solicit business for its owner, a drug store 
(Kiplingers, February 2000).
     An employee of the Tampa, Florida, health department took 
a computer disk containing the names of 4,000 people who had tested 
positive for HIV, the virus that causes AIDS (USA Today, October 10, 
1996).
     The health insurance claims forms of thousands of patients 
blew out of a truck on its way to a recycling center in East Hartford, 
Connecticut (The Hartford Courant, May 14, 1999).
     A patient in a Boston-area hospital discovered that her 
medical record had been read by more than 200 of the hospital's 
employees (The Boston Globe, August 1, 2000).
     A Nevada woman who purchased a used computer discovered 
that the computer still contained the prescription records of the 
customers of the pharmacy that had previously owned the computer. The 
pharmacy data base included names, addresses, social security numbers, 
and a list of all the medicines the customers had purchased. (The New 
York Times, April 4, 1997 and April 12, 1997).
     A speculator bid $4000 for the patient records of a family 
practice in South Carolina. Among the businessman's uses of the 
purchased records was selling them back to the former patients. (New 
York Times, August 14, 1991).
     In 1993, the Boston Globe reported that Johnson and 
Johnson marketed a list of 5 million names and addresses of elderly 
incontinent women. (ACLU Legislative Update, April 1998).
     A few weeks after an Orlando woman had her doctor perform 
some routine tests, she received a letter from a drug company promoting 
a treatment for her high cholesterol. (Orlando Sentinel, November 30, 
1997).
    No matter how or why a disclosure of personal information is made, 
the harm to the individual is the same. In the face of industry 
evolution, the potential benefits of our changing health care system, 
and the real risks and occurrences of harm, protection of privacy must 
be built into the routine operations of our health care system.

Privacy Is Necessary To Secure Effective, High Quality Health Care

    While privacy is one of the key values on which our society is 
built, it is more than an end in itself. It is also necessary for the 
effective delivery of health care, both to individuals and to 
populations. The market failures caused by the lack of effective 
privacy protections for health information are discussed below (see 
section V.C below). Here, we discuss how privacy is a necessary 
foundation for delivery of high quality health care. In short, the 
entire health care system is built upon the willingness of individuals 
to share the most intimate details of their lives with their health 
care providers.
    The need for privacy of health information, in particular, has long 
been recognized as critical to the delivery of needed medical care. 
More than anything else, the relationship between a patient and a 
clinician is based on trust. The clinician must trust the patient to 
give full and truthful information about their health, symptoms, and 
medical history. The patient must trust the clinician to use that 
information to improve his or her health and to respect the need to 
keep such information private. In order to receive accurate and 
reliable diagnosis and treatment, patients must provide health care 
professionals with accurate, detailed information about their personal 
health, behavior, and other aspects of their lives. The provision of 
health information assists in the diagnosis of an illness or condition, 
in the development of a treatment plan, and in the evaluation of the 
effectiveness of that treatment. In the absence of full and accurate 
information, there is a serious risk that the treatment plan will be 
inappropriate to the patient's situation.
    Patients also benefit from the disclosure of such information to 
the health plans that pay for and can help them gain access to needed 
care. Health plans and health care clearinghouses rely on the provision 
of such information to accurately and promptly process claims for 
payment and for other administrative functions that directly affect a 
patient's ability to receive needed care, the quality of that care, and 
the efficiency with which it is delivered.
    Accurate medical records assist communities in identifying 
troubling public health trends and in evaluating the effectiveness of 
various public health efforts. Accurate information helps public and 
private payers make correct payments for care received and lower costs 
by identifying fraud. Accurate information provides scientists with 
data they need to conduct research. We cannot improve the quality of 
health care without information about which treatments work, and which 
do not.
    Individuals cannot be expected to share the most intimate details 
of their lives unless they have confidence that such information will 
not be used or

[[Page 82468]]

shared inappropriately. Privacy violations reduce consumers' trust in 
the health care system and institutions that serve them. Such a loss of 
faith can impede the quality of the health care they receive, and can 
harm the financial health of health care institutions.
    Patients who are worried about the possible misuse of their 
information often take steps to protect their privacy. Recent studies 
show that a person who does not believe his privacy will be protected 
is much less likely to participate fully in the diagnosis and treatment 
of his medical condition. A national survey conducted in January 1999 
found that one in five Americans believe their health information is 
being used inappropriately. See California HealthCare Foundation, 
``National Survey: Confidentiality of Medical Records'' (January, 1999) 
(http://www.chcf.org). More troubling is the fact that one in six 
Americans reported that they have taken some sort of evasive action to 
avoid the inappropriate use of their information by providing 
inaccurate information to a health care provider, changing physicians, 
or avoiding care altogether. Similarly, in its comments on our proposed 
rule, the Association of American Physicians and Surgeons reported 78 
percent of its members reported withholding information from a 
patient's record due to privacy concerns and another 87 percent 
reported having had a patient request to withhold information from 
their records. For an example of this phenomenon in a particular 
demographic group, see Drs. Bearman, Ford, and Moody, ``Foregone Health 
Care among Adolescents,'' JAMA, vol. 282, no. 23 (999); Cheng, T.L., et 
al., ``Confidentiality in Health Care: A Survey of Knowledge, 
Perceptions, and Attitudes among High School Students,'' JAMA, vol. 
269, no. 11 (1993), at 1404-1407.
    The absence of strong national standards for medical privacy has 
widespread consequences. Health care professionals who lose the trust 
of their patients cannot deliver high-quality care. In 1999, a 
coalition of organizations representing various stakeholders including 
health plans, physicians, nurses, employers, disability and mental 
health advocates, accreditation organizations as well as experts in 
public health, medical ethics, information systems, and health policy 
adopted a set of ``best principles'' for health care privacy that are 
consistent with the standards we lay out here. (See the Health Privacy 
Working Group, ``Best Principles for Health Privacy'' (July, 1999) 
(Best Principles Study). The Best Principles Study states that--

    To protect their privacy and avoid embarrassment, stigma, and 
discrimination, some people withhold information from their health 
care providers, provide inaccurate information, doctor-hop to avoid 
a consolidated medical record, pay out-of-pocket for care that is 
covered by insurance, and--in some cases--avoid care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, 
numerous organizations representing health plans, health providers, 
employers, and others acknowledged the value of a set of national 
privacy standards to the efficient operation of their practices and 
businesses.

Breaches of Health Privacy Harm More Than Our Health Status

    A breach of a person's health privacy can have significant 
implications well beyond the physical health of that person, including 
the loss of a job, alienation of family and friends, the loss of health 
insurance, and public humiliation. For example:
     A banker who also sat on a county health board gained 
access to patients' records and identified several people with cancer 
and called in their mortgages. See the National Law Journal, May 30, 
1994.
     A physician was diagnosed with AIDS at the hospital in 
which he practiced medicine. His surgical privileges were suspended. 
See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 
597.
     A candidate for Congress nearly saw her campaign derailed 
when newspapers published the fact that she had sought psychiatric 
treatment after a suicide attempt. See New York Times, October 10, 
1992, Section 1, page 25.
     A 30-year FBI veteran was put on administrative leave 
when, without his permission, his pharmacy released information about 
his treatment for depression. (Los Angeles Times, September 1, 1998) 
Consumer Reports found that 40 percent of insurers disclose personal 
health information to lenders, employers, or marketers without customer 
permission. ``Who's reading your Medical Records,'' Consumer Reports, 
October 1994, at 628, paraphrasing Sweeny, Latanya, ``Weaving 
Technology and Policy Together to Maintain Confidentiality,'' The 
Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, 
Numbers 2,3.
    The answer to these concerns is not for consumers to withdraw from 
society and the health care system, but for society to establish a 
clear national legal framework for privacy. By spelling out what is and 
what is not an allowable use of a person's identifiable health 
information, such standards can help to restore and preserve trust in 
the health care system and the individuals and institutions that 
comprise that system. As medical historian Paul Starr wrote: ``Patients 
have a strong interest in preserving the privacy of their personal 
health information but they also have an interest in medical research 
and other efforts by health care organizations to improve the medical 
care they receive. As members of the wider community, they have an 
interest in public health measures that require the collection of 
personal data.'' (P. Starr, ``Health and the Right to Privacy,'' 
American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The 
task of society and its government is to create a balance in which the 
individual's needs and rights are balanced against the needs and rights 
of society as a whole.
    National standards for medical privacy must recognize the sometimes 
competing goals of improving individual and public health, advancing 
scientific knowledge, enforcing the laws of the land, and processing 
and paying claims for health care services. This need for balance has 
been recognized by many of the experts in this field. Cavoukian and 
Tapscott described it this way: ``An individual's right to privacy may 
conflict with the collective rights of the public * * *. We do not 
suggest that privacy is an absolute right that reigns supreme over all 
other rights. It does not. However, the case for privacy will depend on 
a number of factors that can influence the balance--the level of harm 
to the individual involved versus the needs of the public.''

The Federal Response

    There have been numerous federal initiatives aimed at protecting 
the privacy of especially sensitive personal information over the past 
several years--and several decades. While the rules below are likely 
the largest single federal initiative to protect privacy, they are by 
no means alone in the field. Rather, the rules arrive in the context of 
recent legislative activity to grapple with advances in technology, in 
addition to an already established body of law granting federal 
protections for personal privacy.
    In 1965, the House of Representatives created a Special 
Subcommittee on Invasion of Privacy. In 1973, this Department's 
predecessor agency, the Department of Health, Education and Welfare 
issued The Code of Fair Information Practice Principles establishing an 
important baseline for

[[Page 82469]]

information privacy in the U.S. These principles formed the basis for 
the federal Privacy Act of 1974, which regulates the government's use 
of personal information by limiting the disclosure of personally-
identifiable information, allows consumers access to information about 
them, requires federal agencies to specify the purposes for collecting 
personal information, and provides civil and criminal penalties for 
misuse of information.
    In the last several years, with the rapid expansion in electronic 
technology--and accompanying concerns about individual privacy--laws, 
regulations, and legislative proposals have been developed in areas 
ranging from financial privacy to genetic privacy to the safeguarding 
of children on-line. For example, the Children's Online Privacy 
Protection Act was enacted in 1998, providing protection for children 
when interacting at web-sites. In February, 2000, President Clinton 
signed Executive Order 13145, banning the use of genetic information in 
federal hiring and promotion decisions. The landmark financial 
modernization bill, signed by the President in November, 1999, likewise 
contained financial privacy protections for consumers. There also has 
been recent legislative activity on establishing legal safeguards for 
the privacy of individuals' Social Security numbers, and calls for 
regulation of on-line privacy in general.
    These most recent laws, regulations, and legislative proposals come 
against the backdrop of decades of privacy-enhancing statutes passed at 
the federal level to enact safeguards in fields ranging from government 
data files to video rental records. In the 1970s, individual privacy 
was paramount in the passage of the Fair Credit Reporting Act (1970), 
the Privacy Act (1974), the Family Educational Rights and Privacy Act 
(1974), and the Right to Financial Privacy Act (1978). These key laws 
were followed in the next decade by another series of statutes, 
including the Privacy Protection Act (1980), the Electronic 
Communications Privacy Act (1986), the Video Privacy Protection Act 
(1988), and the Employee Polygraph Protection Act (1988). In the last 
ten years, Congress and the President have passed additional legal 
privacy protection through, among others, the Telephone Consumer 
Protection Act (1991), the Driver's Privacy Protection Act (1994), the 
Telecommunications Act (1996), the Children's Online Privacy Protection 
Act (1998), the Identity Theft and Assumption Deterrence Act (1998), 
and Title V of the Gramm-Leach-Bliley Act (1999) governing financial 
privacy.
    In 1997, a Presidential advisory commission, the Advisory 
Commission on Consumer Protection and Quality in the Health Care 
Industry, recognized the need for patient privacy protection in its 
recommendations for a Consumer Bill of Rights and Responsibilities 
(November 1997). In 1997, Congress enacted the Balanced Budget Act 
(Public Law 105-34), which added language to the Social Security Act 
(18 U.S.C. 1852) to require Medicare+Choice organizations to establish 
safeguards for the privacy of individually identifiable patient 
information. Similarly, the Veterans Benefits section of the U.S. Code 
provides for confidentiality of medical records in cases involving drug 
abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell 
anemia (38 U.S.C. 7332).
    As described in more detail in the next section, Congress 
recognized the importance of protecting the privacy of health 
information by enacting the Health Insurance Portability and 
Accountability Act of 1996. The Act called on Congress to enact a 
medical privacy statute and asked the Secretary of Health and Human 
Services to provide Congress with recommendations for protecting the 
confidentiality of health care information. The Congress further 
recognized the importance of such standards by providing the Secretary 
with authority to promulgate regulations on health care privacy in the 
event that lawmakers were unable to act within the allotted three 
years.
    Finally, it also is important for the U.S. to join the rest of the 
developed world in establishing basic medical privacy protections. In 
1995, the European Union (EU) adopted a Data Privacy Directive 
requiring its 15 member states to adopt consistent privacy laws by 
October 1998. The EU urged all other nations to do the same or face the 
potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification 
Provisions

    The Congress addressed the opportunities and challenges presented 
by the rapid evolution of health information systems in the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), Public 
Law 104-191, which was enacted on August 21, 1996. Sections 261 through 
264 of HIPAA are known as the Administrative Simplification provisions. 
The major part of these Administrative Simplification provisions are 
found at section 262 of HIPAA, which enacted a new part C of title XI 
of the Social Security Act (hereinafter we refer to the Social Security 
Act as the ``Act'' and we refer to all other laws cited in this 
document by their names).
    In section 262, Congress primarily sought to facilitate the 
efficiencies and cost savings for the health care industry that the 
increasing use of electronic technology affords. Thus, section 262 
directs HHS to issue standards to facilitate the electronic exchange of 
information with respect to financial and administrative transactions 
carried out by health plans, health care clearinghouses, and health 
care providers who transmit information electronically in connection 
with such transactions.
    At the same time, Congress recognized the challenges to the 
confidentiality of health information presented by the increasing 
complexity of the health care industry, and by advances in health 
information systems technology and communications. Section 262 thus 
also directs HHS to develop standards to protect the security, 
including the confidentiality and integrity, of health information.
    Congress has long recognized the need for protection of health 
information privacy generally, as well as the privacy implications of 
electronic data interchange and the increased ease of transmitting and 
sharing individually identifiable health information. Congress has been 
working on broad health privacy legislation for many years and, as 
evidenced by the self-imposed three year deadline included in the 
HIPAA, discussed below, believes it can and should enact such 
legislation. A significant portion of the first Administrative 
Simplification section debated on the floor of the Senate in 1994 (as 
part of the Health Security Act) consisted of privacy provisions. In 
the version of the HIPAA passed by the House of Representatives in 
1996, the requirement for the issuance of privacy standards was located 
in the same section of the bill (section 1173) as the requirements for 
issuance of the other HIPAA Administrative Simplification standards. In 
conference, the requirement for privacy standards was moved to a 
separate section in the same part of HIPAA, section 264, so that 
Congress could link the Privacy standards to Congressional action.
    Section 264(b) requires the Secretary of HHS to develop and submit 
to the Congress recommendations for:
     The rights that an individual who is a subject of 
individually identifiable health information should have.

[[Page 82470]]

     The procedures that should be established for the exercise 
of such rights.
     The uses and disclosures of such information that should 
be authorized or required.

The Secretary's Recommendations were submitted to the Congress on 
September 11, 1997. Section 264(c)(1) provides that:

    If legislation governing standards with respect to the privacy 
of individually identifiable health information transmitted in 
connection with the transactions described in section 1173(a) of the 
Social Security Act (as added by section 262) is not enacted by 
[August 21, 1999], the Secretary of Health and Human Services shall 
promulgate final regulations containing such standards not later 
than [February 21, 2000]. Such regulations shall address at least 
the subjects described in subsection (b).

As the Congress did not enact legislation regarding the privacy of 
individually identifiable health information prior to August 21, 1999, 
HHS published proposed rules setting forth such standards on November 
3, 1999, 64 FR 59918, and is now publishing the mandated final 
regulation.
    These privacy standards have been, and continue to be, an integral 
part of the suite of Administrative Simplification standards intended 
to simplify and improve the efficiency of the administration of our 
health care system.

The Administrative Simplification Provisions, and Regulatory Actions to 
Date

    Part C of title XI consists of sections 1171 through 1179 of the 
Act. These sections define various terms and impose several 
requirements on HHS, health plans, health care clearinghouses, and 
health care providers who conduct the identified transactions 
electronically.
    The first section, section 1171 of the Act, establishes definitions 
for purposes of part C of title XI for the following terms: code set, 
health care clearinghouse, health care provider, health information, 
health plan, individually identifiable health information, standard, 
and standard setting organization.
    Section 1172 of the Act makes the standard adopted under part C 
applicable to: (1) Health plans, (2) health care clearinghouses, and 
(3) health care providers who transmit health information in electronic 
form in connection with transactions referred to in section 1173(a)(1) 
of the Act (hereinafter referred to as the ``covered entities''). 
Section 1172 also contains procedural requirements concerning the 
adoption of standards, including the role of standard setting 
organizations and required consultations, summarized in subsection F 
and section VI, below.
    Section 1173 of the Act requires the Secretary to adopt standards 
for transactions, and data elements for such transactions, to enable 
health information to be exchanged electronically. Section 1173(a)(1) 
describes the transactions to be promulgated, which include the nine 
transactions listed in section 1173(a)(2) and other transactions 
determined appropriate by the Secretary. The remainder of section 1173 
sets out requirements for the specific standards the Secretary is to 
adopt: Unique health identifiers, code sets, security standards, 
electronic signatures, and transfer of information among health plans. 
Of particular relevance to this proposed rule is section 1173(d), the 
security standard provision. The security standard authority applies to 
both the transmission and the maintenance of health information, and 
requires the entities described in section 1172(a) to maintain 
reasonable and appropriate safeguards to ensure the integrity and 
confidentiality of the information, protect against reasonably 
anticipated threats or hazards to the security or integrity of the 
information or unauthorized uses or disclosures of the information, and 
to ensure compliance with part C by the entity's officers and 
employees.
    In section 1174 of the Act, the Secretary is required to establish 
standards for all of the above transactions, except claims attachments, 
by February 21, 1998. The statutory deadline for the claims attachment 
standard is February 21, 1999.
    As noted above, a proposed rule for most of the transactions was 
published on May 7, 1998, and the final Transactions Rule was 
promulgated on August 17, 2000. The delay was caused by the deliberate 
consensus building process, working with industry, and the large number 
of comments received (about 17,000). In addition, in a series of 
Notices of Proposed Rulemakings, HHS published other proposed 
standards, as described above. Each of these steps was taken in concert 
with the affected professions and industries, to ensure rapid adoption 
and compliance.
    Generally, after a standard is established, it may not be changed 
during the first year after adoption except for changes that are 
necessary to permit compliance with the standard. Modifications to any 
of these standards may be made after the first year, but not more 
frequently than once every 12 months. The Secretary also must ensure 
that procedures exist for the routine maintenance, testing, 
enhancement, and expansion of code sets and that there are crosswalks 
from prior versions.
    Section 1175 of the Act prohibits health plans from refusing to 
process, or from delaying processing of, a transaction that is 
presented in standard format. It also establishes a timetable for 
compliance: each person to whom a standard or implementation 
specification applies is required to comply with the standard within 24 
months (or 36 months for small health plans) of its adoption. A health 
plan or other entity may, of course, comply voluntarily before the 
effective date. The section also provides that compliance with 
modifications to standards or implementation specifications must be 
accomplished by a date designated by the Secretary, which date may not 
be earlier than 180 days from the notice of change.
    Section 1176 of the Act establishes civil monetary penalties for 
violation of the provisions in part C of title XI of the Act, subject 
to several limitations. Penalties may not be more than $100 per person 
per violation and not more than $25,000 per person for violations of a 
single standard for a calendar year. The procedural provisions of 
section 1128A of the Act apply to actions taken to obtain civil 
monetary penalties under this section.
    Section 1177 establishes penalties for any person that knowingly 
uses a unique health identifier, or obtains or discloses individually 
identifiable health information in violation of the part. The penalties 
include: (1) A fine of not more than $50,000 and/or imprisonment of not 
more than 1 year; (2) if the offense is ``under false pretenses,'' a 
fine of not more than $100,000 and/or imprisonment of not more than 5 
years; and (3) if the offense is with intent to sell, transfer, or use 
individually identifiable health information for commercial advantage, 
personal gain, or malicious harm, a fine of not more than $250,000 and/
or imprisonment of not more than 10 years.
    Under section 1178 of the Act, the requirements of part C, as well 
as any standards or implementation specifications adopted thereunder, 
preempt contrary state law. There are three exceptions to this general 
rule of preemption: State laws that the Secretary determines are 
necessary for certain purposes set forth in the statute; state laws 
that the Secretary determines address controlled substances; and state 
laws relating to the privacy of

[[Page 82471]]

individually identifiable health information that are contrary to and 
more stringent than the federal requirements. There also are certain 
areas of state law (generally relating to public health and oversight 
of health plans) that are explicitly carved out of the general rule of 
preemption and addressed separately.
    Section 1179 of the Act makes the above provisions inapplicable to 
financial institutions (as defined by section 1101 of the Right to 
Financial Privacy Act of 1978) or anyone acting on behalf of a 
financial institution when ``authorizing, processing, clearing, 
settling, billing, transferring, reconciling, or collecting payments 
for a financial institution.''
    Finally, as explained above, section 264 requires the Secretary to 
issue standards with respect to the privacy of individually 
identifiable health information. Section 264 also contains a preemption 
provision that provides that contrary provisions of state laws that are 
more stringent than the federal standards, requirements, or 
implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

    A number of facts informed our approach to this regulation. 
Determining the best approach to protecting privacy depends on where we 
start, both with respect to existing legal expectations and also with 
respect to the expectations of individuals, health care providers, 
payers and other stakeholders. From the comments we received on the 
proposed rule, and from the extensive fact finding in which we engaged, 
a confused picture developed. We learned that stakeholders in the 
system have very different ideas about the extent and nature of the 
privacy protections that exist today, and very different ideas about 
appropriate uses of health information. This leads us to seek to 
balance the views of the different stakeholders, weighing the varying 
interests on each particular issue with a view to creating balance in 
the regulation as a whole.
    For example, we received hundreds of comments explaining the 
legitimacy of various uses and disclosure of health information. We 
agree that many uses and disclosures of health information are 
``legitimate,'' but that is not the end of the inquiry. Neither 
privacy, nor the important social goals described by the commenters, 
are absolutes. In this regulation, we are asking health providers and 
institutions to add privacy into the balance, and we are asking 
individuals to add social goals into the balance.
    The vast difference among regulated entities also informed our 
approach in significant ways. This regulation applies to solo 
practitioners, and multi-national health plans. It applies to 
pharmacies and information clearinghouses. These entities differ not 
only in the nature and scope of their businesses, but also in the 
degree of sophistication of their information systems and information 
needs. We therefore designed the core requirements of this regulation 
to be flexible and ``scalable.'' This is reflected throughout the rule, 
particularly in the implementation specifications for making the 
minimum necessary uses and disclosures, and in the administrative 
policies and procedures requirements.
    We also are informed by the rapid evolution in industry 
organization and practice. Our goal is to enhance privacy protections 
in ways that do not impede this evolution. For example, we received 
many comments asking us to assign a status under this regulation based 
on a label or title. For example, many commenters asked whether 
``disease management'' is a ``health care operation,'' or whether a 
``pharmacy benefits manager'' is a covered entity. From the comments 
and our fact-finding, however, we learned that these terms do not have 
consistent meanings today; rather, they encompass diverse activities 
and information practices. Further, the statutory definitions of key 
terms such as health care provider and health care clearinghouse 
describe functions, not specific types of persons or entities. To 
respect both the Congressional approach and industry evolution, we 
design the rule to follow activities and functions, not titles and 
labels.
    Similarly, many comments asked whether a particular person would be 
a ``business associate'' under the rule, based on the nature of the 
person's business. Whether a business associate arrangement must exist 
under the rule, however, depends on the relationship between the 
entities and the services being performed, not on the type of persons 
or companies involved.
    Our approach is also significantly informed by the limited 
jurisdiction conferred by HIPAA. In large part, we have the authority 
to regulate those who create and disclose health information, but not 
many key stakeholders who receive that health information from a 
covered entity. Again, this led us to look to the balance between the 
burden on covered entities and need to protect privacy in determining 
our approach to such disclosures. In some instances, we approach this 
dilemma by requiring covered entities to obtain a representation or 
documentation of purpose from the person requesting information. While 
there would be advantages to legislation regulating such third persons 
directly, we cannot justify abandoning any effort to enhance privacy.
    It also became clear from the comments and our fact-finding that we 
have expectations as a society that conflict with individuals' views 
about the privacy of health information. We expect the health care 
industry to develop treatment protocols for the delivery of high 
quality health care. We expect insurers and the government to reduce 
fraud in the health care system. We expect to be protected from 
epidemics, and we expect medical research to produce miracles. We 
expect the police to apprehend suspects, and we expect to pay for our 
care by credit card. All of these activities involve disclosure of 
health information to someone other than our physician.
    While most commenters support the concept of health privacy in 
general, many go on to describe activities that depend on the 
disclosure of health information and urge us to protect those 
information flows. Section III, in which we respond to the comments, 
describes our approach to balancing these conflicting expectations.
    Finally, we note that many commenters were concerned that this 
regulation would lessen current privacy protections. It is important to 
understand this regulation as a new federal floor of privacy 
protections that does not disturb more protective rules or practices. 
Nor do we intend this regulation to describe a set of a ``best 
practices.'' Rather, this regulation describes a set of basic consumer 
protections and a series of regulatory permissions for use and 
disclosure of health information. The protections are a mandatory 
floor, which other governments and any covered entity may exceed. The 
permissions are just that, permissive--the only disclosures of health 
information required under this rule are to the individual who is the 
subject of the information or to the Secretary for enforcement of this 
rule. We expect covered entities to rely on their professional ethics 
and use their own best judgements in deciding which of these 
permissions they will use.

Combining Workability With New Protections

    This rule establishes national minimum standards to protect the 
privacy of individually identifiable health information in prescribed

[[Page 82472]]

settings. The standards address the many varied uses and disclosures of 
individually identifiable health information by health plans, certain 
health care providers and health care clearinghouses. The complexity of 
the standards reflects the complexity of the health care marketplace to 
which they apply and the variety of subjects that must be addressed. 
The rule applies not only to the core health care functions relating to 
treating patients and reimbursing health care providers, but also to 
activities that range from when individually identifiable health 
information should be available for research without authorization to 
whether a health care provider may release protected health information 
about a patient for law enforcement purposes. The number of discrete 
provisions, and the number of commenters requesting that the rule 
recognize particular activities, is evidence of the significant role 
that individually identifiable health information plays in many vital 
public and private concerns.
    At the same time, the large number of comments from individuals and 
groups representing individuals demonstrate the deep public concern 
about the need to protect the privacy of individually identifiable 
health information. The discussion above is rich with evidence about 
the importance of protecting privacy and the potential adverse 
consequences to individuals and their health if such protections are 
not extended.
    The need to balance these competing interests--the necessity of 
protecting privacy and the public interest in using identifiable health 
information for vital public and private purposes--in a way that is 
also workable for the varied stakeholders causes much of the complexity 
in the rule. Achieving workability without sacrificing protection means 
some level of complexity, because the rule must track current practices 
and current practices are complex. We believe that the complexity 
entailed in reflecting those practices is better public policy than a 
perhaps simpler rule that disturbed important information flows.
    Although the rule taken as a whole is complicated, we believe that 
the standards are much less complex as they apply to particular actors. 
What a health plan or covered health care provider must do to comply 
with the rule is clear, and the two-year delayed implementation 
provides a substantial period for trade and professional associations, 
working with their members, to assess the effects of the standards and 
develop policies and procedures to come into compliance with them. For 
individuals, the system may look substantially more complicated 
because, for the first time, we are ensuring that individuals will 
receive detailed information about how their individually identifiable 
health information may be used and disclosed. We also provide 
individuals with additional tools to exercise some control over those 
uses and disclosures. The additional complexity for individuals is the 
price of expanding their understanding and their rights.
    The Department will work actively with members of the health care 
industry, representatives of individuals and others during the 
implementation of this rule. As stated elsewhere, our focus is to 
develop broader understanding of how the standards work and to 
facilitate compliance. We intend to provide guidance and check lists as 
appropriate, particularly to small businesses affected by the rule. We 
also will work with trade and professional associations to develop 
guidance and provide technical assistance so that they can help their 
members understand and comply with these new standards. If this effort 
is to succeed, the various public and private participants inside and 
outside of the health care system will need to work together to assure 
that the competing interests described above remain in balance and that 
an ethic that recognizes their importance is established.

Enforcement

    The Secretary has decided to delegate her responsibility under this 
regulation to the Department's Office for Civil Rights (OCR). OCR will 
be responsible for enforcement of this regulation. Enforcement 
activities will include working with covered entities to secure 
voluntary compliance through the provision of technical assistance and 
other means; responding to questions regarding the regulation and 
providing interpretations and guidance; responding to state requests 
for exception determinations; investigating complaints and conducting 
compliance reviews; and, where voluntary compliance cannot be achieved, 
seeking civil monetary penalties and making referrals for criminal 
prosecution.

Consent

Current Law and Practice
    The issue that drew the most comments overall is the question of 
when individuals' permission should be obtained prior to use or 
disclosure of their health information. We learned that individuals' 
views and the legal view of ``consent'' for use and disclosure of 
health information are different and in many ways incompatible. 
Comments from individuals revealed a common belief that, today, people 
must be asked permission for each and every release of their health 
information. Many believe that they ``own'' the health records about 
them. However, current law and practice do not support this view.
    Current privacy protection practices are determined in part by the 
standards and practices that the professional associations have adopted 
for their members. Professional codes of conduct for ethical behavior 
generally can be found as opinions and guidelines developed by 
organizations such as the American Medical Association, American 
Nurses' Association, the American Hospital Association, the American 
Psychiatric Association, and the American Dental Association. These are 
generally issued though an organization's governing body. The codes do 
not have the force of law, but providers often recognize them as 
binding rules.
    Our review of professional codes of ethics revealed partial, but 
loose, support for individuals' expectations of privacy. For example, 
the American Medical Association's Code of Ethics recognizes both the 
right to privacy and the need to balance it against societal needs. It 
reads in part: ``conflicts between a patient's right to privacy and a 
third party's need to know should be resolved in favor of the patient, 
except where that would result in serious health hazard or harm to the 
patient or others.'' AMA Policy No 140.989. See also, Mass. Med. 
Society, Patient Privacy and Confidentiality (1996), at 14:

    Patients enter treatment with the expectation that the 
information they share will be used exclusively for their clinical 
care. Protection of our patients' confidences is an integral part of 
our ethical training.

    These codes, however, do not apply to many who obtain information 
from providers. For example, the National Association of Insurance 
Commissioners model code, ``Health Information Privacy Model Act'' 
(1998), applies to insurers but has not been widely adopted. Codes of 
ethics are also often written in general terms that do not provide 
guidance to providers and plans confronted with specific questions 
about protecting health information.
    State laws are a crucial means of protecting health information, 
and today state laws vary dramatically. Some states defer to the 
professional codes of conduct, others provide general guidelines for 
privacy protection, and

[[Page 82473]]

others provide detailed requirements relating to the protection of 
information relating to specific diseases or to entire classes of 
information. Cf., D.C. Code Ann. Sec. 2-3305.14(16) and Haw. Rev. Stat. 
323C, et seq. In general, state statutes and case law addressing 
consent to use of health information do not support the public's strong 
expectations regarding consent for use and disclosure of health 
information. Only about half of the states have a general law that 
prohibits disclosure of health information without patient 
authorization and some of these are limited to hospital medical 
records.
    Even when a state has a law limiting disclosure of health 
information, the law typically exempts many types of disclosure from 
the authorization requirement. Georgetown Study, Key Findings; Lisa 
Dahm, ``50-State Survey on Patient Health Care Record 
Confidentiality,'' American Health Lawyers Association (1999). One of 
the most common exemptions from a consent requirement is disclosure of 
health information for treatment and related purposes. See, e.g., 
Wis.Stat. Sec. 164.82; Cal. Civ. Code 56:10; National Conference of 
Commissioners on Uniform State Laws, Uniform Health-Care Information 
Act, Minneapolis, MN, August 9, 1985. Some states include utilization 
review and similar activities in the exemption. See, e.g., Ariz. Rev. 
Stat. Sec. 12-2294. Another common exemption from consent is disclosure 
of health information for purposes of obtaining payment. See, e.g., 
Fla. Stat. Ann. Sec. 455.667; Tex. Rev. Civ. Stat. Art. 4495, 
Sec. 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions 
include disclosures for emergency care, and for disclosures to 
government authorities (such as a department of public health). See 
Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law 
enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 
2000), coroners (Wis. Stat. Sec. 146.82), and for such purposes as 
business operations, oversight, research, and for directory 
information. Under these exceptions, providers can disclose health 
information without any consent or authorization from the patient. When 
states require specific, written authorization for disclosure of health 
information, the authorizations are usually only required for certain 
types of disclosures or certain types of information, and one 
authorization can suffice for multiple disclosures over time.
    The states that do not have laws prohibiting disclosure of health 
information impose no specific requirements for consent or 
authorization prior to release of health information. There may, 
however, be other controls on release of health information. For 
instance, most health care professional licensure laws include general 
prohibitions against ``breaches of confidentiality.'' In some states, 
patients can hold providers accountable for some unauthorized 
disclosures of health information about them under various tort 
theories, such as invasion of privacy and breach of a confidential 
relationship. While these controls may affect certain disclosure 
practices, they do not amount to a requirement that a provider obtain 
authorization for each and every disclosure of health information.
    Further, patients are typically not given a choice; they must sign 
the ``consent'' in order to receive care. As the Georgetown Study 
points out, ``In effect, the authorization may function more as a 
waiver of consent--the patient may not have an opportunity to object to 
any disclosures.'' Georgetown Study, Key Findings.
    In the many cases where neither state law nor professional ethical 
standards exist, the only privacy protection individuals have is 
limited to the policies and procedures that the health care entity 
adopts. Corporate privacy policies are often proprietary. While several 
professional associations attached their privacy principles to their 
comments, health care entities did not. One study we found indicates 
that these policies are not adequate to provide appropriate privacy 
protections and alleviate public concern. The Committee on Maintaining 
Privacy and Security in Health Care Applications of the National 
Information Infrastructure made multiple findings highlighting the need 
for heightened privacy and security, including:

    Finding 5: The greatest concerns regarding the privacy of health 
information derives from widespread sharing of patient information 
throughout the health care industry and the inadequate federal and 
state regulatory framework for systematic protection of health 
information.
    For the Record: Protecting Electronic Health Information, 
National Academy Press, Washington DC, 1997.
Consent Under This Rule
    In the NPRM, we expressed concern about the coercive nature of 
consents currently obtained by providers and plans relating to the use 
and disclosure of health information. We also expressed concern about 
the lack of information available to the patient during the process, 
and the fact that patients often were not even presented with a copy of 
the consent that they have signed. These and other concerns led us to 
propose that covered entities be permitted to use and disclose 
protected health information for treatment, payment and health care 
operations without the express consent of the subject individual.
    In the final rule, we alter our proposed approach and require, in 
most instances, that health care providers who have a direct treatment 
relationship with their patients obtain the consent of their patients 
to use and disclose protected health information for treatment, payment 
and health care operations. While our concern about the coerced nature 
of these consents remains, many comments that we received from 
individuals, health care professionals, and organizations that 
represent them indicated that both patients and practitioners believe 
that patient consent is an important part of the current health care 
system and should be retained.
    Providing and obtaining consent clearly has meaning for patients 
and practitioners. Patient advocates argued that the act of signing 
focuses the patient's attention on the substance of the transaction and 
provides an opportunity for the patient to ask questions about or seek 
modifications in the provider's practices. Many health care 
practitioners and their representatives argued that seeking a patient's 
consent to disclose confidential information is an ethical requirement 
that strengthens the physician-patient relationship. Both practitioners 
and patients argued that the approach proposed in the NPRM actually 
reduced patient protections by eliminating the opportunity for patients 
to agree to how their confidential information would be used and 
disclosed.
    While we believe that the provisions in the NPRM that provided for 
detailed notice to the patient and the right to request restrictions 
would have provided an opportunity for patients and providers to 
discuss and negotiate over information practices, it is clear from the 
comments that many practitioners and patients believe the approach 
proposed in the NPRM is not an acceptable replacement for the patient 
providing consent.
    To encourage a more informed interaction between the patient and 
the provider during the consent process, the final rule requires that 
the consent form that is presented to the patient be accompanied by a 
notice that contains a detailed discussion of the provider's health 
information practices. The consent form must reference the notice and 
also must inform the patient that he

[[Page 82474]]

or she has the right to ask the health care provider to request certain 
restrictions as to how the information of the patient will be used or 
disclosed. Our goal is to provide an opportunity for and to encourage 
more informed discussions between patients and providers about how 
protected health information will be used and disclosed within the 
health care system.
    We considered and rejected other approaches to consent, including 
those that involved individuals providing a global consent to uses and 
disclosures when they sign up for insurance. While such approaches do 
require the patient to provide consent, it is not really an informed 
one or a voluntary one. It is also unclear how a consent obtained at 
the enrollment stage would be meaningfully communicated to the many 
providers who create the health information in the first instance. The 
ability to negotiate restrictions or otherwise have a meaningful 
discussion with the front-line provider would be independent of, and 
potentially in conflict with, the consent obtained at the enrollment 
stage. In addition, employers today are moving toward simplified 
enrollment forms, using check-off boxes and similar devices. The 
opportunity for any meaningful consideration or interaction at that 
point is slight. For these and other reasons, we decided that, to the 
extent a consent can accomplish the goal sought by individuals and 
providers, it must be focused on the direct interaction between an 
individual and provider.
    The comments and fact-finding indicate that our approach will not 
significantly change the administrative aspect of consent as it exists 
today. Most direct treatment providers today obtain some type of 
consent for some uses and disclosures of health information. Our 
regulation will ensure that those consents cover the routine uses and 
disclosures of health information, and provide an opportunity for 
individuals to obtain further information and have further discussion, 
should they so desire.

Administrative Costs

    Section 1172(b) of the Act provides that ``[a]ny standard adopted 
under this part [part C of title XI of the Act] shall be consistent 
with the objective of reducing the administrative costs of providing 
and paying for health care.'' The privacy and security standards are 
the platform on which the remaining standards rest; indeed, the design 
of part C of title XI makes clear that the various standards are 
intended to function together. Thus, the costs of privacy and security 
are properly attributable to the suite of administrative simplification 
regulations as a whole, and the cost savings realized should likewise 
be calculated on an aggregated basis, as is done below. Because the 
privacy standards are an integral and necessary part of the suite of 
Administrative Simplification standards, and because that suite of 
standards will result in substantial administrative cost savings, the 
privacy standards are ``consistent with the objective of reducing the 
administrative costs of providing and paying for health care.''
    As more fully discussed in the Regulatory Impact and Regulatory 
Flexibility analyses below, we recognize that these privacy standards 
will entail substantial initial and ongoing administrative costs for 
entities subject to the rules. It is also the case that the privacy 
standards, like the security standards authorized by section 1173(d) of 
the Act, are necessitated by the technological advances in information 
exchange that the remaining Administrative Simplification standards 
facilitate for the health care industry. The same technological 
advances that make possible enormous administrative cost savings for 
the industry as a whole have also made it possible to breach the 
security and privacy of health information on a scale that was 
previously inconceivable. The Congress recognized that adequate 
protection of the security and privacy of health information is a sine 
qua non of the increased efficiency of information exchange brought 
about by the electronic revolution, by enacting the security and 
privacy provisions of the law. Thus, as a matter of policy as well as 
law, the administrative standards should be viewed as a whole in 
determining whether they are ``consistent with'' the objective of 
reducing administrative costs.

Consultations

    The Congress required the Secretary to consult with specified 
groups in developing the standards under sections 262 and 264. Section 
264(d) of HIPAA specifically requires the Secretary to consult with the 
National Committee on Vital and Health Statistics (NCVHS) and the 
Attorney General in carrying out her responsibilities under the 
section. Section 1172(b)(3) of the Act, which was enacted by section 
262, requires that, in developing a standard under section 1172 for 
which no standard setting organization has already developed a 
standard, the Secretary must, before adopting the standard, consult 
with the National Uniform Billing Committee (NUBC), the National 
Uniform Claim Committee (NUCC), the Workgroup for Electronic Data 
Interchange (WEDI), and the American Dental Association (ADA). Section 
1172(f) also requires the Secretary to rely on the recommendations of 
the NCVHS and consult with other appropriate federal and state agencies 
and private organizations.
    We engaged in the required consultations including the Attorney 
General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in 
developing the Recommendations, upon which this proposed rule is based. 
We continued to consult with this committee by requesting the committee 
to review the proposed rule and provide comments prior to its 
publication, and by reviewing transcripts of its public meeting on 
privacy and related topics. We consulted with representatives of the 
National Congress of American Indians, the National Indian Health 
Board, and the self governance tribes. We also met with representatives 
of the National Governors' Association, the National Conference of 
State Legislatures, the National Association of Public Health 
Statistics and Information Systems, and a number of other state 
organizations to discuss the framework for the proposed rule, issues of 
special interests to the states, and the process for providing comments 
on the proposed rule.
    Many of these groups submitted comments to the proposed rule, and 
those were taken into account in developing the final regulation.
    In addition to the required consultations, we met with numerous 
individuals, entities, and agencies regarding the regulation, with the 
goal of making these standards as compatible as possible with current 
business practices, while still enhancing privacy protection. During 
the open comment period, we met with dozens of groups.
    Relevant federal agencies participated in the interagency working 
groups that developed the NPRM and the final regulation, with 
additional representatives from all operating divisions and many staff 
offices of HHS. The following federal agencies and offices were 
represented on the interagency working groups: the Department of 
Justice, the Department of Commerce, the Social Security 
Administration, the Department of Defense, the Department of Veterans 
Affairs, the Department of Labor, the Office of Personnel Management, 
and the Office of Management and Budget.

[[Page 82475]]

II. Section-by-Section Description of Rule Provisions

Part 160--Subpart A--General Provisions

    Part 160 applies to all the administrative simplification 
regulations. We include the entire regulation text in this rule, not 
just those provisions relevant to this Privacy regulation. For example, 
the term ``trading partner'' is defined here, for use in the Health 
Insurance Reform: Standards for Electronic Transactions regulation, 
published at 65 FR 50312, August 17, 2000 (the ``Transactions Rule''). 
It does not appear in the remainder of this Privacy rule.
    Sections 160.101 and 160.104 of Subpart A of part 160 were 
promulgated in the Transactions Rule, and we do not change them here. 
We do, however, make changes and additions to Sec. 160.103, the 
definitions section of Subpart A. The definitions that were promulgated 
in the Transactions Rule and that remain unchanged here are: Act, ANSI, 
covered entity, compliance date, group health plan, HCFA, HHS, health 
care provider, health information, health insurance issuer, health 
maintenance organization, modify or modification, Secretary, small 
health plan, standard setting organization, and trading partner 
agreement. Of these terms, we discuss further in this preamble only 
covered entity and health care provider.

Section 160.102--Applicability

    The proposed rule stated that the subchapter (Parts 160, 162, and 
164) applies to the entities set out at section 1172(a) of the Act: 
Health plans, health care clearinghouses, and health care providers who 
transmit any health information in electronic form in connection with a 
transaction covered by the subchapter. The final rule adds a provision 
(Sec. 160.102(b)) clarifying that to the extent required under section 
201(a)(5) of HIPAA, nothing in the subchapter is to be construed to 
diminish the authority of any Inspector General. This was done in 
response to comment, to clarify that the administrative simplification 
rules, including the rules below, do not conflict with the cited 
provision of HIPAA.

Section 160.103--Definitions

Business Associate

    We proposed to define the term ``business partner'' to mean, with 
respect to a covered entity, a person to whom the covered entity 
discloses protected health information so that the person can carry 
out, assist with the performance of, or perform on behalf of, a 
function or activity for the covered entity. ``Business partner'' would 
have included contractors or other persons who receive protected health 
information from the covered entity (or from another business partner 
of the covered entity) for the purposes described in the previous 
sentence, including lawyers, auditors, consultants, third-party 
administrators, health care clearinghouses, data processing firms, 
billing firms, and other covered entities. ``Business partner'' would 
have excluded persons who are within the covered entity's workforce, as 
defined in this section.
    This rule reflects the change in the name from ``business partner'' 
to ``business associate,'' included in the Transactions Rule.
    In the final rule, we change the definition of ``business 
associate'' to clarify the circumstances in which a person is acting as 
a business associate of a covered entity. The changes clarify that the 
business association occurs when the right to use or disclose the 
protected health information belongs to the covered entity, and another 
person is using or disclosing the protected health information (or 
creating, obtaining and using the protected health information) to 
perform a function or activity on behalf of the covered entity. We also 
clarify that providing specified services to a covered entity creates a 
business associate relationship if the provision of the service 
involves the disclosure of protected health information to the service 
provider. In the proposed rule, we had included a list of persons that 
were considered to be business partners of the covered entity. However, 
it is not always clear whether the provision of certain services to a 
covered entity is ``for'' the covered entity or whether the service 
provider is acting ``on behalf of'' the covered entity. For example, a 
person providing management consulting services may need protected 
health information to perform those services, but may not be acting 
``on behalf of'' the covered entity. This we believe led to some 
general confusion among the commenters as to whether certain 
arrangements fell within the definition of a business partner under the 
proposed rule. The construction of the final rule clarifies that the 
provision of the specified services gives rise to a business associate 
relationship if the performance of the service involves disclosure of 
protected health information by the covered entity to the business 
associate. The specified services are legal, actuarial, accounting, 
consulting, management, administrative accreditation, data aggregation, 
and financial services. The list is intended to include the types of 
services commonly provided to covered entities where the disclosure of 
protected health information is routine to the performance of the 
service, but when the person providing the service may not always be 
acting ``on behalf of'' the covered entity.
    In the final rule, we reorganize the list of examples of the 
functions or activities that may be conducted by business associates. 
We place a part of the proposed list in the portion of the definition 
that addresses when a person is providing functions or activities for 
or on behalf of a covered entity. We place other parts of the list in 
the portion of the definition that specifies the services that give 
rise to a business associate relationship, as discussed above. We also 
have expanded the examples to provide additional guidance and in 
response to questions from commenters.
    We have added data aggregation to the list of services that give 
rise to a business associate relationship. Data aggregation, as 
discussed below, is where a business associate in its capacity as the 
business associate of one covered entity combines the protected health 
information of such covered entity with protected health information 
received by the business associate in its capacity as a business 
associate of another covered entity in order to permit the creation of 
data for analyses that relate to the health care operations of the 
respective covered entities. Adding this service to the business 
associate definition clarifies the ability of covered entities to 
contract with business associates to undertake quality assurance and 
comparative analyses that involve the protected health information of 
more than one contracting covered entity. For example, a state hospital 
association could act as a business associate of its member hospitals 
and could combine data provided to it to assist the hospitals in 
evaluating their relative performance in areas such as quality, 
efficiency and other patient care issues. As discussed below, however, 
the business associate contracts of each of the hospitals would have to 
permit the activity, and the protected health information of one 
hospital could not be disclosed to another hospital unless the 
disclosure is otherwise permitted by the rule.
    The definition also states that a business associate may be a 
covered entity, and that business associate excludes a person who is 
part of the covered entity's workforce.
    We also clarify in the final rule that a business association 
arises with

[[Page 82476]]

respect to a covered entity when a person performs functions or 
activities on behalf of, or provides the specified services to or for, 
an organized health care health care arrangement in which the covered 
entity participates. This change recognizes that where covered entities 
participate in certain joint arrangements for the financing or delivery 
of health care, they often contract with persons to perform functions 
or to provide services for the joint arrangement. This change is 
consistent with changes made in the final rule to the definition of 
health care operations, which permits covered entities to use or 
disclose protected health information not only for their own health 
care operations, but also for the operations of an organized health 
care arrangement in which the covered entity participates. By making 
these changes, we avoid the confusion that could arise in trying to 
determine whether a function or activity is being provided on behalf of 
(or if a specified service is being provided to or for) a covered 
entity or on behalf of or for a joint enterprise involving the covered 
entity. The change clarifies that in either instance the person 
performing the function or activity (or providing the specified 
service) is a business associate.
    We also add language to the final rule that clarifies that the mere 
fact that two covered entities participate in an organized health care 
arrangement does not make either of the covered entities a business 
associate of the other covered entity. The fact that the entities 
participate in joint health care operations or other joint activities, 
or pursue common goals through a joint activity, does not mean that one 
party is performing a function or activity on behalf of the other party 
(or is providing a specified services to or for the other party).
    In general under this provision, actions relating to the protected 
health information of an individual undertaken by a business associate 
are considered, for the purposes of this rule, to be actions of the 
covered entity, although the covered entity is subject to sanctions 
under this rule only if it has knowledge of the wrongful activity and 
fails to take the required actions to address the wrongdoing. For 
example, if a business associate maintains the medical records or 
manages the claims system of a covered entity, the covered entity is 
considered to have protected health information and the covered entity 
must ensure that individuals who are the subject of the information can 
have access to it pursuant to Sec. 164.524.
    The business associate relationship does not describe all 
relationships between covered entities and other persons or 
organizations. While we permit uses or disclosures of protected health 
information for a variety of purposes, business associate contracts or 
other arrangements are only required for those cases in which the 
covered entity is disclosing information to someone or some 
organization that will use the information on behalf of the covered 
entity, when the other person will be creating or obtaining protected 
health information on behalf of the covered entity, or when the 
business associate is providing the specified services to the covered 
entity and the provision of those services involves the disclosure of 
protected health information by the covered entity to the business 
associate. For example, when a health care provider discloses protected 
health information to health plans for payment purposes, no business 
associate relationship is established. While the covered provider may 
have an agreement to accept discounted fees as reimbursement for 
services provided to health plan members, neither entity is acting on 
behalf of or providing a service to the other.
    Similarly, where a physician or other provider has staff privileges 
at an institution, neither party to the relationship is a business 
associate based solely on the staff privileges because neither party is 
providing functions or activities on behalf of the other. However, if a 
party provides services to or for the other, such as where a hospital 
provides billing services for physicians with staff privileges, a 
business associate relationship may arise with respect to those 
services. Likewise, where a group health plan purchases insurance or 
coverage from a health insurance issuer or HMO, the provision of 
insurance by the health insurance issuer or HMO to the group health 
plan does not make the issuer a business associate. In such case, the 
activities of the health insurance issuer or HMO are on their own 
behalf and not on the behalf of the group health plan. We note that 
where a group health plan contracts with a health insurance issuer or 
HMO to perform functions or activities or to provide services that are 
in addition to or not directly related to the provision of insurance, 
the health insurance issuer or HMO may be a business associate with 
respect to those additional functions, activities or services. We also 
note that covered entities are permitted to disclose protected health 
information to oversight agencies that act to provide oversight of 
federal programs and the health care system. These oversight agencies 
are not performing services for or on behalf of the covered entities 
and so are not business associates of the covered entities. Therefore 
HCFA, the federal agency that administers Medicare, is not required to 
enter into a business associate contract in order to disclose protected 
health information to the Department's Office of Inspector General.
    We do not require a covered entity to enter into a business 
associate contract with a person or organization that acts merely as a 
conduit for protected health information (e.g., the US Postal Service, 
certain private couriers and their electronic equivalents). A conduit 
transports information but does not access it other than on a random or 
infrequent basis as may be necessary for the performance of the 
transportation service, or as required by law. Since no disclosure is 
intended by the covered entity and the probability of exposure of any 
particular protected health information to a conduit is very small, we 
do not consider a conduit to be a business associate of the covered 
entity.
    We do not consider a financial institution to be acting on behalf 
of a covered entity, and therefore no business associate contract is 
required, when it processes consumer-conducted financial transactions 
by debit, credit or other payment card, clears checks, initiates or 
processes electronic funds transfers, or conducts any other activity 
that directly facilitates or effects the transfer of funds for 
compensation for health care. A typical consumer-conducted payment 
transaction is when a consumer pays for health care or health insurance 
premiums using a check or credit card. In these cases the identity of 
the consumer is always included and some health information (e.g., 
diagnosis or procedure) may be implied through the name of the health 
care provider or health plan being paid. Covered entities that initiate 
such payment activities must meet the minimum necessary disclosure 
requirements described in the preamble to Sec. 164.514.

Covered Entity

    We provided this definition in the NPRM for convenience of 
reference and proposed it to mean the entities to which part C of title 
XI of the Act applies. These are the entities described in section 
1172(a)(1): Health plans, health care clearinghouses, and health care 
providers who transmit any health information in electronic form in 
connection with a transaction referred

[[Page 82477]]

to in section 1173(a)(1) of the Act (a ``standard transaction'').
    We note that health care providers who do not submit HIPAA 
transactions in standard form become covered by this rule when other 
entities, such as a billing service or a hospital, transmit standard 
electronic transactions on their behalf. A provider could not 
circumvent these requirements by assigning the task to its business 
associate since the business associate would be considered to be acting 
on behalf of the provider. See the definition of ``business 
associate.''
    Where a public agency is required or authorized by law to 
administer a health plan jointly with another entity, we consider each 
agency to be a covered entity with respect to the health plan functions 
it performs. Unlike private sector health plans, public plans are often 
required by or expressly authorized by law to jointly administer health 
programs that meet the definition of ``health plan'' under this 
regulation. In some instances the public entity is required or 
authorized to administer the program with another public agency. In 
other instances, the public entity is required or authorized to 
administer the program with a private entity. In either circumstance, 
we note that joint administration does not meet the definition of 
``business associate'' in Sec. 164.501. Examples of joint 
administration include state and federal administration of the Medicaid 
and SCHIP program, or joint administration of a Medicare+Choice plan by 
the Health Care Financing Administration and the issuer offering the 
plan.

Health Care

    We proposed to define ``health care'' to mean the provision of 
care, services, or supplies to a patient and to include any: (1) 
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or 
palliative care, counseling, service, or procedure with respect to the 
physical or mental condition, or functional status, of a patient or 
affecting the structure or function of the body; (2) sale or dispensing 
of a drug, device, equipment, or other item pursuant to a prescription; 
or (3) procurement or banking of blood, sperm, organs, or any other 
tissue for administration to patients.
    The final rule revises both the NPRM definition and the definition 
as provided in the Transactions Rule, to now mean ``care, services, or 
supplies related to the health of an individual. Health care includes 
the following:
    (1) Preventive, diagnostic, therapeutic, rehabilitative, 
maintenance, or palliative care, and counseling, service, assessment, 
or procedure with respect to the physical or mental condition, or 
functional status, of an individual or that affects the structure or 
function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other item 
in accordance with a prescription.
    We delete the term ``providing'' from the definition to delineate 
more clearly the relationship between ``treatment,'' as the term is 
defined in Sec. 164.501, and ``health care.'' Other key revisions 
include adding the term ``assessment'' in subparagraph (1) and deleting 
proposed subparagraph (3) from the rule. Therefore the procurement or 
banking of organs, blood (including autologous blood), sperm, eyes or 
any other tissue or human product is not considered to be health care 
under this rule and the organizations that perform such activities 
would not be considered health care providers when conducting these 
functions. As described in Sec. 164.512(h), covered entities are 
permitted to disclose protected health information without individual 
authorization, consent, or agreement (see below for explanation of 
authorizations, consents, and agreements) as necessary to facilitate 
cadaveric donation.

Health Care Clearinghouse

    In the NPRM, we defined ``health care clearinghouse'' as a public 
or private entity that processes or facilitates the processing of 
nonstandard data elements of health information into standard data 
elements. The entity receives health care transactions from health care 
providers or other entities, translates the data from a given format 
into one acceptable to the intended payor or payors, and forwards the 
processed transaction to appropriate payors and clearinghouses. Billing 
services, repricing companies, community health management information 
systems, community health information systems, and ``value-added'' 
networks and switches would have been considered to be health care 
clearinghouses for purposes of this part, if they perform the functions 
of health care clearinghouses as described in the preceding sentences.
    In the final regulation, we modify the definition of health care 
clearinghouse to reflect changes in the definition published in the 
Transactions Rule. The definition in the final rule is:
    Health care clearinghouse means a public or private entity, 
including billing services, repricing companies, community health 
management information systems or community health information systems, 
and ``value-added'' networks and switches, that does either of the 
following functions:
    (1) Processes or facilitates the processing of health information 
received from another entity in a nonstandard format or containing 
nonstandard data content into standard data elements or a standard 
transaction.
    (2) Receives a standard transaction from another entity and 
processes or facilitates the processing of health information into 
nonstandard format or nonstandard data content for the receiving 
entity.
    We note here that the term health care clearinghouse may have other 
meanings and connotations in other contexts, but the regulation defines 
it specifically, and an entity is considered a health care 
clearinghouse only to the extent that it meets the criteria in this 
definition. Telecommunications entities that provide connectivity or 
mechanisms to convey information, such as telephone companies and 
Internet Service Providers, are not health care clearinghouses as 
defined in the rule unless they actually carry out the functions 
outlined in our definition. Value added networks and switches are not 
health care clearinghouses unless they carry out the functions outlined 
in the definition. The examples of entities in our proposed definition 
we continue to consider to be health care clearinghouses, as well as 
any other entities that meet that definition, to the extent that they 
perform the functions in the definition.
    In order to fall within this definition of clearinghouse, the 
covered entity must perform the clearinghouse function on health 
information received from some other entity. A department or component 
of a health plan or health care provider that transforms nonstandard 
information into standard data elements or standard transactions (or 
vice versa) is not a clearinghouse for purposes of this rule, unless it 
also performs these functions for another entity. As described in more 
detail in Sec. 164.504(d), we allow affiliates to perform clearinghouse 
functions for each other without triggering the definition of 
``clearinghouse'' if the conditions in Sec. 164.504(d) are met.

Health Care Provider

    We proposed to define health care provider to mean a provider of 
services as defined in section 1861(u) of the Act, a provider of 
medical or health services as defined in section 1861(s) of the Act, 
and any other person or organization who furnishes, bills, or is paid 
for health care services or supplies in the normal course of business.

[[Page 82478]]

    In the final rule, we delete the term ``services and supplies,'' in 
order to eliminate redundancy within the definition. The definition 
also reflects the addition of the applicable U.S.C. citations (42 
U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the 
referenced provisions of the Act that were promulgated in the 
Transactions Rule.
    To assist the reader, we also provide here excerpts from the 
relevant sections of the Act. (Refer to the U.S.C. sections cited above 
for complete definitions in sections 1861(u) and 1861(s).) Section 
1861(u) of the Act defines a ``provider of services,'' to include, for 
example,

a hospital, critical access hospital, skilled nursing facility, 
comprehensive outpatient rehabilitation facility, home health 
agency, hospice program, or, for purposes of section 1814(g) (42 
U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.'' 
Section 1861(s) of the Act defines the term, ``medical and other 
health services,'' and includes a list of covered items or services, 
as illustrated by the following excerpt:
    (s) Medical and other health services. The term ``medical and 
other health services'' means any of the following items or 
services:
    (1) Physicians' services;
    (2) (A) services and supplies * * * furnished as an incident to 
a physician's professional service, or kinds which are commonly 
furnished in physicians' offices and are commonly either rendered 
without charge or included in the physicians' bills;
    (B) hospital services * * * incident to physicians' services 
rendered to outpatients and partial hospitalization services 
incident to such services;
    (C) diagnostic services which are--
    (i) furnished to an individual as an outpatient by a hospital or 
by others under arrangements with them made by a hospital, and
    (ii) ordinarily furnished by such hospital (or by others under 
such arrangements) to its outpatients for the purpose of diagnostic 
study;
    (D) outpatient physical therapy services and outpatient 
occupational therapy services;
    (E) rural health clinic services and federally qualified health 
center services;
    (F) home dialysis supplies and equipment, self-care home 
dialysis support services, and institutional dialysis services and 
supplies;
    (G) antigens * * * prepared by a physician * * * for a 
particular patient, including antigens so prepared which are 
forwarded to another qualified person * * * for administration to 
such patient, * * * by or under the supervision of another such 
physician;
    (H)(i) services furnished pursuant to a contract under section 
1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a 
physician assistant or by a nurse practitioner * * * and such 
services and supplies furnished as an incident to his service to 
such a member * * * and
    (ii) services furnished pursuant to a risk-sharing contract 
under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an 
eligible organization by a clinical psychologist * * * or by a 
clinical social worker * * * (and) furnished as an incident to such 
clinical psychologist's services or clinical social worker's 
services * * *;
    (I) blood clotting factors, for hemophilia patients * * *;
    (J) prescription drugs used in immunosuppressive therapy 
furnished, to an individual who receives an organ transplant for 
which payment is made under this title (42 U.S.C. 1395 et seq.), but 
only in the case of (certain) drugs furnished * * *
    (K)(i) services which would be physicians' services if furnished 
by a physician * * * and which are performed by a physician 
assistant * * *; and
    (ii) services which would be physicians' services if furnished 
by a physician * * * and which are performed by a nurse * * *;
    (L) certified nurse-midwife services;
    (M) qualified psychologist services;
    (N) clinical social worker services * * *;
    (O) erythropoietin for dialysis patients * * *;
    (P) prostate cancer screening tests * * *;
    (Q) an oral drug (which is approved by the Federal Food and Drug 
Administration) prescribed for use as an anti-cancer 
chemotherapeutic agent for a given indication, and containing an 
active ingredient (or ingredients) * * *;
    (R) colorectal cancer screening tests * * *;
    (S) diabetes outpatient self-management training services * * *; 
and
    (T) an oral drug (which is approved by the federal Food and Drug 
Administration) prescribed for use as an acute anti-emetic used as 
part of an anti-cancer chemotherapeutic regimen * * *
    (3) diagnostic X-ray tests * * * furnished in a place of 
residence used as the patient's home * * * ;
    (4) X-ray, radium, and radioactive isotope therapy, including 
materials and services of technicians;
    (5) surgical dressings, and splints, casts, and other devices 
used for reduction of fractures and dislocations;
    (6) durable medical equipment;
    (7) ambulance service where the use of other methods of 
transportation is contraindicated by the individual's condition * * 
* ;
    (8) prosthetic devices (other than dental) which replace all or 
part of an internal body organ (including colostomy bags and 
supplies directly related to colostomy care), * * * and including 
one pair of conventional eyeglasses or contact lenses furnished 
subsequent to each cataract surgery * * * [;]
    (9) leg, arm, back, and neck braces, and artificial legs, arms, 
and eyes, including replacements if required * * * ;
    (10) (A) pneumococcal vaccine and its administration * * *; and
    (B) hepatitis B vaccine and its administration * * *, and
    (11) services of a certified registered nurse anesthetist * * *;
    (12) * * * extra-depth shoes with inserts or custom molded shoes 
with inserts for an individual with diabetes, if * * *;
    (13) screening mammography * * *;
    (14) screening pap smear and screening pelvic exam; and
    (15) bone mass measurement * * *. (etc.)

Health Plan

    We proposed to define ``health plan'' essentially as section 
1171(5) of the Act defines it. Section 1171 of the Act refers to 
several definitions in section 2791 of the Public Health Service Act, 
42 U.S.C. 300gg-91, as added by Public Law 104-191.
    As defined in section 1171(5), a ``health plan'' is an individual 
plan or group health plan that provides, or pays the cost of, medical 
care. We proposed that this definition include, but not be limited to 
the 15 types of plans (e.g., group health plan, health insurance 
issuer, health maintenance organization) listed in the statute, as well 
as any combination of them. Such term would have included, when applied 
to public benefit programs, the component of the government agency that 
administers the program. Church plans and government plans would have 
been included to the extent that they fall into one or more of the 
listed categories.
    In the proposed rule, ``health plan'' included the following, 
singly or in combination:
    (1) A group health plan, defined as an employee welfare benefit 
plan (as currently defined in section 3(1) of the Employee Retirement 
Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured 
and self-insured plans, to the extent that the plan provides medical 
care (as defined in section 2791(a)(2) of the Public Health Service 
Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for 
as medical care, to employees or their dependents directly or through 
insurance or otherwise, that:
    (i) Has 50 or more participants; or
    (ii) Is administered by an entity other than the employer that 
established and maintains the plan.
    (2) A health insurance issuer, defined as an insurance company, 
insurance service, or insurance organization that is licensed to engage 
in the business of insurance in a state and is subject to state or 
other law that regulates insurance.
    (3) A health maintenance organization, defined as a federally 
qualified health maintenance organization, an organization recognized 
as a health maintenance organization under state law, or a similar 
organization regulated for solvency under state law in the same manner 
and to the same extent as such a health maintenance organization.
    (4) Part A or Part B of the Medicare program under title XVIII of 
the Act.
    (5) The Medicaid program under title XIX of the Act.

[[Page 82479]]

    (6) A Medicare supplemental policy (as defined in section 
1882(g)(1) of the Act, 42 U.S.C. 1395ss).
    (7) A long-term care policy, including a nursing home fixed-
indemnity policy.
    (8) An employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or providing 
health benefits to the employees of two or more employers.
    (9) The health care program for active military personnel under 
title 10 of the United States Code.
    (10) The veterans health care program under 38 U.S.C. chapter 17.
    (11) The Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
    (12) The Indian Health Service program under the Indian Health Care 
Improvement Act (25 U.S.C. 1601, et seq.).
    (13) The Federal Employees Health Benefits Program under 5 U.S.C. 
chapter 89.
    (14) An approved state child health plan for child health 
assistance that meets the requirements of section 2103 of the Act.
    (15) A Medicare Plus Choice organization as defined in 42 CFR 
422.2, with a contract under 42 CFR part 422, subpart K.
    In addition to the 15 specific categories, we proposed that the 
list include any other individual plan or group health plan, or 
combination thereof, that provides or pays for the cost of medical 
care. The Secretary would determine which plans that meet these 
criteria would to be considered health plans for the purposes of this 
rule.
    Consistent with the other titles of HIPAA, our proposed definition 
did not include certain types of insurance entities, such as workers' 
compensation and automobile insurance carriers, other property and 
casualty insurers, and certain forms of limited benefits coverage, even 
when such arrangements provide coverage for health care services.
    In the final rule, we add two provisions to clarify the types of 
policies or programs that we do not consider to be a health plan. 
First, the rule excepts any policy, plan or program to the extent that 
it provides, or pays for the cost of, excepted benefits, as defined in 
section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). We note 
that, while coverage for on-site medical clinics is excluded from 
definition of ``health plans,'' such clinics may meet the definition of 
``health care provider'' and persons who work in the clinic may also 
meet the definition of health care provider.'' Second, many commenters 
were confused by the statutory inclusion as a health plan of any 
``other individual or group plan that provides or pays the cost of 
medical care;'' they questioned how the provision applied to many 
government programs. We therefore clarify that while many government 
programs (other than the programs specified in the statute) provide or 
pay the cost of medical care, we do not consider them to be individual 
or group plans and therefore, do not consider them to be health plans. 
Government funded programs that do not have as their principal purpose 
the provision of, or payment for, the cost of health care but which do 
incidentally provide such services are not health plans (for example, 
programs such as the Special Supplemental Nutrition Program for Women, 
Infants and Children (WIC) and the Food Stamp Program, which provide or 
pay for nutritional services, are not considered to be health plans). 
Government funded programs that have as their principal purpose the 
provision of health care, either directly or by grant, are also not 
considered to be health plans. Examples include the Ryan White 
Comprehensive AIDS Resources Emergency Act, government funded health 
centers and immunization programs. We note that some of these may meet 
the rule's definition of health care provider.
    We note that in certain instances eligibility for or enrollment in 
a health plan that is a government program providing public benefits, 
such as Medicaid or SCHIP, is determined by an agency other than the 
agency that administers the program, or individually identifiable 
health information used to determine enrollment or eligibility in such 
a health plan is collected by an agency other than the agency that 
administers the health plan. In these cases, we do not consider an 
agency that is not otherwise a covered entity, such as a local welfare 
agency, to be a covered entity because it determines eligibility or 
enrollment or collects enrollment information as authorized by law. We 
also do not consider the agency to be a business associate when 
conducting these functions, as we describe further in the business 
associate discussion above.
    The definition in the final rule also reflects the following 
changes promulgated in the Transactions Rule:
    (1) Exclusion of nursing home fixed-indemnity policies;
    (2) Addition of the word ``issuer'' to Medicare supplemental 
policy, and long-term care policy;
    (3) Addition or revision of the relevant statutory cites where 
appropriate;
    (4) Deletion of the term ``or assisted'' when referring to 
government programs;
    (5) Replacement of the word ``organization'' with ``program'' when 
referring to Medicare + Choice;
    (6) Deletion of the term ``health'' when referring to a group plan 
in subparagraph (xvi);
    (7) Extraction of the definitions of ``group health plan,'' 
``health insurance issuer,'' and ``health maintenance organization'' 
into Part 160 as distinct definitions;
    (8) In the definition of ``group health plan,'' deletion of the 
term ``currently'' from the reference to the statutory cite of ERISA, 
addition of the relevant statutory cite for the term ``participant,'' 
and addition of the term ``reimbursement;''
    (9) In the definition of ``health insurance issuer,'' addition of 
the relevant statutory cite, deletion of the term ``or other law'' 
after ``state law,'' addition of health maintenance organizations for 
consistency with the statute, and clarification that the term does not 
include a group health plan; and
    (10) In the definition of ``health maintenance organization,'' 
addition of the relevant statutory cite.
    Finally, we add to this definition a high risk pool that is a 
mechanism established under state law to provide health insurance 
coverage or comparable coverage to eligible individuals. High risk 
pools are designed mainly to provide health insurance coverage for 
individuals who, due to health status or pre-existing conditions, 
cannot obtain insurance through the individual market or who can do so 
only at very high premiums. Some states use their high risk pool as an 
alternative mechanism under section 2744 of HIPAA. We do not reference 
the definition of ``qualified high risk pool'' in HIPAA because that 
definition includes the requirements for a state to use its risk pool 
as its alternative mechanism under HIPAA. Some states may have high 
risk pools, but do not use them as their alternative mechanism and 
therefore may not meet the definition in HIPAA. We want to make clear 
that state high risk pools are covered entities under this rule whether 
or not they meet the definition of a qualified high risk pool under 
section 2744. High risk pools, as described in this rule, do not 
include any program established under state law solely to provide 
excepted benefits. For example, a state program established to provide 
workers' compensation coverage is not

[[Page 82480]]

considered to be a high risk pool under the rule.

Implementation Specification

    This definition was adopted in the Transactions Rule and is 
minimally revised here. We add the words ``requirements or'' before the 
word ``instructions.'' The word ``instructions'' is appropriate in the 
context of the implementation specifications adopted in the 
Transactions Rule, which are generally a series of instructions as to 
how to use particular electronic forms. However, that word is not 
apropos in the context of the rules below. In the rules below, the 
implementation specifications are specific requirements for how to 
comply with a given standard. The change to this definition thus ties 
in to this regulatory framework.

Standard

    This definition was adopted in the Transactions Rule and we have 
modified it to make it clearer. We also add language reflecting section 
264 of the statute, to clarify that the standards adopted by this rule 
meet this definition.

State

    We modify the definition of state as adopted in the Transactions 
Rule to clarify that this term refers to any of the several states.

Transaction

    We change the term ``exchange'' to the term ``transmission'' in the 
definition of Transaction to clarify that these transactions may be 
one-way communications.

Workforce

    We proposed in the NPRM to define workforce to mean employees, 
volunteers, trainees, and other persons under the direct control of a 
covered entity, including persons providing labor on an unpaid basis.
    The definition in the final rule reflects one revision established 
in the Transactions Rule, which replaces the term ``including persons 
providing labor on an unpaid basis'' with the term ``whether or not 
they are paid by the covered entity.'' In addition, we clarify that if 
the assigned work station of persons under contract is on the covered 
entity's premises and such persons perform a substantial proportion of 
their activities at that location, the covered entity may choose to 
treat them either as business associates or as part of the workforce, 
as explained in the discussion of the definition of business associate. 
If there is no business associate contract, we assume the person is a 
member of the covered entity's workforce. We note that independent 
contractors may or may not be workforce members. However, for 
compliance purposes we will assume that such personnel are members of 
the workforce if no business associate contract exists.

Part 160--Subpart B--Preemption of State Laws

Statutory Background

    Section 1178 of the Act establishes a ``general rule'' that state 
law provisions that are contrary to the provisions or requirements of 
part C of title XI or the standards or implementation specifications 
adopted or established thereunder are preempted by the federal 
requirements. The statute provides three exceptions to this general 
rule: (1) In section 1178(a)(2)(A)(i), for state laws that the 
Secretary determines are necessary to prevent fraud and abuse, ensure 
appropriate state regulation of insurance and health plans, for state 
reporting on health care delivery, and other purposes; (2) in section 
1178(a)(2)(A)(ii), for state laws that address controlled substances; 
and (3) in section 1178(a)(2)(B), for state laws relating to the 
privacy of individually identifiable health information that as 
provided for by the related provision of section 264(c)(2) of HIPAA, 
are contrary to and more stringent than the federal requirements. 
Section 1178 also carves out, in sections 1178(b) and 1178(c), certain 
areas of state authority that are not limited or invalidated by the 
provisions of part C of title XI: these areas relate to public health 
and state regulation of health plans.
    The NPRM proposed a new Subpart B of the proposed part 160. The new 
Subpart B, which would apply to all standards, implementation 
specifications, and requirements adopted under HIPAA, would consist of 
four sections. Proposed Sec. 160.201 provided that the provisions of 
Subpart B applied to exception determinations and advisory opinions 
issued by the Secretary under section 1178. Proposed Sec. 160.202 set 
out proposed definitions for four terms: (1) ``Contrary,'' (2) ``more 
stringent,'' (3) ``relates to the privacy of individually identifiable 
health information,'' and (4) ``state law.'' The definition of 
``contrary'' was drawn from case law concerning preemption. A seven-
part set of specific criteria, drawn from fair information principles, 
was proposed for the definition of ``more stringent.'' The definition 
of ``relates to the privacy of individually identifiable health 
information'' was also based on case law. The definition of ``state 
law'' was drawn from the statutory definition of this term elsewhere in 
HIPAA. We note that state action having the force and effect of law may 
include common law. We eliminate the term ``decision'' from the 
proposed rule because it is redundant.
    Proposed Sec. 160.203 proposed a general rule reflecting the 
statutory general rule and exceptions that generally mirrored the 
statutory language of the exceptions. The one substantive addition to 
the statutory exception language was with respect to the statutory 
exception, ``for other purposes.'' The following language was added: 
``for other purposes related to improving the Medicare program, the 
Medicaid program, or the efficiency and effectiveness of the health 
care system.''
    Proposed Sec. 160.204 proposed two processes, one for the making of 
exception determinations, relating to determinations under section 
1178(a)(2)(A) of the Act, the other for the rendering of advisory 
opinions, with respect to section 1178(a)(2)(B) of the Act. The 
processes proposed were similar in the following respects: (1) Only the 
state could request an exception determination or advisory opinion, as 
applicable; (2) both required the request to contain the same 
information, except that a request for an exception determination also 
had to set out the length of time the requested exception would be in 
effect, if less than three years; (3) both sets of requirements 
provided that requests had to be submitted to the Secretary as required 
by the Secretary, and until the Secretary's determination was made, the 
federal standard, requirement or implementation specification remained 
in effect; (4) both sets of requirements provided that the Secretary's 
decision would be effective intrastate only; (5) both sets of 
requirements provided that any change to either the federal or state 
basis for the Secretary's decision would require a new request, and the 
federal standard, implementation specification, or requirement would 
remain in effect until the Secretary acted favorably on the new 
request; (6) both sets of requirements provided that the Secretary 
could seek changes to the federal rules or urge states or other 
organizations to seek changes; and (7) both sets of requirements 
provided for annual publication of Secretarial decisions. In addition, 
the process for exception determinations provided for a maximum 
effective period of three years for such determinations.
    The following changes have been made to subpart B in the final 
rules. First, Sec. 160.201 now expressly

[[Page 82481]]

implements section 1178. Second, the definition of ``more stringent'' 
has been changed by eliminating the criterion relating to penalties and 
by framing the criterion under paragraph (1) more generally. Also, we 
have clarified that the term ``individual'' means the person who is the 
subject of the individually identifiable health information, since the 
term ``individual'' is defined this way only in subpart E of part 164, 
not in part 160. Third, the definition of ``state law'' has been 
changed by substituting the words ``statute, constitutional provision'' 
for the word ``law,'' the words ``common law'' for the word 
``decision,'' and adding the words ``force and'' before the word 
``effect'' in the proposed definition. Fourth, in Sec. 160.203, several 
criteria relating to the statutory grounds for exception determinations 
have been further spelled out: (1) The words `` related to the 
provision of or payment for health care'' have been added to the 
exception for fraud and abuse; (2) the words ``to the extent expressly 
authorized by statute or regulation'' have been added to the exception 
for state regulation of health plans; (3) the words ``of serving a 
compelling need related to public health, safety, or welfare, and, 
where a standard, requirement, or implementation specification under 
part 164 of this subchapter is at issue, where the Secretary determines 
that the intrusion into privacy is warranted when balanced against the 
need to be served'' have been added to the general exception ``for 
other purposes''; and (4) the statutory provision regarding controlled 
substances has been elaborated on as follows: ``Has as its principal 
purpose the regulation of the manufacture, registration, distribution, 
dispensing, or other control of any controlled substance, as defined at 
21 U.S.C. 802, or which is deemed a controlled substance by state 
law.''
    The most extensive changes have been made to proposed Sec. 160.204. 
The provision for advisory opinions has been eliminated. Section 
160.204 now sets out only a process for requesting exception 
determinations. In most respects, this process is the same as proposed. 
However, the proposed restriction of the effect of exception 
determinations to wholly intrastate transactions has been eliminated. 
Section 160.204(a) has been modified to allow any person, not just a 
state, to submit a request for an exception determination, and 
clarifies that requests from states may be made by the state's chief 
elected official or his or her designee. Proposed Sec. 160.204(a)(3) 
stated that if it is determined that the federal standard, requirement, 
or implementation specification in question meets the exception 
criteria as well as or better than the state law for which the 
exception is requested, the request will be denied; this language has 
been deleted. Thus, the criterion for granting or denying an exception 
request is whether the applicable exception criterion or criteria are 
met.
    A new Sec. 160.205 is also adopted, replacing part of what was 
proposed at proposed Sec. 160.204. The new Sec. 160.205 sets out the 
rules relating to the effectiveness of exception determinations. 
Exception determinations are effective until either the underlying 
federal or state laws change or the exception is revoked, by the 
Secretary, based on a determination that the grounds supporting the 
exception no longer exist. The proposed maximum of three years has been 
eliminated.

Relationship to Other Federal Laws

    Covered entities subject to these rules are also subject to other 
federal statutes and regulations. For example, federal programs must 
comply with the statutes and regulations that govern them. Pursuant to 
their contracts, Medicare providers must comply with the requirements 
of the Privacy Act of 1974. Substance abuse treatment facilities are 
subject to the Substance Abuse Confidentiality provisions of the Public 
Health Service Act, section 543 and its regulations. And, health care 
providers in schools, colleges, and universities may come within the 
purview of the Family Educational Rights and Privacy Act. Thus, covered 
entities will need to determine how the privacy regulation will affect 
their ability to comply with these other federal laws.
    Many commenters raised questions about how different federal 
statutes and regulations intersect with the privacy regulation. While 
we address specific concerns in the response to comments later in the 
preamble, in this section, we explore some of the general interaction 
issues. These summaries do not identify all possible conflicts or 
overlaps of the privacy regulation and other federal laws, but should 
provide general guidance for complying with both the privacy regulation 
and other federal laws. The summaries also provide examples of how 
covered entities can analyze other federal laws when specific questions 
arise. HHS may consult with other agencies concerning the 
interpretation of other federal laws as necessary.

Implied Repeal Analysis

    When faced with the need to determine how different federal laws 
interact with one another, we turn to the judiciary's approach. Courts 
apply the implied repeal analysis to resolve tensions that appear to 
exist between two or more statutes. While the implication of a 
regulation-on-regulation conflict is unclear, courts agree that 
administrative rules and regulations that do not conflict with express 
statutory provisions have the force and effect of law. Thus, we believe 
courts would apply the standard rules of interpretation that apply to 
statutes to address questions of interpretation with regard to 
regulatory conflicts.
    When faced with two potentially conflicting statutes, courts 
attempt to construe them so that both are given effect. If this 
construction is not possible, courts will look for express language in 
the later statute, or an intent in its legislative history, indicating 
that Congress intended the later statute to repeal the earlier one. If 
there is no expressed intent to repeal the earlier statute, courts will 
characterize the statutes as either general or specific. Ordinarily, 
later, general statutes will not repeal the special provisions of an 
earlier, specific statute. In some cases, when a later, general statute 
creates an irreconcilable conflict or is manifestly inconsistent with 
the earlier, specific statute in a manner that indicates a clear and 
manifest Congressional intent to repeal the earlier statute, courts 
will find that the later statute repeals the earlier statute by 
implication. In these cases, the latest legislative action may prevail 
and repeal the prior law, but only to the extent of the conflict.
    There should be few instances in which conflicts exist between a 
statute or regulation and the rules below. For example, if a statute 
permits a covered entity to disclose protected health information and 
the rules below permit such a disclosure, no conflict arises; the 
covered entity could comply with both and choose whether or not to 
disclose the information. In instances in which a potential conflict 
appears, we would attempt to resolve it so that both laws applied. For 
example, if a statute or regulation permits dissemination of protected 
health information, but the rules below prohibit the use or disclosure 
without an authorization, we believe a covered entity would be able to 
comply with both because it could obtain an authorization under 
Sec. 164.508 before disseminating the information under the other law.
    Many apparent conflicts will not be true conflicts. For example, if 
a conflict

[[Page 82482]]

appears to exist because a previous statute or regulation requires a 
specific use or disclosure of protected health information that the 
rules below appear to prohibit, the use or disclosure pursuant to that 
statute or regulation would not be a violation of the privacy 
regulation because Sec. 164.512(a) permits covered entities to use or 
disclose protected health information as required by law.
    If a statute or regulation prohibits dissemination of protected 
health information, but the privacy regulation requires that an 
individual have access to that information, the earlier, more specific 
statute would apply. The interaction between the Clinical Laboratory 
Improvement Amendments regulation is an example of this type of 
conflict. From our review of several federal laws, it appears that 
Congress did not intend for the privacy regulation to overrule existing 
statutory requirements in these instances.

Examples of Interaction

    We have summarized how certain federal laws interact with the 
privacy regulation to provide specific guidance in areas deserving 
special attention and to serve as examples of the analysis involved. In 
the Response to Comment section, we have provided our responses to 
specific questions raised during the comment period.

The Privacy Act

    The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of 
records contained in a system of records maintained by a federal agency 
(or its contractors) without the written request or consent of the 
individual to whom the record pertains. This general rule is subject to 
various statutory exceptions. In addition to the disclosures explicitly 
permitted in the statute, the Privacy Act permits agencies to disclose 
information for other purposes compatible with the purpose for which 
the information was collected by identifying the disclosure as a 
``routine use'' and publishing notice of it in the Federal Register. 
The Act applies to all federal agencies and certain federal contractors 
who operate Privacy Act systems of records on behalf of federal 
agencies.
    Some federal agencies and contractors of federal agencies that are 
covered entities under the privacy rules are subject to the Privacy 
Act. These entities must comply with all applicable federal statutes 
and regulations. For example, if the privacy regulation permits a 
disclosure, but the disclosure is not permitted under the Privacy Act, 
the federal agency may not make the disclosure. If, however, the 
Privacy Act allows a federal agency the discretion to make a routine 
use disclosure, but the privacy regulation prohibits the disclosure, 
the federal agency will have to apply its discretion in a way that 
complies with the regulation. This means not making the particular 
disclosure.

The Freedom of Information Act

    FOIA, 5 U.S.C. 552, provides for public disclosure, upon the 
request of any person, of many types of information in the possession 
of the federal government, subject to nine exemptions and three 
exclusions. For example, Exemption 6 permits federal agencies to 
withhold ``personnel and medical files and similar files the disclosure 
of which would constitute a clearly unwarranted invasion of personal 
privacy.'' 5 U.S.C. 552(b)(6).
    Uses and disclosures required by FOIA come within Sec. 164.512(a) 
of the privacy regulation that permits uses or disclosures required by 
law if the uses or disclosures meet the relevant requirements of the 
law. Thus, a federal agency must determine whether it may apply an 
exemption or exclusion to redact the protected health information when 
responding to a FOIA request. When a FOIA request asks for documents 
that include protected health information, we believe the agency, when 
appropriate, must apply Exemption 6 to preclude the release of medical 
files or otherwise redact identifying details before disclosing the 
remaining information.
    We offer the following analysis for federal agencies and federal 
contractors who operate Privacy Act systems of records on behalf of 
federal agencies and must comply with FOIA and the privacy regulation. 
If presented with a FOIA request that would result in the disclosure of 
protected health information, a federal agency must first determine if 
FOIA requires the disclosure or if an exemption or exclusion would be 
appropriate. We believe that generally a disclosure of protected health 
information, when requested under FOIA, would come within FOIA 
Exemption 6. We recognize, however, that the application of this 
exemption to information about deceased individuals requires a 
different analysis than that applicable to living individuals because, 
as a general rule, under the Privacy Act, privacy rights are 
extinguished at death. However, under FOIA, it is entirely appropriate 
to consider the privacy interests of a decedent's survivors under 
Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: 
Privacy Considerations. Covered entities subject to FOIA must evaluate 
each disclosure on a case-by-case basis, as they do now under current 
FOIA procedures.

Federal Substance Abuse Confidentiality Requirements

    The federal confidentiality of substance abuse patient records 
statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-
2, and its implementing regulation, 42 CFR part 2, establish 
confidentiality requirements for patient records that are maintained in 
connection with the performance of any federally-assisted specialized 
alcohol or drug abuse program. Substance abuse programs are generally 
programs or personnel that provide alcohol or drug abuse treatment, 
diagnosis, or referral for treatment. The term ``federally-assisted'' 
is broadly defined and includes federally conducted or funded programs, 
federally licensed or certified programs, and programs that are tax 
exempt. Certain exceptions apply to information held by the Veterans 
Administration and the Armed Forces.
    There are a number of health care providers that are subject to 
both these rules and the substance abuse statute and regulations. In 
most cases, a conflict will not exist between these rules. These 
privacy rules permit a health care provider to disclose information in 
a number of situations that are not permitted under the substance abuse 
regulation. For example, disclosures allowed, without patient 
authorization, under the privacy rule for law enforcement, judicial and 
administrative proceedings, public health, health oversight, directory 
assistance, and as required by other laws would generally be prohibited 
under the substance abuse statute and regulation. However, because 
these disclosures are permissive and not mandatory, there is no 
conflict. An entity would not be in violation of the privacy rules for 
failing to make these disclosures.
    Similarly, provisions in the substance abuse regulation provide for 
permissive disclosures in case of medical emergencies, to the FDA, for 
research activities, for audit and evaluation activities, and in 
response to certain court orders. Because these are permissive 
disclosures, programs subject to both the privacy rules and the 
substance abuse rule are able to comply with both rules even if the 
privacy rules restrict these types of disclosures. In addition, the 
privacy rules generally require that an individual be given access to 
his or her own health information. Under the substance abuse

[[Page 82483]]

regulation, programs may provide such access, so there is no conflict.
    The substance abuse regulation requires notice to patients of the 
substance abuse confidentiality requirements and provides for written 
consent for disclosure. While the privacy rules have requirements that 
are somewhat different, the program may use notice and authorization 
forms that include all the elements required by both regulations. The 
substance abuse rule provides a sample notice and a sample 
authorization form and states that the use of these forms would be 
sufficient. While these forms do not satisfy all of the requirements of 
the privacy regulation, there is no conflict because the substance 
abuse regulation does not mandate the use of these forms.

Employee Retirement Income Security Act of 1974

    ERISA was enacted in 1974 to regulate pension and welfare employee 
benefit plans established by private sector employers, unions, or both, 
to provide benefits to their workers and dependents. Under ERISA, plans 
that provide ``through the purchase of insurance or otherwise * * * 
medical, surgical, or hospital care or benefits, or benefits in the 
event of sickness, accident, disability, [or] death'' are defined as 
employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA 
amended ERISA to require portability, nondiscrimination, and 
renewability of health benefits provided by group health plans and 
group health insurance issuers. Numerous, although not all, ERISA plans 
are covered under the rules proposed below as ``health plans.''
    Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws 
that ``relate to'' any employee benefit plan. However, section 514(b) 
of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption 
state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29 
U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be 
an insurer for the purpose of regulating the plan under the state 
insurance laws. Thus, under the deemer clause, states may not treat 
ERISA plans as insurers subject to direct regulation by state law. 
Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that 
ERISA does not ``alter, amend, modify, invalidate, impair, or supersede 
any law of the United States.''
    We considered whether the preemption provision of section 264(c)(2) 
of HIPAA would give effect to state laws that would otherwise be 
preempted by section 514(a) of ERISA. As discussed above, our reading 
of the statutes together is that the effect of section 264(c)(2) is 
only to leave in place state privacy protections that would otherwise 
apply and that are more stringent than the federal privacy protections.
    Many health plans covered by the privacy regulation are also 
subject to ERISA requirements. Our discussions and consultations have 
not uncovered any particular ERISA requirements that would conflict 
with the rules.

The Family Educational Rights and Privacy Act

    FERPA, as amended, 20 U.S.C. 1232g, provides parents of students 
and eligible students (students who are 18 or older) with privacy 
protections and rights for the records of students maintained by 
federally funded educational agencies or institutions or persons acting 
for these agencies or institutions. We have excluded education records 
covered by FERPA, including those education records designated as 
education records under Parts B, C, and D of the Individuals with 
Disabilities Education Act Amendments of 1997, from the definition of 
protected health information. For example, individually identifiable 
health information of students under the age of 18 created by a nurse 
in a primary or secondary school that receives federal funds and that 
is subject to FERPA is an education record, but not protected health 
information. Therefore, the privacy regulation does not apply. We 
followed this course because Congress specifically addressed how 
information in education records should be protected in FERPA.
    We have also excluded certain records, those described at 20 U.S.C. 
1232g(a)(4)(B)(iv), from the definition of protected health information 
because FERPA also provided a specific structure for the maintenance of 
these records. These are records (1) of students who are 18 years or 
older or are attending post-secondary educational institutions, (2) 
maintained by a physician, psychiatrist, psychologist, or recognized 
professional or paraprofessional acting or assisting in that capacity, 
(3) that are made, maintained, or used only in connection with the 
provision of treatment to the student, and (4) that are not available 
to anyone, except a physician or appropriate professional reviewing the 
record as designated by the student. Because FERPA excludes these 
records from its protections only to the extent they are not available 
to anyone other than persons providing treatment to students, any use 
or disclosure of the record for other purposes, including providing 
access to the individual student who is the subject of the information, 
would turn the record into an education record. As education records, 
they would be subject to the protections of FERPA.
    These exclusions are not applicable to all schools, however. If a 
school does not receive federal funds, it is not an educational agency 
or institution as defined by FERPA. Therefore, its records that contain 
individually identifiable health information are not education records. 
These records may be protected health information. The educational 
institution or agency that employs a school nurse is subject to our 
regulation as a health care provider if the school nurse or the school 
engages in a HIPAA transaction.
    While we strongly believe every individual should have the same 
level of privacy protection for his/her individually identifiable 
health information, Congress did not provide us with authority to 
disturb the scheme it had devised for records maintained by educational 
institutions and agencies under FERPA. We do not believe Congress 
intended to amend or preempt FERPA when it enacted HIPAA.
    With regard to the records described at 20 U.S.C. 
1232g(a)(4)(b)(iv), we considered requiring health care providers 
engaged in HIPAA transactions to comply with the privacy regulation up 
to the point these records were used or disclosed for purposes other 
than treatment. At that point, the records would be converted from 
protected health information into education records. This conversion 
would occur any time a student sought to exercise his/her access 
rights. The provider, then, would need to treat the record in 
accordance with FERPA's requirements and be relieved from its 
obligations under the privacy regulation. We chose not to adopt this 
approach because it would be unduly burdensome to require providers to 
comply with two different, yet similar, sets of regulations and 
inconsistent with the policy in FERPA that these records be exempt from 
regulation to the extent the records were used only to treat the 
student.

Gramm-Leach-Bliley

    In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, 
which included provisions, section 501 et seq., that limit the ability 
of financial institutions to disclose ``nonpublic personal 
information'' about consumers to non-affiliated third parties and 
require financial institutions to provide customers with their privacy 
policies and practices with respect to nonpublic

[[Page 82484]]

personal information. In addition, Congress required seven agencies 
with jurisdiction over financial institutions to promulgate regulations 
as necessary to implement these provisions. GLB and its accompanying 
regulations define ``financial institutions'' as including institutions 
engaged in the financial activities of bank holding companies, which 
may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 
1843(k). However, Congress did not provide the designated federal 
agencies with the authority to regulate health insurers. Instead, it 
provided states with an incentive to adopt and have their state 
insurance authorities enforce these rules. See 15 U.S.C. 6805. If a 
state were to adopt laws consistent with GLB, health insurers would 
have to determine how to comply with both sets of rules.
    Thus, GLB has caused concern and confusion among health plans that 
are subject to our privacy regulation. Although Congress remained 
silent as to its understanding of the interaction of GLB and HIPAA's 
privacy provisions, the Federal Trade Commission and other agencies 
implementing the GLB privacy provisions noted in the preamble to their 
GLB regulations that they ``would consult with HHS to avoid the 
imposition of duplicative or inconsistent requirements.'' 65 Fed. Reg. 
33646, 33648 (2000). Additionally, the FTC also noted that ``persons 
engaged in providing insurance'' would be within the enforcement 
jurisdiction of state insurance authorities and not within the 
jurisdiction of the FTC. Id.
    Because the FTC has clearly stated that it will not enforce the GLB 
privacy provisions against persons engaged in providing insurance, 
health plans will not be subject to dual federal agency jurisdiction 
for information that is both nonpublic personal information and 
protected health information. If states choose to adopt GLB-like laws 
or regulations, which may or may not track the federal rules 
completely, health plans would need to evaluate these laws under the 
preemption analysis described in subpart B of Part 160.

Federally Funded Health Programs

    These rules will affect various federal programs, some of which may 
have requirements that are, or appear to be, inconsistent with the 
requirements of these regulations. These programs include those 
operated directly by the federal government (such as health programs 
for military personnel and veterans) as well as programs in which 
health services or benefits are provided by the private sector or by 
state or local governments, but which are governed by various federal 
laws (such as Medicare, Medicaid, and ERISA).
    Congress explicitly included some of these programs in HIPAA, 
subjecting them directly to the privacy regulation. Section 1171 of the 
Act defines the term ``health plan'' to include the following federally 
conducted, regulated, or funded programs: Group plans under ERISA that 
either have 50 or more participants or are administered by an entity 
other than the employer who established and maintains the plan; 
federally qualified health maintenance organizations; Medicare; 
Medicaid; Medicare supplemental policies; the health care program for 
active military personnel; the health care program for veterans; the 
Civilian Health and Medical Program of the Uniformed Services 
(CHAMPUS); the Indian health service program under the Indian Health 
Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal 
Employees Health Benefits Program. There also are many other federally 
conducted, regulated, or funded programs in which individually 
identifiable health information is created or maintained, but which do 
not come within the statutory definition of ``health plan.'' While 
these latter types of federally conducted, regulated, or assisted 
programs are not explicitly covered by part C of title XI in the same 
way that the programs listed in the statutory definition of ``health 
plan'' are covered, the statute may nonetheless apply to transactions 
and other activities conducted under such programs. This is likely to 
be the case when the federal entity or federally regulated or funded 
entity provides health services; the requirements of part C may apply 
to such an entity as a ``health care provider.'' Thus, the issue of how 
different federal requirements apply is likely to arise in numerous 
contexts.
    There are a number of authorities under the Public Health Service 
Act and other legislation that contain explicit confidentiality 
requirements, either in the enabling legislation or in the implementing 
regulations. Many of these are so general that there would appear to be 
no problem of inconsistency, in that nothing in those laws or 
regulations would appear to restrict the provider's ability to comply 
with the privacy regulation's requirements.
    There may, however, be authorities under which either the 
requirements of the enabling legislation or of the program regulations 
would impose requirements that differ from these rules.
    For example, regulations applicable to the substance abuse block 
grant program funded under section 1943(b) of the Public Health Service 
Act require compliance with 42 CFR part 2, and, thus, raise the issues 
identified above in the substance abuse confidentiality regulations 
discussion. There are a number of federal programs which, either by 
statute or by regulation, restrict the disclosure of patient 
information to, with minor exceptions, disclosures ``required by law.'' 
See, for example, the program of projects for prevention and control of 
sexually transmitted diseases funded under section 318(e)(5) of the 
Public Health Service Act (42 CFR 51b.404); the regulations 
implementing the community health center program funded under section 
330 of the Public Health Service Act (42 CFR 51c.110); the regulations 
implementing the program of grants for family planning services under 
title X of the Public Health Service Act (42 CFR 59.15); the 
regulations implementing the program of grants for black lung clinics 
funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations 
implementing the program of maternal and child health projects funded 
under section 501 of the Act (42 CFR 51a.6); the regulations 
implementing the program of medical examinations of coal miners (42 CFR 
37.80(a)). These legal requirements would restrict the grantees or 
other entities providing services under the programs involved from 
making many of the disclosures that Secs. 164.510 or 164.512 would 
permit. In some cases, permissive disclosures for treatment, payment, 
or health care operations would also be limited. Because Secs. 164.510 
and 164.512 are merely permissive, there would not be a conflict 
between the program requirements, because it would be possible to 
comply with both. However, entities subject to both sets of 
requirements would not have the total range of discretion that they 
would have if they were subject only to this regulation.

Food, Drug, and Cosmetic Act

    The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its 
accompanying regulations outline the responsibilities of the Food and 
Drug Administration with regard to monitoring the safety and 
effectiveness of drugs and devices. Part of the agency's responsibility 
is to obtain reports about adverse events, track medical devices, and 
engage in other types of post marketing surveillance. Because many of 
these reports contain protected health information, the information 
within them may come within the purview of the privacy rules.

[[Page 82485]]

Although some of these reports are required by the Food, Drug, and 
Cosmetic Act or its accompanying regulations, other types of reporting 
are voluntary. We believe that these reports, while not mandated, play 
a critical role in ensuring that individuals receive safe and effective 
drugs and devices. Therefore, in Sec. 164.512(b)(1)(iii), we have 
provided that covered entities may disclose protected health 
information to a person subject to the jurisdiction of the Food and 
Drug Administration for specified purposes, such as reporting adverse 
events, tracking medical devices, or engaging in other post marketing 
surveillance. We describe the scope and conditions of such disclosures 
in more detail in Sec. 164.512(b).

Clinical Laboratory Improvement Amendments

    CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part 
493, require clinical laboratories to comply with standards regarding 
the testing of human specimens. This law requires clinical laboratories 
to disclose test results or reports only to authorized persons, as 
defined by state law. If a state does not define the term, the federal 
law defines it as the person who orders the test.
    We realize that the person ordering the test is most likely a 
health care provider and not the individual who is the subject of the 
protected health information included within the result or report. 
Under this requirement, therefore, a clinical laboratory may be 
prohibited by law from providing the individual who is the subject of 
the test result or report with access to this information.
    Although we believe individuals should be able to have access to 
their individually identifiable health information, we recognize that 
in the specific area of clinical laboratory testing and reporting, the 
Health Care Financing Administration, through regulation, has provided 
that access may be more limited. To accommodate this requirement, we 
have provided at Sec. 164.524(1)(iii) that covered entities maintaining 
protected health information that is subject to the CLIA requirements 
do not have to provide individuals with a right of access to or a right 
to inspect and obtain a copy of this information if the disclosure of 
the information to the individual would be prohibited by CLIA.
    Not all clinical laboratories, however, will be exempted from 
providing individuals with these rights. If a clinical laboratory 
operates in a state in which the term ``authorized person'' is defined 
to include the individual, the clinical laboratory would have to 
provide the individual with these rights. Similarly, if the individual 
was the person who ordered the test and an authorized person included 
such a person, the laboratory would be required to provide the 
individual with these rights.
    Additionally, CLIA regulations exempt the components or functions 
of ``research laboratories that test human specimens but do not report 
patient specific results for the diagnosis, prevention or treatment of 
any disease or impairment of, or the assessment of the health of 
individual patients'' from the CLIA regulatory scheme. 42 CFR 
493.3(a)(2). If subject to the access requirements of this regulation, 
such entities would be forced to meet the requirements of CLIA from 
which they are currently exempt. To eliminate this additional 
regulatory burden, we have also excluded covered entities that are 
exempt from CLIA under that rule from the access requirement of this 
regulation.
    Although we are concerned about the lack of immediate access by the 
individual, we believe that, in most cases, individuals who receive 
clinical tests will be able to receive their test results or reports 
through the health care provider who ordered the test for them. The 
provider will receive the information from the clinical laboratory. 
Assuming that the provider is a covered entity, the individual will 
have the right of access and right to inspect and copy this protected 
health information through his or her provider.

Other Mandatory Federal or State Laws

    Many federal laws require covered entities to provide specific 
information to specific entities in specific circumstances. If a 
federal law requires a covered entity to disclose a specific type of 
information, the covered entity would not need an authorization under 
Sec. 164.508 to make the disclosure because the final rule permits 
covered entities to make disclosures that are required by law under 
Sec. 164.512(a). Other laws, such as the Social Security Act (including 
its Medicare and Medicaid provisions), the Family and Medical Leave 
Act, the Public Health Service Act, Department of Transportation 
regulations, the Environmental Protection Act and its accompanying 
regulations, the National Labor Relations Act, the Federal Aviation 
Administration, and the Federal Highway Administration rules, may also 
contain provisions that require covered entities or others to use or 
disclose protected health information for specific purposes.
    When a covered entity is faced with a question as to whether the 
privacy regulation would prohibit the disclosure of protected health 
information that it seeks to disclose pursuant to a federal law, the 
covered entity should determine if the disclosure is required by that 
law. In other words, it must determine if the disclosure is mandatory 
rather than merely permissible. If it is mandatory, a covered entity 
may disclose the protected health information pursuant to 
Sec. 164.512(a), which permits covered entities to disclose protected 
health information without an authorization when the disclosure is 
required by law. If the disclosure is not required (but only permitted) 
by the federal law, the covered entity must determine if the disclosure 
comes within one of the other permissible disclosures. If the 
disclosure does not come within one of the provisions for permissible 
disclosures, the covered entity must obtain an authorization from the 
individual who is the subject of the information or de-identify the 
information before disclosing it.
    If another federal law prohibits a covered entity from using or 
disclosing information that is also protected health information, but 
the privacy regulation permits the use or disclosure, a covered entity 
will need to comply with the other federal law and not use or disclose 
the information.

Federal Disability Nondiscrimination Laws

    The federal laws barring discrimination on the basis of disability 
protect the confidentiality of certain medical information. The 
information protected by these laws falls within the larger definition 
of ``health information'' under this privacy regulation. The two 
primary disability nondiscrimination laws are the Americans with 
Disabilities Act (ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation 
Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws 
barring discrimination on the basis of disability (such as the 
nondiscrimination provisions of the Workforce Investment Act of 1988, 
29 U.S.C. 2938) may also apply. Federal disability nondiscrimination 
laws cover two general categories of entities relevant to this 
discussion: employers and entities that receive federal financial 
assistance.
    Employers are not covered entities under the privacy regulation. 
Many employers, however, are subject to the federal disability 
nondiscrimination laws and, therefore, must protect the

[[Page 82486]]

confidentiality of all medical information concerning their applicants 
and employees.
    The employment provisions of the ADA, 42 U.S.C. 12111 et seq., 
expressly cover employers of 15 or more employees, employment agencies, 
labor organizations, and joint labor-management committees. Since 1992, 
employment discrimination complaints arising under sections 501, 503, 
and 504 of the Rehabilitation Act also have been subject to the ADA's 
employment nondiscrimination standards. See ``Rehabilitation Act 
Amendments,'' Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to 
ADA nondiscrimination standards have confidentiality obligations 
regarding applicant and employee medical information. Employers must 
treat such medical information, including medical information from 
voluntary health or wellness programs and any medical information that 
is voluntarily disclosed as a confidential medical record, subject to 
limited exceptions.
    Transmission of health information by an employer to a covered 
entity, such as a group health plan, is governed by the ADA 
confidentiality restrictions. The ADA, however, has been interpreted to 
permit an employer to use medical information for insurance purposes. 
See 29 CFR part 1630 App. at Sec. 1630.14(b) (describing such use with 
reference to 29 CFR 1630.16(f), which in turn explains that the ADA 
regulation ``is not intended to disrupt the current regulatory 
structure for self-insured employers * * * or current industry 
practices in sales, underwriting, pricing, administrative and other 
services, claims and similar insurance related activities based on 
classification of risks as regulated by the states''). See also, 
``Enforcement Guidance on Disability-Related Inquiries and Medical 
Examinations of Employees under the Americans with Disabilities Act,'' 
4, n.10 (July 26, 2000), ____ FEP Manual (BNA) ____ (``Enforcement 
Guidance on Employees''). See generally, ``ADA Enforcement Guidance on 
Preemployment Disability-Related Questions and Medical Examinations'' 
(October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available 
at http://www.eeoc.gov). Thus, use of medical information for insurance 
purposes may include transmission of health information to a covered 
entity.
    If an employer-sponsored group health plan is closely linked to an 
employer, the group health plan may be subject to ADA confidentiality 
restrictions, as well as this privacy regulation. See Carparts 
Distribution Center, Inc. v. Automotive Wholesaler's Association of New 
England, Inc., 37 F.3d 12 (1st Cir. 1994)(setting forth three bases for 
ADA Title I jurisdiction over an employer-provided medical 
reimbursement plan, in a discrimination challenge to the plan's HIV/
AIDS cap). Transmission of applicant or employee health information by 
the employer's management to the group health plan may be permitted 
under the ADA standards as the use of medical information for insurance 
purposes. Similarly, disclosure of such medical information by the 
group health plan, under the limited circumstances permitted by this 
privacy regulation, may involve use of the information for insurance 
purposes as broadly described in the ADA discussion above.
    Entities that receive federal financial assistance, which may also 
be covered entities under the privacy regulation, are subject to 
section 504 of the Rehabilitation Act (29 U.S.C. 794) and its 
implementing regulations. Each federal agency has promulgated such 
regulations that apply to entities that receive financial assistance 
from that agency (``recipients''). These regulations may limit the 
disclosure of medical information about persons who apply to or 
participate in a federal financially assisted program or activity. For 
example, the Department of Labor's section 504 regulation (found at 29 
CFR part 32), consistent with the ADA standards, requires recipients 
that conduct employment-related programs, including employment training 
programs, to maintain confidentiality regarding any information about 
the medical condition or history of applicants to or participants in 
the program or activity. Such information must be kept separate from 
other information about the applicant or participant and may be 
provided to certain specified individuals and entities, but only under 
certain limited circumstances described in the regulation. See 29 CFR 
32.15(d). Apart from those circumstances, the information must be 
afforded the same confidential treatment as medical records, id. Also, 
recipients of federal financial assistance from the Department of 
Health and Human Services, such as hospitals, are subject to the ADA's 
employment nondiscrimination standards. They must, accordingly, 
maintain confidentiality regarding the medical condition or history of 
applicants for employment and employees.
    The statutes and implementing regulations under which the federal 
financial assistance is provided may contain additional provisions 
regulating collection and disclosure of medical, health, and 
disability-related information. See, e.g., section 188 of the Workforce 
Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, 
covered entities that are subject to this privacy regulation, may also 
be subject to the restrictions in these laws as well.

U.S. Safe Harbor Privacy Principles (European Union Directive on Data 
Protection)

    The E.U. Directive became effective in October 1998 and prohibits 
European Union Countries from permitting the transfer of personal data 
to another country without ensuring that an ``adequate level of 
protection,'' as determined by the European Commission, exists in the 
other country or pursuant to one of the Directive's derogations of this 
rule, such as pursuant to unambiguous consent or to fulfill a contract 
with the individual. In July 2000, the European Commission concluded 
that the U.S. Safe Harbor Privacy Principles \1\ constituted ``adequate 
protection.'' Adherence to the Principles is voluntary. Organizations 
wishing to engage in the exchange of personal data with E.U. countries 
may assert compliance with the Principles as one means of obtaining 
data from E.U. countries.
---------------------------------------------------------------------------

    \1\ The Principles are: (1) Notice; (2) Choice (i.e., consent); 
(3) Onward Transfer (i.e., subsequent disclosures); (4) Security; 
(5) Data Integrity; (6) Access; and (7) Enforcement. Department of 
Commerce, Safe Harbor Principles, July 21, 2000 (``Principles''). 
They do not apply to manually processed data.
---------------------------------------------------------------------------

    The Department of Commerce, which negotiated these Principles with 
the European Commission, has provided guidance for U.S. organizations 
seeking to adhere to the guidelines and comply with U.S. law. We 
believe this guidance addresses the concerns covered entities seeking 
to transfer personal data from E.U. countries may have. When ``U.S. law 
imposes a conflicting obligation, U.S. organizations whether in the 
safe harbor or not must comply with the law.'' An organization does not 
need to comply with the Principles if a conflicting U.S. law 
``explicitly authorizes'' the particular conduct. The organization's 
non-compliance is ``limited to the extent necessary to meet the 
overriding legitimate interests further[ed] by such authorization.'' 
However, if only a difference exists such that an ``option is allowable 
under the Principles and/or U.S. law, organizations are expected to opt 
for the higher protection where possible.'' Questions regarding 
compliance and interpretation will be decided based on U.S. law. See 
Department of Commerce, Memorandum on Damages for Breaches

[[Page 82487]]

of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 
5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy 
Principles Issued by the U.S. Department of Commerce on July 21, 2000, 
65 FR 45666 (2000). The Principles and our privacy regulation are based 
on common principles of fair information practices. We believe they are 
essentially consistent and that an organization complying with our 
privacy regulation can fairly and correctly self-certify that it 
complies with the Principles. If a true conflict arises between the 
privacy regulation and the Principles, the Department of Commerce's 
guidance provides that an entity must comply with the U.S. law.

Part 160--Subpart C--Compliance and Enforcement

    Proposed Sec. 164.522 included five paragraphs addressing 
activities related to the Secretary's enforcement of the rule. These 
provisions were based on procedures and requirements in various civil 
rights regulations. Proposed Sec. 164.522(a) provided that the 
Secretary would, to the extent practicable, seek the cooperation of 
covered entities in obtaining compliance, and could provide technical 
assistance to covered entities to help them comply voluntarily. 
Proposed Sec. 164.522(b) provided that individuals could file 
complaints with the Secretary. However, where the complaint related to 
the alleged failure of a covered entity to amend or correct protected 
health information as proposed in the rule, the Secretary would not 
make certain determinations such as whether protected health 
information was accurate or complete. This paragraph also listed the 
requirements for filing complaints and indicated that the Secretary may 
investigate such complaints and what might be reviewed as part of such 
investigation.
    Under proposed Sec. 164.522(c), the Secretary would be able to 
conduct compliance reviews. Proposed Sec. 164.522(d) described the 
responsibilities that covered entities keep records and reports as 
prescribed by the Secretary, cooperate with compliance reviews, permit 
the Secretary to have access to their facilities, books, records, and 
other sources of information during normal business hours, and seek 
records held by other persons. This paragraph also stated that the 
Secretary would maintain the confidentiality of protected health 
information she collected and prohibit covered entities from taking 
retaliatory action against individuals for filing complaints or for 
other activities. Proposed Sec. 164.522(e) provided that the Secretary 
would inform the covered entity and the individual complainant if an 
investigation or review indicated a failure to comply and would seek to 
resolve the matter informally if possible. If the matter could not be 
resolved informally, the Secretary would be able to issue written 
findings, be required to inform the covered entity and the complainant, 
and be able to pursue civil enforcement action or make a criminal 
referral. The Secretary would also be required to inform the covered 
entity and the individual complainant if no violation was found.
    We make the following changes and additions to proposed 
Sec. 164.522 in the final rule. First, we have moved this section to 
part 160, as a new subpart C, ``Compliance and Enforcement.'' Second, 
we add new sections that explain the applicability of these provisions 
and incorporate certain definitions. Accordingly, we change the 
proposed references to violations to ``this subpart'' to violations of 
``the applicable requirements of part 160 and the applicable standards, 
requirements, and implementation specifications of subpart E of part 
164 of this subchapter.'' Third, the final rule at Sec. 160.306(a) 
provides that any person, not just an ``individual'' (the person who is 
the subject of the individually identifiable health information) may 
file a complaint with the Secretary. Other references in this subpart 
to an individual have been changed accordingly. Fourth, we delete the 
proposed Sec. 164.522(a) language that indicated that the Secretary 
would not determine whether information was accurate or complete, or 
whether errors or omissions might have an adverse effect on the 
individual. While the policy is not changed in that the Secretary will 
not make such determinations, we believe the language is unnecessary 
and may suggest that we would make all other types of determinations, 
such as all determinations in which the regulation defers to the 
professional judgment of the covered entity. Fifth, Sec. 160.306(b)(3) 
requires that complaints be filed within 180 days of when the 
complainant knew or should have known that the act or omission 
complained of occurred, unless this time limit is waived by the 
Secretary for good cause shown. Sixth, Sec. 160.310(b) requires 
cooperation with investigations as well as compliance reviews. Seventh, 
Sec. 160.310 (c)(1) provides that the Secretary must be provided access 
to a covered entity's facilities, books, records, accounts, and other 
sources of information, including protected health information, at any 
time and without notice where exigent circumstances exist, such as 
where documents might be hidden or destroyed. Eighth, the provision 
proposed at Sec. 164.522(d) that would prohibit covered entities from 
taking retaliatory action against individuals for filing a complaint 
with the Secretary or for certain other actions has been changed and 
moved to Sec. 164.530. Ninth, Sec. 160. 312(a)(2) deletes the reference 
in the proposed rule to using violation findings as a basis for 
initiating action to secure penalties. This deletion is not a 
substantive change. This language was removed because penalties will be 
addressed in the enforcement regulation. As in the NPRM, the Secretary 
may promulgate alternative procedures for complaints relating to 
national security. For example, to protect classified information, we 
may promulgate rules that would allow an intelligence community agency 
to create a separate body within that agency to receive complaints.
    The Department plans to issue an Enforcement Rule that applies to 
all of the regulations that the Department issues under the 
Administrative Simplification provisions of HIPAA. This regulation will 
address the imposition of civil monetary penalties and the referral of 
criminal cases where there has been a violation of this rule. Penalties 
are provided for under section 262 of HIPAA. The Enforcement Rule would 
also address the topics covered by Subpart C below. It is expected that 
this Enforcement Rule would replace Subpart C.

Part 164--Subpart A--General Provisions

Section 164.102--Statutory Basis

    In the NPRM, we provided that the provisions of this part are 
adopted pursuant to the Secretary's authority to prescribe standards, 
requirements, and implementation standards under part C of title XI of 
the Act and section 264 of Public Law 104-191. The final rule adopts 
this language.

Section 164.104--Applicability

    In the NPRM, we provided that except as otherwise provided, the 
provisions of this part apply to covered entities: health plans, health 
care clearinghouses, and health care providers who transmit health 
information in electronic form in connection with any transaction 
referred to in section 1173(a)(1) of the Act. The final rule adopts 
this language.

[[Page 82488]]

Section 164.106--Relationship to Other Parts

    The final rule adds a new provision stating that in complying with 
the requirements of this part, covered entities are required to comply 
with the applicable provisions of parts 160 and 162 of this subchapter. 
This language references Subchapter C in this regulation, 
Administrative Data Standards and Related Requirements; Part 160, 
General Administrative Requirements; and Part 162, Administrative 
Requirements. Part 160 includes requirements such as keeping records 
and submitting compliance reports to the Secretary and cooperating with 
the Secretary's complaint investigations and compliance reviews. Part 
162 includes requirements such as requiring a covered entity that 
conducts an electronic transaction, adopted under this part, with 
another covered entity to conduct the transaction as a standard 
transaction as adopted by the Secretary.

Part 164--Subpart B-D--Reserved

Part 164--Subpart E--Privacy

Section 164.500--Applicability

    The discussion below describes the entities and the information 
that are subject to the final regulation.
    Many of the provisions of the regulation are presented as 
``standards.'' Generally, the standards indicate what must be 
accomplished under the regulation and implementation specifications 
describe how the standards must be achieved.

Covered Entities

    We proposed in the NPRM to apply the standards in the regulation to 
health plans, health care clearinghouses, and to any health care 
provider who transmits health information in electronic form in 
connection with transactions referred to in section 1173(a)(1) of the 
Act. The proposal referred to these entities as ``covered entities.''
    We have revised Sec. 164.500 to clarify the applicability of the 
rule to health care clearinghouses. As we stated in the preamble to the 
NPRM, we believe that in most instances health care clearinghouses will 
receive protected health information as a business associate to another 
covered entity. This understanding was confirmed by the comments and by 
our fact finding. Clearinghouses rarely have direct contact with 
individuals, and usually will not be in a position to create protected 
health information or to receive it directly from them. Unlike health 
plans and providers, clearinghouses usually convey and repackage 
information and do not add materially to the substance of protected 
health information of an individual.
    The revised language provides that clearinghouses are not subject 
to certain requirements in the rule when acting as business associates 
of other covered entities. As revised, a clearinghouse acting as a 
business associate is subject only to the provisions of this section, 
to the definitions, to the general rules for uses and disclosures of 
protected health information (subject to limitations), to the provision 
relating to health care components, to the provisions relating to uses 
and disclosures for which consent, individual authorization or an 
opportunity to agree or object is not required (subject to 
limitations), to the transition requirements and to the compliance 
date. With respect to the uses and disclosures authorized under 
Sec. 164.502 or Sec. 164.512, a clearinghouse acting as a business 
associate is not authorized by the rule to make any use or disclosure 
not permitted by its business associate contract. Clearinghouses acting 
as business associates are not subject to the other requirements of 
this rule, which include the provisions relating to procedural 
requirements, requirements for obtaining consent, individual 
authorization or agreement, provision of a notice, individual rights to 
request privacy protection, access and amend information and receive an 
accounting of disclosures and the administrative requirements.
    We note that, even as business associates, clearinghouses remain 
covered entities. Clearinghouses, like other covered entities, are 
responsible under this regulation for abiding by the terms of business 
associate contracts. For example, while the provisions regarding 
individuals' access to and right to request corrections to protected 
health information about them apply only to health plans and covered 
health care providers, clearinghouses may have some responsibility for 
providing such access under their business associate contracts. A 
clearinghouse (or any other covered entity) that violates the terms of 
a business associate contract also is in direct violation of this rule 
and, as a covered entity, is subject to compliance and enforcement 
action.
    We clarify that a covered entity is only subject to these rules to 
the extent that they possess protected health information. Moreover, 
these rules only apply with regard to protected health information. For 
example, if a covered entity does not disclose or receive from its 
business associate any protected health information and no protected 
health information is created or received by its business associate on 
behalf of the covered entity, then the business associate requirements 
of this rule do not apply.
    We clarify that the Department of Defense or any other federal 
agency and any non-governmental organization acting on its behalf, is 
not subject to this rule when it provides health care in another 
country to foreign national beneficiaries. The Secretary believes that 
this exemption is warranted because application of the rule could have 
the unintended effect of impeding or frustrating the conduct of such 
activities, such as interfering with the ability of military command 
authorities to obtain protected health information on prisoners of war, 
refugees, or detainees for whom they are responsible under 
international law. See the preamble to the definition of ``individual'' 
for further discussion.

Covered Information

    We proposed in the NPRM to apply the requirements of the rule to 
individually identifiable health information that is or has been 
electronically transmitted or maintained by a covered entity. The 
provisions would have applied to the information itself, referred to as 
protected health information in the rule, and not to the particular 
records in which the information is contained. We proposed that once 
information was maintained or transmitted electronically by a covered 
entity, the protections would follow the information in whatever form, 
including paper records, in which it exists while held by a covered 
entity. The proposal would not have applied to information that was 
never electronically maintained or transmitted by a covered entity.
    In the final rule, we extend the scope of protections to all 
individually identifiable health information in any form, electronic or 
non-electronic, that is held or transmitted by a covered entity. This 
includes individually identifiable health information in paper records 
that never has been electronically stored or transmitted. (See 
Sec. 164.501, definition of ``protected health information,'' for 
further discussion.)

Section 164.501--Definitions

Correctional Institution

    The proposed rule did not define the term correctional institution. 
The final rule defines correctional institution as any penal or 
correctional facility, jail, reformatory, detention center, work farm, 
halfway house, or residential community program center operated by, or 
under contract to, the United States,

[[Page 82489]]

a state, a territory, a political subdivision of a state or territory, 
or an Indian tribe, for the confinement or rehabilitation of persons 
charged with or convicted of a criminal offense or other persons held 
in lawful custody. Other persons held in lawful custody includes 
juvenile offenders adjudicated delinquent, aliens detained awaiting 
deportation, persons committed to mental institutions through the 
criminal justice system, witnesses, or others awaiting charges or 
trial. This language was necessary to explain the privacy rights and 
protections of inmates in this regulation.

Covered Functions

    We add a new term, ``covered functions,'' as a shorthand way of 
expressing and referring to the functions that the entities covered by 
section 1172(a) of the Act perform. Section 1171 defines the terms 
``health plan'', ``health care provider'', and ``health care 
clearinghouse'' in functional terms. Thus, a ``health plan'' is an 
individual or group plan ``that provides, or pays the cost of, medical 
care * * *'', a ``health care provider'' ``furnish[es] health care 
services or supplies,'' and a ``health care clearinghouse'' is an 
entity ``that processes or facilitates the processing of * * * data 
elements of health information * * *''. Covered functions, therefore, 
are the activities that any such entity engages in that are directly 
related to operating as a health plan, health care provider, or health 
care clearinghouse; that is, they are the functions that make it a 
health plan, health care provider, or health care clearinghouse.
    The term ``covered functions'' is not intended to include various 
support functions, such as computer support, payroll and other office 
support, and similar support functions, although we recognize that 
these support functions must occur in order for the entity to carry out 
its health care functions. Because such support functions are often 
also performed for parts of an organization that are not doing 
functions directly related to the health care functions and may involve 
access to and/or use of protected health information, the rules below 
describe requirements for ensuring that workforce members who perform 
these support functions do not impermissibly use or disclose protected 
health information. See Sec. 164.504.

Data Aggregation

    The NPRM did not include a definition of data aggregation. In the 
final rule, data aggregation is defined, with respect to protected 
health information received by a business associate in its capacity as 
the business associate of a covered entity, as the combining of such 
protected health information by the business associate with protected 
health information received by the business associate in its capacity 
as a business associate of another covered entity, to permit the 
creation of data for analyses that relate to the health care operations 
of the respective covered entities. The definition is included in the 
final rule to help describe how business associates can assist covered 
entities to perform health care operations that involve comparative 
analysis of protected health information from otherwise unaffiliated 
covered entities. Data aggregation is a service that gives rise to a 
business associate relationship if the performance of the service 
involves disclosure of protected health information by the covered 
entity to the business associate.

Designated Record Set

    In the proposed rule, we defined designated record set as ``a group 
of records under the control of a covered entity from which information 
is retrieved by the name of the individual or by some identifying 
number, symbol, or other identifying particular assigned to the 
individual and which is used by the covered entity to make decisions 
about the individual.'' We defined a ``record'' as ``any item, 
collection, or grouping of protected health information maintained, 
collected, used, or disseminated by a covered entity.''
    In the final rule, we modify the definition of designated record 
set to specify certain records maintained by or for a covered entity 
that are always part of a covered entity's designated record sets and 
to include other records that are used to make decisions about 
individuals. We do not use the means of retrieval of a record as a 
defining criteria.
    For health plans, designated record sets include, at a minimum, the 
enrollment, payment, claims adjudication, and case or medical 
management record systems of the plan. For covered health care 
providers, designated record sets include, at a minimum, the medical 
record and billing record about individuals maintained by or for the 
provider. In addition to these records, designated record sets include 
any other group of records that are used, in whole or in part, by or 
for a covered entity to make decisions about individuals. We note that 
records that otherwise meet the definition of designated record set and 
which are held by a business associate of the covered entity are part 
of the covered entity's designated record sets. Although we do not 
specify particular types of records that are always included in the 
designated record sets of clearinghouses when they are not acting as 
business associates, this definition includes a group of records that 
such a clearinghouse uses, in whole or in part, to make decisions about 
individuals.
    For the most part we retain, with slight modifications, the 
definition of ``record,'' defining it as any item, collection, or 
grouping of information that includes protected health information and 
is maintained, collected, used, or disseminated.

Direct Treatment Relationship

    This term was not included in the proposed rule. Direct treatment 
relationship means a relationship between a health care provider and an 
individual that is not an indirect treatment relationship (see 
definition of indirect treatment relationship, below). For example, 
outpatient pharmacists and Web-based providers generally have direct 
treatment relationships with patients. Outpatient pharmacists fill 
prescriptions written by other providers, but they furnish the 
prescription and advice about the prescription directly to the patient, 
not through another treating provider. Web-based providers generally 
deliver health care independently, without the orders of another 
provider.
    A provider may have direct treatment relationships with some 
patients and indirect treatment relationships with others. In some 
provisions of the final rule, providers with indirect treatment 
relationships are excepted from requirements that apply to other 
providers. See Sec. 164.506 regarding consent for uses and disclosures 
of protected health information for treatment, payment, and health care 
operations, and Sec. 164.520 regarding notice of information practices. 
These exceptions apply only with respect to the individuals with whom 
the provider has an indirect treatment relationship.

Disclosure

    We proposed to define ``disclosure'' to mean the release, transfer, 
provision of access to, or divulging in any other manner of information 
outside the entity holding the information. The final rule is 
unchanged. We note that the transfer of protected health information 
from a covered entity to a business associate is a disclosure for 
purposes of this regulation.

Health Care Operations

    The preamble to the proposed rule explained that in order for 
treatment and payment to occur, protected health

[[Page 82490]]

information must be used within entities and shared with business 
partners. In the proposed rule we provided a definition for ``health 
care operations'' to clarify the activities we considered to be 
``compatible with and directly related to'' treatment and payment and 
for which protected health information could be used or disclosed 
without individual authorization. These activities included conducting 
quality assessment and improvement activities, reviewing the competence 
or qualifications and accrediting/licensing of health care 
professionals and plans, evaluating health care professional and health 
plan performance, training future health care professionals, insurance 
activities relating to the renewal of a contract for insurance, 
conducting or arranging for medical review and auditing services, and 
compiling and analyzing information in anticipation of or for use in a 
civil or criminal legal proceeding. Recognizing the dynamic nature of 
the health care industry, we acknowledged that the specified categories 
may need to be modified as the industry evolves.
    The preamble discussion of the proposed general rules listed 
certain activities that would not be considered health care operations 
because they were sufficiently unrelated to treatment and payment to 
warrant requiring an individual to authorize such use or disclosure. 
Those activities included: marketing of health and non-health items and 
services; disclosure of protected health information for sale, rent or 
barter; use of protected health information by a non-health related 
division of an entity; disclosure of protected health information for 
eligibility, enrollment, underwriting, or risk rating determinations 
prior to an individuals' enrollment in a health plan; disclosure to an 
employer for employment determinations; and fundraising.
    In the final rule, we do not change the general approach of 
defining health care operations: health care operations are the listed 
activities undertaken by the covered entity that maintains the 
protected health information (i.e., one covered entity may not disclose 
protected health information for the operations of a second covered 
entity); a covered entity may use any protected health information it 
maintains for its operations (e.g., a plan may use protected health 
information about former enrollees as well as current enrollees); we 
expand the proposed list to reflect many changes requested by 
commenters.
    We modify the proposal that health care operations represent 
activities ``in support of'' treatment and payment functions. Instead, 
in the final rule, health care operations are the enumerated activities 
to the extent that the activities are related to the covered entity's 
functions as a health care provider, health plan or health care 
clearinghouse, i.e., the entity's ``covered functions.'' We make this 
change to clarify that health care operations includes general 
administrative and business functions necessary for the covered entity 
to remain a viable business. While it is possible to draw a connection 
between all the enumerated activities and ``treatment and payment,'' 
for some general business activities (e.g., audits for financial 
disclosure statements) that connection may be tenuous. The proposed 
concept also did not include the operations of those health care 
clearinghouses that may be covered by this rule outside their status as 
business associate to a covered entity. We expand the definition to 
include disclosures for the enumerated activities of organized health 
care arrangements in which the covered entity participates. See also 
the definition of organized health care arrangements, below.
    In addition, we make the following changes and additions to the 
enumerated subparagraphs:
    (1) We add language to clarify that the primary purpose of the 
studies encompassed by ``quality assessment and improvement 
activities'' must not be to obtain generalizable knowledge. A study 
with such a purpose would meet the rule's definition of research, and 
use or disclosure of protected health information would have to meet 
the requirements of Secs. 164.508 or 164.512(i). Thus, studies may be 
conducted as a health care operation if development of generalizable 
knowledge is not the primary goal. However, if the study changes and 
the covered entity intends the results to be generalizable, the change 
should be documented by the covered entity as proof that, when 
initiated, the primary purpose was health care operations.
    We add population-based activities related to improving health or 
reducing health care costs, protocol development, case management and 
care coordination, contacting of health care providers and patients 
with information about treatment alternatives, and related functions 
that do not entail direct patient care. Many commenters recommended 
adding the term ``disease management'' to health care operations. We 
were unable, however, to find a generally accepted definition of the 
term. Rather than rely on this label, we include many of the functions 
often included in discussions of disease management in this definition 
or in the definition of treatment. This topic is discussed further in 
the comment responses below.
    (2) We have deleted ``undergraduate and graduate'' as a qualifier 
for ``students,'' to make the term more general and inclusive. We add 
the term ``practitioners.'' We expand the purposes encompassed to 
include situations in which health care providers are working to 
improve their skills. The rule also adds the training of non-health 
care professionals.
    (3) The rule expands the range of insurance related activities to 
include those related to the creation, renewal or replacement of a 
contract for health insurance or health benefits, as well as ceding, 
securing, or placing a contract for reinsurance of risk relating to 
claims for health care (including stop-loss and excess of loss 
insurance). For these activities, we also eliminate the proposed 
requirement that these uses and disclosures apply only to protected 
health information about individuals already enrolled in a health plan. 
Under this provision, a group health plan that wants to replace its 
insurance carrier may disclose certain protected health information to 
insurance issuers in order to obtain bids on new coverage, and an 
insurance carrier interested in bidding on new business may use 
protected health information obtained from the potential new client to 
develop the product and pricing it will offer. For circumstances in 
which no new contract is issued, we add a provision in Sec. 164.514(g) 
restricting the recipient health plan from using or disclosing 
protected health information obtained for this purpose, other than as 
required by law. Uses and disclosures in these cases come within the 
definition of ``health care operations,'' provided that the 
requirements of Sec. 164.514(g) are met, if applicable. See 
Sec. 164.504(f) for requirements for such disclosures by group health 
plans, as well as specific restrictions on the information that may be 
disclosed to plan sponsors for such purposes. We note that a covered 
health care provider must obtain an authorization under Sec. 164.508 in 
order to disclose protected health information about an individual for 
purposes of pre-enrollment underwriting; the underwriting is not an 
``operation'' of the provider and that disclosure is not otherwise 
permitted by a provision of this rule.
    (4) We delete reference to the ``compiling and analyzing 
information in anticipation of or for use in a civil or criminal legal 
proceeding'' and replace it with a broader reference to

[[Page 82491]]

conducting or arranging for ``legal services.''
    We add two new categories of activities:
    (5) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and 
operating the entity, including formulary development and 
administration, development or improvement of methods of payment or 
coverage policies.
    (6) Business management activities and general administrative 
functions, such as management activities relating to implementation of 
and compliance with the requirements of this subchapter, fundraising 
for the benefit of the covered entity to the extent permitted without 
authorization under Sec. 164.514(f), and marketing of certain services 
to individuals served by the covered entity, to the extent permitted 
without authorization under Sec. 164.514(e) (see discussion in the 
preamble to that section, below). For example, under this category we 
permit uses or disclosures of protected health information to determine 
from whom an authorization should be obtained, for example to generate 
a mailing list of individuals who would receive an authorization 
request.
    We add to the definition of health care operations disclosure of 
protected health information for due diligence to a covered entity that 
is a potential successor in interest. This provision includes 
disclosures pursuant to the sale of a covered entity's business as a 
going concern, mergers, acquisitions, consolidations, and other similar 
types of corporate restructuring between covered entities, including a 
division of a covered entity, and to an entity that is not a covered 
entity but will become a covered entity if the transfer or sale is 
completed. Other types of sales of assets, or disclosures to 
organizations that are not and would not become covered entities, are 
not included in the definition of health care operations and could only 
occur if the covered entity obtained valid authorization for such 
disclosure in accordance with Sec. 164.508, or if the disclosure is 
otherwise permitted under this rule.
    We also add to health care operations disclosure of protected 
health information for resolution of internal grievances. These uses 
and disclosures include disclosure to an employee and/or employee 
representative, for example when the employee needs protected health 
information to demonstrate that the employer's allegations of improper 
conduct are untrue. We note that such employees and employee 
representatives are not providing services to or for the covered 
entity, and, therefore, no business associate contract is required. 
Also included are resolution of disputes from patients or enrollees 
regarding the quality of care and similar matters.
    We also add use for customer service, including the provision of 
data and statistical analyses for policyholders, plan sponsors, or 
other customers, as long as the protected health information is not 
disclosed to such persons. We recognize that part of the general 
management of a covered entity is customer service. We clarify that 
customer service may include the use of protected health information to 
provide data and statistical analyses. For example, a plan sponsor may 
want to understand why its costs are rising faster than average, or why 
utilization in one plant location is different than in another 
location. An association that sponsors an insurance plan for its 
members may want information on the relative costs of its plan in 
different areas. Some plan sponsors may want more detailed analyses 
that attempt to identify health problems in a work site. We note that 
when a plan sponsor has several different group health plans, or when 
such plans provide insurance or coverage through more than one health 
insurance issuer or HMO, the covered entities may jointly engage in 
this type of analysis as a health care operation of the organized 
health care arrangement.
    This activity qualifies as a health care operation only if it does 
not result in the disclosure of protected health information to the 
customer. The results of the analyses must be presented in a way that 
does not disclose protected health information. A disclosure of 
protected health information to the customer as a health care operation 
under this provision violates this rule. This provision is not intended 
to permit covered entities to circumvent other provisions in this rule, 
including requirements relating to disclosures of protected health 
information to plan sponsors or the requirements relating to research. 
See Sec. 164.504(f) and Sec. 164.512(i).
    We use the term customer to provide flexibility to covered 
entities. We do not intend the term to apply to persons with whom the 
covered entity has no other business; this provision is intended to 
permit covered entities to provide service to their existing customer 
base.
    We note that this definition, either alone or in conjunction with 
the definition of ``organized health care arrangement,'' allows an 
entity such as an integrated staff model HMO, whether legally 
integrated or whether a group of associated entities, that hold 
themselves out as an organized arrangement to share protected health 
information under Sec. 164.506. In these cases, the sharing of 
protected health information will be either for the operations of the 
disclosing entity or for the organized health care arrangement in which 
the entity is participating.
    Whether a disclosure is allowable for health care operations under 
this provision is determined separately from whether a business 
associate contract is required. These provisions of the rule operate 
independently. Disclosures for health care operations may be made to an 
entity that is neither a covered entity nor a business associate of the 
covered entity. For example, a covered academic medical center may 
disclose certain protected health information to community health care 
providers who participate in one of its continuing medical education 
programs, whether or not such providers are covered health care 
providers under this rule. A provider attending a continuing education 
program is not thereby performing services for the covered entity 
sponsoring the program and, thus, is not a business associate for that 
purpose. Similarly, health plans may disclose for due diligence 
purposes to another entity that may or may not be a covered entity or a 
business associate.

Health Oversight Agency

    The proposed rule would have defined ``health oversight agency'' as 
``an agency, person, or entity, including the employees or agents 
thereof, (1) That is: (i) A public agency; or (ii) A person or entity 
acting under grant of authority from or contract with a public agency; 
and (2) Which performs or oversees the performance of any audit; 
investigation; inspection; licensure or discipline; civil, criminal, or 
administrative proceeding or action; or other activity necessary for 
appropriate oversight of the health care system, of government benefit 
programs for which health information is relevant to beneficiary 
eligibility, or of government regulatory programs for which health 
information is necessary for determining compliance with program 
standards.'' The proposed rule also described the functions of health 
oversight agencies in the proposed health oversight section 
(Sec. 164.510(c)) by repeating much of this definition.
    In the final rule, we modify the definition of health oversight 
agency by eliminating from the definition the language in proposed 
Sec. 164.510(c) (now Sec. 164.512(d)). In addition, the final rule 
clarifies this definition by specifying that a ``health oversight 
agency'' is an agency or authority of the United States,

[[Page 82492]]

a state, a territory, a political subdivision of a state or territory, 
or an Indian tribe, or a person or entity acting under a grant of 
authority from or contract with such public agency, including the 
employees or agents of such public agency or its contractors or 
grantees, that is authorized by law to oversee the health care system 
or government programs in which health information is necessary to 
determine eligibility or compliance, or to enforce civil rights laws 
for which health information is relevant.
    The preamble to the proposed rule listed the following as examples 
of health oversight agencies that conduct oversight activities relating 
to the health care system: state insurance commissions, state health 
professional licensure agencies, Offices of Inspectors General of 
federal agencies, the Department of Justice, state Medicaid fraud 
control units, Defense Criminal Investigative Services, the Pension and 
Welfare Benefit Administration, the HHS Office for Civil Rights, and 
the FDA. The proposed rule listed the Social Security Administration 
and the Department of Education as examples of health oversight 
agencies that conduct oversight of government benefit programs for 
which health information is relevant to beneficiary eligibility. The 
proposed rule listed the Occupational Health and Safety Administration 
and the Environmental Protection Agency as examples of oversight 
agencies that conduct oversight of government regulatory programs for 
which health information is necessary for determining compliance with 
program standards.
    In the final rule, we include the following as additional examples 
of health oversight activities: (1) The U.S. Department of Justice's 
civil rights enforcement activities, and in particular, enforcement of 
the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-
1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et 
seq.), as well as the EEOC's civil rights enforcement activities under 
titles I and V of the ADA; (2) the FDA's oversight of food, drugs, 
biologics, devices, and other products pursuant to the Food, Drug, and 
Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act 
(42 U.S.C. 201 et seq.); and (3) data analysis --performed by a public 
agency or by a person or entity acting under grant of authority from or 
under contract with a public agency --to detect health care fraud.
    ``Overseeing the health care system,'' which is included in the 
definition of health oversight, encompasses activities such as: 
oversight of health care plans; oversight of health benefit plans; 
oversight of health care providers; oversight of health care and health 
care delivery; oversight activities that involve resolution of consumer 
complaints; oversight of pharmaceuticals, medical products and devices, 
and dietary supplements; and a health oversight agency's analysis of 
trends in health care costs, quality, health care delivery, access to 
care, and health insurance coverage for health oversight purposes.
    We recognize that health oversight agencies, such as the U.S. 
Department of Labor's Pension and Welfare Benefits Administration, may 
perform more than one type of health oversight. For example, agencies 
may sometimes perform audits and investigations and at other times 
conduct general oversight of health benefit plans. Such entities are 
considered health oversight agencies under the rule for any and all of 
the health oversight functions that they perform.
    The definition of health oversight agency does not include private 
organizations, such as private-sector accrediting groups. Accreditation 
organizations are performing health care operations functions on behalf 
of health plans and covered health care providers. Accordingly, in 
order to obtain protected health information without individuals' 
authorizations, accrediting groups must enter into business associate 
agreements with health plans and covered health care providers for 
these purposes. Similarly, private entities, such as coding committees, 
that help government agencies that are health plans make coding and 
payment decisions are performing health care payment functions on 
behalf the government agencies and, therefore, must enter into business 
associate agreements in order to receive protected health information 
from the covered entity (absent individuals' authorization for such 
disclosure).

Indirect Treatment Relationship

    This term was not included in the proposed rule. An ``indirect 
treatment relationship'' is a relationship between a health care 
provider and an individual in which the provider delivers health care 
to the individual based on the orders of another health care provider 
and the health care services, products, diagnoses, or results are 
typically furnished to the patient through another provider, rather 
than directly. For example, radiologists and pathologists generally 
have indirect treatment relationships with patients because they 
deliver diagnostic services based on the orders of other providers and 
the results of those services are furnished to the patient through the 
direct treating provider. This definition is necessary to clarify the 
relationships between providers and individuals in the regulation. For 
example, see the consent discussion at Sec. 164.506.

Individual

    We proposed to define ``individual'' to mean the person who is the 
subject of the protected health information. We proposed that the term 
include, with respect to the signing of authorizations and other rights 
(such as access, copying, and correction), the following types of legal 
representatives:
    (1) With respect to adults and emancipated minors, legal 
representatives (such as court-appointed guardians or persons with a 
power of attorney), to the extent to which applicable law permits such 
legal representatives to exercise the person's rights in such contexts.
    (2) With respect to unemancipated minors, a parent, guardian, or 
person acting in loco parentis, provided that when a minor lawfully 
obtains a health care service without the consent of or notification to 
a parent, guardian, or other person acting in loco parentis, the minor 
shall have the exclusive right to exercise the rights of an individual 
with respect to the protected health information relating to such care.
    (3) With respect to deceased persons, an executor, administrator, 
or other person authorized under applicable law to act on behalf of the 
decedent's estate.
    In addition, we proposed to exclude from the definition:
    (1) Foreign military and diplomatic personnel and their dependents 
who receive health care provided by or paid for by the Department of 
Defense or other federal agency or by an entity acting on its behalf, 
pursuant to a country-to-country agreement or federal statute.
    (2) Overseas foreign national beneficiaries of health care provided 
by the Department of Defense or other federal agency or by a non-
governmental organization acting on its behalf.
    In the final rule, we eliminate from the definition of 
``individual'' the provisions designating a legal representative as the 
``individual'' for purposes of exercising certain rights with regard to 
protected health information. Instead, we include in the final rule a 
separate standard for ``personal representatives.'' A covered entity 
must treat a personal representative of an individual as the individual 
except under specified circumstances. See discussion in

[[Page 82493]]

Sec. 164.502(g) regarding personal representatives.
    In addition, we eliminate from the definition of ``individual'' the 
above exclusions for foreign military and diplomatic personnel and 
overseas foreign national beneficiaries. We address the special 
circumstances for use and disclosure of protected health information 
about individuals who are foreign military personnel in 
Sec. 164.512(k). We address overseas foreign national beneficiaries in 
Sec. 164.500, ``Applicability.'' The protected health information of 
individuals who are foreign diplomatic personnel and their dependents 
are not subject to special treatment under the final rule.
    Individually identifiable health information about one individual 
may exist in the health records of another individual; health 
information about one individual may include health information about a 
second person. For example, a patient's medical record may contain 
information about the medical conditions of the patient's parents, 
children, and spouse, as well as their names and contact information. 
For the purpose of this rule, if information about a second person is 
included within the protected health information of an individual, the 
second person is not the person who is the subject of the protected 
health information. The second person is not the ``individual'' with 
regard to that protected health information, and under this rule thus 
does not have the individual's rights (e.g., access and amendment) with 
regard to that information.

Individually Identifiable Health Information

    We proposed to define ``individually identifiable health 
information'' to mean information that is a subset of health 
information, including demographic information collected from an 
individual, and that:
    (1) Is created by or received from a health care provider, health 
plan, employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual, and
    (i) Which identifies the individual, or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual.
    In the final rule, we change ``created by or received from a health 
care provider * * *'' to ``created or received by a health care 
provider * * * ``in order to conform to the statute. We otherwise 
retain the definition of ``individually identifiable health 
information'' without change in the final rule.

Inmate

    The proposed rule did not define the term inmate. In the final 
rule, it is defined as a person incarcerated in or otherwise confined 
to a correctional institution. The addition of this definition is 
necessary to explain the privacy rights and protections of inmates in 
this regulation.

Law Enforcement Official

    The proposed rule would have defined a ``law enforcement official'' 
as ``an official of an agency or authority of the United States, a 
state, a territory, a political subdivision of a state or territory, or 
an Indian tribe, who is empowered by law to conduct: (1) An 
investigation or official proceeding inquiring into a violation of, or 
failure to comply with, any law; or (2) a criminal, civil, or 
administrative proceeding arising from a violation of, or failure to 
comply with, any law.''
    The final rule modifies this definition slightly. The definition in 
the final rule recognizes that law enforcement officials are empowered 
to prosecute cases as well as to conduct investigations and civil, 
criminal, or administrative proceedings. In addition, the definition in 
the final rule reflects the fact that when investigations begin, often 
it is not clear that law has been violated. Thus, the final rule 
describes law enforcement investigations and official proceedings as 
inquiring into a potential violation of law. In addition, it describes 
law enforcement-related civil, criminal, or administrative proceedings 
as arising from alleged violation of law.

Marketing

    The proposed rule did not include a definition of ``marketing.'' 
The proposed rule generally required that a covered entity would need 
an authorization from an individual to use or disclose protected health 
information for marketing.
    In the final rule we define marketing as a communication about a 
product or service a purpose of which is to encourage recipients of the 
communication to purchase or use the product or service. The definition 
does not limit the type or means of communication that are considered 
marketing.
    The definition of marketing contains three exceptions. If a covered 
entity receives direct or indirect remuneration from a third party for 
making a written communication otherwise described in an exception, 
then the communication is not excluded from the definition of 
marketing. The activities we except from the definition of marketing 
are encompassed by the definitions of treatment, payment, and health 
care operations. Covered entities may therefore use and disclose 
protected health information for these excepted activities without 
authorization under Sec. 164.508 and pursuant to any applicable consent 
obtained under Sec. 164.506.
    The first exception applies to communications made by a covered 
entity for the purpose of describing the entities participating in a 
provider network or health plan network. It also applies to 
communications made by a covered entity for the purpose of describing 
if and the extent to which a product or service, or payment for a 
product or service, is provided by the covered entity or included in a 
benefit plan. This exception permits covered entities to use or 
disclose protected health information when discussing topics such as 
the benefits and services available under a health plan, the payment 
that may be made for a product or service, which providers offer a 
particular product or service, and whether a provider is part of a 
network or whether (and what amount of) payment will be provided with 
respect to the services of particular providers. This exception 
expresses our intent not to interfere with communications made to 
individuals about their health benefits.
    The second exception applies to communications tailored to the 
circumstances of a particular individual, made by a health care 
provider to an individual as part of the treatment of the individual, 
and for the purpose of furthering the treatment of that individual. 
This exception leaves health care providers free to use or disclose 
protected health information as part of a discussion of its products 
and services, or the products and services of others, and to prescribe, 
recommend, or sell such products or services, as part of the treatment 
of an individual. This exception includes activities such as referrals, 
prescriptions, recommendations, and other communications that address 
how a product or service may relate to the individual's health. This 
exception expresses our intent not to interfere with communications 
made to individuals about their treatment.
    The third exception applies to communications tailored to the

[[Page 82494]]

circumstances of a particular individual and made by a health care 
provider or health plan to an individual in the course of managing the 
treatment of that individual or for the purpose of directing or 
recommending to that individual alternative treatments, therapies, 
providers, or settings of care. As with the previous exception, this 
exception permits covered entities to discuss freely their products and 
services and the products and services of third parties, in the course 
of managing an individual's care or providing or discussing treatment 
alternatives with an individual, even when such activities involve the 
use or disclose protected health information.
    Section 164.514 contains provisions governing use or disclosure of 
protected health information in marketing communications, including a 
description of certain marketing communications that may use or include 
protected health information but that may be made by a covered entity 
without individual authorization. The definition of health care 
operations includes those marketing communications that may be made 
without an authorization pursuant to Sec. 164.514. Covered entities may 
therefore use and disclose protected health information for these 
activities pursuant to any applicable consent obtained under 
Sec. 164.506, or, if they are not required to obtain a consent under 
Sec. 164.506, without one.

Organized Health Care Arrangement

    This term was not used in the proposed rule. We define the term in 
order to describe certain arrangements in which participants need to 
share protected health information about their patients to manage and 
benefit the common enterprise. To allow uses and disclosures of 
protected health information for these arrangements, we also add 
language to the definition of ``health care operations.'' See 
discussion of that term above.
    We include five arrangements within the definition of organized 
health care arrangement. The arrangements involve clinical or 
operational integration among legally separate covered entities in 
which it is often necessary to share protected health information for 
the joint management and operations of the arrangement. They may range 
in legal structure, but a key component of these arrangements is that 
individuals who obtain services from them have an expectation that 
these arrangements are integrated and that they jointly manage their 
operations. We include within the definition a clinically integrated 
care setting in which individuals typically receive health care from 
more than one health care provider. Perhaps the most common example of 
this type of organized health care arrangement is the hospital setting, 
where a hospital and a physician with staff privileges at the hospital 
together provide treatment to the individual. Participants in such 
clinically integrated settings need to be able to share health 
information freely not only for treatment purposes, but also to improve 
their joint operations. For example, any physician with staff 
privileges at a hospital must be able to participate in the hospital's 
morbidity and mortality reviews, even when the particular physician's 
patients are not being discussed. Nurses and other hospital personnel 
must also be able to participate. These activities benefit the common 
enterprise, even when the benefits to a particular participant are not 
evident. While protected health information may be freely shared among 
providers for treatment purposes under other provisions of this rule, 
some of these joint activities also support the health care operations 
of one or more participants in the joint arrangement. Thus, special 
rules are needed to ensure that this rule does not interfere with 
legitimate information sharing among the participants in these 
arrangements.
    We also include within the definition an organized system of health 
care in which more than one covered entity participates, and in which 
the participating covered entities hold themselves out to the public as 
participating in a joint arrangement, and in which the joint activities 
of the participating covered entities include at least one of the 
following: utilization review, in which health care decisions by 
participating covered entities are reviewed by other participating 
covered entities or by a third party on their behalf; quality 
assessment and improvement activities, in which treatment provided by 
participating covered entities is assessed by other participating 
covered entities or by a third party on their behalf; or payment 
activities, if the financial risk for delivering health care is shared 
in whole or in part by participating covered entities through the joint 
arrangement and if protected health information created or received by 
a covered entity is reviewed by other participating covered entities or 
by a third party on their behalf for the purpose of administering the 
sharing of financial risk. A common example of this type of organized 
health care arrangement is an independent practice association formed 
by a large number of physicians. They may advertise themselves as a 
common enterprise (e.g., Acme IPA), whether or not they are under 
common ownership or control, whether or not they practice together in 
an integrated clinical setting, and whether or not they share financial 
risk.
    If such a group engages jointly in one or more of the listed 
activities, the participating covered entities will need to share 
protected health information to undertake such activities and to 
improve their joint operations. In this example, the physician 
participants in the IPA may share financial risk through common 
withhold pools with health plans or similar arrangements. The IPA 
participants who manage the financial arrangements need protected 
health information about all the participants' patients in order to 
manage the arrangement. (The participants may also hire a third party 
to manage their financial arrangements.) If the participants in the IPA 
engage in joint quality assurance or utilization review activities, 
they will need to share protected health information about their 
patients much as participants in an integrated clinical setting would. 
Many joint activities that require the sharing of protected health 
information benefit the common enterprise, even when the benefits to a 
particular participant are not evident.
    We include three relationships related to group health plans as 
organized health care arrangements. First, we include a group health 
plan and an issuer or HMO with respect to the group health plan within 
the definition, but only with respect to the protected health 
information of the issuer or HMO that relates to individuals who are or 
have been participants or beneficiaries in the group health plan. We 
recognize that many group health plans are funded partially or fully 
through insurance, and that in some cases the group health plan and 
issuer or HMO need to coordinate operations to properly serve the 
enrollees. Second, we include a group health plan and one or more other 
group health plans each of which are maintained by the same plan 
sponsor. We recognize that in some instances plan sponsors provide 
health benefits through a combination of group health plans, and that 
they may need to coordinate the operations of such plans to better 
serve the participants and beneficiaries of the plans. Third, we 
include a combination of group health plans maintained by the same plan 
sponsor and the health insurance issuers and HMOs with respect to such 
plans, but again only with respect to the protected health information 
of such issuers and HMOs that relates to

[[Page 82495]]

individuals who are or have been enrolled in such group health plans. 
We recognize that is some instances a plan sponsor may provide benefits 
through more than one group health plan, and that such plans may fund 
the benefits through one or more issuers or HMOs. Again, coordinating 
health care operations among these entities may be necessary to serve 
the participants and beneficiaries in the group health plans. We note 
that the necessary coordination may necessarily involve the business 
associates of the covered entities and may involve the participation of 
the plan sponsor to the extent that it is providing plan administration 
functions and subject to the limits in Sec. 164.504.

Payment

    We proposed the term payment to mean:
    (1) The activities undertaken by or on behalf of a covered entity 
that is:
    (i) A health plan, or by a business partner on behalf of a health 
plan, to obtain premiums or to determine or fulfill its responsibility 
for coverage under the health plan and for provision of benefits under 
the health plan; or
    (ii) A health care provider or health plan, or a business partner 
on behalf of such provider or plan, to obtain reimbursement for the 
provision of health care.
    (2) Activities that constitute payment include:
    (i) Determinations of coverage, adjudication or subrogation of 
health benefit claims;
    (ii) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (iii) Billing, claims management, and medical data processing;
    (iv) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges; and
    (v) Utilization review activities, including precertification and 
preauthorization of services.
    In the final rule, we maintain the general approach of defining of 
payment: payment activities are described generally in the first clause 
of the definition, and specific examples are given in the second 
clause. Payment activities relate to the covered entity that maintains 
the protected health information (i.e., one covered entity may not 
disclose protected health information for the payment activities of a 
second covered entity). A covered entity may use or disclose only the 
protected health information about the individual to whom care was 
rendered, for its payment activities (e.g., a provider may disclose 
protected health information only about the patient to whom care was 
rendered in order to obtain payment for that care, or only the 
protected health information about persons enrolled in the particular 
health plan that seeks to audit the provider's records). We expand the 
proposed list to reflect many changes requested by commenters.
    We add eligibility determinations as an activity included in the 
definition of payment. We expand coverage determinations to include the 
coordination of benefits and the determination of a specific 
individual's cost sharing amounts. The rule deletes activities related 
to the improvement of methods of paying or coverage policies from this 
definition and instead includes them in the definition of health care 
operations. We add to the definition ``collection activities.'' We 
replace ``medical data processing'' activities with health care data 
processing related to billing, claims management, and collection 
activities. We add activities for the purpose of obtaining payment 
under a contract for reinsurance (including stop-loss and excess of 
loss insurance). Utilization review activities now include concurrent 
and retrospective review of services.
    In addition, we modify this definition to clarify that the 
activities described in section 1179 of the Act are included in the 
definition of ``payment.'' We add new subclause (vi) allowing covered 
entities to disclose to consumer reporting agencies an individual's 
name, address, date of birth, social security number and payment 
history, account number, as well as the name and address of the 
individual's health care provider and/or health plan, as appropriate. 
Covered entities may make disclosure of this protected health 
information to consumer reporting agencies for purposes related to 
collection of premiums or reimbursement. This allows reporting not just 
of missed payments and overdue debt but also of subsequent positive 
payment experience (e.g., to expunge the debt). We consider such 
positive payment experience to be ``related to'' collection of premiums 
or reimbursement.
    The remaining activities described in section 1179 are included in 
other language in this definition. For example, ``authorizing, 
processing, clearing, settling, billing, transferring, reconciling or 
collecting, a payment for, or related to, health plan premiums or 
health care'' are covered by paragraph (2)(iii) of the definition, 
which allows use and disclosure of protected health information for 
``billing, claims management, collection activities and related health 
care data processing.'' ``Claims management'' also includes auditing 
payments, investigating and resolving payment disputes and responding 
to customer inquiries regarding payments. Disclosure of protected 
health information for compliance with civil or criminal subpoenas, or 
with other applicable laws, are covered under Sec. 164.512 of this 
regulation. (See discussion above regarding the interaction between 
1179 and this regulation.)
    We modify the proposed regulation text to clarify that payment 
includes activities undertaken to reimburse health care providers for 
treatment provided to individuals.
    Covered entities may disclose protected health information for 
payment purposes to any other entity, regardless of whether it is a 
covered entity. For example, a health care provider may disclose 
protected health information to a financial institution in order to 
cash a check or to a health care clearinghouse to initiate electronic 
transactions. However, if a covered entity engages another entity, such 
as a billing service or a financial institution, to conduct payment 
activities on its behalf, the other entity may meet the definition of 
``business associate'' under this rule. For example, an entity is 
acting as a business associate when it is operating the accounts 
receivable system on behalf of a health care provider.
    Similarly, payment includes disclosure of protected health 
information by a health care provider to an insurer that is not a 
``health plan'' as defined in this rule, to obtain payment. For 
example, protected health information may be disclosed to obtain 
reimbursement from a disability insurance carrier. We do not interpret 
the definition of ``payment'' to include activities that involve the 
disclosure of protected health information by a covered entity, 
including a covered health care provider, to a plan sponsor for the 
purpose of obtaining payment under a group health plan maintained by 
such plan sponsor, or for the purpose of obtaining payment from a 
health insurance issuer or HMO with respect to a group health plan 
maintained by such plan sponsor, unless the plan sponsor is performing 
plan administration pursuant to Sec. 164.504(f).
    The Transactions Rule adopts standards for electronic health care 
transactions, including two for processing payments. We adopted the ASC 
X12N 835 transaction standard for ``Health Care Payment and Remittance

[[Page 82496]]

Advice'' transactions between health plans and health care providers, 
and the ASC X12N 820 standard for ``Health Plan Premium Payments'' 
transactions between entities that arrange for the provision of health 
care or provide health care coverage payments and health plans. Under 
these two transactions, information to effect funds transfer is 
transmitted in a part of the transaction separable from the part 
containing any individually identifiable health information.
    We note that a covered entity may conduct the electronic funds 
transfer portion of the two payment standard transactions with a 
financial institution without restriction, because it contains no 
protected health information. The protected health information 
contained in the electronic remittance advice or the premium payment 
enrollee data portions of the transactions is not necessary either to 
conduct the funds transfer or to forward the transactions. Therefore, a 
covered entity may not disclose the protected health information to a 
financial institution for these purposes. A covered entity may transmit 
the portions of the transactions containing protected health 
information through a financial institution if the protected health 
information is encrypted so it can be read only by the intended 
recipient. In such cases no protected health information is disclosed 
and the financial institution is acting solely as a conduit for the 
individually identifiable data.

Plan Sponsor

    In the final rule we add a definition of ``plan sponsor.'' We 
define plan sponsor by referencing the definition of the term provided 
in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA). 
The plan sponsor is the employer or employee organization, or both, 
that establishes and maintains an employee benefit plan. In the case of 
a plan established by two or more employers, it is the association, 
committee, joint board of trustees, or other similar group or 
representative of the parties that establish and maintain the employee 
benefit plan. This term includes church health plans and government 
health plans. Group health plans may disclose protected health 
information to plan sponsors who conduct payment and health care 
operations activities on behalf of the group health plan if the 
requirements for group health plans in Sec. 164.504 are met.
    The preamble to the Transactions Rule noted that plan sponsors of 
group health plans are not covered entities and, therefore, are not 
required to use the standards established in that regulation to perform 
electronic transactions, including enrollment and disenrollment 
transactions. We do not change that policy through this rule. Plan 
sponsors that perform enrollment functions are doing so on behalf of 
the participants and beneficiaries of the group health plan and not on 
behalf of the group health plan itself. For purposes of this rule, plan 
sponsors are not subject to the requirements of Sec. 164.504 regarding 
group health plans when conducting enrollment activities.

Protected Health Information

    We proposed to define ``protected health information'' to mean 
individually identifiable health information that is or has been 
electronically maintained or electronically transmitted by a covered 
entity, as well as such information when it takes any other form. For 
purposes of this definition, we proposed to define ``electronically 
transmitted'' as including information exchanged with a computer using 
electronic media, such as the movement of information from one location 
to another by magnetic or optical media, transmissions over the 
Internet, Extranet, leased lines, dial-up lines, private networks, 
telephone voice response, and ``faxback'' systems. We proposed that 
this definition not include ``paper-to-paper'' faxes, or person-to-
person telephone calls, video teleconferencing, or messages left on 
voice-mail.
    Further, ``electronically maintained'' was proposed to mean 
information stored by a computer or on any electronic medium from which 
the information may be retrieved by a computer, such as electronic 
memory chips, magnetic tape, magnetic disk, or compact disc optical 
media.
    The proposal's definition explicitly excluded:
    (1) Individually identifiable health information that is part of an 
``education record'' governed by the Family Educational Rights and 
Privacy Act (FERPA), 20 U.S.C. 1232g.
    (2) Individually identifiable health information of inmates of 
correctional facilities and detainees in detention facilities.
    In this final rule we expand the definition of protected health 
information to encompass all individually identifiable health 
information transmitted or maintained by a covered entity, regardless 
of form. Specifically, we delete the conditions for individually 
identifiable health information to be ``electronically maintained'' or 
``electronically transmitted'' and the corresponding definitions of 
those terms. Instead, the final rule defines protected health 
information to be individually identifiable health information that is:
    (1) Transmitted by electronic media;
    (2) Maintained in any medium described in the definition of 
electronic media at Sec. 162.103 of this subchapter; or
    (3) Transmitted or maintained in any other form or medium.
    We refer to electronic media, as defined in Sec. 162.103, which 
means the mode of electronic transmission. It includes the Internet 
(wide-open), Extranet (using Internet technology to link a business 
with information only accessible to collaborating parties), leased 
lines, dial-up lines, private networks, and those transmissions that 
are physically moved from one location to another using magnetic tape, 
disk, or compact disk media.
    The definition of protected health information is set out in this 
form to emphasize the severability of this provision. As discussed 
below, we believe we have ample legal authority to cover all 
individually identifiable health information transmitted or maintained 
by covered entities. We have structured the definition this way so 
that, if a court were to disagree with our view of our authority in 
this area, the rule would still be operational, albeit with respect to 
a more limited universe of information.
    Other provisions of the rules below may also be severable, 
depending on their scope and operation. For example, if the rule itself 
provides a fallback, as it does with respect to the various 
discretionary uses and disclosures permitted under Sec. 164.512, the 
provisions would be severable under case law.
    The definition in the final rule retains the exception relating to 
individually identifiable health information in ``education records'' 
governed by FERPA. We also exclude the records described in 20 U.S.C. 
1232g(a)(4)(B)(iv). These are records of students held by post-
secondary educational institutions or of students 18 years of age or 
older, used exclusively for health care treatment and which have not 
been disclosed to anyone other than a health care provider at the 
student's request. (See discussion of FERPA above.)
    We have removed the exception for individually identifiable health 
information of inmates of correctional facilities and detainees in 
detention facilities. Individually identifiable health information 
about inmates is protected health information under the final rule, and 
special rules for use and disclosure of the protected health

[[Page 82497]]

information about inmates and their ability to exercise the rights 
granted in this rule are described below.

Psychotherapy Notes

    Section 164.508(a)(3)(iv)(A) of the proposed rule defined 
psychotherapy notes as notes recorded (in any medium) by a health care 
provider who is a mental health professional documenting or analyzing 
the contents of conversation during a private counseling session or a 
group, joint, or family counseling session. The proposed definition 
excluded medication prescription and monitoring, counseling session 
start and stop times, the modalities and frequencies of treatment 
furnished, results of clinical tests, and any summary of the following 
items: Diagnosis, functional status, the treatment plan, symptoms, 
prognosis and progress. Furthermore, we stated in the preamble of the 
proposed rule that psychotherapy notes would have to be maintained 
separately from the medical record.
    In this final rule, we retain the definition of psychotherapy notes 
that we had proposed, but add to the regulation text the requirement 
that, to meet the definition of psychotherapy notes, the information 
must be separated from the rest of the individual's medical record.

Public Health Authority

    The proposed rule would have defined ``public health authority'' as 
``an agency or authority of the United States, a state, a territory, or 
an Indian tribe that is responsible for public health matters as part 
of its official mandate.''
    The final rule changes this definition slightly to clarify that a 
``public health authority'' also includes a person or entity acting 
under a grant of authority from or contract with a public health 
agency. Therefore, the final rule defines this term as an agency or 
authority of the United States, a state, a territory, a political 
subdivision of a state or territory, or an Indian tribe, or a person or 
entity acting under a grant of authority from or contract with such 
public agency, including the employees or agents of such public agency 
or its contractors or persons or entities to whom it has granted 
authority, that is responsible for public health matters as part of its 
official mandate.

Required By Law

    In the preamble to the NPRM, we did not include a definition of 
``required by law.'' We discussed what it meant for an action to be 
considered to be ``required'' or ``mandated'' by law and included 
several examples of activities that would be considered as required by 
law for the purposes of the proposed rule, including a valid Inspector 
General subpoena, grand jury subpoena, civil investigative demand, or a 
statute or regulation requiring production of information justifying a 
claim would constitute a disclosure required by law.
    In the final rule we include a new definition, move the preamble 
clarifications to the regulatory text and add several items to the 
illustrative list. For purposes of this regulation, ``required by law'' 
means a mandate contained in law that compels a covered entity to make 
a use or disclosure of protected health information and that is 
enforceable in a court of law. Among the examples listed in definition 
are Medicare conditions of participation with respect to health care 
providers participating in that program, court-ordered warrants, and 
subpoenas issued by a court. We note that disclosures ``required by 
law'' include disclosures of protected health information required by 
this regulation in Sec. 164.502(a)(2). It does not include contracts 
between private parties or similar voluntary arrangements. This list is 
illustrative only and is not intended in any way to limit the scope of 
this paragraph or other paragraphs in Sec. 164.512 that permit uses or 
disclosures to the extent required by other laws. We note that nothing 
in this rule compels a covered entity to make a use or disclosure 
required by the legal demands or prescriptions listed in this 
clarification or by any other law or legal process, and a covered 
entity remains free to challenge the validity of such laws and 
processes.

Research

    We proposed to define ``research'' as it is defined in the Federal 
Policy for the Protection of Human Subjects, at 45 CFR part 46, subpart 
A (referred to elsewhere in this rule as ``Common Rule''), and in 
addition, elaborated on the meaning of the term ``generalizable 
knowledge.'' In Sec. 164.504 of the proposed rule we defined research 
as ``* * * a systematic investigation, including research development, 
testing and evaluation, designed to develop or contribute to 
generalizable knowledge. `Generalizable knowledge' is knowledge related 
to health that can be applied to populations outside of the population 
served by the covered entity.''
    The final rule eliminates the further elaboration of 
``generalizable knowledge.'' Therefore, the rule defines ``research'' 
as the term is defined in the Common Rule: a systematic investigation, 
including research development, testing and evaluation, designed to 
develop or contribute to generalizable knowledge.

Research Information Unrelated to Treatment

    We delete this definition and the associated requirements from the 
final rule. Refer to Sec. 164.508(f) for new requirements regarding 
authorizations for research that includes treatment of the individual.

Treatment

    The proposed rule defined ``treatment'' as the provision of health 
care by, or the coordination of health care (including health care 
management of the individual through risk assessment, case management, 
and disease management) among, health care providers; the referral of a 
patient from one provider to another; or the coordination of health 
care or other services among health care providers and third parties 
authorized by the health plan or the individual. The preamble noted 
that the definition was intended to relate only to services provided to 
an individual and not to an entire enrolled population.
    In the final rule, we do not change the general approach to 
defining treatment: treatment means the listed activities undertaken by 
any health care provider, not just a covered health care provider. A 
plan can disclose protected health information to any health care 
provider to assist the provider's treatment activities; and a health 
care provider may use protected health information about an individual 
to treat another individual. A health care provider may use any 
protected health information it maintains for treatment purposes (e.g., 
a provider may use protected health information about former patients 
as well as current patients). We modify the proposed list of treatment 
activities to reflect changes requested by commenters.
    Specifically, we modify the proposed definition of ``treatment'' to 
include the management of health care and related services. Under the 
definition, the provision, coordination, or management of health care 
or related services may be undertaken by one or more health care 
providers. ``Treatment'' includes coordination or management by a 
health care provider with a third party and consultation between health 
care providers. The term also includes referral by a health care 
provider of a patient to another health care provider.
    Treatment refers to activities undertaken on behalf of a single 
patient, not a population. Activities are considered treatment only if 
delivered

[[Page 82498]]

by a health care provider or a health care provider working with 
another party. Activities of health plans are not considered to be 
treatment. Many services, such as a refill reminder communication or 
nursing assistance provided through a telephone service, are considered 
treatment activities if performed by or on behalf of a health care 
provider, such as a pharmacist, but are regarded as health care 
operations if done on behalf of a different type of entity, such as a 
health plan.
    We delete specific reference to risk assessment, case management, 
and disease management. Activities often referred to as risk 
assessment, disease and case management are treatment activities only 
to the extent that they are services provided to a particular patient 
by a health care provider; population based analyses or records review 
for the purposes of treatment protocol development or modification are 
health care operations, not treatment activities. If a covered entity 
is licensed as both a health plan and a health care provider, a single 
activity could be considered to be both treatment and health care 
operations; for compliance purposes we would consider the purpose of 
the activity. Given the integration of the health care system we 
believe that further classification of activities into either treatment 
or health care operations would not be helpful. See the definition of 
health care operations for additional discussion.

Use

    We proposed to define ``use'' to mean the employment, application, 
utilization, examination, or analysis of information within an entity 
that holds the information. In the final rule, we clarify that use 
refers to the use of individually identifiable health information. We 
replace the term ``holds'' with the term ``maintains.'' These changes 
are for clarity only, and are not intended to effect any substantive 
change.

Section 164.502--General Rules for Uses and Disclosures of 
Protected Health Information

Section 164.502(a)--Use and Disclosure for Treatment, Payment and 
Health Care Operations

    As a general rule, we proposed in the NPRM to prohibit covered 
entities from using or disclosing protected health information except 
as authorized by the individual who is the subject of such information 
or as explicitly permitted by the rule. The proposed rule explicitly 
would have permitted covered entities to use or disclose an 
individual's protected health information without authorization for 
treatment, payment, and health care operations. The proposal would not 
have restricted to whom disclosures could be made for the purposes of 
treatment, payment, or operations. The proposal would have allowed 
disclosure of the protected health information of one individual for 
the treatment or payment of another, as appropriate. We also proposed 
to prohibit covered entities from seeking individual authorization for 
uses and disclosures for treatment, payment, and health care operations 
unless required by state or other applicable law.
    We proposed two exceptions to this general rule which prohibited 
covered entities from using or disclosing research information 
unrelated to treatment or psychotherapy notes for treatment, payment, 
or health care operations purposes unless a specific authorization was 
obtained from the subject of the information. In addition, we proposed 
that a covered entity be prohibited from conditioning treatment, 
enrollment in a health plan or payment decisions on a requirement that 
the individual provide a specific authorization for the disclosure of 
these two types of information (see proposed Sec. 164.508(a)(3)(iii)).
    We also proposed to permit covered entities to use or disclose an 
individual's protected health information for specified public and 
public policy-related purposes, including public health, research, 
health oversight, law enforcement, and use by coroners. In addition, 
the proposal would have permitted covered entities to use and disclose 
protected health information when required to do so by other law or 
pursuant to an authorization from the individual allowing them to use 
or disclose the information for purposes other than treatment, payment 
or health care operations.
    We proposed to require covered entities to disclose protected 
health information for only two purposes: to permit individuals to 
inspect and copy protected health information about themselves and for 
enforcement of the rule.
    We proposed not to require covered entities to vary the level of 
protection accorded to protected health information based on the 
sensitivity of such information. In addition, we proposed to require 
that each affected entity assess its own needs and devise, implement, 
and maintain appropriate privacy policies, procedures, and 
documentation to address its business requirements.
    In the final rule, the general standard remains that covered 
entities may use or disclose protected health information only as 
permitted or required by this rule. However, we make significant 
changes to the conditions under which uses and disclosures are 
permitted.
    We revise the application of the general standard to require 
covered health care providers who have a direct treatment relationship 
with an individual to obtain a general ``consent'' from the individual 
in order to use or disclose protected health information about the 
individual for treatment, payment and health care operations (for 
details on who must obtain such consents and the requirements they must 
meet, see Sec. 164.506). These consents are intended to accommodate 
both the covered provider's need to use or disclose protected health 
information for treatment, payment, and health care operations, and 
also the individual's interest in understanding and acquiescing to such 
uses and disclosures. In general, other covered entities are permitted 
to use and disclose protected health information to carry out 
treatment, payment, or health care operations (as defined in this rule) 
without obtaining such consent, as in the proposed rule. Covered 
entities must, as under the proposed rule, obtain the individual's 
``authorization'' in order to use or disclose psychotherapy notes for 
most purposes: see Sec. 164.508(a)(2) for exceptions to this rule. We 
delete the proposed special treatment of ``research information 
unrelated to treatment.''
    We revise the application of the general standard to require all 
covered entities to obtain the individual's verbal ``agreement'' before 
using or disclosing protected health information for facility 
directories, to persons assisting in the individual's care, and for 
other purposes described in Sec. 164.510. Unlike ``consent'' and 
``authorization,'' verbal agreement may be informal and implied from 
the circumstances (for details on who must obtain such agreements and 
the requirements they must meet, see Sec. 164.510). Verbal agreements 
are intended to accommodate situations where it is neither appropriate 
to remove from the individual the ability to control the protected 
health information nor appropriate to require formal, written 
permission to share such information. For the most part, these 
provisions reflect current practices.
    As under the proposed rule, we permit covered entities to use or 
disclose protected health information without the individual's consent, 
authorization or agreement for specified

[[Page 82499]]

public policy purposes, in compliance with the requirements in 
Sec. 164.512.
    We permit covered entities to disclose protected health information 
to the individual who is the subject of that information without any 
condition. We note that this may include disclosures to ``personal 
representatives'' of individuals as provided by Sec. 164.502(g).
    We permit a covered entity to use or disclose protected health 
information for other lawful purposes if the entity obtains a written 
``authorization'' from the individual, consistent with the provisions 
of Sec. 164.508. Unlike ``consents,'' these ``authorizations'' are 
specific and detailed. (For details on who must obtain such 
authorizations and the requirements they must meet, see Sec. 164.508.) 
They are intended to provide the individuals with concrete information 
about, and control over, the uses and disclosures of protected health 
information about themselves.
    The final rule retains the provision that requires a covered entity 
to disclose protected health information only in two instances: When 
individuals request access to information about themselves, and when 
disclosures are compelled by the Secretary for compliance and 
enforcement purposes.
    Finally, Sec. 164.502(a)(1) also requires covered entities to use 
or disclose protected health information in compliance with the other 
provisions of Sec. 164.502, for example, consistent with the minimum 
necessary standard, to create de-identified information, or to a 
personal representative of an individual. These provisions are 
described below.
    We note that a covered entity may use or disclose protected health 
information as permitted by and in accordance with a provision of this 
rule, regardless of whether that use or disclosure fails to meet the 
requirements for use or disclosure under another provision of this 
rule.

Section 164.502(b)--Minimum Necessary Uses and Disclosures

    The proposed rule required a covered entity to make all reasonable 
efforts not to use or disclose more than the minimum amount of 
protected health information necessary to accomplish the intended 
purpose of the use or disclosure (proposed Sec. 164.506(b)). This final 
rule significantly modifies the proposed requirements for implementing 
the minimum necessary standard. In the final rule, Sec. 164.502(b) 
contains the basic standard and Sec. 164.514 describes the requirements 
for implementing the standard. Therefore we discuss all aspects of the 
minimum necessary standard and specific requirements below in the 
discussion of Sec. 164.514(d).

Section 164.502(c)--Uses and Disclosures Under a Restriction Agreement

    The proposed rule would have required that covered health care 
providers permit individuals to request restrictions of uses and 
disclosures of protected health information and would have prohibited 
covered providers from using or disclosing protected health information 
in violation of any agreed-to restriction.
    The final rule retains an individual's right to request 
restrictions on uses or disclosures for treatment, payment or health 
care operations and prohibits a covered entity from using or disclosing 
protected health information in a way that is inconsistent with an 
agreed upon restriction between the covered entity and the individual, 
but makes some changes to this right. Most significantly, under the 
final rule individuals have the right to request restrictions of all 
covered entities. This standard is set forth in Sec. 164.522. Details 
about the changes to the standard are explained in the preamble 
discussion to Sec. 164.522.

Section 164.502(d)--Creation of De-identified Information

    In proposed Sec. 164.506(d) of the NPRM, we proposed to permit use 
of protected health information for the purpose of creating de-
identified information and we provided detailed mechanisms for doing 
so.
    In Sec. 164.502(d) of the final rule, we permit a covered entity to 
use protected health information to create de-identified information, 
whether or not the de-identified information is to be used by the 
covered entity. We clarify that de-identified information created in 
accordance with our procedures (which have been moved to 
Sec. 164.514(a)) is not subject to the requirements of these privacy 
rules unless it is re-identified. Disclosure of a key or mechanism that 
could be used to re-identify such information is also defined to be 
disclosure of protected health information. See the preamble to 
Sec. 164.514(a) for further discussion.

Section 164.502(e)--Business Associates

    In the proposed rule, other than for purposes of consultation or 
referral for treatment, we would have allowed a covered entity to 
disclose protected health information to a business partner only 
pursuant to a written contract that would, among other specified 
provisions, limit the business partner's uses and disclosures of 
protected health information to those permitted by the contract, and 
would impose certain security, inspection and reporting requirements on 
the business partner. We proposed to define the term ``business 
partner'' to mean, with respect to a covered entity, a person to whom 
the covered entity discloses protected health information so that the 
person can carry out, assist with the performance of, or perform on 
behalf of, a function or activity for the covered entity.
    In the final rule, we change the term ``business partner'' to 
``business associate'' and in the definition clarify the full range of 
circumstances in which a person is acting as a business associate of a 
covered entity. (See definition of ``business associate'' in 
Sec. 160.103.) These changes mean that Sec. 164.502(e) requires a 
business associate contract (or other arrangement, as applicable) not 
only when the covered entity discloses protected health information to 
a business associate, but also when the business associate creates or 
receives protected health information on behalf of the covered entity.
    In the final rule, we modify the proposed standard and 
implementation specifications for business associates in a number of 
significant ways. These modifications are explained in the preamble 
discussion of Sec. 164.504(e).

Section 164.502(f)--Deceased Individuals

    We proposed to extend privacy protections to the protected health 
information of a deceased individual for two years following the date 
of death. During the two-year time frame, we proposed in the definition 
of ``individual'' that the right to control the deceased individual's 
protected health information would be held by an executor or 
administrator, or other person (e.g., next of kin) authorized under 
applicable law to act on behalf of the decedent's estate. The only 
proposed exception to this standard allowed for uses and disclosures of 
a decedent's protected health information for research purposes without 
the authorization of a legal representative and without the 
Institutional Review Board (IRB) or privacy board approval required (in 
proposed Sec. 164.510(j)) for most other uses and disclosures for 
research.
    In the final rule (Sec. 164.502(f)), we modify the standard to 
extend protection of protected health information about deceased 
individuals for as long as the covered entity maintains the 
information. We retain the exception for uses and disclosures for 
research purposes, now part of Sec. 164.512(i), but also require that 
the

[[Page 82500]]

covered entity take certain verification measures prior to release of 
the decedent's protected health information for such purposes (see 
Secs. 164.514(h) and 164.512(i)(1)(iii)).
    We remove from the definition of ``individual'' the provision 
related to deceased persons. Instead, we create a standard for 
``personal representatives'' (Sec. 164.502(g), see discussion below) 
that requires a covered entity to treat a personal representative of an 
individual as the individual in certain circumstances, i.e., allows the 
representative to exercise the rights of the individual. With respect 
to deceased individuals, the final rule describes when a covered entity 
must allow a person who otherwise is permitted under applicable law to 
act with respect to the interest of the decedent or on behalf of the 
decedent's estate, to make decisions regarding the decedent's protected 
health information.
    The final rule also adds a provision to Sec. 164.512(g), that 
permits covered entities to disclose protected health information to a 
funeral director, consistent with applicable law, as necessary to carry 
out their duties with respect to the decedent. Such disclosures are 
permitted both after death and in reasonable anticipation of death.

Section 164.502(g)--Personal Representatives

    In the proposed rule we defined ``individual'' to include certain 
persons who were authorized to act on behalf of the person who is the 
subject of the protected health information. For adults and emancipated 
minors, the NPRM provided that ``individual'' includes a legal 
representative to the extent to which applicable law permits such legal 
representative to exercise the individual's rights in such contexts. 
With respect to unemancipated minors, we proposed that the definition 
of ``individual'' include a parent, guardian, or person acting in loco 
parentis, (hereinafter referred to as ``parent'') except when an 
unemancipated minor obtained health care services without the consent 
of, or notification to, a parent. Under the proposed rule, if a minor 
obtained health care services under these conditions, the minor would 
have had the exclusive rights of an individual with respect to the 
protected health information related to such health care services.
    In the final rule, the definition of ``individual'' is limited to 
the subject of the protected health information, which includes 
unemancipated minors and other individuals who may lack capacity to act 
on their own behalf. We remove from the definition of ``individual'' 
the provisions regarding legal representatives. The circumstances in 
which a representative must be treated as an individual for purposes of 
this rule are addressed in a separate standard titled ``personal 
representatives.'' (Sec. 164.502(g)). The standard regarding personal 
representatives incorporates some changes to the proposed provisions 
regarding legal representatives. In general, under the final 
regulation, the ``personal representatives'' provisions are directed at 
the more formal representatives, while Sec. 164.510(b) addresses 
situations in which persons are informally acting on behalf of an 
individual.
    With respect to adults or emancipated minors, we clarify that a 
covered entity must treat a person as a personal representative of an 
individual if such person is, under applicable law, authorized to act 
on behalf of the individual in making decisions related to health care. 
This includes a court-appointed guardian and a person with a power of 
attorney, as set forth in the NPRM, but may also include other persons. 
The authority of a personal representative under this rule is limited: 
the representative must be treated as the individual only to the extent 
that protected health information is relevant to the matters on which 
the personal representative is authorized to represent the individual. 
For example, if a person's authority to make health care decisions for 
an individual is limited to decisions regarding treatment for cancer, 
such person is a personal representative and must be treated as the 
individual with respect to protected health information related to the 
cancer treatment of the individual. Such a person is not the personal 
representative of the individual with respect to all protected health 
information about the individual, and therefore, a covered entity may 
not disclose protected health information that is not relevant to the 
cancer treatment to the person, unless otherwise permitted under the 
rule. We intend this provision to apply to persons empowered under 
state or other law to make health related decisions for an individual, 
whether or not the instrument or law granting such authority 
specifically addresses health information.
    In addition, we clarify that with respect to an unemancipated 
minor, if under applicable law a parent may act on behalf of an 
unemancipated minor in making decisions related to health care, a 
covered entity must treat such person as a personal representative 
under this rule with respect to protected health information relevant 
to such personal representation, with three exceptions. Under the 
general rule, in most circumstances the minor would not have the 
capacity to act as the individual, and the parent would be able to 
exercise rights and authorities on behalf of the minor. Under the 
exceptions to the rule on personal representatives of unemancipated 
minors, the minor, and not the parent, would be treated as the 
individual and able to exercise the rights and authorities of an 
individual under the rule. These exceptions occur if: (1) The minor 
consents to a health care service; no other consent to such health care 
service is required by law, regardless of whether the consent of 
another person has also been obtained; and the minor has not requested 
that such person be treated as the personal representative; (2) the 
minor may lawfully obtain such health care service without the consent 
of a parent, and the minor, a court, or another person authorized by 
law consents to such health care service; or (3) a parent assents to an 
agreement of confidentiality between a covered health care provider and 
the minor with respect to such health care service. We note that the 
definition of health care includes services, but we use ``health care 
service'' in this provision to clarify that the scope of the rights of 
minors under this rule is limited to the protected health information 
related to a particular service.
    Under this provision, we do not provide a minor with the authority 
to act under the rule unless the state has given them the ability to 
obtain health care without consent of a parent, or the parent has 
assented. In addition, we defer to state law where the state authorizes 
or prohibits disclosure of protected health information to a parent. 
See part 160, subpart B, Preemption of State Law. This rule does not 
affect parental notification laws that permit or require disclosure of 
protected health information to a parent. However, the rights of a 
minor under this rule are not otherwise affected by such notification.
    In the final rule, the provision regarding personal representatives 
of deceased individuals has been changed to clarify the provision. The 
policy has not changed substantively from the NPRM.
    Finally, we added a provision in the final rule to permit covered 
entities to elect not to treat a person as a personal representative in 
abusive situations. Under this provision, a covered entity need not 
treat a person as a personal representative of an individual if the 
covered entity, in the exercise of professional judgment, decides that 
it is

[[Page 82501]]

not in the best interest of the individual to treat the person as the 
individual's personal representative and the covered entity has a 
reasonable belief that the individual has been or may be subjected to 
domestic violence, abuse, or neglect by such person, or that treating 
such person as the personal representative could endanger the 
individual.
    Section 164.502(g) requires a covered entity to treat a person that 
meets the requirements of a personal representative as the individual 
(with the exceptions described above). We note that disclosure of 
protected health information to a personal representative is mandatory 
under this rule only if disclosure to the individual is mandatory. 
Disclosure to the individual is mandatory only under Secs. 164.524 and 
164.528. Further, as noted above, the personal representative's rights 
are limited by the scope of its authority under other law. Thus, this 
provision does not constitute a general grant of authority to personal 
representatives.
    We make disclosure to personal representatives mandatory to ensure 
that an individual's rights under Secs. 164.524 and 164.528 are 
preserved even when individuals are incapacitated or otherwise unable 
to act for themselves to the same degree as other individuals. If the 
covered entity were to have the discretion to recognize a personal 
representative as the individual, there could be situations in which no 
one could invoke an individual's rights under these sections.
    We continue to allow covered entities to use their discretion to 
disclose certain protected health information to family members, 
relatives, close friends, and other persons assisting in the care of an 
individual, in accordance with Sec. 164.510(b). We recognize that many 
health care decisions take place on an informal basis, and we permit 
disclosures in certain circumstance to permit this practice to 
continue. Health care providers may continue to use their discretion to 
address these informal situations.

Section 164.502(h)--Confidential Communications

    In the NPRM, we did not directly address the issue of whether an 
individual could request that a covered entity restrict the manner in 
which it communicated with the individual. The NPRM did provide 
individuals with the right to request that health care providers 
restrict uses and disclosures of protected health information for 
treatment, payment and health operations, but providers were not 
required to agree to such a restriction.
    In the final rule, we require covered providers to accommodate 
reasonable requests by patients about how the covered provider 
communicates with the individual. For example, an individual who does 
not want his or her family members to know about a certain treatment 
may request that the provider communicate with the individual at his or 
her place of employment, or to send communications to a designated 
address. Covered providers must accommodate the request unless it is 
unreasonable. Similarly, the final rule permits individuals to request 
that health plans communicate with them by alternative means, and the 
health plan must accommodate such a request if it is reasonable and the 
individual states that disclosure of the information could endanger the 
individual. The specific provisions relating to confidential 
communications are in Sec. 164.522.

Section 164.502(i)--Uses and Disclosures Consistent with Notice

    We proposed to prohibit covered entities from using or disclosing 
protected health information in a manner inconsistent with their notice 
of information practices. We retain this provision in the final rule. 
See Sec. 164.520 regarding notice content and distribution 
requirements.

Section 164.502(j)--Disclosures by Whistleblowers and Workforce Member 
Crime Victims

Disclosures by Whistleblowers

    In Sec. 164.518(c)(4) of the NPRM we addressed the issue of 
whistleblowers by proposing that a covered entity not be held in 
violation of this rule because a member of its workforce or a person 
associated with a business associate of the covered entity used or 
disclosed protected health information that such person believed was 
evidence of a civil or criminal violation, and any disclosure was: (1) 
Made to relevant oversight agencies or law enforcement or (2) made to 
an attorney to allow the attorney to determine whether a violation of 
criminal or civil law had occurred or to assess the remedies or actions 
at law that may be available to the person disclosing the information.
    We included an extensive discussion on how whistleblower actions 
can further the public interest, including reference to the need in 
some circumstances to utilize protected health information for this 
purpose as well as reference to the qui tam provisions of the Federal 
False Claims Act.
    In the final rule we retitle the provision and include it in 
Sec. 164.502 to reflect the fact that these disclosures are not made by 
the covered entity and therefore this material does not belong in the 
section on safeguarding information against disclosure.
    We retain the basic concept in the NPRM of providing protection to 
a covered entity for the good faith whistleblower action of a member of 
its workforce or a business associate. We clarify that a whistleblower 
disclosure by an employee, subcontractor, or other person associated 
with a business associate is considered a whistleblower disclosure of 
the business associate under this provision. However, in the final 
rule, we modify the scope of circumstances under which a covered entity 
is protected in whistleblower situations. A covered entity is not in 
violation of the requirements of this rule when a member of its 
workforce or a business associate of the covered entity discloses 
protected health information to: (i) A health oversight agency or 
public health authority authorized by law to investigate or otherwise 
oversee the relevant conduct or conditions of the covered entity; (ii) 
an appropriate health care accreditation organization; or (iii) an 
attorney, for the purpose of determining his or her legal options with 
respect to whistleblowing. We delete disclosures to a law enforcement 
official.
    We expand the scope of this section to cover disclosures of 
protected health information to an oversight or accreditation 
organization for the purpose of reporting breaches of professional 
standards or problems with quality of care. The covered entity will not 
be in violation of this rule, provided that the disclosing individual 
believes in good faith that the covered entity has engaged in conduct 
which is unlawful or otherwise violates professional or clinical 
standards, or that the care, services or conditions provided by the 
covered entity potentially endanger one or more patients, workers or 
the public. Since these provisions only relate to whistleblower actions 
in relation to the covered entity, disclosure of protected health 
information to expose malfeasant conduct by another person, such as 
knowledge gained during the course of treatment about an individual's 
illicit drug use, would not be protected activity.
    We clarify that this section only applies to protection of a 
covered entity, based on the whistleblower action of a member of its 
workforce or business associates. Since the HIPAA legislation only 
applies to covered entities, not their workforces, it is beyond the 
scope of this rule to directly regulate the

[[Page 82502]]

whistleblower actions of members of a covered entity's workforce.
    In the NPRM, we had proposed to require covered entities to apply 
sanctions to members of its workforce who improperly disclose protected 
health information. In this final rule, we retain this requirement in 
Sec. 164.530(e)(1) but modify the proposed provision on sanctions to 
clarify that the sanctions required under this rule do not apply to 
workforce members of a covered entity for whistleblower disclosures.

Disclosures by Workforce Members Who Are Crime Victims

    The proposed rule did not address disclosures by workforce members 
who are victims of a crime. In the final rule, we clarify that a 
covered entity is not in violation of the rule when a workforce member 
of a covered entity who is the victim of a crime discloses protected 
health information to law enforcement officials about the suspected 
perpetrator of the crime. We limit the amount of protected health 
information that may be disclosed to the limited information for 
identification and location described in Sec. 164.512(f)(2).
    We note that this provision is similar to the provision in 
Sec. 164.512(f)(5), which permits a covered entity to disclose 
protected health information to law enforcement that the covered entity 
believes in good faith constitutes evidence of criminal conduct that 
occurred on the premises of the covered entity. This provision differs 
in that it permits the disclosure even if the crime occurred somewhere 
other than on the premises of the covered entity. For example, if a 
hospital employee is the victim of an attack outside of the hospital, 
but spots the perpetrator sometime later when the perpetrator seeks 
medical care at the hospital, the workforce member who was attacked may 
notify law enforcement of the perpetrator's location and other 
identifying information. We do not permit, however, the disclosure of 
protected health information other than that described in 
Sec. 164.512(f)(2).

Section 164.504--Uses and Disclosures--Organizational 
Requirements--Component Entities, Affiliated Entities, Business 
Associates and Group Health Plans

Section 164.504(a)-(c)--Health Care Component (Component Entities)

    In the preamble to the proposed rule we introduced the concept of a 
``component entity'' to differentiate the health care unit of a larger 
organization from the larger organization. In the proposal we noted 
that some organizations that are primarily involved in non-health care 
activities do provide health care services or operate health plans or 
health care clearinghouses. Examples included a school with an on-site 
health clinic and an employer that self administers a sponsored health 
plan. In such cases, the proposal said that the health care component 
of the entity would be considered the covered entity, and any release 
of information from that component to another office or person in the 
organization would be a regulated disclosure. We would have required 
such entities to create barriers to prevent protected health 
information from being used or disclosed for activities not authorized 
or permitted under the proposal.
    We discuss group health plans and their relationships with plan 
sponsors below under ``Requirements for Group Health Plans.''
    In the final rule we address the issue of differentiating health 
plan, covered health care provider and health care clearinghouse 
activities from other functions carried out by a single legal entity in 
paragraphs (a)-(c) of Sec. 164.504. We have created a new term, 
``hybrid entity'', to describe the situation where a health plan, 
health care provider, or health care clearinghouse is part of a larger 
legal entity; under the definition, a ``hybrid entity'' is ``a single 
legal entity that is a covered entity and whose covered functions are 
not its primary functions.'' The term ``covered functions'' is 
discussed above under Sec. 164.501. By ``single legal entity'' we mean 
a legal entity, such as a corporation or partnership, that cannot be 
further differentiated into units with their own legal identities. For 
example, for purposes of this rule a multinational corporation composed 
of multiple subsidiary companies would not be a single legal entity, 
but a small manufacturing firm and its health clinic, if not separately 
incorporated, could be a single legal entity.
    The health care component rules are designed for the situation in 
which the health care functions of the legal entity are not its 
dominant mission. Because some part of the legal entity meets the 
definition of a health plan or other covered entity, the legal entity 
as a whole could be required to comply with the rules below. However, 
in such a situation, it makes sense not to require the entire entity to 
comply with the requirements of the rules below, when most of its 
activities may have little or nothing to do with the provision of 
health care; rather, as a practical matter, it makes sense for such an 
entity to focus its compliance efforts on the component that is 
actually performing the health care functions. On the other hand, where 
most of what the covered entity does consist of covered functions, it 
makes sense to require the entity as a whole to comply with the rules. 
The provisions at Secs. 164.504(a)-(c) provide that for a hybrid 
entity, the rules apply only to the part of the entity that is the 
health care component. At the same time, the lack of corporate 
boundaries increases the risk that protected health information will be 
used in a manner that would not otherwise be permitted by these rules. 
Thus, we require that the covered entity erect firewalls to protect 
against the improper use or disclosure within or by the organization. 
See Sec. 164.504(c)(2).
    The term ``primary functions'' in the definition of ``hybrid 
entity'' is not meant to operate with mathematical precision. Rather, 
we intend that a more common sense evaluation take place: Is most of 
what the covered entity does related to its health care functions? If 
so, then the whole entity should be covered. Entities with different 
insurance lines, if not separately incorporated, present a particular 
issue with respect to this analysis. Because the definition of ``health 
plan'' excludes many types of insurance products (in the exclusion 
under paragraph (2)(i) of the definition), we would consider an entity 
that has one or more of these lines of insurance in addition to its 
health insurance lines to come within the definition of ``hybrid 
entity,'' because the other lines of business constitute substantial 
parts of the total business operation and are required to be separate 
from the health plan(s) part of the business.
    An issue that arises in the hybrid entity situation is what records 
are covered in the case of an office of the hybrid entity that performs 
support functions for both the health care component of the entity and 
for the rest of the entity. For example, this situation could arise in 
the context of a company with an onsite clinic (which we will assume is 
a covered health care provider), where the company's business office 
maintains both clinic records and the company's personnel records. 
Under the definition of the term ``health care component,'' the 
business office is part of the health care component (in this 
hypothetical, the clinic) ``to the extent that'' it is performing 
covered functions on behalf of the clinic involving the use or 
disclosure of protected health information that it receives from, 
creates or maintains for the clinic. Part of the business office, 
therefore, is part of the

[[Page 82503]]

health care component, and part of the business office is outside the 
health care component. This means that the non-health care component 
part of the business office is not covered by the rules below. Under 
our hypothetical, then, the business office would not be required to 
handle its personnel records in accordance with the rules below. The 
hybrid entity would be required to establish firewalls with respect to 
these record systems, to ensure that the clinic records were handled in 
accordance with the rules.
    With respect to excepted benefits, the rules below operate as 
follows. (Excepted benefits include accident, disability income, 
liability, workers' compensation and automobile medical payment 
insurance.) Excepted benefit programs are excluded from the health care 
component (or components) through the definition of ``health plan.'' If 
a particular organizational unit performs both excepted benefits 
functions and covered functions, the activities associated with the 
excepted benefits program may not be part of the health care component. 
For example, an accountant who works for a covered entity with both a 
health plan and a life insurer would have his or her accounting 
functions performed for the health plan as part of the component, but 
not the life insurance accounting function. See 
Sec. 164.504(c)(2)(iii). We require this segregation of excepted 
benefits because HIPAA does not cover such programs, policies and 
plans, and we do not permit any use or disclosure of protected health 
information for the purposes of operating or performing the functions 
of the excepted benefits without authorization from the individual, 
except as otherwise permitted in this rule.
    In Sec. 164.504(c)(2) we require covered entities with a health 
care component to establish safeguard policies and procedures to 
prevent any access to protected health information by its other 
organizational units that would not be otherwise permitted by this 
rule. We note that section 1173(d)(1)(B) of HIPAA requires policies and 
procedures to isolate the activities of a health care clearinghouse 
from a ``larger organization'' to prevent unauthorized access by the 
larger organization. This safeguard provision is consistent with the 
statutory requirement and extends to any covered entity that performs 
``non-covered entity functions'' or operates or conducts functions of 
more than one type of covered entity.
    Because, as noted, the covered entity in the hybrid entity 
situation is the legal entity itself, we state explicitly what is 
implicitly the case, that the covered entity (legal entity) remains 
responsible for compliance vis-a-vis subpart C of part 160. See 
Sec. 164.504(c)(3)(i). We do this simply to make these responsibilities 
clear and to avoid confusion on this point. Also, in the hybrid entity 
situation the covered entity/legal entity has control over the entire 
workforce, not just the workforce of the health care component. Thus, 
the covered entity is in a position to implement policies and 
procedures to ensure that the part of its workforce that is doing mixed 
or non-covered functions does not impermissibly use or disclose 
protected health information. Its responsibility to do so is clarified 
in Sec. 164.504(c)(3)(ii).

Section 164.504(d)--Affiliated Entities

    Some legally distinct covered entities may share common 
administration of organizationally differentiated but similar 
activities (for example, a hospital chain). In Sec. 164.504(d) we 
permit legally distinct covered entities that share common ownership or 
control to designate themselves, or their health care components, 
together to be a single covered entity. Common control exists if an 
entity has the power, directly or indirectly, significantly to 
influence or direct the actions or policies of another entity. Common 
ownership exists if an entity or entities possess an ownership or 
equity interest of 5 percent or more in another entity.
    Such organizations may promulgate a single shared notice of 
information practices and a consent form. For example, a corporation 
with hospitals in twenty states may designate itself as a covered 
entity and, therefore, able to merge information for joint marketplace 
analyses. The requirements that apply to a covered entity also apply to 
an affiliated covered entity. For example, under the minimum necessary 
provisions, a hospital in one state could not share protected health 
information about a particular patient with another hospital if such a 
use is not necessary for treatment, payment or health care operations. 
The covered entities that together make up the affiliated covered 
entity are separately subject to liability under this rule. The 
safeguarding requirements for affiliated covered entities track the 
requirements that apply to health care components.

Section 164.504(e)--Business Associates

    In the NPRM, we proposed to require a contract between a covered 
entity and a business associate, except for disclosures of protected 
health information by a covered entity that is a health care provider 
to another health care provider for the purposes of consultation or 
referral. A covered entity would have been in violation of this rule if 
the covered entity knew or reasonably should have known of a material 
breach of the contract by a business associate and it failed to take 
reasonable steps to cure the breach or terminate the contract. We 
proposed in the preamble that when a covered entity acted as a business 
associate to another covered entity, the covered entity that was acting 
as business associate also would have been responsible for any 
violations of the regulation.
    We also proposed that covered health care providers receiving 
protected health information for consultation or referral purposes 
would still have been subject to this rule, and could not have used or 
disclosed such protected health information for a purpose other than 
the purpose for which it was received (i.e., the consultation or 
referral). Further, we noted that providers making disclosures for 
consultations or referrals should be careful to inform the receiving 
provider of any special limitations or conditions to which the 
disclosing provider had agreed to impose (e.g., the disclosing provider 
had provided notice to its patients that it would not make disclosures 
for research).
    We proposed that business associates would not have been permitted 
to use or disclose protected health information in ways that would not 
have been permitted of the covered entity itself under these rules, and 
covered entities would have been required to take reasonable steps to 
ensure that protected health information disclosed to a business 
associate remained protected.
    In the NPRM (proposed Sec. 164.506(e)(2)) we would have required 
that the contractual agreement between a covered entity and a business 
associate be in writing and contain provisions that would:
     Prohibit the business associate from further using or 
disclosing the protected health information for any purpose other than 
the purpose stated in the contract.
     Prohibit the business associate from further using or 
disclosing the protected health information in a manner that would 
violate the requirements of this proposed rule if it were done by the 
covered entity.
     Require the business associate to maintain safeguards as 
necessary to ensure that the protected health information is not used 
or disclosed except as provided by the contract.
     Require the business associate to report to the covered 
entity any use or disclosure of the protected health information of 
which the business

[[Page 82504]]

associate becomes aware that is not provided for in the contract.
     Require the business associate to ensure that any 
subcontractors or agents to whom it provides protected health 
information received from the covered entity will agree to the same 
restrictions and conditions that apply to the business associate with 
respect to such information.
     Require the business associate to provide access to non-
duplicative protected health information to the subject of that 
information, in accordance with proposed Sec. 164.514(a).
     Require the business associate to make available its 
internal practices, books and records relating to the use and 
disclosure of protected health information received from the covered 
entity to the Secretary for the purposes of enforcing the provisions of 
this rule.
     Require the business associate, at termination of the 
contract, to return or destroy all protected health information 
received from the covered entity that the business associate still 
maintains in any form to the covered entity and prohibit the business 
associate from retaining such protected health information in any form.
     Require the business associate to incorporate any 
amendments or corrections to protected health information when notified 
by the covered entity that the information is inaccurate or incomplete.
     State that individuals who are the subject of the 
protected health information disclosed are intended to be third party 
beneficiaries of the contract.
     Authorize the covered entity to terminate the contract, if 
the covered entity determines that the business associate has violated 
a material term of the contract.
    We also stated in the preamble to the NPRM that the contract could 
have included any additional arrangements that did not violate the 
provisions of this regulation.
    We explained in the preamble to the NPRM that a business associate 
(including business associates that are covered entities) that had 
contracts with more than one covered entity would have had no authority 
to combine, aggregate or otherwise use for a single purpose protected 
health information obtained from more than one covered entity unless 
doing so would have been a lawful use or disclosure for each of the 
covered entities that supplied the protected health information that is 
being combined, aggregated or used. In addition, the business associate 
would have had to have been authorized through the contract or 
arrangement with each covered entity that supplied the protected health 
information to combine or aggregate the information. A covered entity 
would not have been permitted to obtain protected health information 
through a business associate that it could not otherwise obtain itself.
    In the final rule we retain the overall approach proposed: covered 
entities may disclose protected health information to persons that meet 
the rule's definition of business associate, or hire such persons to 
obtain or create protected health information for them, only if covered 
entities obtain specified satisfactory assurances from the business 
associate that it will appropriately handle the information; the 
regulation specifies the elements of such satisfactory assurances; 
covered entities have responsibilities when such specified satisfactory 
assurances are violated by the business associate. We retain the 
requirement that specified satisfactory assurances must be obtained if 
a covered entity's business associate is also a covered entity. We note 
that a master business associate contract or MOU that otherwise meets 
the requirements regarding specified satisfactory assurances meets the 
requirements with respect to all the signatories.
    A covered entity may disclose protected health information to a 
business associate, consistent with the other requirements of the final 
rule, as necessary to permit the business associate to perform 
functions and activities for or on behalf of the covered entity, or to 
provide the services specified in the business associate definition to 
or for the covered entity. As discussed below, a business associate may 
only use the protected health information it receives in its capacity 
as a business associate to a covered entity as permitted by its 
contract or agreement with the covered entity.
    We do not attempt to directly regulate business associates, but 
pursuant to our authority to regulate covered entities we place 
restrictions on the flow of information from covered entities to non-
covered entities. We add a provision to clarify that a violation of a 
business associate agreement by a covered entity that is a business 
associate of another covered entity constitutes a violation of this 
rule.
    In the final rule, we make significant changes to the requirements 
regarding business associates. As explained below in more detail: we 
make significant changes to the content of the required contractual 
satisfactory assurances; we include exceptions for arrangements that 
would otherwise meet the definition of business associate; we make 
special provisions for government agencies that by law cannot enter 
into contracts with one another or that operate under other legal 
requirements incompatible with some aspects of the required contractual 
satisfactory assurances; we provide a new mechanism for covered 
entities to hire a third party to aggregate data.
    The final rule provides several exception to the business associate 
requirements, where a business associate relationship would otherwise 
exist. We substantially expand the exception for disclosure of 
protected health information for treatment. Rather than allowing 
disclosures without business associate assurances only for the purpose 
of consultation or referral, in the final rule we allow covered 
entities to make any disclosure of protected health information for 
treatment purposes to a health care provider without a business 
associate arrangement. This provision includes all activities that fall 
under the definition of treatment.
    We do not require a business associate contract for a group health 
plan to make disclosures to the plan sponsor, to the extent that the 
health plan meets the applicable requirements of Sec. 164.504(f).
    We also include an exception for certain jointly administered 
government programs providing public benefits. Where a health plan that 
is a government program provides public benefits, such as SCHIP and 
Medicaid, and where eligibility for, or enrollment in, the health plan 
is determined by an agency other than the agency administering the 
health plan, or where the protected health information used to 
determine enrollment or eligibility in the health plan is collected by 
an agency other than the agency administering the health plan, and the 
joint activities are authorized by law, no business associate contract 
is required with respect to the collection and sharing of individually 
identifiable health information for the performance of the authorized 
functions by the health plan and the agency other than the agency 
administering the health plan. We note that the phrase ``government 
programs providing public benefits'' refers to programs offering 
benefits to specified members of the public and not to programs that 
offer benefits only to employees or retirees of government agencies.
    We note that we do not consider a financial institution to be 
acting on behalf of a covered entity, and therefore no business 
associate contract is required, when it processes consumer-conducted 
financial transactions by debit, credit or other payment card,

[[Page 82505]]

clears checks, initiates or processes electronic funds transfers, or 
conducts any other activity that directly facilitates or effects the 
transfer of funds for compensation for health care. A typical consumer-
conducted payment transaction is when a consumer pays for health care 
or health insurance premiums using a check or credit card. In these 
cases, the identity of the consumer is always included and some health 
information (e.g., diagnosis or procedure) may be implied through the 
name of the health care provider or health plan being paid. Covered 
entities that initiate such payment activities must meet the minimum 
necessary disclosure requirements described in the preamble to 
Sec. 164.514.
    In the final rule, we reduce the extent to which a covered entity 
must monitor the actions of its business associate and we make it 
easier for covered entities to identify the circumstances that will 
require them to take actions to correct a business associate's material 
violation of the contract, in the following ways. We delete the 
proposed language requiring covered entities to ``take reasonable steps 
to ensure'' that each business associate complies with the rule's 
requirements. Additionally, we now require covered entities to take 
reasonable steps to cure a breach or terminate the contract for 
business associate behaviors only if they know of a material violation 
by a business associate. In implementing this standard, we will view a 
covered entity that has substantial and credible evidence of a 
violation as knowing of such violation. While this standard relieves 
the covered entity of the need to actively monitor its business 
associates, a covered entity nonetheless is expected to investigate 
when they receive complaints or other information that contain 
substantial and credible evidence of violations by a business 
associate, and it must act upon any knowledge of such violation that it 
possesses. We note that a whistleblowing disclosure by a business 
associate of a covered entity that meets the requirements of 
Sec. 164.502(j)(1) does not put the covered entity in violation of this 
rule, and the covered entity has no duty to correct or cure, or to 
terminate the relationship.
    We also qualify the requirement for terminating contracts with non-
compliant business associates. The final rule still requires that the 
business associate contract authorize the covered entity to terminate 
the contract, if the covered entity determines that the business 
associate has violated a material term of the contract, and it requires 
the covered entity to terminate the contract if steps to cure such a 
material breach fail. The rule now stipulates, however, that if the 
covered entity is unable to cure a material breach of the business 
associate's obligation under the contract, it is expected to terminate 
the contract, when feasible. This qualification has been added to 
accommodate circumstances where terminating the contract would be 
unreasonably burdensome on the covered entity, such as when there are 
no viable alternatives to continuing a contract with that particular 
business associate. It does not mean, for instance, that the covered 
entity can choose to continue the contract with a non-compliant 
business associate merely because it is more convenient or less costly 
than contracts with other potential business associates. We also 
require that if a covered entity determines that it is not feasible to 
terminate a non-compliant business associate, the covered entity must 
notify the Secretary.
    We retain all of the requirements for a business associate contract 
that were listed in proposed Sec. 164.506(e)(2), with some 
modifications. See Sec. 164.504(e)(2).
    We retain the requirement that the business associate contract must 
provide that the business associate will not use or further disclose 
the information other than as permitted or required by the contract or 
as required by law. We do not mean by this requirement that the 
business associate contract must specify each and every use and 
disclosure of protected health information permitted to the business 
associate. Rather, the contract must state the purposes for which the 
business associate may use and disclose protected health information, 
and must indicate generally the reasons and types of persons to whom 
the business associate may make further disclosures. For example, 
attorneys often need to provide information to potential witnesses, 
opposing counsel, and others in the course of their representation of a 
client. The business associate contract pursuant to which protected 
health information is provided to its attorney may include a general 
statement permitting the attorney to disclose protected health 
information to these types of people, within the scope of its 
representation of the covered entity.
    We retain the requirement that a business associate contract may 
not authorize a business associate to use or further disclose protected 
health information in a manner that would violate the requirements of 
this subpart if done by the covered entity, but we add two exceptions. 
First, we permit a covered entity to authorize a business associate to 
use and disclose protected health information it receives in its 
capacity as a business associate for its proper management and 
administration and to carry out its legal responsibilities. The 
contract must limit further disclosures of the protected health 
information for these purposes to those that are required by law and to 
those for which the business associate obtains reasonable assurances 
that the protected health information will be held confidentially and 
that it will be notified by the person to whom it discloses the 
protected health information of any breaches of confidentiality.
    Second, we permit a covered entity to authorize the business 
associate to provide data aggregation services to the covered entity. 
As discussed above in Sec. 164.501, data aggregation, with respect to 
protected health information received by a business associate in its 
capacity as the business associate of a covered entity, is the 
combining of such protected health information by the business 
associate with protected health information received by the business 
associate in its capacity as a business associate of another covered 
entity, to permit the creation of data for analyses that relate to the 
health care operations of the respective covered entities. We added 
this service to the business associate definition to clarify the 
ability of covered entities to contract with business associates to 
undertake quality assurance and comparative analyses that involve the 
protected health information of more than one contracting covered 
entity. We except data aggregation from the general requirement that a 
business associate contract may not authorize a business associate to 
use or further disclose protected health information in a manner that 
would violate the requirements of this subpart if done by the covered 
entity in order to permit the combining or aggregation of protected 
health information received in its capacity as a business associate of 
different covered entities when it is performing this service. In many 
cases, the combining of this information for the respective health care 
operations of the covered entities is not something that the covered 
entities could do--a covered entity cannot generally disclose protected 
health information to another covered entity for the disclosing covered 
entity's health care operations. However, we permit covered entities 
that enter into business associate contracts with a business associate 
for data aggregation to permit the business associate to combine or 
aggregate the protected health information they

[[Page 82506]]

disclose to the business associate for their respective health care 
operations.
    We note that there may be other instances in which a business 
associate may combine or aggregate protected health information 
received in its capacity as a business associate of different covered 
entities, such as when it is performing health care operations on 
behalf of covered entities that participate in an organized health care 
arrangement. A business associate that is performing payment functions 
on behalf of different covered entities also may combine protected 
health information when it is necessary, such as when the covered 
entities share financial risk or otherwise jointly bill for services.
    In the final rule we clarify that the business associate contract 
must require the business associate to make available protected health 
information for amendment and to incorporate such amendments. The 
business associate contract must also require the business associate to 
make available the information required to provide an accounting of 
disclosures. We provide more flexibility to the requirement that all 
protected health information be returned by the business associate upon 
termination of the contract. The rule now stipulates that if feasible, 
the protected health information should be destroyed or returned at the 
end of a contract. Accordingly, a contract with a business associate 
must state that if there are reasons that the return or destruction of 
the information is not feasible and the information must be retained 
for specific reasons and uses, such as for future audits, privacy 
protections must continue after the contract ends, for as long as the 
business associate retains the information. The contract also must 
state that the uses of information after termination of the contract 
must be limited to the specific set of uses or disclosures that make it 
necessary for the business associate to retain the information.
    We also remove the requirement that business associate contracts 
contain a provision stating that individuals whose protected health 
information is disclosed under the contract are intended third-party 
beneficiaries of the contract. Third party beneficiary or similar 
responsibilities may arise under these business associate arrangements 
by operation of state law; we do not intend in this rule to affect the 
operation of such state laws.
    We modify the requirement that a business associate contract 
require the business associate to ensure that agents abide by the 
provisions of the business associate contract. We clarify that agents 
includes subcontractors, and we note that a business associate contract 
must make the business associate responsible for ensuring that any 
person to whom it delegates a function, activity or service which is 
within its business associate contract with the covered entity agrees 
to abide by the restrictions and conditions that apply to the business 
associate under the contract. We note that a business associate will 
need to consider the purpose for which protected health information is 
being disclosed in determining whether the recipient must be bound to 
the restrictions and conditions of the business associate contract. 
When the disclosure is a delegation of a function, activity or service 
that the business associate has agreed to perform for a covered entity, 
the recipient who undertakes such a function steps into the shoes of 
the business associate and must be bound to the restrictions and 
conditions. When the disclosure is to a third party who is not 
performing business associate functions, activities or services for on 
behalf of the covered entity, but is the type of disclosure that the 
covered entity itself could make without giving rise to a business 
associate relationship, the business associate is not required to 
ensure that the restrictions or conditions of the business associate 
contract are maintained.
    For example, if a business associate acts as the billing agent of a 
health care provider, and discloses protected health information on 
behalf of the hospital to health plans, the business associate has no 
responsibility with respect to further uses or disclosures by the 
health plan. In the example above, where a covered entity has a 
business associate contract with a lawyer, and the lawyer discloses 
protected health information to an expert witness in preparation for 
litigation, the lawyer again would have no responsibility under this 
subpart with respect to uses or disclosures by the expert witness, 
because such witness is not undertaking the functions, activities or 
services that the business associate lawyer has agreed to perform. 
However, if a covered entity contracts with a third party administrator 
to provide claims management, and the administrator delegates 
management of the pharmacy benefits to a third party, the business 
associate third party administrator must ensure that the pharmacy 
manager abides by the restrictions and conditions in the business 
associate contract between the covered entity and the third party 
administrator.
    We provide in Sec. 164.504(c)(3) several methods other than a 
business associate contract that will satisfy the requirement for 
satisfactory assurances under this section. First, when a government 
agency is a business associate of another government agency that is a 
covered entity, we permit memorandum of understanding between the 
agencies to constitute satisfactory assurance for the purposes of this 
rule, if the memorandum accomplishes each of the objectives of the 
business associate contract. We recognize that the relationships of 
government agencies are often organized as a matter of law, and that it 
is not always feasible for one agency to contract with another for all 
of the purposes provided for in this section. We also recognize that it 
may be incorrect to view one government agency as ``acting on behalf 
of'' the other government agency; under law, each agency may be acting 
to fulfill a statutory mission. We note that in some instances, it may 
not be possible for the agencies to include the right to terminate the 
arrangement because the relationship may be established under law. In 
such instances, the covered entity government agency would need to 
fulfill the requirement to report known violations of the memorandum to 
the Secretary.
    Where the covered entity is a government agency, we consider the 
satisfactory assurances requirement to be satisfied if other law 
contains requirements applicable to the business associate that 
accomplish each of the objectives of the business associate contract. 
We recognize that in some cases, covered entities that are government 
agencies may be able to impose the requirements of this section 
directly on the persons acting as their business associates. We also 
recognize that often one government agency is acting as a business 
associate of another government agency, and either party may have the 
legal authority to establish the requirements of this section by 
regulation. We believe that imposing these requirements directly on 
business associates provides greater protection than we can otherwise 
provide under this section, and so we recognize such other laws as 
sufficient to substitute for a business associate contract.
    We also recognize that there may be some circumstances where the 
relationship between covered entities and business associates is 
otherwise mandated by law. In the final rule, we provide that where a 
business associate is required by law to act as a business associate to 
a covered entity, the covered entity may disclose protected health 
information to the business associate to the extent necessary to comply 
with the legal mandate without

[[Page 82507]]

meeting the requirement to have a business associate contract (or, in 
the case of government agencies, a memorandum of understanding or law 
pertaining to the business associate) if it makes a good faith attempt 
the obtain satisfactory assurances required by this section and, if 
unable to do so, documents the attempt and the reasons that such 
assurances cannot be obtained. This provision addresses situations 
where law requires one party to act as the business associate of 
another party. The fact that the parties have contractual obligations 
that may be enforceable is not sufficient to meet the required by law 
test in this provision.
    This provision recognizes that in some instances the law requires 
that a government agency act as a business associate of a covered 
entity. For example, the United States Department of Justice is 
required by law to defend tort suits brought against certain covered 
entities; in such circumstances, however, the United States, and not 
the individual covered entity, is the client and is potentially liable. 
In such situations, covered entities must be able to disclose protected 
health information needed to carry out the representation, but the 
particular requirements that would otherwise apply to a business 
associate relationship may not be possible to obtain. Subsection (iii) 
makes clear that, where the relationship is required by law, the 
covered entity complies with the rule if it attempts, in good faith, to 
obtain satisfactory assurances as are required by this paragraph and, 
if such attempt fails, documents the attempts and the reasons that such 
assurances cannot be obtained.
    The operation of the final rule maintains the construction 
discussed in the preamble to the NPRM that a business associate 
(including a business associate that is a covered entity) that has 
business associate contracts with more than one covered entity 
generally may not use or disclose the protected health information that 
it creates or receives in its capacity as a business associate of one 
covered entity for the purposes of carrying out its responsibilities as 
a business associate of another covered entity, unless doing so would 
be a lawful use or disclosure for each of the covered entities and the 
business associate's contract with each of the covered entities permits 
the business associate to undertake the activity. For example, a 
business associate performing a function under health care operations 
on behalf of an organized health care arrangement would be permitted to 
combine or aggregate the protected health information obtained from 
covered entities participating in the arrangement to the extent 
necessary to carry out the authorized activity and in conformance with 
its business associate contracts. As described above, a business 
associate providing data aggregation services to different covered 
entities also could combine and use the protected health information of 
the covered entities to assist with their respective health care 
operations. A covered entity that is undertaking payment activities on 
behalf of different covered entities also may use or disclose protected 
health information obtained as a business associate of one covered 
entity when undertaking such activities as a business associate of 
another covered entity where the covered entities have authorized the 
activities and where they are necessary to secure payment for the 
entities. For example, when a group of providers share financial risk 
and contract with a business associate to conduct payment activities on 
their behalf, the business associate may use the protected health 
information received from the covered entities to assist them in 
managing their shared risk arrangement.
    Finally, we note that the requirements imposed by this provision 
are intended to extend privacy protection to situations in which a 
covered entity discloses substantial amounts of protected health 
information to other persons so that those persons can perform 
functions or activities on its behalf or deliver specified services to 
it. A business associate contract basically requires the business 
associate to maintain the confidentiality of the protected health 
information that it receives and generally to use and disclose such 
information for the purposes for which it was provided. This 
requirement does not interfere with the relationship between a covered 
entity and business associate, or require the business associate to 
subordinate its professional judgment to that of a covered entity. 
Covered entities may rely on the professional judgment of their 
business associates as to the type and amount of protected health 
information that is necessary to carry out a permitted activity. The 
requirements of this provision are aimed at securing the continued 
confidentiality of protected health information disclosed to third 
parties that are serving the covered entity's interests.

Section 164.504(f)--Group Health Plans

    Covered entities under HIPAA include health care clearinghouses, 
health care providers and health plans. Specifically included in the 
definition of ``health plan'' are group health plans (as defined in 
section 2791(a) of the Public Health Service Act) with 50 or more 
participants or those of any size that are administered by an entity 
other than the employer who established and maintains the plan. These 
group health plans may be fully insured or self-insured. Neither 
employers nor other group health plan sponsors are defined as covered 
entities. However, employers and other plan sponsors--particularly 
those sponsors with self-insured group health plans--may perform 
certain functions that are integrally related to or similar to the 
functions of group health plans and, in carrying out these functions, 
often require access to individual health information held by the group 
health plan.
    Most group health plans are also regulated under the Employee 
Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group 
health plan must be a separate legal entity from its plan sponsor. 
ERISA-covered group health plans usually do not have a corporate 
presence, in other words, they may not have their own employees and 
sometimes do not have their own assets (i.e., they may be fully insured 
or the benefits may be funded through the general assets of the plan 
sponsor, rather than through a trust). Often, the only tangible 
evidence of the existence of a group health plan is the contractual 
agreement that describes the rights and responsibilities of covered 
participants, including the benefits that are offered and the eligible 
recipients.
    ERISA requires the group health plan to identify a ``named 
fiduciary,'' a person responsible for ensuring that the plan is 
operated and administered properly and with ultimate legal 
responsibility for the plan. If the plan documents under which the 
group health plan was established and is maintained permit, the named 
fiduciary may delegate certain responsibilities to trustees and may 
hire advisors to assist it in carrying out its functions. While 
generally the named fiduciary is an individual, it may be another 
entity. The plan sponsor or employees of the plan sponsor are often the 
named fiduciaries. These structural and operational relationships 
present a problem in our ability to protect health information from 
being used inappropriately in employment-related decisions. On the one 
hand, the group health plan, and any health insurance issuer or HMO 
providing health insurance or health coverage to the group health plan, 
are covered entities under the regulation and may only disclose 
protected health information as authorized under the

[[Page 82508]]

regulation or with individual consent. On the other hand, plan sponsors 
may need access to protected health information to carry out 
administration functions on behalf of the plan, but under circumstances 
in which securing individual consent is impractical. We note that we 
sometimes refer in the rule and preamble to health insurance issuers 
and HMOs that provide health insurance or health coverage to a group 
health plan as health insurance issuers or HMOs with respect to a group 
health plan.
    The proposed rule used the health care component approach for 
employers and other plan sponsors. Under this approach, only the 
component of an employer or other plan sponsor would be treated as a 
covered entity. The component of the plan sponsor would have been able 
to use protected health information for treatment, payment, and health 
care operations, but not for other purposes, such as discipline, hiring 
and firing, placement and promotions. We have modified the final rule 
in a number of ways.
    In the final rule, we recognize plan sponsors' legitimate need for 
health information in certain situations while, at the same time, 
protecting health information from being used for employment-related 
functions or for other functions related to other employee benefit 
plans or other benefits provided by the plan sponsor. We do not attempt 
to directly regulate employers or other plan sponsors, but pursuant to 
our authority to regulate health plans, we place restrictions on the 
flow of information from covered entities to non-covered entities.
    The final rule permits group health plans, and allows them to 
authorize health insurance issuers or HMOs with respect to the group 
health plan, to disclose protected health information to plan sponsors 
if the plan sponsors voluntarily agree to use and disclose the 
information only as permitted or required by the regulation. The 
information may be used only for plan administration functions 
performed on behalf of the group health plan which are specified in 
plan documents. The group health plan is not required to have a 
business associate contract with the plan sponsor to disclose the 
protected health information or allow the plan sponsor to create 
protected health information on its behalf, if the conditions of 
Sec. 164.504(e) are met.
    In order for the group health plan to disclose protected health 
information to a plan sponsor, the plan documents under which the plan 
was established and is maintained must be amended to: (1) Describe the 
permitted uses and disclosures of protected health information; (2) 
specify that disclosure is permitted only upon receipt of a 
certification from the plan sponsor that the plan documents have been 
amended and the plan sponsor has agreed to certain conditions regarding 
the use and disclosure of protected health information; and (3) provide 
adequate firewalls to: identify the employees or classes of employees 
who will have access to protected health information; restrict access 
solely to the employees identified and only for the functions performed 
on behalf of the group health plan; and provide a mechanism for 
resolving issues of noncompliance.
    Any employee of the plan sponsor who receives protected health 
information for payment, health care operations or other matters 
related to the group health plan must be identified in the plan 
documents either by name or function. We assume that since individuals 
employed by the plan sponsor may change frequently, the group health 
plan would likely describe such individuals in a general manner. Any 
disclosure to employees or classes of employees not identified in the 
plan documents is not a permissible disclosure. To the extent a group 
health plan does have its own employees separate from the plan 
sponsor's employees, as the workforce of a covered entity (i.e. the 
group health plan), they also are bound by the permitted uses and 
disclosures of this rule.
    The certification that must be given to the group health plan must 
state that the plan sponsor agrees to: (1) Not use or further disclose 
protected health information other than as permitted or required by the 
plan documents or as required by law; (2) ensure that any 
subcontractors or agents to whom the plan sponsor provides protected 
health information agree to the same restrictions; (3) not use or 
disclose the protected health information for employment-related 
actions; (4) report to the group health plan any use or disclosure that 
is inconsistent with the plan documents or this regulation; (5) make 
the protected health information accessible to individuals; (6) allow 
individuals to amend their information; (7) provide an accounting of 
its disclosures; (8) make its practices available to the Secretary for 
determining compliance; (9) return and destroy all protected health 
information when no longer needed, if feasible; and (10) ensure that 
the firewalls have been established.
    We have included this certification requirement in part, as a way 
to reduce the burden on health insurance issuers and HMOs. Without a 
certification, health insurance issuers and HMOs would need to review 
the plan documents in order to ensure that the amendments have been 
made before they could disclose protected health information to plan 
sponsors. The certification, however, is a simple statement that the 
amendments have been made and that the plan sponsor has agreed to 
certain restrictions on the use and disclosure of protected health 
information. The receipt of the certification therefore, is sufficient 
basis for the health insurance issuer or HMO to disclose protected 
health information to the plan sponsor.
    Many activities included in the definitions of health care 
operations and payment are commonly referred to as plan administration 
functions in the ERISA group health plan context. For purposes of this 
rule, plan administration activities are limited to activities that 
would meet the definition of payment or health care operations, but do 
not include functions to modify, amend, or terminate the plan or 
solicit bids from prospective issuers. Plan administration functions 
include quality assurance, claims processing, auditing, monitoring, and 
management of carve-out plans--such as vision and dental. Under the 
final rule, ``plan administration'' does not include any employment-
related functions or functions in connection with any other benefits or 
benefit plans, and group health plans may not disclose information for 
such purposes absent an authorization from the individual. For purposes 
of this rule, enrollment functions performed by the plan sponsor on 
behalf of its employees are not considered plan administration 
functions.
    Plan sponsors have access to protected health information only to 
the extent group health plans have access to protected health 
information and plan sponsors are permitted to use or disclose 
protected health information only as would be permitted by group health 
plans. That is, a group health plan may permit a plan sponsor to have 
access to or to use protected health information only for purposes 
allowed by the regulation.
    As explained above, where a group health plan purchases insurance 
or coverage from a health insurance issuer or HMO, the provision of 
insurance or coverage by the health insurance issuer or HMO to the 
group health plan does not make the health insurance issuer or HMO a 
business associate. In such case, the activities of the health 
insurance issuer or HMO are on their own behalf and not on the behalf 
of the group

[[Page 82509]]

health plan. We note that where a group health plan contracts with a 
health insurance issuer or HMO to perform functions or activities or to 
provide services that are in addition to or not directly related to the 
provision of insurance, the health insurance issuer or HMO may be a 
business associate with respect to those additional functions, 
activities, or services. In addition, group health plans that provide 
health benefits only through an insurance contract and do not create, 
maintain, or receive protected health information (except for summary 
information described below or information that merely states whether 
an individual is enrolled in or has been disenrolled from the plan) do 
not have to meet the notice requirements of Sec. 164.520 or the 
administrative requirements of Sec. 164.530, except for the 
documentation requirement in Sec. 164.530(j), because these 
requirements are satisfied by the issuer or HMO that is providing 
benefits under the group health plan. A group health plan, however, may 
not permit a health insurance issuer or HMO to disclose protected 
health information to a plan sponsor unless the notice required in 
164.520 indicate such disclosure may occur.
    The final rule also permits a health plan that is providing 
insurance to a group health plan to provide summary information to the 
plan sponsor to permit the plan sponsor to solicit premium bids from 
other health plans or for the purpose of modifying, amending, or 
terminating the plan. The rule provides that summary information is 
information that summarizes claims history, claims expenses, or types 
of claims experienced by individuals for whom the plan sponsor has 
provided health benefits under a group health plan, provided that 
specified identifiers are not included. Summary information may be 
disclosed under this provision even if it does not meet the definition 
of de-identified information. As part of the notice requirements in 
Sec. 164.520, health plans must inform individuals that they may 
disclose protected health information to plan sponsors. The provision 
to allow summaries of claims experience to be disclosed to plan 
sponsors that purchase insurance will allow them to shop for 
replacement coverage, and get meaningful bids from prospective issuers. 
It also permits a plan sponsor to get summary information as part of 
its consideration of whether or not to change the benefits that are 
offered or employees or whether or not to terminate a group health 
plan.
    We note that a plan sponsor may perform enrollment functions on 
behalf of its employees without meeting the conditions above and 
without using the standard transactions described in the Transactions 
Rule.

Section 164.504(g)--Multiple Covered Function Entities

    Although not addressed in the proposed rule, this final rule also 
recognizes that a covered entity may as a single legal entity, 
affiliated entity, or other arrangement combine the functions or 
operations of health care providers, health plans and health care 
clearinghouses (for example, integrated health plans and health care 
delivery systems may function as both health plans and health care 
providers). The rule permits such covered entities to use or disclose 
the protected health information of its patients or members for all 
covered entity functions, consistent with the other requirements of 
this rule. The health care component must meet the requirements of this 
rule that apply to a particular type of covered entity when it is 
functioning as that entity; e.g., when a health care component is 
operating as a health care provider it must meet the requirements of 
this rule applicable to a health care provider. However, such covered 
entities may not use or disclose the protected health information of an 
individual who is not involved in a particular covered entity function 
for that function, and such information must be segregated from any 
joint information systems. For example, an HMO may integrate data about 
health plan members and clinic services to members, but a health care 
system may not share information about a patient in its hospital with 
its health plan if the patient is not a member of the health plan.

Section 164.506--Uses and Disclosures for Treatment, Payment, and 
Health Care Operations

Introduction: ``Consent'' versus ``Authorization''

    In the proposed rule, we used the term ``authorization'' to 
describe the individual's written permission for a covered entity to 
use and disclose protected health information, regardless of the 
purpose of the use or disclosure. Authorization would have been 
required for all uses and disclosures that were not otherwise permitted 
or required under the NPRM.
    We proposed to permit covered entities, subject to limited 
exceptions for psychotherapy notes and research information unrelated 
to treatment, to use and disclose protected health information to carry 
out treatment, payment, and health care operations without 
authorization. See proposed Sec. 164.506(a)(1).
    We also proposed to prohibit covered entities from requiring 
individuals to sign authorizations for uses and disclosures of 
protected health information for treatment, payment, and health care 
operations, unless required by other applicable law. See proposed 
Sec. 164.508(a)(iv). We instead proposed requiring covered entities to 
produce a notice describing their information practices, including 
practices with respect to uses and disclosures to carry out treatment, 
payment, and health care operations.
    In the final rule, we retain the requirement for covered entities 
to obtain the individual's written permission (an ``authorization'') 
for uses and disclosures of protected health information that are not 
otherwise permitted or required under the rule. However, under the 
final rule, we add a second type of written permission for use or 
disclosure of protected health information: a ``consent'' for uses and 
disclosures to carry out treatment, payment, and health care 
operations. In the final rule, we permit, and in some cases require, 
covered entities to obtain the individual's written permission for the 
covered entity to use or disclose protected health information other 
than psychotherapy notes to carry out treatment, payment, and health 
care operations. We refer to this written permission as a ``consent.''
    The ``consent'' and the ``authorization'' do not overlap. The 
requirement to obtain a ``consent'' applies in different circumstances 
than the requirement to obtain an authorization. In content, a consent 
and an authorization differ substantially from one another.
    As described in detail below, a ``consent'' allows use and 
disclosure of protected health information only for treatment, payment, 
and health care operations. It is written in general terms and refers 
the individual to the covered entity's notice for further information 
about the covered entity's privacy practices. It allows use and 
disclosure of protected health information by the covered entity 
seeking the consent, not by other persons. Most persons who obtain a 
consent will be health care providers; health plans and health care 
clearinghouses may also seek a consent. The consent requirements appear 
in Sec. 164.506 and are described in this section of the preamble.
    With a few exceptions, an ``authorization'' allows use and 
disclosure of protected health information for purposes other than 
treatment, payment, and health care

[[Page 82510]]

operations. In order to make uses and disclosures that are not covered 
by the consent requirements and not otherwise permitted or required 
under the final rule, covered entities must obtain the individual's 
``authorization.'' An ``authorization'' must be written in specific 
terms. It may allow use and disclosure of protected health information 
by the covered entity seeking the authorization, or by a third party. 
In some instances, a covered entity may not refuse to treat or cover 
individuals based on the fact that they refuse to sign an 
authorization. See Sec. 164.508 and the corresponding preamble 
discussion regarding authorization requirements.

Section 164.506(a)--Consent Requirements

    We make significant changes in the final rule with respect to uses 
and disclosures of protected health information to carry out treatment, 
payment, and health care operations. We do not prohibit covered 
entities from seeking an individual's written permission for use or 
disclosure of protected health information to carry out treatment, 
payment, or health care operations.
    Except as described below, we instead require covered health care 
providers to obtain the individual's consent prior to using or 
disclosing protected health information to carry out treatment, 
payment, or health care operations. If the covered provider does not 
obtain the individual's consent, the provider is prohibited from using 
or disclosing protected health information about the individual for 
purposes of treating the individual, obtaining payment for health care 
delivered to the individual, or for the provider's health care 
operations. See Sec. 164.506(a)(1).
    We except two types of health care providers from this consent 
requirement. First, covered health care providers that have an indirect 
treatment relationship with an individual are not required to obtain 
the individual's consent prior to using or disclosing protected health 
information about the individual to carry out treatment, payment, and 
health care operations. An ``indirect treatment relationship'' is 
defined in Sec. 164.501 and described in the corresponding preamble. 
These providers may use and disclose protected health information as 
otherwise permitted under the rule and consistent with their notice of 
privacy practices (see Sec. 164.520 regarding notice requirements and 
Sec. 164.502(i) regarding requirements to adhere to the notice). For 
example, a covered provider that provides consultation services to 
another provider without seeing the patient would have an indirect 
treatment relationship with that patient and would not be required to 
obtain the patient's consent to use protected health information about 
the patient for the consultation. These covered providers are, however, 
permitted to obtain consent, as described below.
    Second, covered health care providers that create or receive 
protected health information in the course of providing health care to 
inmates of a correctional institution are not required to obtain the 
inmate's consent prior to using or disclosing protected health 
information about the inmate to carry out treatment, payment, and 
health care operations. See Sec. 164.501 and the corresponding preamble 
discussion regarding the definitions of ``correctional institution'' 
and ``inmate.'' These providers may use and disclose protected health 
information as otherwise permitted under the rule. These providers are 
permitted, however, to obtain consent, as described below.
    In addition, we permit covered health care providers to use and 
disclose protected health information, without consent, to carry out 
treatment, payment, and health care operations, if the protected health 
information was created or received in certain treatment situations. In 
the treatment situations described in Sec. 164.506(a)(3) and 
immediately below, the covered health care provider must attempt to 
obtain the individual's consent. If the covered provider is unable to 
obtain consent, but documents the attempt and the reason consent was 
not obtained, the covered provider may, without consent, use and 
disclose the protected health information resulting from the treatment 
as otherwise permitted under the rule. All other protected health 
information about that individual that the covered health care provider 
creates or receives, however, is subject to the consent requirements.
    This exception to the consent requirement applies to protected 
health information created or received in any of three treatment 
situations. First, the exception applies to protected health 
information created or received in emergency treatment situations. In 
these situations, covered providers must attempt to obtain the consent 
as soon as reasonably practicable after the delivery of the emergency 
treatment. Second, the exception applies to protected health 
information created or received in situations where the covered health 
care provider is required by law to treat the individual (for example, 
certain publicly funded providers) and the covered health care provider 
attempts to obtain such consent. Third, the exception applies to 
protected health information created or received in treatment 
situations where there are substantial barriers to communicating with 
the individual and, in the exercise of professional judgment, the 
covered provider clearly infers from the circumstances the individual's 
consent to receive treatment. For example, there may be situations in 
which a mentally incapacitated individual seeks treatment from a health 
care provider but is unable to provide informed consent to undergo such 
treatment and does not have a personal representative available to 
provide such consent on the individual's behalf. If the covered 
provider, in her professional judgment, believes she can legally 
provide treatment to that individual, we also permit the provider to 
use and disclose protected health information resulting from the 
treatment without the individual's consent. We intend covered health 
care providers that legally provide treatment without the individual's 
consent to that treatment to be able to use and disclose protected 
health information resulting from that treatment to carry out 
treatment, payment, or health care operations without obtaining the 
individual's consent for such use or disclosure. We do not intend to 
impose unreasonable barriers to individuals' ability to receive, and 
health care providers' ability to provide, health care.
    Under Sec. 164.506(a)(4), covered health care providers that have 
an indirect treatment relationship with an individual, as well as 
health plans and health care clearinghouses, may elect to seek consent 
for their own uses and disclosures to carry out treatment, payment, and 
health care operations. If such a covered entity seeks consent for 
these purposes, the consent must meet the minimum requirements 
described below.
    If a covered health care provider with an indirect treatment 
relationship, a health plan, or a health care clearinghouse does not 
seek consent, the covered entity may use or disclose protected health 
information to carry out treatment, payment, and health care operations 
as otherwise permitted under the rule and consistent with its notice of 
privacy practices (see Sec. 164.520 regarding notice requirements and 
Sec. 164.502(i) regarding requirements to adhere to the notice).
    If a covered health care provider with an indirect treatment 
relationship, a health plan, or a health care clearinghouse does ask an 
individual to sign a consent, and the individual does not do so, the 
covered entity is

[[Page 82511]]

prohibited under Sec. 164.502(a)(1) from using or disclosing protected 
health information for the purpose(s) included in the consent. A 
covered entity that seeks a consent must adhere to the individual's 
decision.
    In Sec. 164.506(a)(5), we specify that a consent obtained by one 
covered entity is not effective to permit another covered entity to use 
or disclose protected health information, unless the consent is a joint 
consent. See Sec. 164.506(f) and the corresponding preamble discussion 
below regarding joint consents. A consent provides the individual's 
permission only for the covered entity that obtains the consent to use 
or disclose protected health information for treatment, payment, and 
health care operations. A consent under this section does not operate 
to authorize another covered entity to use or disclose protected health 
information, except where the other covered entity is operating as a 
business associate. We note that, where a covered entity is acting as a 
business associate of another covered entity, the business associate 
covered entity is acting for or on behalf of the principal covered 
entity, and its actions for or on behalf of the principal covered 
entity are authorized by the consent obtained by the principal covered 
entity. Thus, under this section, a health plan can obtain a consent 
that permits the health plan and its business associates to use and 
disclose protected health information that the health plan and its 
business associates create or receive. That consent cannot, however, 
permit another covered entity (that is not a business associate) to 
disclose protected health information to the health plan or to any 
other person.
    If a covered entity wants to obtain the individual's permission for 
another covered entity to disclose protected health information to it 
for treatment, payment, or health care operations purposes, it must 
seek an authorization in accordance with Sec. 164.508(e). For example, 
when a covered provider asks the individual for written permission to 
obtain the individual's medical record from another provider for 
treatment purposes, it must do so with an authorization, not a consent. 
Since the permission is for disclosure of protected health information 
by another person, a consent may not be used.

Section 164.506(b)--Consent General Requirements

    In the final rule, we permit a covered health care provider to 
condition the provision of treatment on the receipt of the individual's 
consent for the covered provider to use and disclose protected health 
information to carry out treatment, payment, and health care 
operations. Covered providers may refuse to treat individuals who do 
not consent to uses and disclosures for these purposes. See 
Sec. 164.506(b)(1). We note that there are exceptions to the consent 
requirements for covered health care providers that are required by law 
to treat individuals. See Sec. 164.506(a)(3), described above.
    Similarly, in the final rule, we permit health plans to condition 
an individual's enrollment in the health plan on the receipt of the 
individual's consent for the health plan to use and disclose protected 
health information to carry out treatment, payment, and health care 
operations, if the consent is sought in conjunction with the enrollment 
process. If the health plan seeks the individual's consent outside of 
the enrollment process, the health plan may not condition any services 
on obtaining such consent.
    Under Sec. 164.520, covered entities must produce a notice of 
privacy practices. A consent may not be combined in a single document 
with the notice of privacy practices. See Sec. 164.506(b)(3).
    Under Sec. 164.506(b)(4), consents for uses and disclosures of 
protected health information to carry out treatment, payment, and 
health care operations may be combined in a single document covering 
all three types of activities and may be combined with other types of 
legal permission from the individual. For example, a consent to use or 
disclose protected health information under this rule may be combined 
with an informed consent to receive treatment, a consent to assign 
payment of benefits to a provider, or narrowly tailored consents 
required under state law for the use or disclosure of specific types of 
protected health information (e.g., state laws requiring specific 
consent for any sharing of information related to HIV/AIDS).
    Within a single consent document, the consent for use and 
disclosure of protected health information required or permitted under 
this rule must be visually and organizationally separate from the other 
consents or authorizations and must be separately signed by the 
individual and dated.
    Where research includes treatment of the individual, a consent 
under this rule may be combined with the authorization for the use or 
disclosure of protected health information created for the research, in 
accordance with Sec. 164.508(f). (This is the only case in which an 
authorization under Sec. 164.508 of this rule may be combined with a 
consent under Sec. 164.506 of this rule. See Sec. 164.508(b)(3).) The 
covered entity that is creating protected health information for the 
research may elect to combine the consent required under this section 
with the research-related authorization required under Sec. 164.508(f). 
For example, a covered health care provider that provides health care 
to an individual for research purposes and for non-research purposes 
must obtain a consent under this section for all of the protected 
health information it maintains. In addition, it must obtain an 
authorization in accordance with Sec. 164.508(f) which describes how it 
will use and disclose the protected health information it creates for 
the research for purposes of treatment, payment, and health care 
operations. Section 164.506(b)(4) permits the covered entity to satisfy 
these two requirements with a single document. See Sec. 164.508(f) and 
the corresponding preamble discussion for a more detailed description 
of research authorization requirements.
    Under Sec. 164.506(b)(5), individuals may revoke a consent in 
writing at any time, except to the extent that the covered entity has 
taken action in reliance on the consent. Upon receipt of the written 
revocation, the covered entity must stop processing the information for 
use or disclosure, except to the extent that it has taken action in 
reliance on the consent. A covered health care provider may refuse, 
under this rule, to continue to treat an individual that revokes his or 
her consent. A health plan may disenroll an individual that revokes a 
consent that was sought in conjunction with the individual's enrollment 
in the health plan.
    Covered entities must document and retain any signed consent as 
required by Sec. 164.530(j).

Section 164.506(c)--Consent Content Requirements

    Under Sec. 164.506(c), the consent must be written in plain 
language. See the preamble discussion regarding notice of privacy 
practices for a description of plain language requirements. We do not 
provide a model consent in this rule. We will provide further guidance 
on drafting consent documents prior to the compliance date.
    Under Sec. 164.506(c)(1), the consent must inform the individual 
that protected health information may be used and disclosed by the 
covered entity to carry out treatment, payment, or health care 
operations. The covered entity must determine which of these elements 
(use and/or disclosure; treatment, payment, and/or health care 
operations) to include in the consent

[[Page 82512]]

document, as appropriate for the covered entity's practices.
    For covered health care providers that are required to obtain 
consent, the requirement applies only to the extent the covered 
provider uses or discloses protected health information. For example, 
if all of a covered provider's health care operations are conducted by 
members of the covered provider's own workforce, the covered provider 
may choose to obtain consent only for uses, not disclosures, of 
protected health information to carry out health care operations. If an 
individual pays out of pocket for all services received from the 
covered provider and the provider will not disclose any information 
about the patient to a third party payor, the provider may choose not 
to obtain the individual's consent to disclose information for payment 
purposes. In order for a covered provider to be able to use and 
disclose information for all three purposes, however, all three 
purposes must be included in the consent.
    Under Secs. 164.506(c)(2) and (3), the consent must refer the 
individual to the covered entity's notice for additional information 
about the uses and disclosures of information described in the consent. 
The consent must also indicate that the individual has the right to 
review the notice prior to signing the consent. If the covered entity 
has reserved the right to change its privacy practices in accordance 
with Sec. 164.520(b)(1)(v)(C), the consent must indicate that the terms 
of the notice may change and must describe how the individual may 
obtain a revised notice. See Sec. 164.520 and the corresponding 
preamble discussion regarding notice requirements.
    Under Sec. 164.506(c)(4), the consent must inform individuals that 
they have the right to request restrictions on uses and disclosures of 
protected health information for treatment, payment, and health care 
operations purposes. It must also state that the covered entity is not 
required to agree to an individual's request, but that if the covered 
entity does agree to the request, the restriction is binding on the 
covered entity. See Sec. 164.522(a) regarding the right to request 
restrictions.
    Under Sec. 164.506(c)(5), the consent must indicate that the 
individual has the right to revoke the consent in writing, except to 
the extent that the covered entity has taken action in reliance on the 
consent.
    Under Sec. 164.506(c)(6), the consent must include the individual's 
signature and the date of signature. Once we adopt the standards for 
electronic signature, another of the required administrative 
simplification standards we are required to adopt under HIPAA, an 
electronic signature that meets those standards will be sufficient 
under this rule. We do not require any verification of the individual's 
identity or authentication of the individual's signature. We expect 
covered health care providers that are required to obtain consent to 
employ the same level of scrutiny to these signatures as they do to the 
signature obtained on a document regarding the individual's consent to 
undergo treatment by the provider.

Section 164.506(d)--Defective Consents

    Under Sec. 164.506(d), there is no ``consent'' within the meaning 
of the rule if the completed document lacks a required element or if 
the individual has revoked the consent in accordance with 
Sec. 164.506(b)(5).

Section 164.506(e)--Resolving Conflicting Consents and Authorizations

    Situations may arise where a covered entity that has obtained the 
individual's consent for the covered entity to use or disclose 
protected health information to carry out treatment, payment, or health 
care operations is asked to disclose protected health information 
pursuant to another written legal permission from the individual, such 
as an authorization, that was obtained by another person. Under 
Sec. 164.506(e), when the terms of a covered entity's consent conflict 
with the terms of another written legal permission from the individual 
to use or disclose protected health information (such as a consent 
obtained under state law by another covered entity or an 
authorization), the covered entity must adhere to the more restrictive 
document. By conflict, we mean that the consent and authorization 
contain inconsistencies. In implementing this section, we note that the 
consent under this section references the notice provided to the 
individual and the individual's right to request restrictions. In 
determining whether the covered entity's consent conflicts with another 
written legal permission provided by the individual, the covered entity 
must consider any limitations on its uses or disclosures resulting from 
the notice provided to the individual or from restrictions to which it 
has agreed. For example, a covered nursing home may elect to ask the 
patient to sign an authorization for the patient's covered primary care 
physician to forward the patient's medical records to the nursing home. 
The physician may have previously obtained the individual's consent for 
disclosure for treatment purposes. If the authorization obtained by the 
nursing home grants permission for the physician to disclose particular 
types of information, such as genetic information, but the consent 
obtained by the physician excludes such information or the physician 
has agreed to a restriction on that type of information, the physician 
may not disclose that information. The physician must adhere to the 
more restrictive written legal permission from the individual.
    When a conflict between a consent and another written legal 
permission from the individual exists, as described above, the covered 
entity may attempt to resolve the conflict with the individual by 
either obtaining a new consent from the individual or by having a 
discussion or otherwise communicating with the individual to determine 
the individual's preference regarding the use or disclosure. If the 
individual's preference is communicated orally, the covered entity must 
document the individual's preference and act in accordance with that 
preference. In the example described above, the primary care physician 
could ask the patient to sign a new consent that would permit the 
disclosure of the genetic information. Alternatively, the physician 
could ask the patient whether the patient intended for the genetic 
information to be disclosed to the nursing home. If the patient 
confirms that he or she intended for the genetic information to be 
shared, the physician can document that fact (e.g., by making a 
notation in the medical record) and disclose the information to the 
nursing home.
    We believe covered entities will rarely be faced with conflicts 
between consents and other written legal permission from the individual 
for uses and disclosures to carry out treatment, payment, and health 
care operations. Under Sec. 164.506(a)(5), we specify that a consent 
only permits the covered entity that obtains the consent to use or 
disclose protected health information. A consent obtained by one 
covered entity is not effective to permit another different covered 
entity to use or disclose protected health information. Conflicting 
consents obtained by covered entities, therefore, are not possible. We 
expect authorizations that permit another covered entity to use and 
disclose protected health information for treatment, payment, and 
health care operations purposes will rarely be necessary, because we 
expect covered entities that maintain protected health information to 
obtain consents that permit them to make anticipated uses and 
disclosures for these purposes. Nevertheless, covered entities are 
permitted under Sec. 164.508(e) to obtain

[[Page 82513]]

authorization for another covered entity to use or disclose protected 
health information to carry out treatment, payment, and health care 
operations. We recognize these authorizations may be useful to 
demonstrate an individual's intent and relationship to the intended 
recipient of the information. For example, these authorizations may be 
useful in situations where a health plan wants to obtain information 
from one provider in order to determine payment of a claim for services 
provided by a different provider (e.g., information from a primary care 
physician that is necessary to determine payment of services provided 
by a specialist) or where an individual's new physician wants to obtain 
the individual's medical records from prior physicians. Other persons 
not covered by this rule may also seek authorizations and state law may 
require written permission for specific types of information, such as 
information related to HIV/AIDS or to mental health. Because an 
individual may sign conflicting documents over time, we clarify that 
the covered entity maintaining the protected health information to be 
used or disclosed must adhere to the more restrictive permission the 
individual has granted, unless the covered entity resolves the conflict 
with the individual.

Section 164.506(f)--Joint Consents

    Covered entities that participate in an organized health care 
arrangement and that develop a joint notice under Sec. 164.520(d) may 
develop a joint consent in which the individual consents to the uses 
and disclosures of protected health information by each of the covered 
entities in the arrangement to carry out treatment, payment, and/or 
health care operations. The joint consent must identify with reasonable 
specificity the covered entities, or class of covered entities, to 
which the joint consent applies and must otherwise meet the consent 
requirements. If an individual revokes a joint consent, the covered 
entity that receives the revocation must inform the other entities 
covered by the joint consent of the revocation as soon as practicable.
    If any one of the covered entities included in the joint consent 
obtains the individual's consent, as required above, the consent 
requirement is met for all of the other covered entities to which the 
consent applies. For example, a covered hospital and the clinical 
laboratory and emergency departments with which it participates in an 
organized health care arrangement may produce a joint notice and obtain 
a joint consent. If the covered hospital obtains the individual's joint 
consent upon admission, and some time later the individual is 
readmitted through the associated emergency department, the emergency 
department's consent requirement will already have been met. These 
joint consents are the only type of consent by which one covered entity 
can obtain the individual's permission for another covered entity to 
use or disclose protected health information to carry out treatment, 
payment, or health care operations.

Effect of Consent

    These consents, as well as the authorizations described in 
Sec. 164.508, should not be construed to waive, directly or indirectly, 
any privilege granted under federal, state, or local law or procedure. 
Consents obtained under this regulation are not appropriate for the 
disposition of more technical and legal proceedings and may not comport 
with procedures and standards of federal, state, or local judicial 
practice. For example, state courts and other decision-making bodies 
may choose to examine more closely the circumstances and propriety of 
such consent and may adopt more protective standards for application in 
their proceedings. In the judicial setting, as in the legislative and 
executive settings, states may provide for greater protection of 
privacy. Additionally, both the Congress and the Secretary have 
established a general approach to protecting from explicit preemption 
state laws that are more protective of privacy than the protections set 
forth in this regulation.

Section 164.508--Uses and Disclosures for Which an Authorization Is 
Required

Section 164.508(a)--Standard

    We proposed to require covered entities to obtain the individual's 
authorization for all uses and disclosures of protected health 
information not otherwise permitted or required under the proposed 
rule. Uses and disclosures that would have been permitted without 
individual authorization included uses and disclosures for national 
priority purposes such as public health, law enforcement, and research 
(see proposed Sec. 164.510) and uses and disclosures of protected 
health information, other than psychotherapy notes and research 
information unrelated to treatment, for purposes of treatment, payment, 
and health care operations (see proposed Sec. 164.506). We also 
proposed to require covered entities to disclose protected health 
information to the individual for inspection and copying (see proposed 
Sec. 164.514) and to the Secretary as required for enforcement of the 
rule (see proposed Sec. 164.522). Individual authorization would not 
have been required for these uses and disclosures.
    We proposed to require covered entities to obtain the individual's 
authorization for all other uses and disclosures of protected health 
information. Under proposed Sec. 164.508(a), uses and disclosures that 
would have required individual authorization included, but were not 
limited to, the following:
     Use for marketing of health and non-health items and 
services by the covered entity;
     Disclosure by sale, rental, or barter;
     Use and disclosure to non-health related divisions of the 
covered entity, e.g., for use in marketing life or casualty insurance 
or banking services;
     Disclosure, prior to an individual's enrollment in a 
health plan, to the health plan or health care provider for making 
eligibility or enrollment determinations relating to the individual or 
for underwriting or risk rating determinations;
     Disclosure to an employer for use in employment 
determinations; and
     Use or disclosure for fundraising.
    In the preamble to the proposed rule, we stated that covered 
entities would be bound by the terms of authorizations. Uses or 
disclosures by the covered entity for purposes inconsistent with the 
statements made in the authorization would have constituted a violation 
of the rule.
    In the final rule, under Sec. 164.508(a), as in the proposed rule, 
covered entities must have authorization from individuals before using 
or disclosing protected health information for any purpose not 
otherwise permitted or required by this rule. Specifically, except for 
psychotherapy notes (see below), covered entities are not required to 
obtain the individual's authorization to use or disclose protected 
health information to carry out treatment, payment, and health care 
operations. (Covered entities may, however, be required to obtain the 
individual's consent for these uses and disclosures. See the preamble 
regarding Sec. 164.506 for a discussion of ``consent'' versus 
``authorization''.) We also do not require covered entities to obtain 
the individual's authorization for uses and disclosures of protected 
health information permitted under Secs. 164.510 or 164.512, for 
disclosures to the individual, or for required disclosures to the 
Secretary under subpart C of part 160 of this subchapter for 
enforcement of this rule.
    In the final rule, we clarify that covered entities are bound by 
the

[[Page 82514]]

statements provided on the authorization; use or disclosure by the 
covered entity for purposes inconsistent with the statements made in 
the authorization constitutes a violation of this rule.
    Unlike the proposed rule, we do not include in the regulation 
examples of the types of uses and disclosures that require individual 
authorization. We eliminated two examples from the proposed list due to 
potential confusion as to our intent: disclosure by sale, rental, or 
barter and use and disclosure to non-health related divisions of the 
covered entity. We recognize that covered entities sometimes make these 
types of uses and disclosures for purposes that are permitted under the 
rule without authorization. For example, a covered health care provider 
may sell its accounts receivable to a collection agency for payment 
purposes and a health plan may disclose protected health information to 
its life insurance component for payment purposes. We do not intend to 
require authorization for uses and disclosures made by sale, rental, or 
barter or for disclosures made to non-health related divisions of the 
covered entity, if those uses or disclosures could otherwise be made 
without authorization under this rule. As with any other use or 
disclosure, however, uses and disclosures of protected health 
information for these purposes do require authorization if they are not 
otherwise permitted under the rule.
    We also eliminated the remaining proposed examples from the final 
rule due to concern that these examples might be misinterpreted as an 
exhaustive list of all of the uses and disclosures that require 
individual authorization. We discuss the examples here, however, to 
clarify the interaction of the authorization requirements and the 
provisions of the rule that permit uses and disclosures without 
authorization and/or with consent. Uses and disclosures for which 
covered entities must have the individual's authorization include, but 
are not limited to, the following activities.

Marketing

    As in the proposed rule, covered entities must obtain the 
individual's authorization before using or disclosing protected health 
information for marketing purposes. In the final rule, we add a new 
definition of marketing (see Sec. 164.501). For more detail on what 
activities constitute marketing, see Sec. 164.501, definition of 
``marketing,'' and Sec. 164.514(e).

Pre-Enrollment Underwriting

    As in the proposed rule, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information for the purpose of making eligibility or enrollment 
determinations relating to an individual or for underwriting or risk 
rating determinations, prior to the individual's enrollment in a health 
plan (that is, for purposes of pre-enrollment underwriting). For 
example, if an individual applies for new coverage with a health plan 
in the non-group market and the health plan wants to review protected 
health information from the individual's covered health care providers 
before extending an offer of coverage, the individual first must 
authorize the covered providers to share the information with the 
health plan. If the individual applies for renewal of existing 
coverage, however, the health plan would not need to obtain an 
authorization to review its existing claims records about that 
individual, because this activity would come within the definition of 
health care operations and be permissible. We also note that under 
Sec. 164.504(f), a group health plan and a health insurance issuer that 
provides benefits with respect to a group health plan are permitted in 
certain circumstances to disclose summary health information to the 
plan sponsor for the purpose of obtaining premium bids. Because these 
disclosures fall within the definition of health care operations, they 
do not require authorization.

Employment Determinations

    As in the proposed rule, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information for employment determinations. For example, a covered 
health care provider must obtain the individual's authorization to 
disclose the results of a pre-employment physical to the individual's 
employer. The final rule provides that a covered entity may condition 
the provision of health care that is solely for the purpose of creating 
protected health information for disclosure to a third party on the 
provision of authorization for the disclosure of the information to the 
third party.

Fundraising

    Under the proposed regulation, we would have required authorization 
before a covered entity could have used or disclosed protected health 
information for fundraising. In the final rule, we narrow the 
circumstances under which covered entities must obtain the individual's 
authorization to use or disclose protected health information for 
fundraising purposes. As provided in Sec. 164.514(f) and described in 
detail in the corresponding preamble, authorization is not required 
when a covered entity uses or discloses demographic information and 
information about the dates of health care provided to an individual 
for the purpose of raising funds for its own benefit, nor when it 
discloses such information to an institutionally related foundation to 
raise funds for the covered entity.
    Any use or disclosure for fundraising purposes that does not meet 
the requirements of Sec. 164.514(f) and does not fall within the 
definition of health care operations (see Sec. 164.501), requires 
authorization. Specifically, covered entities must obtain the 
individual's authorization to use or disclose protected health 
information to raise funds for any entity other than the covered 
entity. For example, a covered entity must have the individual's 
authorization to use protected health information about the individual 
to solicit funds for a non-profit organization that engages in 
research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

    In the NPRM, we proposed different rules with respect to 
psychotherapy notes than we proposed with respect to all other 
protected health information. The proposed rule would have required 
covered entities to obtain an authorization for any use or disclosure 
of psychotherapy notes to carry out treatment, payment, or health care 
operations, unless the use was by the person who created the 
psychotherapy notes. With respect to all other protected health 
information, we proposed to prohibit covered entities from requiring 
authorization for uses and disclosures for these purposes.
    We significantly revise our approach to psychotherapy notes in the 
final rule. With a few exceptions, covered entities must obtain the 
individual's authorization to use or disclose psychotherapy notes to 
carry out treatment, payment, or health care operations. A covered 
entity must obtain the individual's consent, but not an authorization, 
for the person who created the psychotherapy notes to use the notes to 
carry out treatment and for the covered entity to use or disclose 
psychotherapy notes for conducting training programs in which students, 
trainees, or practitioners in mental health learn under supervision to

[[Page 82515]]

practice or improve their skills in group, joint, family, or individual 
counseling. A covered entity may also use psychotherapy notes to defend 
a legal action or other proceeding brought by the individual pursuant 
to a consent, without a specific authorization. We note that, while 
this provision allows disclosure of these records to the covered 
entity's attorney to defend against the action or proceeding, 
disclosure to others in the course of a judicial or administrative 
proceeding is governed by Sec. 164.512(e). This special provision is 
necessary because disclosure of protected health information for 
purposes of legal representatives may be made under the general consent 
as part of ``health care operations.'' Because we require an 
authorization for disclosure of psychotherapy notes for ``health care 
operations,'' an exception is needed to allow covered entities to use 
protected health information about an individual to defend themselves 
against an action threatened or brought by that individual without 
asking that individual for authorization to do so. Otherwise, a consent 
under Sec. 164.506 is not sufficient for the use or disclosure of 
psychotherapy notes to carry out treatment, payment, or health care 
operations. Authorization is required. We anticipate these 
authorizations will rarely be necessary, since psychotherapy notes do 
not include information that covered entities typically need for 
treatment, payment, or other types of health care operations.
    In the NPRM, we proposed to permit covered entities to use and 
disclose psychotherapy notes for all other purposes permitted or 
required under the rule without authorization. In the final rule, we 
specify a more limited set of uses and disclosures of psychotherapy 
notes that covered entities are permitted to make without 
authorization. An authorization is not required for use or disclosure 
of psychotherapy notes when required for enforcement purposes, in 
accordance with subpart C of part 160 of this subchapter; when mandated 
by law, in accordance with Sec. 164.512(a); when needed for oversight 
of the health care provider who created the psychotherapy notes, in 
accordance with Sec. 164.512(d); when needed by a coroner or medical 
examiner, in accordance with Sec. 164.512(g)(1); or when needed to 
avert a serious and imminent threat to health or safety, in accordance 
with Sec. 164.512(j)(1)(i). We also provide transition provisions in 
Sec. 164.532 regarding the effect of express legal permission obtained 
from an individual prior to the compliance date of this rule.

Section 164.508(b)--Implementation Specifications for Authorizations

Valid and Defective Authorizations

    We proposed to require a minimum set of elements for authorizations 
requested by the individual and an additional set of elements for 
authorizations requested by a covered entity. We would have permitted 
covered entities to use and disclose protected health information 
pursuant to authorizations containing the applicable required elements. 
We would have prohibited covered entities from acting on an 
authorization if the submitted document had any of the following 
defects:
     The expiration date had passed;
     The form had not been filled out completely;
     The covered entity knew the authorization had been 
revoked;
     The completed form lacked a required element; or
     The covered entity knew the information on the form was 
false.
    In Sec. 164.508(b)(1) of the final rule, we specify that an 
authorization containing the applicable required elements (as described 
below) is a valid authorization. We clarify that a valid authorization 
may contain additional, non-required elements, provided that these 
elements are not inconsistent with the required elements. Covered 
entities are not required to use or disclose protected health 
information pursuant to a valid authorization. Our intent is to clarify 
that a covered entity that uses or discloses protected health 
information pursuant to an authorization meeting the applicable 
requirements will be in compliance with this rule.
    We retain the provision prohibiting covered entities from acting on 
an authorization if the submitted document had any of the listed 
defects, with a few changes. First, in Sec. 164.508(c)(1)(iv) we 
specify that an authorization may expire upon a certain event or on a 
specific date. For example, a valid authorization may state that it 
expires upon acceptance or rejection of an application for insurance or 
upon the termination of employment (for example, in an authorization 
for disclosure of protected health information for fitness-for-duty 
purposes) or similar event. The expiration event must, however, be 
related to the individual or the purpose of the use or disclosure. An 
authorization that purported to expire on the date when the stock 
market reached a specified level would not be valid. Under 
Sec. 164.508(b)(2)(i), if the expiration event is known by the covered 
entity to have occurred, the authorization is defective. Second, we 
clarify that certain compound authorizations, as described below, are 
defective. We also clarify that authorizations that are not completely 
filled out with respect to the required elements are defective. 
Finally, we clarify that an authorization with information that the 
covered entity knows to be false is defective only if the information 
is material.
    As under the proposed regulation, an authorization that the covered 
entity knows has been revoked is not a valid authorization. We note 
that, although an authorization must be revoked in writing, the covered 
entity may not always ``know'' that an authorization has been revoked. 
The writing required for an individual to revoke an authorization may 
not always trigger the ``knowledge'' required for a covered entity to 
consider an authorization defective. Conversely, a copy of the written 
revocation is not required before a provider ``knows'' that an 
authorization has been revoked.
    Many authorizations will be obtained by persons other than the 
covered entity. If the individual revokes an authorization by writing 
to that other person, and neither the individual nor the other person 
informs the covered entity of the revocation, the covered entity will 
not ``know'' that the authorization has been revoked. For example, a 
government agency may obtain an individual's authorization for ``all 
providers who have seen the individual in the past year'' to disclose 
protected health information to the agency for purposes of determining 
eligibility for benefits. The individual may revoke the authorization 
by writing to the government agency requesting such revocation. We 
cannot require the agency to inform all covered entities to whom it has 
presented the authorization that the authorization has been revoked. If 
a covered entity does not know of the revocation, the covered entity 
will not violate this rule by acting pursuant to the authorization. At 
the same time, if the individual does inform the covered entity of the 
revocation, even orally, the covered entity ``knows'' that the 
authorization has been revoked and can no longer treat the 
authorization as valid under this rule. Thus, in this example, if the 
individual tells a covered entity that the individual has revoked the 
authorization, the covered entity ``knows'' of the revocation and must 
consider the authorization defective under Sec. 164.508(b)(2).

[[Page 82516]]

Compound Authorizations

    Except for authorizations requested in connection with a clinical 
trial, we proposed to prohibit covered entities from combining an 
authorization for use or disclosure of protected health information for 
purposes other than treatment, payment, or health care operations with 
an authorization or consent for treatment (e.g., an informed consent to 
receive care) or payment (e.g., an assignment of benefits).
    We clarify the prohibition on compound authorizations in the final 
rule. Other than as described below, Sec. 164.508(b)(3) prohibits a 
covered entity from acting on an authorization required under this rule 
that is combined with any other document, including any other written 
legal permission from the individual. For example, an authorization 
under this rule may not be combined with a consent for use or 
disclosure of protected health information under Sec. 164.506, with the 
notice of privacy practices under Sec. 164.520, with any other form of 
written legal permission for the use or disclosure of protected health 
information, with an informed consent to participate in research, or 
with any other form of consent or authorization for treatment or 
payment.
    There are three exceptions to this prohibition. First, under 
Sec. 164.508(f) (described in more detail, below), an authorization for 
the use or disclosure of protected health information created for 
research that includes treatment of the individual may be combined with 
a consent for the use or disclosure of that protected health 
information to carry out treatment, payment, or health care operations 
under Sec. 164.506 and with other documents as provided in 
Sec. 164.508(f). Second, authorizations for the use or disclosure of 
psychotherapy notes for multiple purposes may be combined in a single 
document, but may not be combined with authorizations for the use or 
disclosure of other protected health information. Third, authorizations 
for the use or disclosure of protected health information other than 
psychotherapy notes may be combined, provided that the covered entity 
has not conditioned the provision of treatment, payment, enrollment, or 
eligibility on obtaining the authorization. If a covered entity 
conditions any of these services on obtaining an authorization from the 
individual, as permitted in Sec. 164.508(b)(4) and described below, the 
covered entity must not combine the authorization with any other 
document.
    The following are examples of valid compound authorizations: an 
authorization for the disclosure of information created for clinical 
research combined with a consent for the use or disclosure of other 
protected health information to carry out treatment, payment, and 
health care operations, and the informed consent to participate in the 
clinical research; an authorization for disclosure of psychotherapy 
notes for both treatment and research purposes; and an authorization 
for the disclosure of the individual's demographic information for both 
marketing and fundraising purposes. Examples of invalid compound 
authorizations include: an authorization for the disclosure of 
protected health information for treatment, for research, and for 
determining payment of a claim for benefits, when the covered entity 
will refuse to pay the claim if the individual does not sign the 
authorization; or an authorization for the disclosure of psychotherapy 
notes combined with an authorization to disclose any other protected 
health information.

Prohibition on Conditioning Treatment, Payment, Eligibility, or 
Enrollment

    We proposed to prohibit covered entities from conditioning 
treatment or payment on the provision by the individual of an 
authorization, except when the authorization was requested in 
connection with a clinical trial. In the case of authorization for use 
or disclosure of psychotherapy notes or research information unrelated 
to treatment, we proposed to prohibit covered entities from 
conditioning treatment, payment, or enrollment in a health plan on 
obtaining such an authorization.
    We retain this basic approach but refine its application in the 
final rule. In addition to the general prohibition on conditioning 
treatment and payment, covered entities are also prohibited (with 
certain exceptions described below) from conditioning eligibility for 
benefits or enrollment in a health plan on obtaining an authorization. 
This prohibition extends to all authorizations, not just authorizations 
for use or disclosure of psychotherapy notes. This prohibition is 
intended to prevent covered entities from coercing individuals into 
signing an authorization for a use or disclosure that is not necessary 
to carry out the primary services that the covered entity provides to 
the individual. For example, a health care provider could not refuse to 
treat an individual because the individual refused to authorize a 
disclosure to a pharmaceutical manufacturer for the purpose of 
marketing a new product.
    We clarify the proposed research exception to this prohibition. 
Covered entities seeking authorization in accordance with 
Sec. 164.508(f) to use or disclose protected health information created 
for the purpose of research that includes treatment of the individual, 
including clinical trials, may condition the research-related treatment 
on the individual's authorization. Permitting use of protected health 
information is part of the decision to receive care through a clinical 
trial, and health care providers conducting such trials should be able 
to condition research-related treatment on the individual's willingness 
to authorize the use or disclosure of his or her protected health 
information for research associated with the trial.
    In addition, we permit health plans to condition eligibility for 
benefits and enrollment in the health plan on the individual's 
authorization for the use or disclosure of protected health information 
for purposes of eligibility or enrollment determinations relating to 
the individual or for its underwriting or risk-rating determinations. 
We also permit health plans to condition payment of a claim for 
specified benefits on the individual's authorization for the disclosure 
of information maintained by another covered entity to the health plan, 
if the disclosure is necessary to determine payment of the claim. These 
exceptions do not apply, however, to authorization for the use or 
disclosure of psychotherapy notes. Health plans may not condition 
payment, eligibility, or enrollment on the receipt of an authorization 
for the use or disclosure of psychotherapy notes, even if the health 
plan intends to use the information for underwriting or payment 
purposes.
    Finally, when a covered entity provides treatment for the sole 
purpose of providing information to a third party, the covered entity 
may condition the treatment on the receipt of an authorization to use 
or disclose protected health information related to that treatment. For 
example, a covered health care provider may have a contract with an 
employer to provide fitness-for-duty exams to the employer's employees. 
The provider may refuse to conduct the exam if an individual refuses to 
authorize the provider to disclose the results of the exam to the 
employer. Similarly, a covered health care provider may have a contract 
with a life insurer to provide pre-enrollment physicals to applicants 
for life insurance coverage. The provider may refuse to conduct the 
physical if an individual refuses to authorize the provider to disclose 
the results of the physical to the life insurer.

[[Page 82517]]

Revocation of Authorizations

    We proposed to allow individuals to revoke an authorization at any 
time, except to the extent that the covered entity had taken action in 
reliance on the authorization.
    We retain this provision, but specify that the individual must 
revoke the authorization in writing. When an individual revokes an 
authorization, a covered entity that knows of such revocation must stop 
making uses and disclosures pursuant to the authorization to the 
greatest extent practical. A covered entity may continue to use and 
disclose protected health information in accordance with the 
authorization only to the extent the covered entity has taken action in 
reliance on the authorization. For example, a covered entity is not 
required to retrieve information that it has already disclosed in 
accordance with the authorization. (See above for discussion of how 
written revocation of an authorization and knowledge of that revocation 
may differ.)
    We also include an additional exception. Under Sec. 164.508(b)(5), 
individuals do not have the right to revoke an authorization if the 
authorization was obtained as a condition of obtaining insurance 
coverage and other applicable law provides the insurer that obtained 
the authorization with the right to contest a claim under the policy. 
We intend this exception to permit insurers to obtain necessary 
protected health information during contestability periods under state 
law. For example, an individual may not revoke an authorization for the 
disclosure of protected health information to a life insurer for the 
purpose of investigating material misrepresentation if the individual's 
policy is still subject to the contestability period.

Documentation

    In the final rule, we clarify that a covered entity must document 
and retain any signed authorization as required by Sec. 164.530(j) (see 
below).

Section 164.508(c)--Core Elements and Requirements

    We proposed to require authorizations requested by individuals to 
contain a minimum set of elements: a description of the information to 
be used or disclosed; the name of the covered entity, or class of 
entities or persons, authorized to make the use or disclosure; the name 
or types of recipient(s) of the information; an expiration date; the 
individual's signature and date of signature; if signed by a 
representative, a description of the representative's authority or 
relationship to the individual; a statement regarding the individual's 
right to revoke the authorization; and a statement that the information 
may no longer be protected by the federal privacy law. We proposed a 
model authorization form that entities could have used to satisfy the 
authorization requirements. If the model form was not used, we proposed 
to require covered entities to use authorization forms written in plain 
language.
    We modify the proposed approach, by eliminating the distinction 
between authorizations requested by the individuals and authorizations 
requested by others. Instead, we prescribe a minimum set of elements 
for authorizations and certain additional elements when the 
authorization is requested by a covered entity for its own use or 
disclosure of protected health information it maintains or for receipt 
of protected health information from another covered entity to carry 
out treatment, payment, or health care operations.
    The core elements are required for all authorizations, not just 
authorizations requested by individuals. Individuals seek disclosure of 
protected health information about them to others in many 
circumstances, such as when applying for life or disability insurance, 
when government agencies conduct suitability investigations, and in 
seeking certain job assignments when health status is relevant. Another 
common instance is tort litigation, when an individual's attorney needs 
individually identifiable health information to evaluate an injury 
claim and asks the individual to authorize disclosure of records 
relating to the injury to the attorney. In each of these situations, 
the individual may go directly to the covered entity and ask it to send 
the relevant information to the intended recipient. Alternatively, the 
intended recipient may ask the individual to complete a form, which the 
recipient will submit to the covered entity on the individual's behalf, 
that authorizes the covered entity to disclose the information. Whether 
the authorization is submitted to the covered entity by the individual 
or by another person on the individual's behalf, the covered entity 
maintaining protected health information may not use or disclose it 
pursuant to an authorization unless the authorization meets the 
following requirements.
    First, the authorization must include a description of the 
information to be used or disclosed, with sufficient specificity to 
allow the covered entity to know which information the authorization 
references. For example, the authorization may include a description of 
``laboratory results from July 1998'' or ``all laboratory results'' or 
``results of MRI performed in July 1998.'' The covered entity can then 
use or disclose that information and only that information. If the 
covered entity does not understand what information is covered by the 
authorization, the use or disclosure is not permitted unless the 
covered entity clarifies the request.
    There are no limitations on the information that can be authorized 
for disclosure. If an individual wishes to authorize a covered entity 
to disclose his or her entire medical record, the authorization can so 
specify. In order for the covered entity to disclose the entire medical 
record, the authorization must be specific enough to ensure that the 
individual has a clear understanding that the entire record will be 
disclosed. For example, if the Social Security Administration seeks 
authorization for release of all health information to facilitate the 
processing of benefit applications, then the description on the 
authorization form must specify ``all health information'' or the 
equivalent.
    In some instances, a covered entity may be reluctant to undertake 
the effort to review the record and select portions relevant to the 
request (or redact portions not relevant). In such circumstances, 
covered entities may provide the entire record to the individual, who 
may then redact and release the more limited information to the 
requestor. This rule does not require a covered entity to disclose 
information pursuant to an individual's authorization.
    Second, the authorization must include the name or other specific 
identification of the person(s) or class of persons that are authorized 
to use or disclose the protected health information. If an 
authorization permits a class of covered entities to disclose 
information to an authorized person, the class must be stated with 
sufficient specificity so that a covered entity presented with the 
authorization will know with reasonable certainty that the individual 
intended the covered entity to release protected health information. 
For example, a covered licensed nurse practitioner presented with an 
authorization for ``all physicians'' to disclose protected health 
information could not know with reasonable certainty that the 
individual intended for the practitioner to be included in the 
authorization.
    Third, the authorization must include the name or other specific 
identification of the person(s) or class of persons to

[[Page 82518]]

whom the covered entity is authorized to make the use or disclosure. 
The authorization must identify these persons with sufficient 
specificity to reasonably permit a covered entity responding to the 
authorization to identify the authorized user or recipient of the 
protected health information. Often, individuals provide authorizations 
to third parties, who present them to one or more covered entities. For 
example, an authorization could be completed by an individual and given 
to a government agency, authorizing the agency to receive medical 
information from any health care provider that has treated the 
individual within a defined period of time. Such an authorization is 
permissible (subject to the other requirements of this part) if it 
sufficiently identifies the government entity that is authorized to 
receive the disclosed protected health information.
    Fourth, the authorization must state an expiration date or event. 
This expiration date or event must either be a specific date (e.g., 
January 1, 2001), a specific time period (e.g., one year from the date 
of signature), or an event directly relevant to the individual or the 
purpose of the use or disclosure (e.g., for the duration of the 
individual's enrollment with the health plan that is authorized to make 
the use or disclosure). We note that the expiration date or event is 
subject to otherwise applicable and more stringent law. For example, 
the National Association of Insurance Commissioners' Insurance 
Information and Privacy Protection Model Act, adopted in at least 
fifteen states, specifies that authorizations signed for the purpose of 
collecting information in connection with an application for a life, 
health, or disability insurance policy are permitted to remain valid 
for no longer than thirty months. In those states, the longest such an 
authorization may remain in effect is therefore thirty months, 
regardless of the expiration date or event indicated on the form.
    Fifth, the authorization must state that the individual has the 
right to revoke an authorization in writing, except to the extent that 
action has been taken in reliance on the authorization or, if 
applicable, during a contestability period. The authorization must 
include instructions on how the individual may revoke the 
authorization. For example, the person obtaining the authorization from 
the individual can include an address where the individual can send a 
written request for revocation.
    Sixth, the authorization must inform the individual that, when the 
information is used or disclosed pursuant to the authorization, it may 
be subject to re-disclosure by the recipient and may no longer be 
protected by this rule.
    Seventh, the authorization must include the individual's signature 
and the date of the signature. Once we adopt the standards for 
electronic signature, another of the required administrative 
simplification standards we are required to adopt under HIPAA, an 
electronic signature that meets those standards will be sufficient 
under this rule. We do not require verification of the individual's 
identity or authentication of the individual's signature.
    Finally, if the authorization is signed by a personal 
representative of the individual, the representative must indicate his 
or her authority to act for the individual.
    As in the proposed rule, the authorization must be written in plain 
language. See the preamble discussion regarding notice of privacy 
practices (Sec. 164.520) for a discussion of the plain language 
requirement. We do not provide a model authorization in this rule. We 
will provide further guidance on this issue prior to the compliance 
date.

Section 164.508(d)--Authorizations Requested by a Covered Entity for 
Its Own Uses and Disclosures

    We proposed to require covered entities to include additional 
elements in authorizations initiated by the covered entity. Before a 
covered entity could use or disclose protected health information of an 
individual pursuant to a request the covered entity made, we proposed 
to require the entity to obtain an authorization containing the minimum 
elements described above and the following additional elements: except 
for authorizations requested for clinical trials, a statement that the 
entity will not condition treatment or payment on the individual's 
authorization; a description of the purpose of the requested use or 
disclosure; a statement that the individual may inspect or copy the 
information to be used or disclosed and may refuse to sign the 
authorization; and, if the use or disclosure of the requested 
information will result in financial gain to the entity, a statement 
that such gain will result.
    We additionally proposed to require covered entities, when 
requesting an individual's authorization, to request only the minimum 
amount of information necessary to accomplish the purpose for which the 
request was made. We also proposed to require covered entities to 
provide the individual with a copy of the executed authorization.
    We retain the proposed approach, but apply these additional 
requirements when the covered entity requests the individual's 
authorization for the entity's own use or disclosure of protected 
health information maintained by the covered entity itself. For 
example, a health plan may ask individuals to authorize the plan to 
disclose protected health information to a subsidiary to market life 
insurance to the individual. A pharmaceutical company may also ask a 
covered provider to recruit patients for drug research; if the covered 
provider asks patients to sign an authorization for the provider to 
disclose protected health information to the pharmaceutical company for 
this research, this is also an authorization requested by a covered 
entity for disclosure of protected health information maintained by the 
covered entity. When covered entities initiate the authorization by 
asking individuals to authorize the entity to use or disclose protected 
health information that the entity maintains, the authorization must 
include all of the elements required above as well as several 
additional elements.
    Authorizations requested by covered entities for the covered 
entity's own use or disclosure of protected health information must 
state, as applicable under Sec. 164.508(b)(4), that the covered entity 
will not condition treatment, payment, enrollment, or eligibility on 
the individual's authorization for the use or disclosure. For example, 
if a health plan asks an individual to sign an authorization for the 
health plan to disclose protected health information to a non-profit 
advocacy group for the advocacy group's fundraising purposes, the 
authorization must contain a statement that the health plan will not 
condition treatment, payment, enrollment in the health plan, or 
eligibility for benefits on the individual providing the authorization.
    Authorizations requested by covered entities for their own uses and 
disclosures of protected health information must also identify each 
purpose for which the information is to be used or disclosed. The 
required statement of purpose(s) must provide individuals with the 
facts they need to make an informed decision whether to allow release 
of the information. We prohibit the use of broad or blanket 
authorizations requesting the use or disclosure of protected health 
information for a wide range of unspecified purposes. Both the 
information that is to be used or disclosed and the specific purpose(s) 
for such uses or disclosures must be stated in the authorization.

[[Page 82519]]

    Authorizations requested by covered entities for their own uses and 
disclosures must also advise individuals of certain rights available to 
them under this rule. The authorization must state that the individual 
may inspect or copy the information to be used or disclosed as provided 
in Sec. 164.524 regarding access for inspection and copying and that 
the individual may refuse to sign the authorization.
    We alter the proposed requirements with respect to authorizations 
for which the covered entity will receive financial gain. When the 
covered entity initiates the authorization and the covered entity will 
receive direct or indirect remuneration from a third party (rather than 
financial gain, as proposed) in exchange for using or disclosing the 
protected health information, the authorization must include a 
statement that such remuneration will result. For example, a health 
plan may wish to sell or rent its enrollee mailing list or a 
pharmaceutical company may offer a covered provider a discount on its 
products if the provider obtains authorization to disclose the 
demographic information of patients with certain diagnoses so that the 
company can market new drugs to them directly. In each case, the 
covered entity must obtain the individual's authorization, and the 
authorization must include a statement that the covered entity will 
receive remuneration.
    In Sec. 164.508(d)(2), we continue to require a covered entity that 
requests an authorization for its own use or disclosure of protected 
health information to provide the individual with a copy of the signed 
authorization. While we eliminate from this section the provision 
requiring covered entities to obtain authorization for use or 
disclosure of the minimum necessary protected health information, 
Sec. 164.514(d)(4) requires covered entities to request only the 
minimum necessary protected health information to accomplish the 
purpose for which the request is made. This requirement applies to 
these authorizations, as well as other requests.

Section 164.508(e)--Authorizations Requested by a Covered Entity for 
Disclosures by Others

    In the proposed rule, we would have prohibited all covered entities 
from requiring the individual's written legal permission (as proposed, 
an ``authorization'') for the use or disclosure of protected health 
information to carry out treatment, payment, or health care operations. 
We generally eliminate this prohibition in the final rule, except to 
specify that a consent obtained by one covered entity is not effective 
to permit another covered entity to use or disclose protected health 
information. See Sec. 164.506(a)(5) and the corresponding preamble 
discussion.
    In the final rule, if a covered entity seeks the individual's 
written legal permission to obtain protected health information about 
the individual from another covered entity for any purpose, it must 
obtain the individual's authorization for the covered entity that 
maintains the protected health information to make the disclosure. If 
the authorization is for the purpose of obtaining protected health 
information for purposes other than treatment, payment, or health care 
operations, the authorization need only contain the core elements 
required by Sec. 164.508(c) and described above.
    If the authorization, however, is for the purpose of obtaining 
protected health information to carry out treatment, payment, or health 
care operations, the authorization must meet the requirements of 
Sec. 164.508(e). We expect such authorizations will rarely be 
necessary, because we expect covered entities that maintain protected 
health information to obtain consents that permit them to make 
anticipated uses and disclosures for these purposes. An authorization 
obtained by another covered entity that authorizes the covered entity 
maintaining the protected health information to make a disclosure for 
the same purpose, therefore, would be unnecessary.
    We recognize, however, that these authorizations may be useful to 
demonstrate an individual's intent and relationship to the intended 
recipient of the information when the intent or relationship is not 
already clear. For example, a long term care insurer may need 
information from an individual's health care providers about the 
individual's ability to perform activities of daily living in order to 
determine payment of a long term care claim. The providers that hold 
the information may not be providing the long term care and may not, 
therefore, be aware of the individual's coverage under the policy or 
that the individual is receiving long term care services. An 
authorization obtained by the long term care insurer will help to 
demonstrate these facts to the providers holding the information, which 
will make them more confident that the individual intends for the 
information to be shared. Similarly, an insurer with subrogation 
obligations may need health information from the enrollee's providers 
to assess or prosecute the claim. A patient's new physician may also 
need medical records from the patient's prior providers in order to 
treat the patient. Without an authorization that demonstrates the 
patient's intent for the information to be shared, the covered entity 
that maintains the protected health information may be reluctant to 
provide the information, even if that covered entity's consent permits 
such disclosure to occur.
    These authorizations may also be useful to accomplish clinical 
coordination and integration among covered entities that do not meet 
the definitions of affiliated covered entities or organized health care 
arrangements. For example, safety-net providers that participate in the 
Community Access Program (CAP) may not qualify as organized health care 
arrangements but may want to share protected health information with 
each other in order to develop and expand integrated systems of care 
for uninsured people. An authorization under this section would permit 
such providers to receive protected health information from other CAP 
participants to engage in such activities.
    Because of such concerns, we permit a covered entity to request the 
individual's authorization to obtain protected health information from 
another covered entity to carry out treatment, payment, and health care 
operations. In these situations, the authorization must contain the 
core elements described above and must also describe each purpose of 
the requested disclosure.
    With one exception, the authorization must also indicate that the 
authorization is voluntary. It must state that the individual may 
refuse to sign the authorization and that the covered entity requesting 
the authorization will not condition the provision of treatment, 
payment, enrollment in the health plan, or eligibility for benefits on 
obtaining the individual's authorization. If the authorization is for a 
disclosure of information that is necessary to determine payment of a 
claim for specified benefits, however, the health plan requesting the 
authorization may condition the payment of the claim on obtaining the 
authorization from the individual. See Sec. 164.508(b)(4)(iii). In this 
case, the authorization does not have to state that the health plan 
will not condition payment on obtaining the authorization.
    The covered entity requesting the authorization must provide the 
individual with a copy of the signed authorization. We note that the 
covered entity requesting the authorization is also subject to the 
requirements in

[[Page 82520]]

Sec. 164.514 to request only the minimum necessary information needed 
for the purpose of the authorization.
    We additionally note that, when the covered entity that maintains 
the protected health information has already obtained a consent for 
disclosure of protected health information to carry out treatment, 
payment, and/or health care operations under Sec. 164.506, and that 
consent conflicts with an authorization obtained by another covered 
entity under Sec. 164.508(e), the covered entity maintaining the 
protected health information is bound by the more restrictive document. 
See Sec. 164.506(e) and the corresponding preamble discussion for 
further explanation.

Section 164.508(f)--Authorizations for Uses and Disclosures of 
Protected Health Information Created for Research that Includes 
Treatment of Individuals

    In the proposed rule, we would have required individual 
authorization for any use or disclosure of research information 
unrelated to treatment. In the final rule, we eliminate the special 
rules for this category of information and, instead, require covered 
entities to obtain an authorization for the use or disclosure of 
protected health information the covered entity creates for the purpose 
of research that includes treatment of individuals, except as otherwise 
permitted by Sec. 164.512(i).
    The intent of this provision is to permit covered entities that 
conduct research involving treatment to bind themselves to a more 
limited scope of uses and disclosures of research information than they 
would otherwise be permitted to make with non-research information. 
Rather than creating a single definition of ``research information,'' 
we allow covered entities the flexibility to define that subset of 
protected health information they create during clinical research that 
is not necessary for treatment, payment, or health care operations and 
that the covered entity will use or disclose under more limited 
circumstances than it uses or discloses other protected health 
information. In designing their authorizations, we expect covered 
entities to be mindful of the often highly sensitive nature of research 
information and the impact of individuals' privacy concerns on their 
willingness to participate in research.
    Covered entities seeking authorization to use or disclose protected 
health information they create for the purpose of research that 
includes treatment of individuals, including clinical trials, must 
include in the authorization (in addition to the applicable elements 
required above) a description of the extent to which some or all of the 
protected health information created for the research will also be used 
or disclosed for purposes of treatment, payment, and health care 
operations. For example, if the covered entity intends to seek 
reimbursement from the individual's health plan for the routine costs 
of care associated with the research protocol, it must explain in the 
authorization the types of information that it will provide to the 
health plan for this purpose. This information, and the circumstances 
under which disclosures will be made for treatment, payment, and health 
care operations, may be more limited than the information and 
circumstances described in the covered entity's general consent and 
notice of privacy practices. To the extent the covered entity limits 
itself to a subset of uses or disclosures that are otherwise 
permissible under the rule and the covered entity's consent and notice, 
the covered entity is bound by the statements made in the research-
related authorization. In these circumstances, the authorization must 
indicate that the authorization, not the general consent and notice, 
controls.
    If the covered entity's primary interaction with the individual is 
through the research, the covered entity may combine the general 
consent for treatment, payment, and health care operations required 
under Sec. 164.506 with this research authorization and need not obtain 
an additional consent under Sec. 164.506. If the entity has already 
obtained, or intends to obtain, a separate consent as required under 
Sec. 164.506, the research authorization must refer to that consent and 
state that the practices described in the research-related 
authorization are binding on the covered entity as to the information 
covered by the research-related authorization. The research-related 
authorization may also be combined in the same document as the informed 
consent for participation in the research. This is an exception to the 
general rule in Sec. 164.508(b)(3) that an authorization under this 
section may not be combined with any other document (see above).
    The covered entity must also include in the authorization a 
description of the extent to which it will not use or disclose the 
protected health information it obtains in connection with the research 
protocol for purposes that are permitted without individual 
authorization under this rule (under Secs. 164.510 and 164.512). To the 
extent that the entity limits itself to a subset of uses or disclosures 
that are otherwise permissible under the rule and the entity's notice, 
the entity is bound by the statements made in the research 
authorization. In these circumstances, the authorization must indicate 
that the authorization, not the notice, controls. The covered entity 
may not, however, purport to preclude itself from making uses or 
disclosures that are required by law or that are necessary to avert a 
serious and imminent threat to health or safety.
    In some instances, the covered entity may wish to make a use or 
disclosure of the research information that it did not include in its 
general consent or notice or for which authorization is required under 
this rule. To the extent the entity includes uses or disclosures in the 
research authorization that are otherwise not permissible under the 
rule and the entity's consent and notice of information practices, the 
entity must include all of the elements required by Secs. 164.508(c) 
and (d) in the research-related authorization. The covered entity is 
bound by these statements.
    Research that involves the delivery of treatment to participants 
sometimes relies on existing health information, such as to determine 
eligibility for the trial. We note that under Sec. 164.508(b)(3)(iii), 
the covered entity may combine the research-related authorization 
required under Sec. 164.508(f) with any other authorization for the use 
or disclosure of protected health information (other than psychotherapy 
notes), provided that the covered entity does not condition the 
provision of treatment on the individual signing the authorization. For 
example, a covered health care provider that had a treatment 
relationship with an individual prior to the individual's enrollment in 
a clinical trial, but that is now providing research-related treatment 
to the individual, may elect to request a compound authorization from 
the individual: an authorization under Sec. 164.508(d) for the provider 
to use the protected health information it created prior to the 
initiation of the research that involves treatment, combined with an 
authorization under Sec. 164.508(f) regarding use and disclosure of 
protected health information the covered provider will create for the 
purpose of the clinical trial. This compound authorization would be 
valid, provided the covered provider did not condition the research-
related treatment on obtaining the authorization required under 
Sec. 164.508(f), as permitted in Sec. 164.508(b)(4)(i).
    However, we anticipate that covered entities will almost always, if 
not always, condition the provision of research-related treatment on 
the individual signing the authorization under Sec. 164.508(f) for the 
covered

[[Page 82521]]

entity's use or disclosure of protected health information created for 
the research. Therefore, we expect that the vast majority of covered 
providers who wish to use or disclose protected health information 
about an individual that will be created for research that includes 
treatment and wish to use existing protected health information about 
that individual for the research that includes treatment, will be 
required to obtain two authorizations from the individual: (1) an 
authorization for the use and disclosure of protected health 
information to be created for the research that involves treatment of 
the individual (as required under Sec. 164.508(f)), and (2) an 
authorization for the use of existing protected health information for 
the research that includes treatment of the individual (as required 
under Sec. 164.508(d)).

Effect of Authorization

    As noted in the discussion about consents in the preamble to 
Sec. 164.506, authorizations under this rule should not be construed to 
waive, directly or indirectly, any privilege granted under federal, 
state, or local laws or procedures.

Section 164.510--Uses and Disclosures Requiring an Opportunity for 
the Individual To Agree or To Object

Introduction

    Section 164.510 of the NPRM proposed the uses and disclosures of 
protected health information that covered entities could make for 
purposes other than treatment, payment, or health care operations and 
for which an individual authorization would not have been required. 
These allowable uses and disclosures were designed to permit and 
promote key national health care priorities, and to promote the smooth 
operation of the health care system. In each of these areas, the 
proposal permitted, but would not have required, covered entities to 
use or disclose protected health information.
    We proposed to require covered entities to obtain the individual's 
oral agreement before making a disclosure to a health care facility's 
directory or to the individual's next-of-kin or to another person 
involved in the individual's health care. Because there is an 
expectation in these two areas that individuals will have some input 
into a covered entity's decision to use or disclose protected health 
information, we decided to place disclosures to health facility 
directories and to persons involved in an individual's care in a 
separate section. In the final rule, requirements regarding disclosure 
of protected health information for facility directories and to others 
involved in an individual's care are included in Sec. 164.510(a) and 
Sec. 164.510(b), respectively. In the final rule, we include in 
Sec. 164.510(b) provisions to address a type of disclosure not 
addressed in the NPRM: disclosures to entities providing relief and 
assistance in disasters such as floods, fires, and terrorist attacks. 
Requirements for most of the remaining categories of disclosures 
addressed in proposed Sec. 164.510 of the NPRM are included in a new 
Sec. 164.512 of the final rule, as discussed below.
    Section 164.510 of the final rule addresses situations in which the 
interaction between the covered entity and the individual is relatively 
informal and agreements are made orally, without written authorizations 
for use or disclosure. In general, under the final rule, to disclose or 
use protected health information for these purposes, covered entities 
must inform individuals in advance and must provide a meaningful 
opportunity for the individual to prevent or restrict the disclosure. 
In exceptional circumstances, where even this informal discussion 
cannot practicably take place, covered entities are permitted to make 
decisions regarding disclosure or use based on the exercise of 
professional judgment of what is in the individual's best interest.

Section 164.510(a)--Use and Disclosure for Facility Directories

    The NPRM proposed to allow covered health care providers to 
disclose through an inpatient facility's directory a patient's name, 
location in the facility, and general health condition, provided that 
the individual had agreed to the disclosure. The NPRM would have 
allowed this agreement to be oral. Pursuant to the NPRM, when making 
decisions about incapacitated individuals, a covered health care 
provider could have disclosed such information at the entity's 
discretion and consistent with good medical practice and any prior 
expressions of patient preference of which the covered entity was 
aware.
    The preamble to the NPRM listed several factors that we encouraged 
covered entities to take into account when making decisions about 
whether to include an incapacitated patient's information in the 
directory. These factors included: (1) Whether disclosing that an 
individual is in the facility could reasonably cause harm or danger to 
the individual (e.g., if it appeared that an unconscious patient had 
been abused and disclosing the information could give the attacker 
sufficient information to seek out the person and repeat the abuse); 
(2) whether disclosing a patient's location within a facility 
implicitly would give information about the patient's condition (e.g., 
whether a patient's room number revealed that he or she was in a 
psychiatric ward); (3) whether it was necessary or appropriate to give 
information about patient status to family or friends (e.g., if giving 
information to a family member about an unconscious patient could help 
a physician administer appropriate medications); and (4) whether an 
individual had, prior to becoming incapacitated, expressed a preference 
not to be included in the directory. The preamble stated that if a 
covered entity learned of such a preference, it would be required to 
act in accordance with the preference.
    The preamble to the NPRM said that when individuals entered a 
facility in an incapacitated state and subsequently gained the ability 
to make their own decisions, health facilities should ask them within a 
reasonable time period for permission to include their information in 
the facility's directory.
    In the final rule, we change the NPRM's opt-in authorization 
requirement to an opt-out approach for inclusion of patient information 
in a health care facility's directory. The final rule allows covered 
health care providers--which in this case are health care facilities--
to include patient information in their directory only if: (1) They 
inform incoming patients of their policies regarding the directory; (2) 
they give patients a meaningful opportunity to opt out of the directory 
listing or to restrict some or all of the uses and disclosures that can 
be included in the directory; and (3) the patient does not object to 
being included in the directory. A patient must be allowed, for 
example, to have his or her name and condition included in the 
directory while not having his or her religious affiliation included. 
The facility's notice and the individual's opt-out or restriction may 
be oral.
    Under the final rule, subject to the individual's right to object, 
or known prior expressed preferences, a covered health care provider 
may disclose the following information to persons who inquire about the 
individual by name: (1) The individual's general condition in terms 
that do not communicate specific medical information about the 
individual (e.g., fair, critical, stable, etc.); and (2) location in 
the facility. This approach represents a slight change to the NPRM, 
which did not require members of the general public to ask for a 
patient by name in order to obtain directory information and which,

[[Page 82522]]

in fact, would have allowed covered entities to disclose the 
individual's name as part of directory information.
    Under the final rule, we also establish provisions for disclosure 
of directory information to clergy that are slightly different from 
those which apply for disclosure to the general public. Subject to the 
individual's right to object or restrict the disclosure, the final rule 
permits a covered entity to disclose to a member of the clergy: (1) The 
individual's name; (2) the individual's general condition in terms that 
do not communicate specific medical information about the individual; 
(3) the individual's location in the facility; and (4) the individual's 
religious affiliation. A disclosure of directory information may be 
made to members of the clergy even if they do not inquire about an 
individual by name. We note that the rule in no way requires a covered 
health care provider to inquire about the religious affiliation of an 
individual, nor must individuals supply that information to the 
facility. Individuals are free to determine whether they want their 
religious affiliation disclosed to clergy through facility directories.
    We believe that allowing clergy to access patient information 
pursuant to this section does not violate the Establishment Clause of 
the First Amendment, which prohibits laws ``respecting an establishment 
of religion.'' Courts traditionally turn to the Lemon test when 
evaluating laws that might raise Establishment Clause concerns. A law 
does not violate the Clause if it has a secular purpose, is not 
primarily to advance religion, and does not cause excessive government 
entanglement with religion. The privacy regulation passes this test 
because its purpose is to protect the privacy of individuals--
regardless of their religious affiliation--and it does not cause 
excessive government entanglement.
    More specifically, although this section provides a special rule 
for members of the clergy, it does so as an accommodation to patients 
who seek to engage in religious conduct. For example, restricting the 
disclosure of an individual's religious affiliation, room number, and 
health status to a priest could cause significant delay that would 
inhibit the ability of a Catholic patient to obtain sacraments provided 
during the last rites. We believe this accommodation does not violate 
the Establishment Clause, because it avoids a government-imposed 
restriction on the disclosure of information that could 
disproportionately affect the practice of religion. In that way, it is 
no different from accommodations upheld by the U.S. Supreme Court, such 
as exceptions to laws banning the use of alcohol in religious 
ceremonies.
    The final rule expands the circumstances under which health care 
facilities can disclose specified health information to the patient 
directory without the patient's agreement. Besides allowing such 
disclosures when patients are incapacitated, as the NPRM would have 
allowed, the final rule allows such disclosures in emergency treatment 
circumstances. For example, when a patient is conscious and capable of 
making a decision, but is so seriously injured that asking permission 
to include his or her information in the directory would delay 
treatment such that the patient's health would be jeopardized, health 
facilities can make decisions about including the patient's information 
in the directory according to the same rules that apply when the 
patient is incapacitated. The final rule modifies the NPRM requirements 
for cases in which an incapacitated patient is admitted to a health 
care facility. Whereas the NPRM would have allowed health care 
providers to disclose an incapacitated patient's information to the 
facility's directory ``at its discretion and consistent with good 
medical practice and any prior expressions of preference of which the 
covered entity [was] aware,'' the final rule states that in these 
situations (and in other emergency treatment circumstances), covered 
health care providers must make the decision on whether to include the 
patient's information in the facility's directory in accordance with 
professional judgment as to the patient's best interest. In addition, 
when making decisions involving incapacitated patients and patients in 
emergency situations, covered health care providers may decide to 
include some portions of the patient's information (such as name) but 
not other information (such as location in the facility) in order to 
protect patient interests.
    As in the preamble to the NPRM, we encourage covered health care 
providers to take into account the four factors listed above when 
making decisions about whether to include patient information in a 
health care facility's directory when patients are incapacitated or are 
in an emergency treatment circumstance. In addition, we retain the 
requirement stated in the preamble of the NPRM that if a covered health 
care provider learns of an incapacitated patient's prior expression of 
preference not to be included in a facility's directory, the facility 
must not include the patient's information in the directory. For cases 
involving patients admitted to a health care facility in an 
incapacitated or emergency treatment circumstance who during the course 
of their stay become capable of decisionmaking, the final rule takes an 
approach similar to that described in the NPRM. The final rule states 
that when an individual who was incapacitated or in an emergency 
treatment circumstance upon admission to an inpatient facility and 
whose condition stabilizes such that he or she is capable of 
decisionmaking, a covered health care provider must, when it becomes 
practicable, inform the individual about its policies regarding the 
facility's directory and provide the opportunity to object to the use 
or disclosure of protected health information about themselves for the 
directory.

Section 164.510(b)--Uses and Disclosures for Involvement in the 
Individual's Care and Notification Purposes

    In cases involving an individual with the capacity to make health 
care decisions, the NPRM would have allowed covered entities to 
disclose protected health information about the individual to a next-
of-kin, to other family members, or to close personal friends of the 
individual if the individual had agreed orally to such disclosure. If 
such agreement could not practicably or reasonably be obtained (e.g., 
when the individual was incapacitated), the NPRM would have allowed 
disclosure of protected health information that was directly relevant 
to the person's involvement in the individual's health care, consistent 
with good health professional practices and ethics. The NPRM defined 
next-of-kin as defined under state law.
    Under the final rule, we specify that covered entities may disclose 
to a person involved in the current health care of the individual (such 
as a family member, other relative, close personal friend, or any other 
person identified by the individual) protected health information 
directly related to the person's involvement in the current health care 
of an individual or payment related to the individual's health care. 
Such persons involved in care and other contact persons might include, 
for example: blood relatives; spouses; roommates; boyfriends and 
girlfriends; domestic partners; neighbors; and colleagues. Inclusion of 
this list is intended to be illustrative only, and it is not intended 
to change current practices with respect to: (1) Involvement of other 
persons in individuals' treatment decisions; (2) informal information-
sharing among individuals involved in a person's care; or (3) sharing 
of protected health

[[Page 82523]]

information to contact persons during a disaster. The final rule also 
includes new language stating that covered entities may use or disclose 
protected health information to notify or assist in notification of 
family members, personal representatives, or other persons responsible 
for an individual's care with respect to an individual's location, 
condition, or death. These provisions allow, for example, covered 
entities to notify a patient's adult child that his father has suffered 
a stroke and to tell the person that the father is in the hospital's 
intensive care unit.
    The final rule includes separate provisions for situations in which 
the individual is present and for when the individual is not present at 
the time of disclosure. When the individual is present and has the 
capacity to make his or her own decisions, a covered entity may 
disclose protected health information only if the covered entity: (1) 
Obtains the individual's agreement to disclose to the third parties 
involved in their care; (2) provides the individual with an opportunity 
to object to such disclosure and the individual does not express an 
objection; or (3) reasonably infers from the circumstances, based on 
the exercise of professional judgment, that the individual does not 
object to the disclosure. Situations in which covered providers may 
infer an individual's agreement to disclose protected health 
information pursuant to option (3) include, for example, when a patient 
brings a spouse into the doctor's office when treatment is being 
discussed, and when a colleague or friend has brought the individual to 
the emergency room for treatment.
    We proposed that when a covered entity could not practicably obtain 
oral agreement to disclose protected health information to next-of-kin, 
relatives, or those with a close personal relationship to the 
individual, the covered entity could make such disclosures consistent 
with good health professional practice and ethics. In such instances, 
we proposed that covered entities could disclose only the minimum 
information necessary for the friend or relative to provide the 
assistance he or she was providing. For example, health care providers 
could not disclose to a friend or relative simply driving a patient 
home from the hospital extensive information about the patient's 
surgery or past medical history when the friend or relative had no need 
for this information.
    The final rule takes a similar approach. Under the final rule, when 
an individual is not present (for example, when a friend of a patient 
seeks to pick up the patient's prescription at a pharmacy) or when the 
opportunity to agree or object to the use or disclosure cannot 
practicably be provided due to the individual's incapacity or an 
emergency circumstance, covered entities may, in the exercise of 
professional judgment, determine whether the disclosure is in the 
individual's best interests and if so, disclose only the protected 
health information that is directly relevant to the person's 
involvement with the individual's health care. For example, this 
provision allows covered entities to inform relatives or others 
involved in a patient's care, such as the person who accompanied the 
individual to the emergency room, that a patient has suffered a heart 
attack and to provide updates on the patient's progress and prognosis 
when the patient is incapacitated and unable to make decisions about 
such disclosures. In addition, this section allows covered entities to 
disclose functional information to individuals assisting in a patient's 
care; for example, it allows hospital staff to give information about a 
person's mobility limitations to a friend driving the patient home from 
the hospital. It also allows covered entities to use professional 
judgment and experience with common practice to make reasonable 
inferences of the individual's best interest in allowing a person to 
act on an individual's behalf to pick up filled prescriptions, medical 
supplies, X-rays, or other similar forms of protected health 
information. Thus, under this provision, pharmacists may release a 
prescription to a patient's friend who is picking up the prescription 
for him or her. Section 164.510(b) is not intended to disrupt most 
covered entities' current practices or state law with respect to these 
types of disclosures.
    This provision is intended to allow disclosures directly related to 
a patient's current condition and should not be construed to allow, for 
example, disclosure of extensive information about the patient's 
medical history that is not relevant to the patient's current condition 
and that could prove embarrassing to the patient. In addition, if a 
covered entity suspects that an incapacitated patient is a victim of 
domestic violence and that a person seeking information about the 
patient may have abused the patient, covered entities should not 
disclose information to the suspected abuser if there is reason to 
believe that such a disclosure could cause the patient serious harm. In 
all of these situations regarding possible disclosures of protected 
health information about an patient who is not present or is unable to 
agree to such disclosures due to incapacity or other emergency 
circumstance, disclosures should be in accordance with the exercise of 
professional judgment as to the patient's best interest.
    This section is not intended to provide a loophole for avoiding the 
rule's other requirements, and it is not intended to allow disclosures 
to a broad range of individuals, such as journalists who may be curious 
about a celebrity's health status. Rather, it should be construed 
narrowly, to allow disclosures to those with the closest relationships 
with the patient, such as family members, in circumstances when a 
patient is unable to agree to disclosure of his or her protected health 
information. Furthermore, when a covered entity cannot practicably 
obtain an individual's agreement before disclosing protected health 
information to a relative or to a person involved in the individual's 
care and is making decisions about such disclosures consistent with the 
exercise of professional judgment regarding the individual's best 
interest, covered entities must take into account whether such a 
disclosure is likely to put the individual at risk of serious harm.
    Like the NPRM, the final rule does not require covered entities to 
verify the identity of relatives or other individuals involved in the 
individual's care. Rather, the individual's act of involving the other 
persons in his or her care suffices as verification of their identity. 
For example, the fact that a person brings a family member into the 
doctor's office when treatment information will be discussed 
constitutes verification of the involved person's identity for purposes 
of this rule. Likewise, the fact that a friend arrives at a pharmacy 
and asks to pick up a specific prescription for an individual 
effectively verifies that the friend is involved in the individual's 
care, and the rule allows the pharmacist to give the filled 
prescription to the friend.
    We also clarify that the final rule does not allow covered entities 
to assume that an individual's agreement at one point in time to 
disclose protected health information to a relative or to another 
person assisting in the individual's care implies agreement to disclose 
protected health information indefinitely in the future. We encourage 
the exercise of professional judgment in determining the scope of the 
person's involvement in the individual's care and the time period for 
which the individual is agreeing to the other person's involvement. For 
example, if a friend simply picks up a patient from the hospital but 
has played no other role

[[Page 82524]]

in the individual's care, hospital staff should not call the friend to 
disclose lab test results a month after the initial encounter with the 
friend. However, if a patient routinely brings a spouse into the 
doctor's office when treatment is discussed, a physician can infer that 
the spouse is playing a long-term role in the patient's care, and the 
rule allows disclosure of protected health information to the spouse 
consistent with his or her role in the patient's care, for example, 
discussion of treatment options.
    The NPRM did not specifically address situations in which disaster 
relief organizations may seek to obtain protected health information 
from covered entities to help coordinate the individual's care, or to 
notify family or friends of an individual's location or general 
condition in a disaster situation. In the final rule, we account for 
disaster situations in this paragraph. Specifically, we allow covered 
entities to use or disclose protected health information without 
individual agreement to federal, state, or local government agencies 
engaged in disaster relief activities, as well as to private disaster 
relief or disaster assistance organizations (such as the Red Cross) 
authorized by law or by their charters to assist in disaster relief 
efforts, to allow these organizations to carry out their 
responsibilities in a specific disaster situation. Covered entities may 
make these disclosures to disaster relief organizations, for example, 
so that these organizations can help family members, friends, or others 
involved in the individual's care to locate individuals affected by a 
disaster and to inform them of the individual's general health 
condition. This provision also allows disclosure of information to 
disaster relief or disaster assistance organizations so that these 
organizations can help individuals obtain needed medical care for 
injuries or other health conditions caused by a disaster.
    We encourage disaster relief organizations to protect the privacy 
of individual health information to the extent practicable in a 
disaster situation. However, we recognize that the nature of disaster 
situations often makes it impossible or impracticable for disaster 
relief organizations and covered entities to seek individual agreement 
or authorization before disclosing protected health information 
necessary for providing disaster relief. Thus, we note that we do not 
intend to impede disaster relief organizations in their critical 
mission to save lives and reunite loved ones and friends in disaster 
situations.

Section 164.512--Uses and Disclosures for Which Consent, an 
Authorization, or Opportunity To Agree or Object Is Not Required

Introduction

    The final rule's requirements regarding disclosures for directory 
information and to family members or others involved in an individual's 
care are in a section separate from that covering disclosures allowed 
for other national priority purposes. In the final rule, we place most 
of the other disclosures for national priority purposes in a new 
Sec. 164.512.
    As in the NPRM, in Sec. 164.512 of the final rule, we allow covered 
entities to make these national priority uses and disclosures without 
individual authorization. As in the NPRM, these uses and disclosures 
are discretionary. Covered entities are free to decide whether or not 
to use or disclose protected health information for any or all of the 
permitted categories. However, as in the NPRM, nothing in the final 
rule provides authority for a covered entity to restrict or refuse to 
make a use or disclosure mandated by other law.
    The new Sec. 164.512 includes paragraphs on: Uses and disclosures 
required by law; uses and disclosures for public health activities; 
disclosures about victims of abuse, neglect, or domestic violence; uses 
and disclosures for health oversight activities; disclosures for 
judicial and administrative proceedings; disclosures for law 
enforcement purposes; uses and disclosures about decedents; uses and 
disclosures for cadaveric donation of organs, eyes, or tissues; uses 
and disclosures for research purposes; uses and disclosures to avert a 
serious threat to health or safety (which we had called ``emergency 
circumstances'' in the NPRM); uses and disclosures for specialized 
government functions (referred to as ``specialized classes'' in the 
NPRM); and disclosures to comply with workers' compensation laws.
    Section 164.512(c) in the final rule, which addresses uses and 
disclosures regarding adult victims of abuse, neglect and domestic 
violence, is new, although it incorporates some provisions from 
proposed Sec. 164.510 of the NPRM. In the final rule we also eliminate 
proposed Sec. 164.510(g) on government health data systems and proposed 
Sec. 164.510(i) on banking and payment processes. These changes are 
discussed below.

Approach to Use of Protected Health Information

    Proposed Sec. 164.510 of the NPRM included specific subparagraphs 
addressing uses of protected health information by covered entities 
that were also public health agencies, health oversight agencies, 
government entities conducting judicial or administrative proceedings, 
or government heath data systems. Such covered entities could use 
protected health information in all instances for which they could 
disclose the information for these purposes. In the final rule, as 
discussed below, we retain this language in the paragraphs on public 
health activities and health oversight. However, we eliminate this 
clause with respect to uses of protected health information for 
judicial and administrative proceedings, because we no longer believe 
that there would be any situations in which a covered entity would also 
be a judicial or administrative tribunal. Proposed Sec. 164.510(e) of 
the NPRM, regarding disclosure of protected health information to 
coroners, did not include such a provision. In the final rule we have 
added it because we believe there are situations in which a covered 
entity, for example, a public hospital conducting post-mortem 
investigations, may need to use protected health information for the 
same purposes for which it would have disclosed the information to a 
coroner.
    While the right to request restrictions under Sec. 164.522 and the 
consents required under Sec. 164.506 do not apply to the use and 
disclosure of protected health information under Sec. 164.512, we do 
not intend to preempt any state or other restrictions, or any right to 
enforce such agreements or consents under other law.
    We note that a covered entity may use or disclose protected health 
information as permitted by and in accordance with one of the 
paragraphs of Sec. 164.512, regardless of whether that use or 
disclosure fails to meet the requirements for use or disclosure under a 
different paragraph in Sec. 164.512 or elsewhere in the rule.

Verification for Disclosures Under Sec. 164.512

    In Sec. 164.510(a) of the NPRM, we proposed that covered entities 
verify the identity and authority of persons to whom they made 
disclosure under the section. In the final rule, we generally have 
retained the proposed requirements. Verification requirements are 
discussed in Sec. 164.514 of the final rule.

Section 164.512(a)--Uses and Disclosures Required by Law

    In the NPRM we would have allowed covered entities to use or 
disclose protected health information without individual authorization 
where such use

[[Page 82525]]

or disclosure was required by other law, as long as the use or 
disclosure met all relevant requirements of such law. However, a 
legally mandated use or disclosure which fell into one or more of the 
national priority purposes expressly identified in proposed 
Sec. 164.510 of the NPRM would have been subject to the terms and 
conditions specified by the applicable paragraph of proposed 
Sec. 164.510. Thus, a disclosure required by law would have been 
allowed only to the extent it was not otherwise prohibited or 
restricted by another provision in proposed Sec. 164.510. For example, 
mandatory reporting to law enforcement officials would not have been 
allowed unless such disclosures conformed to the requirements of 
proposed Sec. 164.510(f) of the NPRM, on uses and disclosures for law 
enforcement purposes. As explained in the NPRM, this provision was not 
intended to obstruct access to information deemed important enough by 
federal, state or other government authorities to require it by law.
    In Sec. 164.512(a) of the final rule, we retain the proposed 
approach, and we permit covered entities to comply with laws requiring 
the use or disclosure of protected health information, provided the use 
or disclosure meets and is limited to the relevant requirements of such 
other laws. To more clearly address where the substantive and 
procedural requirements of other provisions in this section apply, we 
have deleted the general sentence from the NPRM which stated that the 
provision ``does not apply to uses or disclosures that are covered by 
paragraphs (b) through (m)'' of proposed Sec. 164.510. Instead, in 
Sec. 164.512 (a)(2) we list the specific paragraphs that have 
additional requirements with which covered entities must comply. They 
are disclosures about victims of abuse, neglect or domestic violence 
(Sec. 164.512(c)), for judicial and administrative proceedings 
(Sec. 164.512(e)), and for law enforcement purposes (Sec. 164.512(f)). 
We include a new definition of ``required by law.'' See Sec. 164.501. 
We clarify that the requirements provided for in Sec. 164.514(h) 
relating to verification apply to disclosures under this paragraph. 
Those provisions require covered entities to verify the identity and 
authority of persons to whom they make disclosures. We note that the 
minimum necessary requirements of Sec. 164.514(d) do not apply to 
disclosures made under this paragraph.
    We note that this rule does not affect what is required by other 
law, nor does it compel a covered entity to make a use or disclosure of 
protected health information required by the legal demands or reporting 
requirements listed in the definition of ``required by law.'' Covered 
entities will not be sanctioned under this rule for responding in good 
faith to such legal process and reporting requirements. However, 
nothing in this rule affects, either by expanding or contracting, a 
covered entity's right to challenge such process or reporting 
requirements under other laws. The only disclosures of protected health 
information compelled by this rule are disclosures to an individual (or 
the personal representative of an individual) or to the Secretary for 
the purposes of enforcing this rule.
    Uses and disclosures permitted under this paragraph must be limited 
to the protected health information necessary to meet the requirements 
of the law that compels the use or disclosure. For example, disclosures 
pursuant to an administrative subpoena are limited to the protected 
health information authorized to be disclosed on the face of the 
subpoena.

Section 164.512(b)--Uses and Disclosures for Public Health Activities

    The NPRM would have allowed covered entities to disclose protected 
health information without individual authorization to: (1) A public 
health authority authorized by law to collect or receive such 
information for the purpose of preventing or controlling disease, 
injury, or disability, including, but not limited to, the reporting of 
disease, injury, vital events such as birth or death, and the conduct 
of public health surveillance, public health investigations, and public 
health interventions; (2) a public health authority or other 
appropriate authority authorized by law to receive reports of child 
abuse or neglect; (3) a person or entity other than a governmental 
authority that could demonstrate or demonstrated that it was acting to 
comply with requirements or direction of a public health authority; or 
(4) a person who may have been exposed to a communicable disease or may 
otherwise be at risk of contracting or spreading a disease or condition 
and was authorized by law to be notified as necessary in the conduct of 
a public health intervention or investigation.
    In the final rule, we broaden the scope of permissible disclosures 
pursuant to item (1) listed above. We narrow the scope of disclosures 
permissible under item (3) of this list, and we add language to clarify 
the scope of permissible disclosures with respect to item (4) on the 
list. We broaden the scope of allowable disclosures regarding item (1) 
by allowing covered entities to disclose protected health information 
not only to U.S. public health authorities but also, at the direction 
of a public health authority, to an official of a foreign government 
agency that is acting in collaboration with a public health authority. 
For example, we allow covered entities to disclose protected health 
information to a foreign government agency that is collaborating with 
the Centers for Disease Control and Prevention to limit the spread of 
infectious disease.
    We narrow the conditions under which covered entities may disclose 
protected health information to non-government entities. We allow 
covered entities to disclose protected health information to a person 
subject to the FDA's jurisdiction, for the following activities: to 
report adverse events (or similar reports with respect to food or 
dietary supplements), product defects or problems, or biological 
product deviations, if the disclosure is made to the person required or 
directed to report such information to the FDA; to track products if 
the disclosure is made to a person required or directed by the FDA to 
track the product; to enable product recalls, repairs, or replacement, 
including locating and notifying individuals who have received products 
regarding product recalls, withdrawals, or other problems; or to 
conduct post-marketing surveillance to comply with requirements or at 
the direction of the FDA.
    The terms included in Sec. 164.512(b)(iii) are intended to have 
both their commonly understood meanings, as well as any specialized 
meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 
et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For 
example, ``post-marketing surveillance'' is intended to mean activities 
related to determining the safety or effectiveness of a product after 
it has been approved and is in commercial distribution, as well as 
certain Phase IV (post-approval) commitments by pharmaceutical 
companies. With respect to devices, ``post-marketing surveillance'' can 
be construed to refer to requirements of section 522 of the Food, Drug, 
and Cosmetic Act regarding certain implanted, life-sustaining, or life-
supporting devices. The term ``track'' includes, for example, tracking 
devices under section 519(e) of the Food, Drug, and Cosmetic Act, units 
of blood or other blood products, as well as trace-backs of 
contaminated food.
    In Sec. 164.512(b)(iii), the term ``required'' refers to 
requirements in statute, regulation, order, or other

[[Page 82526]]

legally binding authority exercised by the FDA. The term ``directed,'' 
as used in this section, includes other official agency communications 
such as guidance documents.
    We note that under this provision, a covered entity may disclose 
protected health information to a non-governmental organization without 
individual authorization for inclusion in a private data base or 
registry only if the disclosure is otherwise for one of the purposes 
described in this provision (e.g., for tracking products pursuant to 
FDA direction or requirements, for post-marketing surveillance to 
comply with FDA requirements or direction.)
    To make a disclosure that is not for one of these activities, 
covered entities must obtain individual authorization or must meet the 
requirements of another provision of this rule. For example, covered 
entities may disclose protected health information to employers for 
inclusion in a workplace surveillance database only: with individual 
authorization; if the disclosure is required by law; if the disclosure 
meets the requirements of Sec. 164.512(b)(v); or if the disclosure 
meets the conditions of another provision of this regulation, such as 
Sec. 154.512(i) relating to research. Similarly, if a pharmaceutical 
company seeks to create a registry containing protected health 
information about individuals who had taken a drug that the 
pharmaceutical company had developed, covered entities may disclose 
protected health information without authorization to the 
pharmaceutical company pursuant to FDA requirements or direction. If 
the pharmaceutical company's registry is not for any of these purposes, 
covered entities may disclose protected health information to it only 
with patient authorization, if required by law, or if disclosure meets 
the conditions of another provision of this rule.
    The final rule continues to permit covered entities to disclose 
protected health information without individual authorization directly 
to public health authorities, such as the Food and Drug Administration, 
the Occupational Safety and Health Administration, the Centers for 
Disease Control and Prevention, as well as state and local public 
health departments, for public health purposes as specified in the 
NPRM.
    The final rule retains the NPRM provision allowing covered entities 
to disclose protected health information to public health authorities 
or other appropriate government authorities authorized by law to 
receive reports of child abuse or neglect. In addition, we clarify the 
NPRM's provision regarding disclosure of protected health information 
to persons who may have been exposed to a communicable disease or who 
may otherwise be at risk of contracting or spreading a disease or 
condition. Under the final rule, covered entities may disclose 
protected health information to such individuals when the covered 
entity or public health authority is authorized by law to notify these 
individuals as necessary in the conduct of a public health intervention 
or investigation.
    In addition, as in the NPRM, under the final rule, a covered entity 
that is acting as a public health authority--for example, a public 
hospital conducting infectious disease surveillance in its role as an 
arm of the public health department--may use protected health 
information in all cases for which it is allowed to disclose such 
information for public health activities as described above.
    The proposed rule did not contain a specific provision relating to 
disclosures by covered health care providers to employers concerning 
work-related injuries or illnesses or workplace medical surveillance. 
Under the proposed rule, a covered entity would have been permitted to 
disclose protected health information without individual authorization 
for public health purposes to private person if the person could 
demonstrate that it was acting to comply with requirements or at the 
direction of a public health authority.
    As discussed above, in the final rule we narrow the scope of this 
paragraph as it applies to disclosures to persons other than public 
health authorities. To ensure that covered health care providers may 
make disclosures of protected health information without individual 
authorization to employers when appropriate under federal and state 
laws addressing work-related injuries and illnesses or workplace 
medical surveillance, we include a new provision in the final rule. The 
provision permits covered health care providers who provide health care 
as a workforce member of or at the request of an employer to disclose 
to that employer protected health information concerning work-related 
injuries or illnesses or workplace medical surveillance in situations 
where the employer has a duty under the Occupational Safety and Health 
Act, the Federal Mine Safety and Health Act, or under a similar state 
law, to keep records on or act on such information. For example, OSHA 
regulations in 29 CFR part 1904 require employers to record work-
related injuries and illnesses if medical treatment is necessary; MSHA 
regulations at 30 CFR part 50 require mine operators to report injuries 
and illnesses experienced by miners. Similarly, OSHA rules require 
employers to monitor employees' exposure to certain substances and to 
remove employees from exposure when toxic thresholds have been met. To 
obtain the relevant health information necessary to determine whether 
an injury or illness should be recorded, or whether an employee must be 
medically removed from exposure at work, employers must refer employees 
to health care providers for examination and testing.
    OSHA and MSHA rules do not impose duties directly upon health care 
providers to disclose health information pertaining to recordkeeping 
and medical monitoring requirements to employers. Rather, these rules 
operate on the presumption that health care providers who provide 
services at the request of an employer will be able to disclose to the 
employer work-related health information necessary for the employer to 
fulfill its compliance obligations. This new provision permits covered 
entities to make disclosures necessary for the effective functioning of 
OSHA and MSHA requirements, or those of similar state laws, by 
permitting a health care provider to make disclosures without the 
authorization of the individual concerning work-related injuries or 
illnesses or workplace medical surveillance in situations where the 
employer has a duty under OSHA and MSHA requirements, or under a 
similar state laws, to keep records on or act on such information.
    We require health care providers who make disclosures to employers 
under this provision to provide notice to individuals that it discloses 
protected health information to employers relating to the medical 
surveillance of the workplace and work-related illnesses and injuries. 
The notice required under this provision is separate from the notice 
required under Sec. 164.520. The notice required under this provision 
may be met giving a copy of the notice to the individual at the time it 
provides the health care services, or, if the health care services are 
provided on the work site of the employer, by posting the notice in a 
prominent place at the location where the health care services are 
provided.
    This provision applies only when a covered health care provider 
provides health care services as a workforce member of or at the 
request of an employer and for the purposes discussed above. The 
provision does not affect the application of this rule to other health 
care provided to

[[Page 82527]]

individuals or to their relationship with health care providers that 
they select.

Section 164.512(c)--Disclosures About Victims of Abuse, Neglect or 
Domestic Violence

    The NPRM included two provisions related to disclosures about 
persons who are victims of abuse. In the NPRM, we would have allowed 
covered entities to report child abuse to a public health authority or 
other appropriate authority authorized by law to receive reports of 
child abuse or neglect. In addition, under proposed Sec. 164.510(f)(3) 
of the NPRM, we would have allowed covered entities to disclose 
protected health information about a victim of a crime, abuse or other 
harm to a law enforcement official under certain circumstances. The 
NPRM recognized that most, if not all, states had laws that mandated 
reporting of child abuse or neglect to the appropriate authorities. 
Moreover, HIPAA expressly carved out state laws on child abuse and 
neglect from preemption or any other interference. The NPRM further 
acknowledged that most, but not all, states had laws mandating the 
reporting of abuse, neglect or exploitation of the elderly or other 
vulnerable adults. We did not intend to impede reporting in compliance 
with these laws.
    The final rule includes a new paragraph, Sec. 164.512(c), which 
allows covered entities to report protected health information to 
specified authorities in abuse situations other than those involving 
child abuse and neglect. In the final rule, disclosures of protected 
health information related to child abuse continues to be addressed in 
the paragraph allowing disclosure for public health activities 
(Sec. 164.512(b)), as described above. Because HIPAA addresses child 
abuse specifically in connection with a state's public health 
activities, we believe it would not be appropriate to include child 
abuse-related disclosures in this separate paragraph on abuse. State 
laws continue to apply with respect to child abuse, and the final rule 
does not in any way interfere with a covered entity's ability to comply 
with these laws.
    In the final rule, we address disclosures about other victims of 
abuse, neglect and domestic violence in Sec. 164.512(c) rather than in 
the law enforcement paragraph. Section 164.512(c) establishes 
conditions for disclosure of protected health information in cases 
involving domestic violence other than child abuse (e.g., spousal 
abuse), as well as those involving abuse or neglect (e.g., abuse of 
nursing home residents or residents of facilities for the mentally 
retarded). This paragraph addresses reports to law enforcement as well 
as to other authorized public officials. The provisions of this 
paragraph supersede the provisions of Sec. 164.512(a) and 
Sec. 164.512(f)(1)(i) to the extent that those provisions address the 
subject matter of this paragraph.
    Under the circumstances described below, the final rule allows 
covered entities to disclose protected health information about an 
individual whom the covered entity reasonably believes to be a victim 
of abuse, neglect, or domestic violence. In this paragraph, references 
to ``individual'' should be construed to mean the individual believed 
to be the victim. The rule allows such disclosure to any governmental 
authority authorized by law to receive reports of such abuse, neglect, 
or domestic violence. These entities may include, for example, adult 
protective or social services agencies, state survey and certification 
agencies, ombudsmen for the aging or those in long-term care 
facilities, and law enforcement or oversight.
    The final rule specifies three circumstances in which disclosures 
of protected health information is allowed in order to report abuse, 
neglect or domestic violence. First, this paragraph allows disclosure 
of protected health information related to abuse if required by law and 
the disclosure complies with and is limited to the relevant 
requirements of such law. As discussed below, the final rule requires 
covered entities that make such disclosures pursuant to a state's 
mandatory reporting law to inform the individual of the report.
    Second, this paragraph allows covered entities to disclose 
protected health information related to abuse if the individual has 
agrees to such disclosure. When considering the possibility of 
disclosing protected health information in an abuse situation pursuant 
to this section, we encourage covered entities to seek the individual's 
agreement whenever possible.
    Third, this paragraph allows covered entities to disclose protected 
health information about an individual without the individual's 
agreement if the disclosure is expressly authorized by statute or 
regulation and either: (1) The covered entity, in the exercise of its 
professional judgment, believes that the disclosure is necessary to 
prevent serious harm to the individual or to other potential victims; 
or (2) if the individual is unable to agree due to incapacity, a law 
enforcement or other public official authorized to received the report 
represents that the protected health information for which disclosure 
is sought is not intended to be used against the individual, and that 
an immediate enforcement activity that depends on the disclosure would 
be materially and adversely affected by waiting until the individual is 
able to agree to the disclosure.
    We emphasize that disclosure under this third part of the paragraph 
also may be made only if it is expressly authorized by statute or 
regulation. We use this formulation, rather than the broader ``required 
by law,'' because of the heightened privacy and safety concerns in 
these situations. We believe it appropriate to defer to other public 
determinations regarding reporting of this information only where a 
legislative or executive body has determined the reporting to be of 
sufficient importance to warrant enactment of a law or promulgation of 
a regulation. Law and regulations reflect a clear decision to authorize 
the particular disclosure of protected health information, and reflect 
greater public accountability (e.g., through the required public 
comment process or because enacted by elected representatives).
    For example, a Wisconsin law (Wis. Stat Sec. 46.90(4)) states that 
any person may report to a county agency or state official that he or 
she believes that abuse or neglect has occurred. Pursuant to 
Sec. 164.512(c)(1)(iii), a covered entity may make a report only if the 
specific type or subject matter of the report (e.g., abuse or neglect 
of the elderly) is included in the law authorizing the report, and such 
a disclosure may only be made to a public authority specifically 
identified in the law authorizing the report. Furthermore, we note that 
disclosures under this part of the paragraph are further limited to two 
circumstances. In the first case, a covered entity, in the exercise of 
professional judgment, must believe that the disclosure is necessary to 
prevent serious harm to the individual or to other potential victims. 
The second case addresses situations in which an individual who is a 
victim of abuse, neglect or domestic violence is unable to agree due to 
incapacity and a law enforcement or other public official authorized to 
receive the report represents that the protected health information for 
which disclosure is sought is not intended to be used against the 
individual and that an immediate law enforcement activity that depends 
on the disclosure would be materially and adversely affected by waiting 
until the individual if able to agree to the disclosure. We note that, 
in this second case, a covered entity may exercise discretion, 
consistent with professional judgment as to the patient's

[[Page 82528]]

best interest, in deciding whether to make the requested disclosure.
    The rules governing disclosure in this third set of circumstances 
are different from those governing disclosures pursuant to 
Sec. 164.512(f)(3) regarding disclosure to law enforcement about 
victims of crime and other harm. We believe that in abuse situations--
to a greater extent than in situations involving crime victims in 
general--there is clear potential for abusers to cause further serious 
harm to the victim or to others, such as other family members in a 
household or other residents of a nursing home. The provisions allowing 
reporting of abuse when authorized by state law, as described above, 
are consistent with principles articulated by the AMA's Council on 
Ethical and Judicial Affairs, which state that when reporting abuse is 
voluntary under state law, it is justified when necessary to prevent 
serious harm to a patient. Through the provisions of Sec. 164.512(c), 
we recognize the unique circumstances surrounding abuse and domestic 
violence, and we seek to provide an appropriate balance between 
individual privacy interests and important societal interests such as 
preventing serious harm to other individuals. We note that here we are 
relying on covered entities, in the exercise of professional judgment, 
to determine what is in the best interests of the patient.
    Finally, we require covered entities to inform the individual in 
all of the situations described above that the covered entity has 
disclosed protected health information to report abuse, neglect, or 
domestic violence. We allow covered entities to provide this 
information orally. We do not require written notification, nor do we 
encourage it, due to the sensitivity of abuse situations and the 
potential for the abuser to cause further harm to the individual if, 
for example, a covered entity sends written notification to the home of 
the individual and the abuser. Whenever possible, covered entities 
should inform the individual at the same time that they determine abuse 
has occurred and decide that the abuse should be reported. In cases 
involving patient incapacity, we encourage covered entities to inform 
the individual of such disclosures as soon as it is practicable to do 
so.
    The rule provides two exceptions to the requirement to inform the 
victim about a report to a government authority, one based on concern 
for future harm and one based on past harm. First, a covered entity 
need not inform the victim if the covered entity, in the exercise of 
professional judgment, believes that informing the individual would 
place the individual at risk of serious harm. We believe that this 
exception is necessary to address the potential for future harm, either 
physical or emotional, that the individual may face from knowing that 
the report has been made. Second, a covered entity may choose not to 
meet the requirement for informing the victim, if the covered entity 
actually would be informing a personal representative (such as a parent 
of a minor) and the covered entity reasonably believes that such person 
is responsible for the abuse, neglect, or other injury that has already 
occurred and that informing that person would not be in the 
individual's best interests.

Section 164.512(d)--Uses and Disclosures for Health Oversight 
Activities

    Under Sec. 164.510(c) of the NPRM, we proposed to permit covered 
entities to disclose protected health information to health oversight 
agencies for oversight activities authorized by law, including audit, 
investigation, inspection, civil, criminal, or administrative 
proceeding or action, or other activity necessary for appropriate 
oversight of: (i) the health care system; (ii) government benefit 
programs for which health information is relevant to beneficiary 
eligibility; or (iii) government regulatory programs for which health 
information is necessary for determining compliance with program 
standards.
    In Sec. 164.512(d) of the final rule, we modify the proposed 
language to include civil and criminal investigations. In describing 
``other activities necessary for oversight'' of particular entities, we 
add the phrase ``entities subject to civil rights laws for which health 
information is necessary for determining compliance.'' In addition, in 
the final rule, we add ``licensure or disciplinary actions'' to the 
list of oversight activities authorized by law for which covered 
entities may disclose protected health information to health oversight 
agencies. The NPRM's definition of ``health oversight agency'' (in 
proposed Sec. 164.504) included this phrase, but it was inadvertently 
excluded from the regulation text at proposed Sec. 164.510(c). We make 
this change in the regulation text of the final rule to conform to the 
NPRM's definition of health oversight agency and to reflect the full 
range of activities for which we intend to allow covered entities to 
disclose protected health information to health oversight agencies.
    The NPRM would have allowed, but would not have required, covered 
entities to disclose protected health information to public oversight 
agencies and to private entities acting under grant of authority from 
or under contract with oversight agencies for oversight purposes 
without individual authorization for health oversight activities 
authorized by law. When a covered entity was also an oversight agency, 
it also would have been permitted to use protected health information 
in all cases in which it would have been allowed to disclose such 
information for health oversight purposes. The NPRM would not have 
established any new administrative or judicial process prior to 
disclosure for health oversight, nor would it have permitted 
disclosures forbidden by other law. The proposed rule also would not 
have created any new right of access to health records by oversight 
agencies, and it could not have been used as authority to obtain 
records not otherwise legally available to the oversight agency.
    The final rule retains this approach to health oversight. As in the 
NPRM, the final rule provides that when a covered entity is also an 
oversight agency, it is allowed to use protected health information in 
all cases in which it is allowed to disclose such information for 
health oversight purposes. For example, if a state insurance department 
is acting as a health plan in operating the state's Medicaid managed 
care program, the final rule allows the insurance department to use 
protected health information in all cases for which the plan can 
disclose the protected health information for health oversight 
purposes. For example, the state insurance department in its capacity 
as the state Medicaid managed care plan can use protected health 
information in the process of investigating and disciplining a state 
Medicaid provider for attempting to defraud the Medicaid system. As in 
the NPRM, the final rule does not establish any new administrative or 
judicial process prior to disclosure for health oversight, nor does it 
prohibit covered entities from making any disclosures for health 
oversight that are otherwise required by law. Like the NPRM, it does 
not create any new right of access to health records by oversight 
agencies and it cannot be used as authority to obtain records not 
otherwise legally available to the oversight agency.

Overlap Between Law Enforcement and Oversight

    Under the NPRM, the proposed definitions of law enforcement and 
oversight, and the rules governing disclosures for these purposes

[[Page 82529]]

overlapped. Specifically, this overlap occurred because: (1) The NPRM 
preamble, but not the NPRM regulation text, indicated that agencies 
conducting both oversight and law enforcement activities would be 
subject to the oversight requirements when conducting oversight 
activities; and (2) the NPRM addressed some disclosures for 
investigations of health care fraud in the law enforcement paragraph 
(proposed Sec. 164.510(f)(5)(i)), while health care fraud 
investigations are central to the purpose of health care oversight 
agencies (covered under proposed Sec. 164.510(c)). In the final rule, 
we make substantial changes to these provisions, in an attempt to 
prevent confusion.
    In Sec. 164.512(d)(2), we include explicit decision rules 
indicating when an investigation is considered law enforcement and when 
an investigation is considered oversight under this regulation. An 
investigation or activity is not considered health oversight for 
purposes of this rule if: (1) The individual is the subject of the 
investigation or activity; and (2) The investigation or activity does 
not arise out of and is not directly related to: (a) The receipt of 
health care; (b) a claim for public benefits related to health; or (c) 
qualification for, or receipt of public benefits or services where a 
patient's health is integral to the claim for benefits or services. In 
such cases, where the individual is the subject of the investigation 
and the investigation does not relate to issues (a) through (c), the 
rules regarding disclosure for law enforcement purposes (see 
Sec. 164.512(f)) apply. For the purposes of this rule, we intend for 
investigations regarding issues (a) through (c) above to mean 
investigations of health care fraud.
    Where the individual is not the subject of the activity or 
investigation, or where the investigation or activity relates to the 
subject matter in (a) through (c) of the preceding sentence, a covered 
entity may make a disclosure pursuant to Sec. 164.512(d)(1). For 
example, when the U.S. Department of Labor's Pension and Welfare 
Benefits Administration (PWBA) needs to analyze protected health 
information about health plan enrollees in order to conduct an audit or 
investigation of the health plan (i.e., the enrollees are not subjects 
of the investigation) to investigate potential fraud by the plan, the 
health plan may disclose protected health information to the PWBA under 
the health oversight rules. These rules and distinctions are discussed 
in greater detail in our responses to comments.
    To clarify further that health oversight disclosure rules apply 
generally in health care fraud investigations (subject to the exception 
described above), in the final rule, we eliminate proposed 
Sec. 164.510(f)(5)(i), which would have established requirements for 
disclosure related to health care fraud for law enforcement purposes. 
All disclosures of protected health information that would have been 
permitted under proposed Sec. 164.510(f)(5)(i) are permitted under 
Sec. 164.512(d).
    In the final rule, we add new language (Sec. 164.512(d)(3)) to 
address situations in which health oversight activities are conducted 
in conjunction with an investigation regarding a claim for public 
benefits not related to health (e.g., claims for Food Stamps). In such 
situations, for example, when a state Medicaid agency is working with 
the Food Stamps program to investigate suspected fraud involving 
Medicaid and Food Stamps, covered entities may disclose protected 
health information to the entities conducting the joint investigation 
under the health oversight provisions of the rule.
    In the proposed rule, the definitions of ``law enforcement 
proceeding'' and ``oversight activity'' both included the phrase 
``criminal, civil, or administrative proceeding.'' For reasons 
explained below, the final rule retains this phrase in both 
definitions. The final rule does not attempt to distinguish between 
these activities based on the agency undertaking them or the applicable 
enforcement procedures. Rather, as described above, the final rule 
carves out certain activities which must always be considered law 
enforcement for purposes of disclosure of protected health information 
under this rule.

Additional Considerations

    We note that covered entities are permitted to initiate disclosures 
that are permitted under this paragraph. For example, a covered entity 
could disclose protected health information in the course of reporting 
suspected health care fraud to a health oversight agency.
    We delete language in the NPRM that would have allowed disclosure 
under this section only to law enforcement officials conducting or 
supervising an investigation, official inquiry, or a criminal, civil or 
administrative proceeding authorized by law. In some instances, a 
disclosure by a covered entity under this section will initiate such an 
investigation or proceeding, but it will not already be ongoing at the 
time the disclosure is made.

Section 164.512(e)--Disclosures and Uses for Judicial and 
Administrative Proceedings

    Section 164.512(e) addresses when a covered entity is permitted to 
disclose protected health information in response to requests for 
protected health information that are made in the course of judicial 
and administrative proceedings--for example, when a non-party health 
care provider receives a subpoena (under Federal Rule of Civil 
Procedure Rule 45 or similar provision) for medical records from a 
party to a law suit. In the NPRM we would have allowed covered entities 
to disclose protected health information in the course of any judicial 
or administrative proceeding: (1) In response to an order of a court or 
administrative tribunal; or (2) where an individual was a party to the 
proceeding and his or her medical condition or history was at issue and 
the disclosure was pursuant to lawful process or otherwise authorized 
by law. Under the NPRM, if the request for disclosure of protected 
health information was accompanied by a court order, a covered entity 
could have disclosed that protected health information which the court 
order authorized to be disclosed. If the request for disclosure of 
protected health information were not accompanied by a court order, 
covered entities could not have disclosed the information requested 
unless a request authorized by law had been made by the agency 
requesting the information or by legal counsel representing a party to 
litigation, with a written statement certifying that the protected 
health information requested concerned a litigant to the proceeding and 
that the health condition of the litigant was at issue at the 
proceeding.
    In Sec. 164.512(e) of the final rule, we permit covered entities to 
disclose protected health information in a judicial or administrative 
proceeding if the request for such protected health information is made 
through or pursuant to an order from a court or administrative tribunal 
or in response to a subpoena or discovery request from, or other lawful 
process by a party to the proceeding. When a request is made pursuant 
to an order from a court or administrative tribunal, a covered entity 
may disclose the information requested without additional process. For 
example, a subpoena issued by a court constitutes a disclosure which is 
required by law as defined in this rule, and nothing in this rule is 
intended to interfere with the ability of the covered entity to comply 
with such subpoena.

[[Page 82530]]

    However, absent an order of, or a subpoena issued by, a court or 
administrative tribunal, a covered entity may respond to a subpoena or 
discovery request from, or other lawful process by, a party to the 
proceeding only if the covered entity obtains either: (1) Satisfactory 
assurances that reasonable efforts have been made to give the 
individual whose information has been requested notice of the request; 
or (2) satisfactory assurances that the party seeking such information 
has made reasonable efforts to secure a protective order that will 
guard the confidentiality of the information. In meeting the first 
test, a covered entity is considered to have received satisfactory 
assurances from the party seeking the information if that party 
demonstrates that it has made a good faith effort (such as by sending a 
notice to the individual's last known address) to provide written 
notice to the individual whose information is the subject of the 
request, that the written notice included sufficient information about 
the proceeding to permit the individual to raise an objection, and that 
the time for the individual to raise objections to the court or 
administrative tribunal has elapsed and no objections were filed or any 
objections filed by the individual have been resolved.
    Unless required to do so by other law, the covered entity is not 
required to explain the procedures (if any) available for the 
individual to object to the disclosure. Under the rule, the individual 
exercises the right to object before the court or other body having 
jurisdiction over the proceeding, and not to the covered entity. The 
provisions in this paragraph are not intended to disrupt current 
practice whereby an individual who is a party to a proceeding and has 
put his or her medical condition at issue will not prevail without 
consenting to the production of his or her protected health 
information. In such cases, we presume that parties will have ample 
notice and an opportunity to object in the context of the proceeding in 
which the individual is a party.
    As described above, in this paragraph we also permit a covered 
entity to disclose protected health information in response to a 
subpoena, discovery request, or other lawful process if the covered 
entity receives satisfactory assurances that the party seeking the 
information has made reasonable efforts to seek a qualified protective 
order that would protect the privacy of the information. A ``qualified 
protective order'' means an order of a court or of an administrative 
tribunal or a stipulation that: (1) Prohibits the parties from using or 
disclosing the protected health information for any purpose other than 
the litigation or proceeding for which the records are requested; and 
(2) requires the return to the covered entity or destruction of the 
protected health information (including all copies made) at the end of 
the litigation or proceeding. Satisfactory assurances of reasonable 
efforts to secure a qualified protective order are a statement and 
documentation that the parties to the dispute have agreed to a 
protective order and that it has been submitted to the court or 
administrative tribunal with jurisdiction, or that the party seeking 
the protected health information has requested a qualified protective 
order from such court or tribunal. We encourage the development of 
``model'' protective orders that will facilitate adherence with this 
subpart.
    In the final rule we also permit the covered entity itself to 
satisfy the requirement to make reasonable efforts to notify the 
individual whose information has been requested or to seek a qualified 
protective order. We intend this to be a permissible activity for 
covered entities: we do not require covered entities to undertake these 
efforts in response to a subpoena, discovery request, or similar 
process (other than an order from a court or administrative tribunal). 
If a covered entity receives such a request without receiving the 
satisfactory assurances described above from the party requesting the 
information, the covered entity is free to object to the disclosure and 
is not required to undertake the reasonable efforts itself.
    We clarify that the provisions of this paragraph do not supersede 
or otherwise invalidate other provisions of this rule that permit uses 
and disclosures of protected health information. For example, the fact 
that protected health information is the subject of a matter before a 
court or tribunal does not prevent its disclosure under another 
provision of the rule, such as Secs. 164.512(b), 164.512(d), or 
164.512(f), even if a public agency's method of requesting the 
information is pursuant to an administrative proceeding. For example, 
where a public agency commences a disciplinary action against a health 
professional, and requests protected health information as part of its 
investigation, the disclosure made be made to the agency under 
paragraph (d) of this section (relating to health oversight) even if 
the method of making the request is through the proceeding. As with any 
request for disclosure under this section, the covered entity will need 
to verify the authority under which the request is being made, and we 
expect that public agencies will identify their authority when making 
such requests. We note that covered entities may reasonably rely on 
assertions of authority made by government agencies.

Additional Considerations

    Where a disclosure made pursuant to this paragraph is required by 
law, such as in the case of an order from a court or administrative 
tribunal, the minimum necessary requirements in Sec. 164.514(d) do not 
apply to disclosures made under this paragraph. A covered entity making 
a disclosure under this paragraph, however, may of course disclose only 
that protected health information that is within the scope of the 
permitted disclosure. For instance, in response to an order of a court 
or administrative tribunal, the covered entity may disclose only the 
protected health information that is expressly authorized by such an 
order. Where a disclosure is not considered under this rule to be 
required by law, the minimum necessary requirements apply, and the 
covered entity must make reasonable efforts to limit the information 
disclosed to that which is reasonably necessary to fulfill the request. 
A covered entity is not required to second guess the scope or purpose 
of the request, or take action to resist the request because they 
believe that it is over broad. In complying with the request, however, 
the covered entity must make reasonable efforts not to disclose more 
information than is requested. For example, a covered entity may not 
provide a party free access to its medical records under the theory 
that the party can identify the information necessary for the request. 
In some instances, it may be appropriate for a covered entity, 
presented with a relatively broad discovery request, to permit access 
to a relatively large amount of information in order for a party to 
identify the relevant information. This is permissible as long as the 
covered entity makes reasonable efforts to circumscribe the access as 
appropriate.
    The NPRM indicated that when a covered entity was itself a 
government agency, the covered entity could use protected health 
information in all cases in which it would have been allowed to 
disclose such information in the course of any judicial or 
administrative proceeding. As explained above, the final rule does not 
include this provision.

[[Page 82531]]

Section 164.512(f)--Disclosure for Law Enforcement Purposes

Disclosures Pursuant to Process and as Otherwise Required by Law

    In the NPRM we would have allowed covered entities to disclose 
protected health information without individual authorization as 
required by other law. However, as explained above, if a legally 
mandated use or disclosure fell into one or more of the national 
priority purposes expressly identified in other paragraphs of proposed 
Sec. 164.510, the disclosure would have been subject to the terms and 
conditions specified by the applicable paragraph of proposed 
Sec. 164.510. For example, mandatory reporting to law enforcement 
officials would not have been allowed unless such disclosures conformed 
to the requirements of proposed Sec. 164.510(f) of the NPRM. Proposed 
Sec. 164.510(f) did not explicitly recognize disclosures required by 
other laws, and it would not have permitted covered entities to comply 
with some state and other mandatory reporting laws that require covered 
entities to disclose protected health information to law enforcement 
officials, such as the reporting of gun shot wounds, stab wounds, and/
or burn injuries.
    We did not intend to preempt generally state and other mandatory 
reporting laws, and in Sec. 164.512(f)(1)(i) of the final rule, we 
explicitly permit covered entities to disclose protected health 
information for law enforcement purposes as required by other law. This 
provision permits covered entities to comply with these state and other 
laws. Under this provision, to the extent that a mandatory reporting 
law falls under the provisions of Sec. 164.512(c)(1)(i) regarding 
reporting of abuse, neglect, or domestic violence, the requirements of 
those provisions supersede.
    In the final rule, we specify that covered entities may disclose 
protected health information pursuant to this provision in compliance 
with and as limited by the relevant requirements of legal process or 
other law. In the NPRM, for the purposes of this portion of the law 
enforcement paragraph, we proposed to define ``law enforcement inquiry 
or proceeding'' as an investigation or official proceeding inquiring 
into a violation of or failure to comply with law; or a criminal, civil 
or administrative proceeding arising from a violation of or failure to 
comply with law. In the final rule, we do not include this definition 
in Sec. 164.512(f), because it is redundant with the definition of 
``law enforcement official'' in Sec. 164.501.
    Proposed Sec. 164.510(f)(1) of the NPRM would have authorized 
disclosure of protected health information to a law enforcement 
official conducting or supervising a law enforcement inquiry or 
proceeding authorized by law pursuant to process, under three 
circumstances.
    First, we proposed to permit such disclosures pursuant to a 
warrant, subpoena, or other order issued by a judicial officer that 
documented a finding by the officer. The NPRM did not specify 
requirements for the nature of the finding. In the final rule, we 
eliminate the requirement for a ``finding,'' and we make changes to the 
list of orders in response to which covered entities may disclose under 
this provision. Under the final rule, covered entities may disclose 
protected health information in compliance with and as limited by 
relevant requirements of: a court order or court-ordered warrant, or a 
subpoena or summons issued by a judicial officer. We made this change 
to the list to conform to the definition of ``required by law'' in 
Sec. 164.501.
    Second, we proposed to permit such disclosures pursuant to a state 
or federal grand jury subpoena. In the final rule, we leave this 
provision of the NPRM unchanged.
    Third, we proposed to permit such disclosures pursuant to an 
administrative request, including an administrative subpoena or 
summons, a civil investigative demand, or similar process, under 
somewhat stricter standards than exist today for such disclosures. We 
proposed to permit a covered entity to disclose protected health 
information pursuant to an administrative request only if the request 
met three conditions, as follows: (i) The information sought was 
relevant and material to a legitimate law enforcement inquiry; (ii) the 
request was as specific and narrowly drawn as reasonably practicable; 
and (iii) de-identified information could not reasonably have been used 
to meet the purpose of the request.
    The final rules generally adopts this provision of the NPRM. In the 
final rule, we modify the list of orders in response to which covered 
entities may disclose protected health information, to include 
administrative subpoenas or summons, civil or authorized investigative 
demands, or similar process authorized by law. We made this change to 
the list to conform with the definition of ``required by law'' in 
Sec. 164.501. In addition, we slightly modify the second of the three 
conditions under which covered entities may respond to such requests, 
to allow disclosure if the request is specific and is limited in scope 
to the extent reasonably practicable in light of the purpose for which 
the information is sought.

Limited Information for Identification and Location Purposes

    The NPRM would have allowed covered entities to disclose ``limited 
identifying information'' for purposes of identifying a suspect, 
fugitive, material witness, or missing person, in response to a law 
enforcement request. We proposed to define ``limited identifying 
information'' as (i) name; (ii) address; (iii) Social Security number; 
(iv) date of birth; (v) place of birth; (vi) type of injury or other 
distinguishing characteristic; and (vii) date and time of treatment.
    The final rules generally adopts this provision of the NPRM with a 
few modifications. In the final rule, we expand the circumstances under 
which limited information about suspects, fugitives, material 
witnesses, and missing persons may be disclosed, to include not only 
cases in which law enforcement officials are seeking to identify such 
individuals, but also cases in which law enforcement officials are 
seeking to locate such individuals. In addition, the final rule 
modifies the list of data elements that may be disclosed under this 
provision, in several ways. We expand the list of elements that may be 
disclosed under these circumstances, to include ABO blood type and Rh 
factor, as well as date and time of death, if applicable. We remove 
``other distinguishing characteristic'' from the list of items that may 
be disclosed for the location and identification purposes described in 
this paragraph, and instead allow covered entities to disclose only a 
description of distinguishing physical characteristics, such as scars 
and tattoos, height, weight, gender, race, hair and eye color, and the 
presence or absence of facial hair such as a beard or moustache. In 
addition, in the final rule, protected health information associated 
with the following cannot be disclosed pursuant to Sec. 164.512(f)(2): 
DNA data and analyses; dental records; or typing, samples or analyses 
of tissues or bodily fluids other than blood (e.g., saliva). If a 
covered entity discloses additional information under this provision, 
the covered entity will be out of compliance and subject to sanction.
    We clarify our intent not to allow covered entities to initiate 
disclosures of limited identifying information to law enforcement in 
the absence of a law enforcement request; a covered entity may disclose 
protected health information under this provision only in response to a 
request from law enforcement. We allow a ``law enforcement official's 
request'' to be

[[Page 82532]]

made orally or in writing, and we intend for it to include requests by 
a person acting on behalf of law enforcement, for example, requests by 
a media organization making a television or radio announcement seeking 
the public's assistance in identifying a suspect. Such a request also 
may include a ``Wanted'' poster and similar postings.

Disclosure About a Victim of Crime

    The NPRM would have allowed covered entities to disclose protected 
health information about a victim of a crime, abuse or other harm to a 
law enforcement official, if the law enforcement official represented 
that: (i) The information was needed to determine whether a violation 
of law by a person other than the victim had occurred; and (ii) 
immediate law enforcement activity that depended on obtaining the 
information may have been necessary.
    The final rule modifies the conditions under which covered entities 
can disclose protected health information about victims. In addition, 
as discussed above, the final rule includes a new Sec. 164.512(c), 
which establishes conditions for disclosure of protected health 
information about victims of abuse, neglect or domestic violence. In 
addition, as discussed above, we have added Sec. 164.512(f)(1)(i) to 
this paragraph to explicitly recognize that in some cases, covered 
entities' disclosure of protected health information is mandated by 
state or other law. The rule's requirements for disclosure in 
situations not covered under mandatory reporting laws are different 
from the rule's provisions regarding disclosure pursuant to a mandatory 
reporting law.
    The final rule requires covered entities to obtain individual 
agreement as a condition of disclosing the protected health information 
about victims to law enforcement, unless the disclosure is permitted 
under Sec. 164.512(b) or (c) or Sec. 164.512(f)(1) above. The required 
agreement may be obtained orally, and does not need to meet the 
requirements of Sec. 164.508 of this rule (regarding authorizations). 
The rule waives the requirement for individual agreement if the victim 
is unable to agree due to incapacity or other emergency circumstance 
and: (1) The law enforcement official represents that the protected 
health information is needed to determine whether a violation of law by 
a person other than the victim has occurred and the information is not 
intended to be used against the victim; (2) the law enforcement 
official represents that immediate law enforcement activity that 
depends on such disclosure would be materially and adversely affected 
by waiting until the individual is able to agree to the disclosure; and 
(3) the covered entity, in the exercise of professional judgment, 
determines that the disclosure is in the individual's best interests. 
We intend that assessing the individual's best interests includes 
taking into account any further risk of harm to the individual. This 
provision does not allow covered entities to initiate disclosures of 
protected health information to law enforcement; the disclosure must be 
in response to a request from law enforcement.
    We do not intend to create a new legal duty on the part of covered 
entities with respect to the safety of their patients. Rather, we 
intend to ensure that covered entities can continue to exercise their 
professional judgment in these circumstances, on a case-by-case basis, 
as they do today.
    In some cases, a victim may also be a fugitive or suspect. For 
example, an individual may receive a gunshot wound during a robbery and 
seek treatment in a hospital emergency room. In such cases, when law 
enforcement officials are requesting protected health information 
because the individual is a suspect (and thus the information may be 
used against the individual), covered entities may disclose the 
protected health information pursuant to Sec. 164.512(f)(2) regarding 
suspects and not pursuant to Sec. 164.512(f)(3) regarding victims. 
Thus, in these situations, covered entities may disclose only the 
limited identifying information listed in Sec. 164.512(f)(2)--not all 
of the protected health information that may be disclosed under 
Sec. 164.512(f)(3).
    The proposed rule did not address whether a covered entity could 
disclose protected health information to a law enforcement official to 
alert the official of the individual's death.

Disclosures About Decedents

    In the final rule, we add a new provision Sec. 164.512(f)(4) in 
which we permit covered entities to disclose protected health 
information about an individual who has died to a law enforcement 
official for the purpose of alerting law enforcement of the death if 
the covered entity has a suspicion that such death may have resulted 
from criminal conduct. In such circumstances consent of the individual 
is not available and it may be difficult to determine the identity of a 
personal representative and gain consent for disclosure of protected 
health information. Permitting disclosures in this circumstance will 
permit law enforcement officials to begin their investigation into the 
death more rapidly, increasingly the likelihood of success.

Intelligence and National Security Activities

    Section 164.510(f)(4) of the NPRM would have allowed covered 
entities to disclose protected health information to a law enforcement 
official without individual authorization for the conduct of lawful 
intelligence activities conducted pursuant to the National Security Act 
of 1947 (50 U.S.C. 401 et seq.) or in connection with providing 
protective services to the President or other individuals pursuant to 
section 3056 of title 18, United States Code. In the final rule, we 
move provisions regarding disclosures of protected health information 
for intelligence and protective services activities to Sec. 164.512(k) 
regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

    The NPRM would have allowed covered entities on their own 
initiative to disclose to law enforcement officials protected health 
information that the covered entity believed in good faith constituted 
evidence of criminal conduct that arose out of and was directly related 
to: (A) The receipt of health care or payment for health care, 
including a fraudulent claim for health care; (B) qualification for or 
receipt of benefits, payments, or services based on a fraudulent 
statement or material misrepresentation of the health of the 
individual; that occurred on the covered entity's premises or was 
witnessed by a member of the covered entity's workforce.
    In the final rule, we modify this provision substantially, by 
eliminating language allowing disclosures already permitted in other 
sections of the regulation. The proposed provision overlapped with 
other sections of the NPRM, in particular proposed Sec. 164.510(c) 
regarding disclosure for health oversight activities. In the final 
regulation, we clarify that this provision applies only to disclosures 
to law enforcement officials of protected health information that the 
covered entity believes in good faith constitutes evidence of a crime 
committed on the premises. We eliminate proposed Sec. 164.510(f)(5)(i) 
regarding health care fraud from the law enforcement section, because 
all disclosures that would have been allowed under that provision are 
allowed under Sec. 164.512(d) of the final rule (health oversight). 
Similarly, in the final rule, we eliminate proposed

[[Page 82533]]

Sec. 164.510(f)(5)(iii) on disclosure of protected health information 
to law enforcement officials regarding criminal activity witnessed by a 
member of a health plan workforce. All disclosures that would have been 
permitted by that provision are included in Sec. 164.512(f)(5), which 
allows disclosure of information to report a crime committed on the 
covered entity's premises, and by Sec. 164.502, which provides that a 
covered entity is not in violation of the rule when a member of its 
workforce or person working for a business associate uses or discloses 
protected health information while acting as a ``whistle blower.'' 
Thus, Sec. 164.512(f)(5) allows covered entities to disclose health 
information only on the good faith belief that it constitutes evidence 
of a crime on their premises. The preamble to the NPRM said that if the 
covered entity disclosed protected health information in good faith but 
was wrong in its belief that the information was evidence of a 
violation of law, the covered entity would not be subject to sanction 
under this regulation. The final rule retains this approach.

Reporting Crime in Emergencies

    The proposed rule did not address disclosures by emergency medical 
personnel to a law enforcement official intended to alert law 
enforcement about the commission of a crime. Because the provisions of 
proposed rule were limited to individually identifiable health 
information that was reduced to electronic form, many communications 
that occur between emergency medical personnel and law enforcement 
officials at the scene of a crime would not have been covered by the 
proposed provisions.
    In the final rule we include a new provision Sec. 164.512(f)(6) 
that addresses ``911'' calls for emergency medical technicians as well 
as other emergency health care in response to a medical emergency. The 
final rule permits a covered health care provider providing emergency 
health care in response to a medical emergency, other than such 
emergency on the premises of the covered health care provider, to 
disclose protected health information to a law enforcement official if 
such disclosure appears necessary to alert law enforcement to (1) the 
commission and nature of a crime, (2) the location of such crime or of 
the victim(s) of such crime, and (3) the identity, description, and 
location of the perpetrator of such crime. A disclosure is not 
permitted under this section if health care provider believes that the 
medical emergency is the result of abuse, neglect, or domestic violence 
of the individual in need of emergency health care. In such cases, 
disclosures to law enforcement would be governed by paragraph (c) of 
this section.
    This added provision recognizes the special role of emergency 
medical technicians and other providers who respond to medical 
emergencies. In emergencies, emergency medical personnel often arrive 
on the scene before or at the same time as police officers, 
firefighters, and other emergency response personnel. In these cases, 
providers may be in the best position, and sometimes be the only ones 
in the position, to alert law enforcement about criminal activity. For 
instance, providers may be the first persons aware that an individual 
has been the victim of a battery or an attempted murder. They may also 
be in the position to report in real time, through use of radio or 
other mechanism, information that may immediately contribute to the 
apprehension of a perpetrator of a crime.
    We note that disclosure under this provision is at the discretion 
of the health care provider. Disclosures in some instances may be 
governed more strictly, such as by applicable ethical standards and 
state and local laws.
    Finally, the NPRM also included a proposed Sec. 164.510(f)(5), 
which duplicated proposed Sec. 164.510(f)(3). The final rule does not 
include this duplicate provision.

Additional Considerations

    As stated in the NPRM, this paragraph is not intended to limit or 
preclude a covered entity from asserting any lawful defense or 
otherwise contesting the nature or scope of the process when the 
procedural rules governing the proceeding so allow. At the same time, 
it is not intended to create a basis for appealing to federal court 
concerning a request by state law enforcement officials. Each covered 
entity will continue to have available legal procedures applicable in 
the appropriate jurisdiction to contest such requests where warranted.
    As was the case with the NPRM, this rule does not create any new 
affirmative requirement for disclosure of protected health information. 
Similarly, this section is not intended to limit a covered entity from 
disclosing protected health information to law enforcement officials 
where other sections of the rule permit such disclosure, e.g., as 
permitted by Sec. 164.512(j) to avert an imminent threat to health or 
safety, for health oversight activities, to coroners or medical 
examiners, and in other circumstances permitted by the rule. For 
additional provisions permitting covered entities to disclose protected 
health information to law enforcement officials, see 
Sec. 164.512(j)(1)(i) and (ii).
    Under the NPRM and under the final rule, to obtain protected health 
information, law enforcement officials must comply with whatever other 
law is applicable. In certain circumstances, while this provision could 
authorize a covered entity to disclose protected health information to 
law enforcement officials, there could be additional applicable 
statutes or rules that further govern the specific disclosure. If the 
preemption provisions of this regulation do not apply, the covered 
entity must comply with the requirements or limitations established by 
such other law, regulation or judicial precedent. See Secs. 160.201 
through 160.205. For example, if state law permits disclosure only 
after compulsory process with court review, a provider or payor is not 
allowed to disclose information to state law enforcement officials 
unless the officials have complied with that requirement. Similarly, 
disclosure of substance abuse patient records subject to, 42 U.S.C. 
290dd-2, and the implementing regulations, 42 CFR part 2, continue to 
be governed by those provisions.
    In some instances, disclosure of protected health information to 
law enforcement officials will be compelled by other law, for example, 
by compulsory judicial process or compulsory reporting laws (such as 
laws requiring reporting of wounds from violent crimes, suspected child 
abuse, or suspected theft of controlled substances). As discussed 
above, disclosure of protected health information under such other 
mandatory law is permitted under Sec. 164.512(a).
    In the responses to comments we clarify that items such as cells 
and tissues are not protected health information, but that analyses of 
them is. The same treatment would be given other physical items, such 
as clothing, weapons, or a bloody knife. We note, however, that while 
these items are not protected health information and may be disclosed, 
some communications that could accompany the disclosure will be 
protected health information under the rule. For example, if a person 
provides cells to a researcher, and tells the researcher that these are 
an identified individual's cancer cells, that accompanying statement is 
protected health information about that individual. Similarly, if a 
person provides a bullet to law enforcement, and tells law enforcement 
that the bullet was extracted from an identified

[[Page 82534]]

individual, the person has disclosed the fact that the individual was 
treated for a wound, and the additional statement is a disclosure of 
protected health information.
    To be able to make the additional statement accompanying the 
provision of the bullet, a covered entity must look to the rule to find 
a provision under which a disclosure may be made to law enforcement. 
Section 164.512(f) of the rule addresses disclosures for law 
enforcement purposes. Under Sec. 164.512(f)(1), the additional 
statement may be disclosed to a law enforcement official if required by 
law or with appropriate process. Under Sec. 164.512(f)(2), we permit 
covered entities to disclose limited identifying information without 
legal process in response to a request from a law enforcement official 
for the purpose of identifying or locating a suspect, fugitive, 
material witness, or missing person. Thus, in the case of bullet 
described above, the covered entity may, in response to a law 
enforcement request, provide the extracted bullet and such additional 
limited identifying information as is permitted under 
Sec. 164.512(f)(2).

Section 164.512(g)--Uses and Disclosures About Decedents

    In the NPRM we proposed to allow covered entities to disclose 
protected health information without individual authorization to 
coroners and medical examiners, consistent with applicable law, for 
identification of a deceased person or to determine cause of death.
    In Sec. 164.512(g) of the final rule, we permit covered entities to 
disclose protected health information to coroners, medical examiners, 
and funeral directors as part of a new paragraph on disclosures related 
to death. The final rule retains the NPRM approach regarding disclosure 
of protected health information to coroners and medical examiners, and 
it allows the information disclosed to coroners and medical examiners 
to include identifying information about other persons that may be 
included in the individual's medical record. Redaction of such names is 
not required prior to disclosing the individual's record to coroners or 
medical examiners. Since covered entities may also perform duties of a 
coroner or medical examiner, where a covered entity is itself a coroner 
or medical examiner, the final rule permits the covered entity to use 
protected health information in all cases in which it is permitted to 
disclose such information for its duties as a coroner or medical 
examiner.
    Section 164.512(g) allows covered entities to disclose protected 
health information to funeral directors, consistent with applicable 
law, as necessary to carry out their duties with respect to a decedent. 
For example, the rule allows hospitals to disclose to funeral directors 
the fact that an individual has donated an organ or tissue, because 
this information has implications for funeral home staff duties 
associated with embalming. When necessary for funeral directors to 
carry out their duties, covered entities may disclose protected health 
information prior to and in reasonable anticipation of the individual's 
death.
    Whereas the NPRM did not address the issue of disclosure of 
psychotherapy notes without individual authorization to coroners and 
medical examiners, the final rule allows such disclosures.
    The NPRM did not include in proposed Sec. 164.510(e) language 
stating that where a covered entity was itself a coroner or medical 
examiner, it could use protected health information for the purposes of 
engaging in a coroner's or a medical examiner's activities. The final 
rule includes such language to address situations such as where a 
public hospital performs medical examiner functions. In such cases, the 
hospital's on-staff coroners can use protected health information while 
conducting post-mortem investigations, and other hospital staff can 
analyze any information associated with these investigations, for 
example, as part of the process of determining the cause of the 
individual's death.

Section 164.512(h)--Uses and Disclosures for Cadaveric Donation of 
Organs, Eyes, or Tissues

    In the NPRM we proposed to include the procurement or banking of 
blood, sperm, organs, or any other tissue for administration to 
patients in the definition of ``health care'' (described in proposed 
Sec. 160.103). The NPRM's proposed approach did not differentiate 
between situations in which the donor was competent to consent to the 
donation--for example, when an individual is donating blood, sperm, a 
kidney, or a liver or lung lobe--and situations in which the donor was 
deceased, for example, when cadaveric organs and tissues were being 
donated. We also proposed to allow use and disclosure of protected 
health information for treatment without consent.
    In the final rule, we take a different approach. In 
Sec. 164.512(h), we permit covered entities to disclose protected 
health information without individual authorization to organ 
procurement organizations or other entities engaged in the procurement, 
banking, or transplantation of cadaveric organs, eyes, or tissue for 
donation and transplantation. This provision is intended to address 
situations in which an individual has not previously indicated whether 
he or she seeks to donate organs, eyes, or tissues (and therefore 
authorized release of protected health information for this purpose). 
In such situations, this provision is intended to allow covered 
entities to initiate contact with organ and tissue donation and 
transplantation organizations to facilitate transplantation of 
cadaveric organs, eyes, and tissues.

Disclosures and Uses for Government Health Data Systems

    In the NPRM we proposed to permit covered entities to disclose 
protected health information to a government agency, or to a private 
entity acting on behalf of a government agency, for inclusion in a 
government health data system collecting health data for analysis in 
support of policy, planning, regulatory, or management functions 
authorized by law. The NPRM stated that when a covered entity was 
itself a government agency collecting health data for these functions, 
it could use protected health information in all cases for which it was 
permitted to disclose such information to government health data 
systems.
    In the final rule, we eliminate the provision that would have 
allowed covered entities to disclose protected health information to 
government health data systems without authorization. Thus, under the 
final rule, covered entities cannot disclose protected health 
information without authorization to government health data systems--or 
to private health data systems--unless the disclosure is permissible 
under another provision of the rule.

Disclosures for Payment Processes

    In the NPRM we proposed to permit covered entities to disclose, in 
connection with routine banking activities or payment by debit, credit, 
or other payment card, or other payment means, the minimum amount of 
protected health information necessary to complete a banking or payment 
activity to financial institutions or to entities acting on behalf of 
financial institutions to authorize, process, clear, settle, bill, 
transfer, reconcile, or collect payments for financial institutions.
    The preamble to the NPRM clarified the proposed rule's intent 
regarding disclosure of diagnostic and treatment information along with 
payment

[[Page 82535]]

information to financial institutions. The preamble to the proposed 
rule said that diagnostic and treatment information never was necessary 
to process a payment transaction. The preamble said we believed that in 
most cases, the permitted disclosure would include only: (1) The name 
and address of the account holder; (2) the name and address of the 
payor or provider; (3) the amount of the charge for health services; 
(4) the date on which health services were rendered; (5) the expiration 
date for the payment mechanism, if applicable; and (6) the individual's 
signature. The preamble noted that the proposed regulation text did not 
include an exclusive list of information that could lawfully be 
disclosed to process payments, and it solicited comments on whether 
more elements would be needed for banking and payment transactions and 
on whether including a specific list of protected health information 
that could be disclosed was an appropriate approach.
    The preamble also noted that under section 1179 of HIPAA, certain 
activities of financial institutions were exempt from this rule, to the 
extent that these activities constituted authorizing, processing, 
clearing, settling, billing, transferring, reconciling, or collecting 
payments for health care or health plan premiums.
    In the final rule, we eliminate the NPRM's provision on ``banking 
and payment processes.'' All disclosures that would have been allowed 
pursuant to proposed Sec. 164.510(i) are allowed under Sec. 164.502(a) 
of the final rule, regarding disclosure for payment purposes.

Section 164.512(i)--Uses and Disclosures for Research Purposes

    The NPRM would have permitted covered entities to use and disclose 
protected health information for research--regardless of funding 
source--without individual authorization, provided that the covered 
entity obtained documentation of the following:
    (1) A waiver, in whole or in part, of authorization for the use or 
disclosure of protected health information was approved by an 
Institutional Review Board (IRB) or a privacy board that was composed 
as stipulated in the proposed rule;
    (2) The date of approval of the waiver, in whole or in part, of 
authorization by an IRB or privacy board;
    (3) The IRB or privacy board had determined that the waiver, in 
whole or in part satisfied the following criteria:
    (i) The use or disclosure of protected health information involves 
no more than minimal risk to the subjects;
    (ii) The waiver will not adversely affect the rights and welfare of 
the subjects;
    (iii) The research could not practicably be conducted without the 
waiver;
    (iv) Whenever appropriate, the subjects will be provided with 
additional pertinent information after participation;
    (v) The research could not practicably be conducted without access 
to and use of the protected health information;
    (vi) The research is of sufficient importance so as to outweigh the 
intrusion of the privacy of the individual whose information is subject 
to the disclosure;
    (vii) There is an adequate plan to protect the identifiers from 
improper use and disclosure; and
    (viii) There is an adequate plan to destroy the identifiers at the 
earliest opportunity consistent with the conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers; and
    (4) The written documentation was signed by the chair of, as 
applicable, the IRB or the privacy board.
    The NPRM also proposed that IRBs and privacy boards be permitted to 
adopt procedures for ``expedited review'' similar to those provided in 
the Common Rule (Common Rule Sec. ____.110) for records research that 
involved no more than minimal risk. However, this provision for 
expedited review was not included in the proposed regulation text.
    The board that would determine whether the research protocol met 
the eight specified criteria for waiving the patient authorization 
requirements (described above), could have been an IRB constituted as 
required by the Common Rule, or a privacy board, whose proposed 
composition is described below. The NPRM proposed no requirements for 
the location or sponsorship of the IRB or privacy board. Under the 
NPRM, the covered entity could have created such a board and could have 
relied on it to review research proposals for uses and disclosures of 
protected health information for research. A covered entity also could 
have relied on the necessary documentation from an outside researcher's 
own university IRB or privacy board. In addition, a covered entity 
could have engaged the services of an outside IRB or privacy board to 
obtain the necessary documentation.
    Absent documentation that the requirements described above had been 
met, the NPRM would have required individuals' authorization for the 
use or disclosure of protected health information for research, 
pursuant to the authorization requirements in proposed Sec. 164.508. 
For research conducted with patient authorization, documentation of IRB 
or privacy board approval would not have been required.
    The final rule retains the NPRM's proposed framework for permitting 
uses and disclosures of protected health information for research 
purposes, although we are making several important changes for the 
final rule. These changes are discussed below:

Documentation Requirements of IRB or Privacy Board Approval of Waiver

    The final rule retains these documentation requirements, but 
modifies some of them and includes two additional documentation 
requirements. The final rule's modifications to the NPRM's proposed 
documentation requirements are described first, followed by a 
description of the three documentation requirements added in the final 
rule.
    The final rule makes the following modifications to the NPRM's 
proposed documentation requirements for the waiver of individual 
authorization:
    1. IRB and privacy board membership. The NPRM stipulated that to 
meet the requirements of proposed Sec. 164.510(j), the documentation 
would need to indicate that the IRB had been composed as required by 
the Common Rule (Sec. ____.107), and the privacy board had been 
composed as follows: ``(A) Has members with varying backgrounds and 
appropriate professional competency as necessary to review the research 
protocol; (B) Includes at least one member who is not affiliated with 
the entity conducting the research, or related to a person who is 
affiliated with such entity; and (C) Does not have any member 
participating in a review of any project in which the member has a 
conflict of interest'' (Sec. 164.510(j)(1)(ii)).
    The final rule modifies the first of the requirements for the 
composition of a privacy board to focus on the effect of the research 
protocol on the individual's privacy rights and related interests. 
Therefore, under the final rule, the required documentation must 
indicate that the privacy board has members with varying backgrounds 
and appropriate professional competency as necessary to review the 
effect of the research protocol on the individual's privacy rights and 
related interests.
    In addition, the final rule further restricts the NPRM's proposed 
requirement that the privacy board include at least one member who was

[[Page 82536]]

not affiliated with the entity conducting the research, or related to a 
person who is affiliated with such entity. Under the final rule, the 
board must include at least one member who is not affiliated with the 
covered entity, not affiliated with any entity conducting or sponsoring 
the research, and not related to any person who is affiliated with such 
entities.
    The other documentation requirements for the composition of an IRB 
and privacy board remain the same.
    2. Waiver of authorization criteria. The NPRM proposed to prohibit 
the use or disclosure of protected health information for research 
without individual authorization as stipulated in proposed Sec. 164.508 
unless the covered entity had documentation indicating that an IRB or 
privacy board had determined that the following waiver criteria had 
been met:
    (i) The use or disclosure of protected health information involves 
no more than minimal risk to the subjects;
    (ii) The waiver will not adversely affect the rights and welfare of 
the subjects;
    (iii) The research could not practicably be conducted without the 
waiver;
    (iv) Whenever appropriate, the subjects will be provided with 
additional pertinent information after participation;
    (v) The research could not be practicably be conducted without 
access to and use of the protected health information;
    (vi) The research is of sufficient importance so as to outweigh the 
intrusion of the privacy of the individual whose information is subject 
to the disclosure;
    (vii) There is an adequate plan to protect the identifiers from 
improper use and disclosure; and
    (viii) There is an adequate plan to destroy the identifiers at the 
earliest opportunity consistent with the conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers.
    The final rule continues to permit the documentation of IRB or 
privacy board approval of a waiver of an authorization as required by 
Sec. 164.508, to indicate that only some or all of the Sec. 164.508 
authorization requirements have been waived. In addition, the final 
rule clarifies that the documentation of IRB or privacy board approval 
may indicate that the authorization requirements have been altered. 
Also, for all of the proposed waiver of authorization criteria that 
used the term ``subject,'' we replace this term with the term 
``individual'' in the final rule.
    In addition, the final rule (1) eliminates proposed waiver 
criterion iv, (2) modifies proposed waiver criteria ii, iii, vi, and 
viii, and (3) adds a waiver criterion.
    Proposed waiver criterion ii (waiver criterion 
Sec. 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to 
focus more narrowly on the privacy interests of individuals, and to 
clarify that it also pertains to alterations of individual 
authorization: ``the alteration or waiver will not adversely affect the 
privacy rights and the welfare of the individuals.'' Under criterion 
Sec. 164.512(i)(2)(ii)(B), the question is whether the alteration or 
waiver of individual authorization would adversely affect the privacy 
rights and the welfare of individuals, not whether the research project 
itself would adversely affect the privacy rights or the welfare of 
individuals.
    Proposed waiver criterion iii (waiver criterion 
Sec. 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to 
clarify that it also pertains to alterations of individual 
authorization: ``the research could not practicably be conducted 
without the alteration or waiver.''
    Proposed waiver criterion vi (waiver criterion 
Sec. 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to 
be more consistent with one of the Common Rule's requirements for the 
approval of human subjects research (Common Rule, Sec. ____.111(a)(2)): 
``the privacy risks to individuals whose protected health information 
is to be used or disclosed are reasonable in relation to anticipated 
benefits if any to individuals, and the importance of the knowledge 
that may reasonably be expected to result from the research.'' Under 
criterion Sec. 164.512(i)(2)(ii)(E), the question is whether the risks 
to an individual's privacy from participating in the research are 
reasonable in relation to the anticipated benefits from the research. 
This criterion is unlike waiver criterion Sec. 164.512(i)(2)(ii)(B) in 
that it focuses on the privacy risks and benefits of the research 
project more broadly, not on the waiver of individual authorization.
    Proposed waiver criterion viii (waiver criterion 
Sec. 164.512(i)(2)(ii)(G) in the final rule) is revised as follows: 
``there is an adequate plan to destroy the identifiers at the earliest 
opportunity consistent with the conduct of the research, unless there 
is a health or research justification for retaining the identifiers, or 
such retention is otherwise required by law.''
    In addition, the final rule includes another waiver criterion: 
waiver criterion Sec. 164.512(i)(2)(ii)(H). The NPRM proposed no 
restriction on a researcher's further use or disclosure of protected 
health information that had been received under proposed 
Sec. 164.510(j). The final rule requires that the covered entity obtain 
written agreement from the person or entity receiving protected health 
information under Sec. 164.512(i) not to re-use or disclose protected 
health information to any other person or entity, except: (1) As 
required by law, (2) for authorized oversight of the research project, 
or (3) for other research for which the use or disclosure of protected 
health information would be permitted by this subpart. For instance, in 
assessing whether this criterion has been met, we encourage IRBs and 
privacy boards to obtain adequate assurances that the protected health 
information will not be disclosed to an individual's employer for 
employment decisions without the individual's authorization.
    3. Required signature. The rule broadens the types of individuals 
who are permitted to sign the required documentation of IRB or privacy 
board approval. The final rule requires the documentation of the 
alteration or waiver of authorization to be signed by (1) the chair of, 
as applicable, the IRB or the privacy board, or (2) a member of the IRB 
or privacy board, as applicable, who is designated by the chair to sign 
the documentation.
    Furthermore, the final rule makes the following three additions to 
the proposed documentation requirements for the alteration or waiver of 
authorization:
    1. Identification of the IRB or privacy board. The NPRM did not 
propose that the documentation of waiver include a statement 
identifying the IRB or privacy board that approved the waiver of 
authorization. In the final rule we require that such a statement be 
included in the documentation of alteration or waiver of individual 
authorization. By this requirement we mean that the name of the IRB or 
privacy board must be included in such documentation, not the names of 
individual members of the board.
    2. Description of protected health information approved for use or 
disclosure. The NPRM did not propose that the documentation of waiver 
include a description of the protected health information that the IRB 
or privacy board had approved for use or disclosure without individual 
authorization. In considering waiver of authorization criterion 
Sec. 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to 
consider the amount of information that is minimally needed for the 
study. The final rule requires that the documentation of IRB or

[[Page 82537]]

privacy board approval of the alteration or waiver of authorization 
describe the protected health information for which use or access has 
been determined to be necessary for the research by the IRB or privacy 
board. For example, if the IRB or privacy board approves only the use 
or disclosure of certain information from patients' medical records, 
and not patients' entire medical record, this must be stated on the 
document certifying IRB or privacy board approval.
    3. Review and approval procedures. The NPRM would not have required 
documentation of IRBs' or privacy boards' review and approval 
procedures. In the final rule, the documentation of the alteration or 
waiver of authorization must state that the alteration or waiver has 
been reviewed and approved by: (1) an IRB that has followed the voting 
requirements stipulated in the Common Rule (Sec. ____.108(b)), or the 
expedited review procedures as stipulated in Sec. ____.110(b); or (2) a 
privacy board that has reviewed the proposed research at convened 
meetings at which a majority of the privacy board members are present, 
including at least one member who is not affiliated with the covered 
entity, not affiliated with any entity conducting or sponsoring the 
research, and not related to any person who is affiliated with any such 
entities, and the alteration or waiver of authorization is approved by 
the majority of privacy board members present at the meeting, unless an 
expedited review procedure is used.
    For documentation of IRB approval that used an expedited review 
procedure, the covered entity must ensure that the documentation 
indicates that the IRB followed the expedited review requirements of 
the Common Rule (Sec. ____.110). For documentation of privacy board 
approval that used an expedited review procedure, the covered entity 
must ensure that the documentation indicates that the privacy board met 
the expedited review requirements of the privacy rule. In the final 
rule, a privacy board may use an expedited review procedure if the 
research involves no more than minimal risk to the privacy of the 
individuals who are the subject of the protected health information for 
which disclosure is being sought. If a privacy board elects to use an 
expedited review procedure, the review and approval of the alteration 
or waiver of authorization may be carried out by the chair of the 
privacy board, or by one or more members of the privacy board as 
designated by the chair. Use of the expedited review mechanism permits 
review by a single member of the IRB or privacy board, but continues to 
require that the covered entity obtain documentation that all of the 
specified waiver criteria have been met.

Reviews Preparatory to Research

    Under the NPRM, if a covered entity used or disclosed protected 
health information for research, but the researcher did not record the 
protected health information in a manner that persons could be 
identified, such an activity would have constituted a research use or 
disclosure that would have been subject to either the individual 
authorization requirements of proposed Sec. 164.508 or the 
documentation of the waiver of authorization requirements of proposed 
Sec. 164.510(j).
    The final rule permits the use and disclosure of protected health 
information for research without requiring authorization or 
documentation of the alteration or waiver of authorization, if the 
research is conducted in such a manner that only de-identified 
protected health information is recorded by the researchers and the 
protected health information is not removed from the premises of the 
covered entity. For such uses and disclosures of protected health 
information, the final rule requires that the covered entity obtain 
from the researcher representations that use or disclosure is sought 
solely to review protected health information as necessary to prepare a 
research protocol or for similar purposes preparatory to research, no 
protected health information is to be removed from the covered entity 
by the researcher in the course of the review, and the protected health 
information for which use or access is sought is necessary for the 
research purposes. The intent of this provision is to permit covered 
entities to use and disclose protected health information to assist in 
the development of a research hypothesis and aid in the recruitment of 
research participants. We understand that researchers sometimes require 
access to protected health information to develop a research protocol, 
and to determine whether a specific covered entity has protected health 
information of prospective research participants that would meet the 
eligibility criteria for enrollment into a research study. Therefore, 
this provision permits covered entities to use and disclose protected 
health information for these preliminary research activities without 
individual authorization and without documentation that an IRB or 
privacy board has altered or waived individual authorization.

Research on Protected Health Information of the Deceased

    The NPRM would have permitted the use and disclosure of protected 
health information of deceased persons for research without the 
authorization of a legal representative, and without the requirement 
for written documentation of IRB or privacy board approval in proposed 
Sec. 164.510(j). In the final rule, we retain the exception for uses 
and disclosures for research purposes but in addition require that the 
covered entity take certain protective measures prior to release of the 
decedent's protected health information for such purposes. 
Specifically, the final rule requires that the covered entity obtain 
representation that the use or disclosure is sought solely for research 
on the protected health information of decedent, and representation 
that the protected health information for which use or disclosure is 
sought is necessary for the research purposes. In addition, the final 
rule allows covered entities to request from the researcher 
documentation of the death of the individuals about whom protected 
health information is being sought.

Good Faith Reliance

    The final rule clarifies that covered entities are allowed to rely 
on the IRB's or privacy board's representation that the research 
proposal meets the documentation requirements of Sec. 164.512(i)(1)(i) 
and the minimum necessary requirements of Sec. 164.514.
    In addition, when using or disclosing protected health information 
for reviews preparatory to research (Sec. 164.512(i)(1)(ii)) or for 
research solely on the protected health information of decedents 
(Sec. 164.512)(1)(iii)), the final rule clarifies that the covered 
entity may rely on the requesting researcher's representation that the 
purpose of the request is for one of these two purpose, and that the 
request meets the minimum necessary requirements of Sec. 164.514. 
Therefore, the covered entity has not violated the rule if the 
requesting researcher misrepresents his or her intended use of the 
protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

    To the extent that a researcher provided treatment to persons as 
part of a research study, the NPRM would have covered such researchers 
as health care providers for purposes of that treatment, and required 
that the researcher comply with all of the provisions of the rule that

[[Page 82538]]

would be applicable to health care providers. The final rule retains 
this requirement.

Individual Access to Research Information

    Under proposed Sec. 164.514, the NPRM would have applied the 
proposed provision regarding individuals' access to records to research 
that includes the delivery of treatment. The NPRM proposed an exception 
to individuals' right to access protected health information for 
clinical trials, where (1) protected health information was obtained by 
a covered entity in the course of clinical trial, (2) the individual 
agreed to the denial of access when consenting to participate in the 
trial (if the individual's consent to participate was obtained), and 
(3) the trial was still in progress.
    Section 164.524 of the final rule retains this exception to access 
for research that includes treatment. In addition, the final rule 
requires that participants in such research be informed that their 
right of access to protected health information about them will be 
reinstated once the research is complete.

Obtaining the Individual's Authorization for Research

    The NPRM would have required covered entities obtaining 
individuals' authorization for the use or disclosure of information for 
research to comply with the requirements applicable to individual 
authorization for the release of protected health information (proposed 
Sec. 164.508(a)(2)). If an individual had initiated the use or 
disclosure of his/her protected health information for research, or any 
other purpose, the covered entity would have been required to obtain a 
completed authorization for the use or disclosure of protected health 
information as proposed in Sec. 164.508(c).
    The final rule retains these requirements for research conducted 
with authorization, as required by Sec. 164.508. In addition, for the 
use and disclosure of protected health information created by a covered 
entity for the purpose, in whole or in part, of research that includes 
treatment of the individual, the covered entity must meet the 
requirements of Sec. 164.508(f).

Interaction with the Common Rule

    The NPRM stated that the proposed rule would not override the 
Common Rule. Where both the NPRM and the Common Rule would have applied 
to research conducted by the covered entity--either with or without 
individuals' authorization--both sets of regulations would have needed 
to be followed. This statement remains true in the final rule. In 
addition, we clarify that FDA's human subjects regulations must also be 
followed if applicable.

Section 164.512(j)--Uses and Disclosures to Avert a Serious Threat to 
Health or Safety

    In the NPRM we proposed to allow covered entities to use or 
disclose protected health information without individual 
authorization--consistent with applicable law and ethics standards--
based on a reasonable belief that use or disclosure of the protected 
health information was necessary to prevent or lessen a serious and 
imminent threat to health or safety of an individual or of the public. 
Pursuant to the NPRM, covered entities could have used or disclosed 
protected health information in these emergency circumstances to a 
person or persons reasonably able to prevent or lessen the threat, 
including the target of the threat. The NPRM stated that covered 
entities that made disclosures in these circumstances were presumed to 
have acted under a reasonable belief if the disclosure was made in good 
faith, based on credible representation by a person with apparent 
knowledge or authority. The NPRM did not include verification 
requirements specific to this paragraph.
    In Sec. 164.512(j) of the final rule, we retain the NPRM's approach 
to uses and disclosures made to prevent or lessen serious and imminent 
threats to health or safety, as well as its language regarding the 
presumption of good faith. We also clarify that: (1) Rules governing 
these situations, which the NPRM referred to as ``emergency 
circumstances,'' are not intended to apply to emergency care treatment, 
such as health care delivery in a hospital emergency room; and (2) the 
``presumption of good faith belief'' is intended to apply only to this 
provision and not to all disclosures permitted without individual 
authorization. The final rule allows covered entities to use or 
disclose protected health information without an authorization on their 
own initiative in these circumstances, when necessary to prevent or 
lessen a serious and imminent threat, consistent with other applicable 
ethical or legal standards.
    The rule's approach is consistent with the ``duty to warn'' third 
persons at risk, which has been established through case law. In 
Tarasoff v. Regents of the University of California (17 Cal. 3d 425 
(1976)), the Supreme Court of California found that when a therapist's 
patient had made credible threats against the physical safety of a 
specific person, the therapist had an obligation to use reasonable care 
to protect the intended victim of his patient against danger, including 
warning the victim of the danger. Many states have adopted, through 
either statutory or case law, versions of the Tarasoff duty to warn. 
The rule is not intended to create a duty to warn or disclose. Rather, 
it permits disclosure to avert a serious and imminent threat to health 
or safety consistent with other applicable legal or ethical standards. 
If disclosure in these circumstances is prohibited by state law, this 
rule would not allow the disclosure.
    As indicated above, in some situations (for example, when a person 
is both a fugitive and a victim and thus covered entities could 
disclose protected health information pursuant either to 
Sec. 164.512(f)(2) regarding fugitives or to Sec. 164.512(f)(3) 
establishing conditions for disclosure about victims), more than one 
section of this rule potentially could apply with respect to a covered 
entity's potential disclosure of protected health information. 
Similarly, in situations involving a serious and imminent threat to 
public health or safety, law enforcement officials may be seeking 
protected health information from covered entities to locate a 
fugitive. In the final rule, we clarify that if a situation fits one 
section of the rule (for example, Sec. 164.512(j) on serious and 
imminent threats to health or safety), covered entities may disclose 
protected health information pursuant to that section, regardless of 
whether the disclosure also could be made pursuant to another section 
(e.g., Sec. 164.512(f)), regarding disclosure to law enforcement 
officials).
    The proposed rule did not address situations in which covered 
entities could make disclosures to law enforcement officials about oral 
statements admitting participation in violent conduct or about 
escapees.
    In the final rule we permit, but do not require, covered entities 
to use or disclose protected health information, consistent with 
applicable law and standards of ethical conduct, in specific situations 
in which the covered entity, in good faith, believes the use or 
disclosure is necessary to permit law enforcement authorities to 
identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of 
this section, a covered entity may take such action because of a 
statement by an individual admitting participation in a violent crime 
that the covered entity reasonably believes may have resulted in 
serious physical harm to the victim. The

[[Page 82539]]

protected health information that is disclosed in this case is limited 
to the statement and to the protected health information included under 
the limited identifying and location information in Sec. 164.512(f)(2), 
such as name, address, and type of injury. Under paragraph 
(j)(1)(ii)(B) of this section, a covered entity may take such action 
where it appears from all the circumstances that the individual has 
escaped from a correctional institution or from lawful custody.
    A disclosure may not be made under paragraph (j)(1)(ii)(A) for a 
statement admitting participation in a violent crime if the covered 
entity learns the information in the course of counseling or therapy. 
Similarly, such a disclosure is not permitted if the covered entity 
learns the information in the course of treatment to affect the 
propensity to commit the violent crimes that are described in the 
individual's statements. We do not intend to discourage individuals 
from speaking accurately in the course of counseling or therapy 
sessions, or to discourage other treatment that specifically seeks to 
reduce the likelihood that someone who has acted violently in the past 
will do so again in the future. This prohibition on disclosure is 
triggered once an individual has made a request to initiate or be 
referred to such treatment, therapy, or counseling.
    The provision permitting use and disclosure has been added in light 
of the broadened definition in the final rule of protected health 
information. Under the NPRM, protected health information meant 
individually identifiable health information that is or has been 
electronically transmitted or electronically maintained by a covered 
entity. Under the final rule, protected health information includes 
information transmitted by electronic media as well as such information 
transmitted or maintained in any other form or medium. The new 
definition includes oral statements to covered entities as well as 
individually identifiable health information transmitted ``in any other 
form.''
    The definition of protected health information, for instance, would 
now apply to a statement by a patient that is overheard by a hospital 
security guard in a waiting room. Such a statement would have been 
outside the scope of the proposed rule (unless it was memorialized in 
an electronic record), but is within the scope of the final rule. For 
the example with the hospital guard, the new provision permitting 
disclosure of a statement by an individual admitting participation in a 
violent crime would have the same effect as the proposed rule--the 
statement could be disclosed to law enforcement, so long as the other 
aspects of the regulation are followed. Similarly, where it appears 
from all the circumstances that the individual has escaped from prison, 
the expanded definition of protected health information should not 
prevent the covered entity from deciding to report this information to 
law enforcement.
    The disclosures that covered entities may elect to make under this 
paragraph are entirely at their discretion. These disclosures to law 
enforcement are in addition to other disclosure provisions in the rule. 
For example, under paragraph Sec. 164.512(f)(2) of this section, a 
covered entity may disclose limited categories of protected health 
information in response to a request from a law enforcement official 
for the purpose of identifying or locating a suspect, fugitive, 
material witness, or missing person. Paragraph Sec. 164.512(f)(1) of 
this section permits a covered entity to make disclosures that are 
required by other laws, such as state mandatory reporting laws, or are 
required by legal process such as court orders or grand jury subpoena.

Section 164.512(k)--Uses and Disclosures for Specialized Government 
Functions

Application to Military Services

    In the NPRM we would have permitted a covered entity providing 
health care to Armed Forces personnel to use and disclose protected 
health information for activities deemed necessary by appropriate 
military command authorities to assure the proper execution of the 
military mission, where the appropriate military authority had 
published by notice in the Federal Register (In the NPRM, we proposed 
that the Department of Defense would publish this Federal Register 
notice in the future.) The final rule takes a similar approach while 
making some modifications to the NPRM. One modification concerns the 
information that will be required in the Federal Register notice. The 
NPRM would have required a listing of (i) appropriate military command 
authorities; (ii) the circumstances for which use or disclosure without 
individual authorization would be required; and (iii) activities for 
which such use or disclosure would occur in order to assure proper 
execution of the military mission. In the final rule, we eliminate the 
third category and also slightly modify language in the second category 
to read: ``the purposes for which the protected health information may 
be used or disclosed.''
    An additional modification concerns the rule's application to 
foreign military and diplomatic personnel. The NPRM would have excluded 
foreign diplomatic and military personnel, as well as their dependents, 
from the proposed definition of ``individual,'' thereby excluding any 
protected health information created about these personnel from the 
NPRM's privacy protections. Foreign military and diplomatic personnel 
affected by this provision include, for example, allied military 
personnel who are in the United States for training. The final rule 
applies a more limited exemption to foreign military personnel only 
(Foreign diplomatic personnel will have the same protections granted to 
all other individuals under the rule). Under the final rule, foreign 
military personnel are not excluded from the definition of 
``individual.'' Covered entities will be able to use and disclose 
protected health information of foreign military personnel to their 
appropriate foreign military authority for the same purposes for which 
uses and disclosures are permitted for U.S. Armed Forces personnel 
under the notice to be published in the Federal Register. Foreign 
military personnel do have the same rights of access, notice, right to 
request privacy protection, copying, amendment, and accounting as do 
other individuals pursuant to Secs. 164.520-164.526 (sections on 
access, notice, right to request privacy protection for protected 
health information, amendment, inspection, copying) of the rule.
    The NPRM likewise would have exempted overseas foreign national 
beneficiaries from the proposed rule's requirements by excluding them 
from the definition of ``individual.'' Under the final rule, these 
beneficiaries no longer are exempt from the definition of 
``individual.'' However, the rule's provisions do not apply to the 
individually identifiable health information of overseas foreign 
nationals who receive care provided by the Department of Defense, other 
federal agencies, or by non-governmental organizations incident to U.S. 
sponsored missions or operations.
    The final rule includes a new provision to address separation or 
discharge from military service. The preamble to the NPRM noted that 
upon completion of individuals' military service, DOD and the 
Department of Transportation routinely transfer entire military service 
records, including protected health information to the Department of 
Veterans Affairs so that

[[Page 82540]]

the file can be retrieved quickly if the individuals or their 
dependents apply for veterans benefits. The NPRM would have required 
consent for such transfers. The final rule no longer requires consent 
in such situations. Thus, under the final rule, a covered entity that 
is a component of DOD or the Department of Transportation may disclose 
to DVA the protected health information of an Armed Forces member upon 
separation or discharge from military service for the purpose of a 
determination by DVA of the individual's eligibility for or entitlement 
to benefits under laws administered by the Secretary of Veterans 
Affairs.

Department of Veterans Affairs

    Under the NPRM, a covered entity that is a component of the 
Department of Veterans Affairs could have used and disclosed protected 
health information to other components of the Department that determine 
eligibility for, or entitlement to, or that provide benefits under the 
laws administered by the Secretary of Veterans Affairs. In the final 
rule, we retain this approach.

Application to Intelligence Community

    The NPRM would have provided an exemption from its proposed 
requirements to the intelligence community. As defined in section 4 of 
the National Security Act, 50 U.S.C. 401a, the intelligence community 
includes: the Office of the Director of Central Intelligence Agency; 
the Office of the Deputy Director of Central Intelligence; the National 
Intelligence Council and other such offices as the Director may 
designate; the Central Intelligence Agency; the National Security 
Agency; the Defense Intelligence Agency; the National Imagery and 
Mapping Agency ; the National Reconnaissance Office; other offices 
within the DOD for the collection of specialized national intelligence 
through reconnaissance programs; the intelligence elements of the Army, 
the Navy, the Air Force, the Marine Corps, the Federal Bureau of 
Investigation, the Department of the Treasury, and the Department of 
Energy; the Bureau of Intelligence and Research of the Department of 
State; and such other elements of any other department or agency as may 
be designated by the President, or designated jointly by the Director 
of Central Intelligence and the head of the department or agency 
concerned, as an element of the intelligence community. It would have 
allowed a covered entity to use without individual authorization 
protected health information of employees of the intelligence 
community, and of their dependents, if such dependents were being 
considered for posting abroad. The final rule does not include such an 
exemption. Rather, the final rule does not except intelligence 
community employees and their dependents from the general rule 
requiring an authorization in order for protected health information to 
be used and disclosed.

National Security and Intelligence Activities

    The NPRM included a provision, in Sec. 164.510(f)--Disclosure for 
Law Enforcement Purposes--that would allow covered entities to disclose 
protected health information without consent for the conduct of lawful 
intelligence activities under the National Security Act, and in 
connection with providing protective services to the President or to 
foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 
2709(a)(3) respectively. The final rule preserves these exemptions, 
with slight modifications, but moves them from proposed Sec. 164.510(f) 
to Sec. 164.512(k). It also divides this area into two paragraphs--one 
called ``National Security and Intelligence Activities'' and the second 
called ``Protective services for the President and Others.''
    The final rule, with modifications, allows a covered entity to 
disclose protected health information to an authorized federal official 
for the conduct of lawful intelligence, counter-intelligence, and other 
national security activities authorized by the National Security Act 
and implementing authority (e.g., Executive Order 1233). The references 
to ``counter-intelligence and other national security activities'' are 
new to the final rule. The reference to ``implementing authority (e.g. 
Executive Order 12333)'' is also new. The final rule also adds 
specificity to the provision on protective services. It states that a 
covered entity may disclose protected health information to authorized 
federal officials for the provision of protective services to the 
President or other persons as authorized by 18 U.S.C. 3056, or to 
foreign heads of state or other persons as authorized by 22 U.S.C. 
2709(a)(3), or for the conduct of investigations authorized by 18 
U.S.C. 871 and 879.

Application to the State Department

    The final rule creates a narrower exemption for Department of State 
for uses and disclosures of protected health information (1) for 
purposes of a required security clearance conducted pursuant to 
Executive Orders 10450 and 12698; (2) as necessary to meet the 
requirements of determining worldwide availability or availability for 
mandatory service abroad under Sections 101(a)(4) and 504 of the 
Foreign Service Act; and (3) for a family member to accompany a Foreign 
Service Officer abroad, consistent with Section 101(b)(5) and 904 of 
the Foreign Service Act.
    Regarding security clearances, nothing prevents any employer from 
requiring that individuals provide authorization for the purpose of 
obtaining a security clearance. For the Department of State, however, 
the final rule provides a limited exemption that allows a component of 
the Department of State without an authorization to (1) use protected 
health information to make medical suitability determinations and (2) 
to disclose whether or not the individual was determined to be 
medically suitable to authorized officials in the Department of State 
for the purpose of a security clearance investigation conducted 
pursuant to Executive Order 10450 and 12698.
    Sections 101(a)(4) and 504 of the Foreign Service Act require that 
Foreign Service members be available to serve in assignments throughout 
the world. The final rule permits disclosures to officials who need 
protected health information to determine availability for duty 
worldwide.
    Section 101(b)(5) of the Foreign Service Act requires the 
Department of State to mitigate the impact of hardships, disruptions, 
and other unusual conditions on families of Foreign Service Officers. 
Section 904 requires the Department to establish a health care program 
to promote and maintain the physical and mental health of Foreign 
Service member family members. The final rule permits disclosure of 
protected health information to officials who need protected health 
information for a family member to accompany a Foreign Service member 
abroad.
    This exemption does not permit the disclosure of specific medical 
conditions, diagnoses, or other specific medical information. It 
permits only the disclosure of the limited information needed to 
determine whether the individual should be granted a security clearance 
or whether the Foreign Service member of his or her family members 
should be posted to a certain overseas assignment.

Application to Correctional Facilities

    The NPRM would have excluded the individually identifiable health 
information of correctional facility inmates and detention facility 
detainees from the definition of protected health information. Thus, 
none of the NPRM's

[[Page 82541]]

proposed privacy protections would have applied to correctional 
facility inmates or to detention facility detainees while they were in 
these facilities or after they had been released.
    The final rule takes a different approach. First, to clarify that 
we are referring to individuals who are incarcerated in correctional 
facilities that are part of the criminal justice system or in the 
lawful custody of a law enforcement official--and not to individuals 
who are ``detained'' for non-criminal reasons, for example, in 
psychiatric institutions--Sec. 164.512(k) covers disclosure of 
protected health information to correctional institutions or law 
enforcement officials having such lawful custody. In addition, where a 
covered health care provider is also a health care component of a 
correctional institution, the final rule permits the covered entity to 
use protected health information in all cases in which it is permitted 
to disclose such information.
    We define correctional institution as defined pursuant to 42 U.S.C. 
13725(b)(1), as a ``prison, jail, reformatory, work farm, detention 
center, or halfway house, or any other similar institution designed for 
the confinement or rehabilitation of criminal offenders.'' The rules 
regarding disclosure and use of protected health information specified 
in Sec. 164.512(k) cover individuals who are in transitional homes, and 
other facilities in which they are required by law to remain for 
correctional reasons and from which they are not allowed to leave. This 
section also covers individuals who are confined to psychiatric 
institutions for correctional reasons and who are not allowed to leave; 
however, it does not apply to disclosure of information about 
individuals in psychiatric institutions for treatment purposes only, 
who are not there due to a crime or under a mandate from the criminal 
justice system. The disclosure rules described in this section do not 
cover release of protected health information about individuals in 
pretrial release, probation, or on parole, such persons are not 
considered to be incarcerated in a correctional facility.
    As described in Sec. 164.512(k), correctional facility inmates' 
individually identifiable health information is not excluded from the 
definition of protected health information. When individuals are 
released from correctional facilities, they will have the same privacy 
rights that apply to all other individuals under this rule.
    Section 164.512(k) of the final rule states that while individuals 
are in a correctional facility or in the lawful custody of a law 
enforcement official, covered entities (for example, the prison's 
clinic) can use or disclose protected health information about these 
individuals without authorization to the correctional facility or the 
law enforcement official having custody as necessary for: (1) The 
provision of health care to such individuals; (2) the health and safety 
of such individual or other inmates; (3) the health and safety of the 
officers of employees of or others at the correctional institution; and 
(4) the health and safety of such individuals and officers or other 
persons responsible for the transporting of inmates or their transfer 
from one institution or facility to another; (5) law enforcement on the 
premises of the correctional institution; and (6) the administration 
and maintenance of the safety, security, and good order of the 
correctional institution. This section is intended to allow, for 
example, a prison's doctor to disclose to a van driver transporting a 
criminal that the individual is a diabetic and frequently has seizures, 
as well as information about the appropriate action to take if the 
individual has a seizure while he or she is being transported.
    We permit covered entities to disclose protected health information 
about these individuals if the correctional institution or law 
enforcement official represents that the protected health information 
is necessary for these purposes. Under 164.514(h), a covered entity may 
reasonably rely on the representation of such public officials.

Application to Public Benefits Programs Required to Share Eligibility 
Information

    We create a new provision for covered entities that are a 
government program providing public benefits. This provision allows the 
following disclosures of protected health information.
    First, where other law requires or expressly authorizes information 
relating to the eligibility for, or enrollment in more than one public 
program to be shared among such public programs and/or maintained in a 
single or combined data system, a public agency that is administering a 
health plan may maintain such a data base and may disclose information 
relating to such eligibility or enrollment in the health plan to the 
extent authorized by such other law.
    Where another public entity has determined that the appropriate 
balance between the need for efficient administration of public 
programs and public funds and individuals' privacy interests is to 
allow information sharing for these limited purposes, we do not upset 
that determination. For example, section 1137 of the Social Security 
Act requires a variety of public programs, including the Social 
Security program, state medicaid programs, the food stamp program, 
certain unemployment compensation programs, and others, to participate 
in a joint income and eligibility verification system. Similarly, 
section 222 of the Social Security Act requires the Social Security 
Administration to provide information to certain state vocational 
rehabilitation programs for eligibility purposes. In some instances, it 
is a covered entity that first collects or creates the information that 
is then disclosed for these systems. We do not prohibit those 
disclosures.
    This does not authorize these entities to share information for 
claims determinations or ongoing administration of these public 
programs. This provision is limited to the agencies and activities 
described above.
    Second, Sec. 164.512(k)(6) permits a covered entity that is a 
government agency administering a government program providing public 
benefits to disclose protected health information relating to the 
program to another covered entity that is a government agency 
administering a government program providing public benefits if the 
programs serve the same or similar populations and the disclosure of 
protected health information is necessary to coordinate the covered 
functions of such programs.
    The second provision permits covered entities that are government 
program providing public benefits that serve the same or similar 
populations to share protected health information for the purposes of 
coordinating covered functions of the programs and for general 
management and administration relating to the covered functions of the 
programs. Often, similar government health programs are administered by 
different government agencies. For example, in some states, the 
Medicaid program and the State Children's Health Insurance Program are 
administered by different agencies, although they serve similar 
populations. Many states coordinate eligibility for these two programs, 
and sometimes offer services through the same delivery systems and 
contracts. This provision would permit the covered entities 
administering these programs to share protected health information of 
program participants to coordinate enrollment and services and to 
generally improve the health care operations of the programs. We note 
that this provision does not authorize the

[[Page 82542]]

agencies to use or disclose the protected health information that is 
shared for purposes other than as provided for in this paragraph.

Section 164.512(l)--Disclosures For Workers' Compensation

    The NPRM did not contain special provisions permitting covered 
entities to disclose protected health information for the purpose of 
complying with workers' compensation and similar laws. Under HIPAA, 
workers' compensation and certain other forms of insurance (such as 
automobile or disability insurance) are ``excepted benefits.'' 
Insurance carriers that provide this coverage are not covered entities 
even though they provide coverage for health care services. To carry 
out their insurance functions, these non-covered insurers typically 
seek individually identifiable health information from covered health 
care providers and group health plans. In drafting the proposed rule, 
the Secretary was faced with the challenge of trying to carry out the 
statutory mandate of safeguarding the privacy of individually 
identifiable health information by regulating the flow of such 
information from covered entities while at the same time respecting the 
Congressional intent to shield workers' compensation carriers and other 
excepted benefit plans from regulation as covered entities.
    In the proposed rule we allowed covered entities to disclose 
protected health information without individual consent for purposes of 
treatment, payment or health care operations--even when the disclosure 
was to a non-covered entity such as a workers' compensation carrier. In 
addition, we allowed protected health information to be disclosed if 
required by state law for purposes of determining eligibility for 
coverage or fitness for duty. The proposed rule also required that 
whenever a covered entity disclosed protected health information to a 
non-covered entity, even though authorized under the rule, the 
individual who was the subject of the information must be informed that 
the protected health information was no longer subject to privacy 
protections.
    Like other disclosures under the proposed rule, the information 
provided to workers' compensation carriers for treatment, payment or 
health care operations was subject to the minimum necessary standard. 
However, to the extent that protected health information was disclosed 
to the carrier because it was required by law, it was not subject to 
the minimum necessary standard. In addition, individuals were entitled 
to an accounting when protected health information was disclosed for 
purposes other than treatment, payment or health care operations.
    In the final rule, we include a new provision in this section that 
clarifies the ability of covered entities to disclose protected health 
information without authorization to comply with workers' compensation 
and similar programs established by law that provide benefits for work-
related illnesses or injuries without regard to fault. Although most 
disclosures for workers' compensation would be permissible under other 
provisions of this rule, particularly the provisions that permit 
disclosures for payment and as required by law, we are aware of the 
significant variability among workers' compensation and similar laws, 
and include this provision to ensure that existing workers' 
compensation systems are not disrupted by this rule. We note that the 
minimum necessary standard applies to disclosures under this paragraph.
    Under this provision, a covered entity may disclose protected 
health information regarding an individual to a party responsible for 
payment of workers' compensation benefits to the individual, and to an 
agency responsible for administering and/or adjudicating the 
individual's claim for workers' compensation benefits. For purposes of 
this paragraph, workers' compensation benefits include benefits under 
programs such as the Black Lung Benefits Act, the federal Employees' 
Compensation Act, the Longshore and Harbor Workers' Compensation Act, 
and the Energy Employees' Occupational Illness Compensation Program 
Act.

Additional Considerations

    We have included a general authorization for disclosures under 
workers' compensation systems to be consistent with the intent of 
Congress, which defined workers' compensation carriers as excepted 
benefits under HIPAA. We recognize that there are significant privacy 
issues raised by how individually identifiable health information is 
used and disclosed in workers' compensation systems, and believe that 
states or the federal government should enact standards that address 
those concerns.

Section 164.514--Other Procedural Requirements Relating To Uses and 
Disclosures of Protected Health Information

Section 164.514(a)-(c)--De-identification

    In Sec. 164.506(d) of the NPRM, we proposed that the privacy 
standards would apply to ``individually identifiable health 
information,'' and not to information that does not identify the 
subject individual. The statute defines individually identifiable 
health information as certain health information:
    (i) Which identifies the individual, or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual.
    As we pointed out in the NPRM, difficulties arise because, even 
after removing obvious identifiers (e.g., name, social security number, 
address), there is always some probability or risk that any information 
about an individual can be attributed to that individual.
    The NPRM proposed two alternative methods for determining when 
sufficient identifying information has been removed from a record to 
render the information de-identified and thus not subject to the rule. 
First, the NPRM proposed the establishment of a ``safe harbor'': if all 
of a list of 19 specified items of information had been removed, and 
the covered entity had no reason to believe that the remaining 
information could be used to identify the subject of the information 
(alone or in combination with other information), the covered entity 
would have been presumed to have created de-identified information. 
Second, the NPRM proposed an alternative method so that covered 
entities with sufficient statistical experience and expertise could 
remove or encrypt a combination of information different from the 
enumerated list, using commonly accepted scientific and statistical 
standards for disclosure avoidance. Such covered entities would have 
been able to include information from the enumerated list of 19 items 
if they (1) believed that the probability of re-identification was very 
low, and (2) removed additional information if they had a reasonable 
basis to believe that the resulting information could be used to re-
identify someone.
    We proposed that covered entities and their business partners be 
permitted to use protected health information to create de-identified 
health information using either of these two methods. Covered entities 
would have been permitted to further use and disclose such de-
identified information in any way, provided that they did not disclose 
the key or other mechanism that would have enabled the information to 
be re-identified, and provided that they reasonably believed that such 
use or disclosure of de-identified information would not have resulted 
in the use or

[[Page 82543]]

disclosure of protected health information.
    A number of examples were provided of how valuable such de-
identified information would be for various purposes. We expressed the 
hope that covered entities, their business partners, and others would 
make greater use of de-identified health information than they do 
today, when it is sufficient for the purpose, and that such practice 
would reduce the burden and the confidentiality concerns that result 
from the use of individually identifiable health information for some 
of these purposes.
    In Secs. 164.514(a)-(c) of this final rule, we make several 
modifications to the provisions for de-identification. First, we 
explicitly adopt the statutory standard as the basic regulatory 
standard for whether health information is individually identifiable 
health information under this rule. Information is not individually 
identifiable under this rule if it does not identify the individual, or 
if the covered entity has no reasonable basis to believe it can be used 
to identify the individual. Second, in the implementation 
specifications we reformulate the two ways in which a covered entity 
can demonstrate that it has met the standard.
    One way a covered entity may demonstrate that it has met the 
standard is if a person with appropriate knowledge and experience 
applying generally accepted statistical and scientific principles and 
methods for rendering information not individually identifiable makes a 
determination that the risk is very small that the information could be 
used, either by itself or in combination with other available 
information, by anticipated recipients to identify a subject of the 
information. The covered entity must also document the analysis and 
results that justify the determination. We provide guidance regarding 
this standard in our responses to the comments we received on this 
provision.
    We also include an alternate, safe harbor, method by which covered 
entities can demonstrate compliance with the standard. Under the safe 
harbor, a covered entity is considered to have met the standard if it 
has removed all of a list of enumerated identifiers, and if the covered 
entity has no actual knowledge that the information could be used alone 
or in combination to identify a subject of the information. We note 
that in the NPRM, we had proposed that to meet the safe harbor, a 
covered entity must have ``no reason to believe'' that the information 
remained identifiable after the enumerated identifiers were removed. In 
the final rule, we have changed the standard to one of actual knowledge 
in order to provide greater certainty to covered entities using the 
safe harbor approach.
    In the safe harbor, we explicitly allow age and some geographic 
location information to be included in the de-identified information, 
but all dates directly related to the subject of the information must 
be removed or limited to the year, and zip codes must be removed or 
aggregated (in the form of most 3-digit zip codes) to include at least 
20,000 people. Extreme ages of 90 and over must be aggregated to a 
category of 90+ to avoid identification of very old individuals. Other 
demographic information, such as gender, race, ethnicity, and marital 
status are not included in the list of identifiers that must be 
removed.
    The intent of the safe harbor is to provide a means to produce some 
de-identified information that could be used for many purposes with a 
very small risk of privacy violation. The safe harbor is intended to 
involve a minimum of burden and convey a maximum of certainty that the 
rules have been met by interpreting the statutory ``reasonable basis to 
believe that the information can be used to identify the individual'' 
to produce an easily followed, cook book approach.
    Covered entities may use codes and similar means of marking records 
so that they may be linked or later re-identified, if the code does not 
contain information about the subject of the information (for example, 
the code may not be a derivative of the individual's social security 
number), and if the covered entity does not use or disclose the code 
for any other purpose. The covered entity is also prohibited from 
disclosing the mechanism for re-identification, such as tables, 
algorithms, or other tools that could be used to link the code with the 
subject of the information.
    Language to clarify that covered entities may contract with 
business associates to perform the de-identification has been added to 
the section on business associates.

Section 164.514(d)--Minimum Necessary

    The proposed rule required a covered entity to make all reasonable 
efforts not to use or disclose more than the minimum amount of 
protected health information necessary to accomplish the intended 
purpose of the use or disclosure (proposed Sec. 164.506(b)).
    The proposed minimum necessary standard did not apply to uses or 
disclosures that were made by covered entities at the request of the 
individual, either to allow the individual access to protected health 
information about him or her or pursuant to an authorization initiated 
by the individual. The requirement also did not apply to uses and 
disclosures made: pursuant to the compliance and enforcement provisions 
of the rule; as required by law and permitted by the regulation without 
individual authorization; by a covered health care provider to a health 
plan, when the information was requested for audit and related 
purposes. Finally, the standard did not apply to the HIPAA 
administrative simplification transactions.
    The proposed implementation specifications would have required a 
covered entity to have procedures to: (i) Identify appropriate persons 
within the entity to determine what information should be used or 
disclosed consistent with the minimum necessary standard; (ii) ensure 
that those persons make the minimum necessary determinations, when 
required; and (iii) within the limits of the entity's technological 
capabilities, provide for the making of such determinations 
individually. The proposal allowed a covered entity, when making 
disclosures to public officials that were permitted without individual 
authorization but not required by other law, to reasonably rely on the 
representations of such officials that the information requested was 
the minimum necessary for the stated purpose(s).
    The preamble provided further guidance. The preamble explained that 
covered entities could not have general policies of approving all 
requests (or all requests of a particular type) without carefully 
considering certain criteria (see ``Criteria,'' below) as well as other 
information specific to the request. The minimum necessary 
determination would have needed to be consistent with and directly 
related to the purpose of the use or disclosure. Where there was 
ambiguity regarding the information to be used or disclosed, the 
preamble directed covered entities to interpret the ``minimum 
necessary'' standard to ``require'' the covered entity to make some 
effort to limit the amount of protected health information used/
disclosed.
    The proposal would have required the minimum necessary 
determination to take into consideration the ability of a covered 
entity to delimit the amount of information used or disclosed. The 
preamble noted that these determinations would have to be made under a 
reasonableness standard: covered entities would be required to make 
reasonable efforts and to incur reasonable expense to limit the use or

[[Page 82544]]

disclosure. The ``reasonableness'' of limiting particular uses or 
disclosures was to be determined based on the following factors (which 
were not included in the regulatory text):
    a. The extent to which the use or disclosure would extend the 
number of persons with access to the protected health information.
    b. The likelihood that further uses or disclosures of the protected 
health information could occur.
    c. The amount of protected health information that would be used or 
disclosed.
    d. The importance of the use or disclosure.
    e. The potential to achieve substantially the same purpose with de-
identified information. For disclosures, each covered entity would have 
been required to have policies for determining when protected health 
information must be stripped of identifiers.
    f. The technology available to limit the amount of protected health 
information used/disclosed.
    g. The cost of limiting the use/disclosure.
    h. Any other factors that the covered entity believed were relevant 
to the determination.
    The proposal shifted the ``minimum necessary'' burden off of 
covered providers when they were being audited by a health plan. The 
preamble explained that the duty would have been shifted to the payor 
to request the minimum necessary information for the audit purpose, 
although the regulatory text did not include such a requirement. 
Outside of the audit context, the preamble stated that a health plan 
would be required, when requesting a disclosure, to limit its requests 
to the information required to achieve the purpose of the request; the 
regulation text did not include this requirement.
    The preamble stated that disclosure of an entire medical record, in 
response to a request for something other than the entire medical 
record, would presumptively violate the minimum necessary standard.
    This final rule significantly modifies the proposed requirements 
for implementing the minimum necessary standard. For all uses and many 
disclosures and requests for disclosures from other covered entities, 
we require covered entities to implement policies and procedures for 
``minimum necessary'' uses and disclosures. Implementation of such 
policies and procedures is required in lieu of making the ``minimum 
necessary'' determination for each separate use or disclosure as 
discussed in the proposal. Disclosures to or requests by a health care 
provider for treatment purposes are not subject to the standard (see 
Sec. 164.502).
    Specifically (and as further described below), the proposed 
requirement for individual review of all uses of protected health 
information is replaced with a requirement for covered entities to 
implement policies and procedures that restrict access and uses based 
on the specific roles of members of the covered entity's workforce. 
Routine disclosures also are not subject to individual review; instead, 
covered entities must implement policies and procedures to limit the 
protected health information in routine disclosures to the minimum 
necessary to achieve the purpose of that type of disclosure. The 
proposed exclusion of disclosures to health plans for audit purposes is 
deleted and replaced with a general requirement that covered entities 
must limit requests to other covered entities for individually 
identifiable health information to what is reasonably necessary for the 
use or disclosure intended. The other exclusions from the standard are 
unchanged from the proposed rule (e.g., for individuals' access to 
information about themselves, pursuant to an authorization initiated by 
the individual, for enforcement of this rule, as required by law).
    The language of the basic ``standard'' itself is largely unchanged; 
covered entities must make reasonable efforts to use or disclose or to 
request from another covered entity, only the minimum amount of 
protected health information required to achieve the purpose of a 
particular use or disclosure. We delete the word ``all'' from the 
``reasonable efforts'' that covered entities must take in making a 
``minimum necessary'' determination. The implementation specifications 
are significantly modified, and differ based on whether the activity is 
a use or disclosure.
    Similarly, a ``minimum necessary'' disclosure for oversight 
purposes in accordance with Sec. 164.512(d) could include large numbers 
of records to allow oversight agencies to perform statistical analyses 
to identify deviations in payment or billing patterns, and other data 
analyses.

Uses of Protected Health Information

    A covered entity must implement policies and procedures to identify 
the persons or classes of persons in the entity's workforce who need 
access to protected health information to carry out their duties, the 
category or categories of protected health information to which such 
persons or classes need access, and the conditions, as appropriate, 
that would apply to such access. Covered entities must also implement 
policies and procedures to limit access to only the identified persons, 
and only to the identified protected health information. The policies 
and procedures must be based on reasonable determinations regarding the 
persons or classes of persons who require protected health information, 
and the nature of the health information they require, consistent with 
their job responsibilities.
    For example, a hospital could implement a policy that permitted 
nurses access to all protected health information of patients in their 
ward while they are on duty. A health plan could permit its 
underwriting analysts unrestricted access to aggregate claims 
information for rate setting purposes, but require documented approval 
from its department manager to obtain specific identifiable claims 
records of a member for the purpose of determining the cause of 
unexpected claims that could influence renewal premium rate setting.
    The ``minimum necessary'' standard is intended to reflect and be 
consistent with, not override, professional judgment and standards. For 
example, we expect that covered entities will implement policies that 
allow persons involved in treatment to have access to the entire 
record, as needed.

Disclosures of Protected Health Information

    For any type of disclosure that is made on a routine, recurring 
basis, a covered entity must implement policies and procedures (which 
may be standard protocols) that permit only the disclosure of the 
minimum protected health information reasonably necessary to achieve 
the purpose of the disclosure. Individual review of each disclosure is 
not required. Instead, under Sec. 164.514(d)(3), these policies and 
procedures must identify the types of protected health information to 
be disclosed, the types of persons who would receive the protected 
health information, and the conditions that would apply for such 
access. We recognize that specific disclosures within a type may vary, 
and require that the policies address what is the norm for the type of 
disclosure involved. For example, a covered entity may decide to 
participate in research studies and therefore establish a protocol to 
minimize the information released for such purposes, e.g., by requiring 
researchers requesting disclosure of data contained in paper-based 
records to review the paper records on-site and to

[[Page 82545]]

abstract only the information relevant to the research. Covered 
entities must develop policies and procedures (which may be standard 
protocols) to apply to disclosures to routinely hired types of business 
associates. For instance, a standard protocol could describe the subset 
of information that may be disclosed to medical transcription services.
    For non-routine disclosures, a covered entity must develop 
reasonable criteria for determining, and limiting disclosure to, only 
the minimum amount of protected health information necessary to 
accomplish the purpose of the disclosure. They also must establish and 
implement procedures for reviewing such requests for disclosures on an 
individual basis in accordance with these criteria.
    Disclosures to health care providers for treatment purposes are not 
subject to these requirements.
    Covered entities' policies and procedures must provide that 
disclosure of an entire medical record will not be made except pursuant 
to policies which specifically justify why the entire medical record is 
needed. For instance, disclosure of all protected health information to 
an accreditation group would not necessarily violate the regulation, 
because the entire record may be the ``minimum necessary'' for its 
purpose; covered entities may establish policies allowing for and 
justifying such a disclosure. Disclosure of the entire medical record 
absent such documented justification is a presumptive violation of this 
rule.

Requests for Protected Health Information

    For requests for protected health information from other covered 
entities made on a routine, recurring basis, the requesting covered 
entities' policies and procedures may establish standard protocols 
describing what information is reasonably necessary for the purposes 
and limiting their requests to only that information, in lieu of making 
this determination individually for each request. For all other 
requests, the policies and procedures must provide for review of the 
requests on an individualized basis. A request by a covered entity may 
be made in order to obtain information that will subsequently be 
disclosed to a third party, for example, to obtain information that 
will then be disclosed to a business associate for quality assessment 
purposes; such requests are subject to this requirement.
    Covered entities' policies and procedures must provide that 
requests for an entire medical record will not be made except pursuant 
to policies which specifically justify why the entire medical record is 
needed. For instance, a health plan's request for all protected health 
information from an applicant for insurance would not necessarily 
violate the regulation, because the entire record may be the ``minimum 
necessary'' for its purpose. Covered entities may establish policies 
allowing for and justifying such a request. A request for the entire 
medical record absent such documented justification is a presumptive 
violation of this rule.

Reasonable Reliance

    A covered entity may reasonably rely on the assertion of a 
requesting covered entity that it is requesting the minimum protected 
health information necessary for the stated purpose. A covered entity 
may also rely on the assertions of a professional (such as attorneys 
and accountants) who is a member of its workforce or its business 
associate regarding what protected health information he or she needs 
in order to provide professional services to the covered entity when 
such person represents that the information requested is the minimum 
necessary. As we proposed in the NPRM, covered entities making 
disclosures to public officials that are permitted under Sec. 164.512 
may rely on the representation of a public official that the 
information requested is the minimum necessary.

Uses and Disclosures for Research

    In making a minimum necessary determination regarding the use or 
disclosure of protected health information for research purposes, a 
covered entity may reasonably rely on documentation from an IRB or 
privacy board describing the protected health information needed for 
research and consistent with the requirements of Sec. 164.512(i), 
``Uses and Disclosures for Research Purposes.'' A covered entity may 
also reasonably rely on a representation made by the requestor that the 
information is necessary to prepare a research protocol or for research 
on decedents. The covered entity must ensure that the representation or 
documentation of IRB or privacy board approval it obtains from a 
researcher describes with sufficient specificity the protected health 
information necessary for the research. Covered entities must use or 
disclose such protected health information in a manner that minimizes 
the scope of the use or disclosure.

Standards for Electronic Transactions

    We clarify that under Sec. 164.502(b)(2)(v), covered entities are 
not required to apply the minimum necessary standard to the required or 
situational data elements specified in the implementation guides for 
HIPAA administrative simplification standard transactions in the 
Transactions Rule. The standard does apply for uses or disclosures in 
standard transactions that are made at the option of the covered 
entity.

Section 164.514(e)--Marketing

    In the proposed rule, we would have required covered entities to 
obtain the individual's authorization in order to use or disclose 
protected health information to market health and non-health items and 
services.
    We have made a number of changes in the final rule that relate to 
marketing. In the final rule, we retain the general rule that covered 
entities must obtain the individual's authorization before making uses 
or disclosures of protected health information for marketing. However, 
we add a new definition of ``marketing'' that clarifies that certain 
activities, such as communications made by a covered entity for the 
purpose of describing the products and services it provides, are not 
marketing. See Sec. 164.501 and the associated preamble regarding the 
definition of marketing. In the final rule we also permit covered 
entities to use and disclose protected health information for certain 
marketing activities without individual authorization, subject to 
conditions enumerated at Sec. 164.514(e).
    First, Sec. 164.514(e) permits a covered entity to use or disclose 
protected health information without individual authorization to make a 
marketing communication if the communication occurs in a face-to-face 
encounter with the individual. This provision would permit a covered 
entity to discuss any services and products, including those of a 
third-party, without restriction during a face-to-face communication. A 
covered entity also could give the individual sample products or other 
information in this setting.
    Second, we permit a covered entity to use or disclose protected 
health information without individual authorization to make marketing 
communications involving products or services of only nominal value. 
This provision ensures that covered entities do not violate the rule 
when they distribute calendars, pens and other merchandise that 
generally promotes the covered entity.
    Third, we permit a covered entity to use or disclose protected 
health information without individual authorization to make marketing 
communications about the health-

[[Page 82546]]

related products or services of the covered entity or of a third party 
if the communication: (1) Identifies the covered entity as the party 
making the communication; (2) to the extent that the covered entity 
receives direct or indirect remuneration from a third-party for making 
the communication, prominently states that fact; (3) except in the case 
of a general communication (such as a newsletter), contains 
instructions describing how the individual may opt-out of receiving 
future communications about health-related products and services; and 
(4) where protected health information is used to target the 
communication about a product or service to individuals based on their 
health status or health condition, explains why the individual has been 
targeted and how the product or service relates to the health of the 
individual. The final rule also requires a covered entity to make a 
determination, prior to using or disclosing protected health 
information to target a communication to individuals based on their 
health status or condition, that the product or service may be 
beneficial to the health of the type or class of individual targeted to 
receive the communication.
    This third provision accommodates the needs of health care entities 
to be able to discuss their own health-related products and services, 
or those of third parties, as part of their everyday business and as 
part of promoting the health of their patients and enrollees. The 
provision is restricted to uses by covered entities or disclosures to 
their business associates pursuant to a contract that requires 
confidentiality, ensuring that protected health information is not 
distributed to third parties. To provide individuals with a better 
understanding of how their protected health information is being used 
for marketing, the provision requires that the communication identify 
that the covered entity is the source of the communication; a covered 
entity may not send out information about the product of a third party 
without disclosing to the individual where the communication 
originated. We also require covered entities to disclose any direct or 
indirect remuneration from third parties. This requirement permits 
individuals to better understand why they are receiving a 
communication, and to weigh the extent to which their information is 
being used to promote their health or to enrich the covered entity. 
Covered entities also are required to include in their communication 
(unless it is a general newsletter or similar device) how the 
individual may prevent further communications about health-related 
products and services. This provision enhances individuals' control 
over how their information is being used. Finally, where a covered 
entity targets communications to individuals on the basis of their 
health status or condition, we require that the entity make a 
determination that the product or service being communicated may be 
beneficial to the health of the type of individuals targeted, and that 
the communication to the targeted individuals explain why they have 
been targeted and how the product or service relates to their health. 
This final provision balances the advantages that accrue from health 
care entities informing their patients and enrollees of new or valuable 
health products with individuals' expectations that their protected 
health information will be used to promote their health.

Section 164.514(f)--Fundraising

    We proposed in the NPRM to require covered entities to obtain 
authorization from an individual in order to use the individual's 
protected health information for fundraising activities.
    As noted in Sec. 164.501, in the final rule we define fundraising 
on behalf of a covered entity to be a health care operation. In 
Sec. 164.514, we permit a covered entity to use protected health 
information without individual authorization for fundraising on behalf 
of itself, provided that it limits the information that it uses to 
demographic information about the individual and the dates that it has 
provided service to the individual (see the Sec. 164.501 discussion of 
``health care operations''). In addition, we require fundraising 
materials to explain how the individual may opt out of any further 
fundraising communications, and covered entities are required to honor 
such requests. We permit a covered entity to disclose the limited 
protected health information to a business associate for fundraising on 
its own behalf. We also permit a covered entity to disclose the 
information to an institutionally related foundation.
    By ``institutionally related foundation,'' we mean a foundation 
that qualifies as a nonprofit charitable foundation under section 
501(c)(3) of the Internal Revenue Code and that has in its charter 
statement of charitable purposes an explicit linkage to the covered 
entity. An institutionally related foundation may, as explicitly stated 
in its charter, support the covered entity as well as other covered 
entities or health care providers in its community. For example, a 
covered hospital may disclose for fundraising on its own behalf the 
specified protected health information to a nonprofit foundation 
established for the specific purpose of raising funds for the hospital 
or to a foundation that has as its mission the support of the members 
of a particular hospital chain that includes the covered hospital. The 
term does not include an organization with a general charitable 
purpose, such as to support research about or to provide treatment for 
certain diseases, that may give money to a covered entity, because its 
charitable purpose is not specific to the covered entity.

Section 164.514(g)--Underwriting

    As described under the definition of ``health care operations'' 
(Sec. 164.501), protected health information may be used or disclosed 
for underwriting and other activities relating to the creation, 
renewal, or replacement of a contract of health insurance or health 
benefits. This final rule includes a requirement, not included in the 
NPRM, that health plans receiving such information for these purposes 
may not use or disclose it for any other purpose, except as may be 
required by law, if the insurance or benefits contract is not placed 
with the health plan.

Section 164.514(h)--Verification of Identity and Authority of Persons 
Requesting Protected Health Information

Disclosure of Protected Health Information

    We reorganize the provision regarding verification of identity of 
individuals requesting protected health information to improve clarity, 
but we retain the substance of requirements proposed in the NPRM in 
Sec. 164.518(c), as follows.
    The covered entity must establish and use written policies and 
procedures (which may be standard protocols) that are reasonably 
designed to verify the identity and authority of the requestor where 
the covered entity does not know the person requesting the protected 
health information. The knowledge of the person may take the form of a 
known place of business, address, phone or fax number, as well a known 
human being. Where documentation, statements or representations, 
whether oral or written, from the person requesting the protected 
health information is a condition of disclosure under this rule or 
other law, this verification must involve obtaining such documentation 
statement, or representation. In such a case, additional verification 
is only required where this regulation (or other law)

[[Page 82547]]

requires additional proof of authority and identity.
    The NPRM proposed that covered entities would be permitted to rely 
on the required documentation of IRB or privacy board approval to 
constitute sufficient verification that the person making the request 
was a researcher and that the research is authorized. The final rule 
retains this provision.
    For most disclosures, verifying the authority for the request means 
taking reasonable steps to verify that the request is lawful under this 
regulation. Additional proof is required by other provisions of this 
regulation where the request is made pursuant to Sec. 164.512 for 
national priority purposes. Where the person requesting the protected 
health information is a public official, covered entities must verify 
the identity of the requester by examination of reasonable evidence, 
such as a written statement of identity on agency letterhead, an 
identification badge, or similar proof of official status. Similarly, 
covered entities are required to verify the legal authority supporting 
the request by examination of reasonable evidence, such as a written 
request provided on agency letterhead that describes the legal 
authority for requesting the release. Where Sec. 164.512 explicitly 
requires written evidence of legal process or other authority before a 
disclosure may be made, a public official's proof of identity and the 
official's oral statement that the request is authorized by law are not 
sufficient to constitute the required reasonable evidence of legal 
authority; under these provisions, only the required written evidence 
will suffice.
    In some circumstances, a person or entity acting on behalf of a 
government agency may make a request for disclosure of protected health 
information under these subsections. For example, public health 
agencies may contract with a nonprofit agency to collect and analyze 
certain data. In such cases, the covered entity is required to verify 
the requestor's identity and authority through examination of 
reasonable documentation that the requestor is acting on behalf of the 
government agency. Reasonable evidence includes a written request 
provided on agency letterhead that describes the legal authority for 
requesting the release and states that the person or entity is acting 
under the agency's authority, or other documentation, including a 
contract, a memorandum of understanding, or purchase order that 
confirms that the requestor is acting on behalf of the government 
agency.
    In some circumstances, identity or authority will be verified as 
part of meeting the underlying requirements for disclosure. For 
example, a disclosure under Sec. 164.512(j)(1)(i) to avert an imminent 
threat to safety is lawful only if made in the good faith belief that 
the disclosure is necessary to prevent or lessen a serious and imminent 
threat to the health or safety of a person or the public, and to a 
person reasonably able to prevent or lessen the threat. If these 
conditions are met, no further verification is needed. In such 
emergencies, the covered entity is not required to demand written proof 
that the person requesting the protected health information is legally 
authorized. Reasonable reliance on verbal representations are 
appropriate in such situations.
    Similarly, disclosures permitted under Sec. 164.510(a) for facility 
directories may be made to the general public; the covered entity's 
policies and procedures do not need to address verifying the identity 
and authority for these disclosures. In Sec. 164.510(b) we do not 
require verification of identity for persons assisting in an 
individual's care or for notification purposes. For disclosures when 
the individual is not present, such as when a friend is picking up a 
prescription, we allow the covered entity to use professional judgment 
and experience with common practice to make reasonable inferences.
    Under Sec. 164.524, a covered entity is required to give 
individuals access to protected health information about them (under 
most circumstances). Under the general verification requirements of 
Sec. 164.514(h), the covered entity is required to take reasonable 
steps to verify the identity of the individual making the request. We 
do not mandate particular identification requirements (e.g., drivers 
licence, photo ID), but rather leave this to the discretion of the 
covered entity. The covered entity must also establish and document 
procedures for verification of identity and authority of personal 
representatives, if not known to the entity. For example, a health care 
provider can require a copy of a power of attorney, or can ask 
questions to determine that an adult acting for a young child has the 
requisite relationship to the child.
    In Subpart C of Part 160, we require disclosure to the Secretary 
for purposes of enforcing this regulation. When a covered entity is 
asked by the Secretary to disclose protected health information for 
compliance purposes, the covered entity must verify the same 
information that it is required to verify for any other law enforcement 
or oversight request for disclosure.

Use of Protected Health Information

    The proposed rule's verification requirements applied to any person 
requesting protected health information, whether for a use or a 
disclosure. In the final regulation, the verification provisions apply 
only to disclosures of protected health information. The requirements 
in Sec. 164.514(d), for implementation of policies and procedures for 
``minimum necessary'' uses of protected health information, are 
sufficient to ensure that only appropriate persons within a covered 
entity will have access to protected health information.

Section 164.520--Notice of Privacy Practices for Protected Health 
Information

Section 164.520(a)--Right to Notice

    We proposed to establish a right for individuals to receive 
adequate notice of how covered health care providers and health plans 
use and disclose protected health information, and of the individual's 
rights with respect to that information.
    In the final regulation, we retain the general right for 
individuals to receive and the requirement for covered entities to 
produce a notice of privacy practices, with significant modifications 
to the content and distribution requirements.
    We also modify the requirements with respect to certain covered 
entities. First, in Sec. 164.500(b)(2), we clarify that a health care 
clearinghouse that creates or receives protected health information 
other than as a business associate of a covered entity must produce a 
notice. If a health care clearinghouse creates or receives protected 
health information only as a business associate of other covered 
entities, it is not required to produce a notice.
    Second, in Sec. 164.520(a)(2), we clarify the notice requirements 
with respect to group health plans. Individuals who receive health 
benefits under a group health plan other than through insurance are 
entitled to a notice from the group health plan; self-insured group 
health plans must maintain a notice that meets the requirements of this 
section and must provide the notice in accordance with the requirements 
of Sec. 164.520(c). At a minimum, the self-insured group health plan's 
notice must describe the group health plan's privacy practices with 
respect to the protected health information it creates or receives 
through its self-insured arrangements. For example, if a group health 
plan maintains both fully-insured and self-insured arrangements, the 
group health plan must, at a minimum, maintain and provide a notice 
that describes its

[[Page 82548]]

privacy practices with respect to protected health information it 
creates or receives through the self-insured arrangements. This notice 
would be distributed to all participants in the self-insured 
arrangements (in accordance with Sec. 164.520(c)(1)) and would also be 
available on request to other persons, including participants in the 
fully-insured arrangements.
    Individuals who receive health benefits under a group health plan 
through an insurance contract (i.e., a fully-insured group health plan) 
are entitled to a notice from the issuer or HMO through which they 
receive their health benefits. The health insurance issuer or HMO must 
maintain and provide the notice in accordance with Sec. 164.520(c)(1). 
In addition, some fully-insured group health plans are required to 
maintain and provide a notice of the group health plan's privacy 
practices. If a group health plan provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and the group health plan creates or receives protected health 
information in addition to summary information (as defined in 
Sec. 164.504(a)) and information about individuals' enrollment in or 
disenrollment from a health insurance issuer or HMO offered by the 
group health plan, the group health plan must maintain a notice that 
meets the requirements of this section and must provide the notice upon 
request of any person. The group health plan is not required to meet 
the other distribution requirements of Sec. 164.520(c)(1). Individuals 
enrolled in such group health plans have the right to notice of the 
health insurance issuer or HMO's privacy practices and, on request, to 
notice of the group health plan's privacy practices. If the group 
health plan, however, provides health benefits solely through an 
insurance contract with a health insurance issuer or HMO, and the only 
protected health information the group health plan creates or receives 
is summary information (as defined in Sec. 164.504(a)) and information 
about individuals' enrollment in or disenrollment from a health 
insurance issuer or HMO offered by the group health plan, the group 
health plan is not required to maintain or provide a notice under this 
section. In this case, the individuals enrolled in the group health 
plan would receive notice of the health insurance issuer or HMO's 
privacy practices, but would not be entitled to notice of the group 
health plan's privacy practices.
    Third, in Sec. 164.520(a)(3), we clarify that inmates do not have a 
right to notice under this section and a correctional institution that 
is a covered entity is not required to produce a notice. No person, 
including a current or former inmate, has the right to notice of such a 
covered entity's privacy practices.

Section 164.520(b)--Content of Notice

    We proposed to require the notice to be written in plain language 
and contain each of the following elements: a description of the uses 
and disclosures expected to be made without individual authorization; 
statements that other uses and disclosures would be made only with the 
individual's authorization and that the individual could revoke such 
authorization; descriptions of the rights to request restrictions, 
inspect and copy protected health information, amend or correct 
protected health information, and receive an accounting of disclosures 
of protected health information; statements about the entity's legal 
requirements to protect privacy, provide notice, and adhere to the 
notice; a statement about how individuals would be informed of changes 
to the entity's policies and procedures; instructions on how to make 
complaints with the entity or Secretary; the name and telephone number 
of a contact person or office; and the date the notice was produced. We 
provided a model notice of information policies and procedures for 
covered health care providers.
    In Sec. 164.520(b), and immediately below in this preamble, we 
describe the notice content requirements for the final rule. As 
described in detail, below, we make substantial changes to the uses and 
disclosures of protected health information that must be described in 
the notice. Unlike the proposed rule, we do not include a model notice. 
We intend to develop further guidance on notice requirements prior to 
the compliance date of this rule. In this section of the final rule, we 
also refer to the covered entity's privacy ``practices,'' rather than 
its ``policies and procedures.'' The purpose of this change in 
vocabulary is to clarify that a covered entity's ``policies and 
procedures'' is a detailed documentation of all of the entity's privacy 
practices as required under this rule, not just those described in the 
notice. For example, we require covered entities to have policies and 
procedures implementing the requirements for ``minimum necessary'' uses 
and disclosures of protected health information, but these policies and 
procedures need not be reflected in the entity's notice. Similarly, we 
require covered entities to have policies and procedures for assuring 
individuals access to protected health information about them. While 
such policies and procedures will need to include documentation of the 
designated record sets subject to access, who is authorized to 
determine when information will be withheld from an individual, and 
similar details, the notice need only explain generally that 
individuals have the right to inspect and copy information about them, 
and tell individuals how to exercise that right.
    A covered entity that adopts and follows the notice content and 
distribution requirements described below will have provided adequate 
notice. However, the requirements for the content of the notice are not 
intended to be exclusive. As with the rest of the rule, we specify 
minimum requirements, not best practices. Covered entities may want to 
include more detail. We note that all federal agencies must still 
comply with the Privacy Act of 1974. This means that federal agencies 
that are covered entities or have covered health care components must 
comply with the notice requirements of the Privacy Act as well as those 
included in this rule.
    In addition, covered entities may want or be required to produce 
more than one notice in order to satisfy the notice content 
requirements under this rule. For example, a covered entity that 
conducts business in multiple states with different laws regarding the 
uses and disclosures that the covered entity is permitted to make 
without authorization may be required to produce a different notice for 
each state. A covered entity that conducts business both as part of an 
organized health care arrangement or affiliated covered entity and as 
an independent enterprise (e.g., a physician who sees patients through 
an on-call arrangement with a hospital and through an independent 
private practice) may want to adopt different privacy practices with 
respect to each line of business; such a covered entity would be 
required to produce a different notice describing the practices for 
each line of business. Covered entities must produce notices that 
accurately describe the privacy practices that are relevant to the 
individuals receiving the notice.

Required Elements

Plain Language
    As in the proposed rule, we require the notice to be written in 
plain language. A covered entity can satisfy the plain language 
requirement if it makes a reasonable effort to: organize material to 
serve the needs of the reader; write short sentences in the active 
voice, using ``you'' and other pronouns; use common, everyday words in 
sentences; and divide material into short sections.

[[Page 82549]]

    We do not require particular formatting specifications, such as 
easy-to-read design features (e.g., lists, tables, graphics, 
contrasting colors, and white space), type face, and font size. 
However, the purpose of the notice is to inform the recipients about 
their rights and how protected health information collected about them 
may be used or disclosed. Recipients who cannot understand the covered 
entity's notice will miss important information about their rights 
under this rule and about how the covered entity is protecting health 
information about them. One of the goals of this rule is to create an 
environment of open communication and transparency with respect to the 
use and disclosure of protected health information. A lack of clarity 
in the notice could undermine this goal and create misunderstandings. 
Covered entities have an incentive to make their notice statements 
clear and concise. We believe that the more understandable the notice 
is, the more confidence the public will have in the covered entity's 
commitment to protecting the privacy of health information.
    It is important that the content of the notice be communicated to 
all recipients and therefore we encourage the covered entity to 
consider alternative means of communicating with certain populations. 
We note that any covered entity that is a recipient of federal 
financial assistance is generally obligated under Title VI of the Civil 
Rights Act of 1964 to provide material ordinarily distributed to the 
public in the primary languages of persons with limited English 
proficiency in the recipients' service areas. Specifically, this Title 
VI obligation provides that, where a significant number or proportion 
of the population eligible to be served or likely to be directly 
affected by a federally assisted program needs service or information 
in a language other than English in order to be effectively informed of 
or participate in the program, the recipient shall take reasonable 
steps, considering the scope of the program and the size and 
concentration of such population, to provide information in languages 
appropriate to such persons. For covered entities not subject to Title 
VI, the Title VI standards provide helpful guidance for effectively 
communicating the content of their notices to non-English speaking 
populations.
    We also encourage covered entities to be attentive to the needs of 
individuals who cannot read. For example, an employee of the covered 
entity could read the notice to individuals upon request or the notice 
could be incorporated into a video presentation that is played in the 
waiting area.
Header
    Unlike the proposed rule, covered entities must include prominent 
and specific language in the notice that indicates the importance of 
the notice. This is the only specific language we require covered 
entities to include in the notice. The header must read, ``THIS NOTICE 
DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED 
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT 
CAREFULLY.''
Uses and Disclosures
    We proposed to require covered entities to describe in plain 
language the uses and disclosures of protected health information, and 
the covered entity's policies and procedures with respect to such uses 
and disclosures, that the health plan or covered provider expected to 
make without individual authorization. The covered provider or health 
plan would have had to distinguish between those uses and disclosures 
required by law and those permitted but not required by law.
    We also proposed to require covered health care providers and 
health plans to state in the notice that all other uses and disclosures 
would be made only with the individual's authorization and that such 
authorization could be revoked. The notice would also have been 
required to state that the individual could request restrictions on 
certain uses and disclosures and that the covered entity would not be 
required to agree to such a request.
    We significantly modify these requirements in the final rule. 
Covered entities must describe all uses and disclosures of protected 
health information that they are permitted or required to make under 
this rule without authorization, including those uses and disclosures 
subject to the consent requirements under Sec. 164.506. If other 
applicable law prohibits or materially limits the covered entity's 
ability to make any uses or disclosures that would otherwise be 
permitted under the rule, the covered entity must describe only the 
uses and disclosures permitted under the more stringent law.
    Covered entities must separately describe each purpose for which 
they are permitted to use or disclose protected health information 
under this rule without authorization, and must do so in sufficient 
detail to place the individual on notice of those uses and disclosures. 
With respect to uses and disclosures to carry out treatment, payment, 
and health care operations, the description must include at least one 
example of the types of uses and disclosures that the covered entity is 
permitted to make. This requirement is intended to inform individuals 
of all the uses and disclosures that the covered entity is legally 
required or permitted to make under applicable law, even if the covered 
entity does not anticipate actually making such uses and disclosures. 
We do not require covered entities to distinguish in their notices 
between those uses and disclosures required by law and those permitted 
but not required by law.
    Unlike the proposed rule, we additionally require covered entities 
that wish to contact individuals for any of the following activities to 
list these activities in the notice: providing appointment reminders, 
describing or recommending treatment alternatives, providing 
information about health-related benefits and services that may be of 
interest to the individual, or soliciting funds to benefit the covered 
entity. If the covered entity does not include these statements in its 
notice, it is prohibited from using or disclosing protected health 
information for these activities without authorization. See 
Sec. 164.502(i).
    In addition, if a group health plan, or a health insurance issuer 
or HMO with respect to a group health plan, wants the option to 
disclose protected health information to a group health plan sponsor 
without authorization as permitted under Sec. 164.504(f), the group 
health plan, health insurance issuer or HMO must describe that practice 
in its notice.
    As in the proposed rule, the notice must state that all other uses 
and disclosures will be made only with the individual's authorization 
and that the individual has the right to revoke such authorization.
    We anticipate this requirement will lead to significant 
standardization of the notice. This language could be the same for 
every covered entity of a particular type within a state, territory, or 
other locale. We encourage states, state professional associations, and 
other organizations to develop model language to assist covered 
entities in preparing their notices.
Individual Rights
    As in the proposed rule, covered entities must describe 
individuals' rights under the rule and how individuals may exercise 
those rights with respect to the covered entity. Covered entities must 
describe each of the following rights, as provided under the rule: the 
right to request restrictions

[[Page 82550]]

on certain uses and disclosures, including a statement that the covered 
entity is not required to agree to a requested restriction 
(Sec. 164.522(a)); the right to receive confidential communications of 
protected health information (Sec. 164.522(b)); the right to inspect 
and copy protected health information (Sec. 164.524); the right to 
amend protected health information (Sec. 164.526); and the right to an 
accounting of disclosures of protected health information 
(Sec. 164.528). We additionally require the notice to describe the 
right of an individual, including an individual that has agreed to 
receive the notice electronically, to obtain a paper copy of the notice 
upon request.
Covered Entity's Duties
    As in the proposed rule, covered entities must state in the notice 
that they are required by law to maintain the privacy of protected 
health information, to provide a notice of their legal duties and 
privacy practices, and to abide by the terms of the notice currently in 
effect. In the final rule, we additionally require the covered entity, 
if it wishes to reserve the right to change its privacy practices and 
apply the revised practices to protected health information previously 
created or received, to make a statement to that effect and describe 
how it will provide individuals with a revised notice. (See below for a 
more detailed discussion of a covered entity's responsibilities when it 
changes its privacy practices.)
Complaints
    As in the proposed rule, a covered entity's notice must inform 
individuals about how they can lodge complaints with the covered entity 
if they believe their privacy rights have been violated. See 
Sec. 164.530(d) and the corresponding preamble discussion for the 
requirements on covered entities for receiving complaints. The notice 
must also state that individuals may file complaints with the 
Secretary. In the final rule, we additionally require the notice to 
include a statement that the individual will not suffer retaliation for 
filing a complaint.
Contact
    As in the proposed rule, the notice must identify a point of 
contact where the individual can obtain additional information about 
any of the matters identified in the notice.
Effective Date
    The notice must include the date the notice went into effect, 
rather than the proposed requirement to include the date the notice was 
produced. The effective date cannot be earlier than the date on which 
the notice was first printed or otherwise published. Covered entities 
may wish to highlight or otherwise emphasize any material modifications 
that it has made, in order to help the individual recognize such 
changes.

Optional Elements

    As described above, we proposed to require covered entities to 
describe the uses and disclosures of protected health information that 
the covered entity in fact expected to make without the individual's 
authorization. We did not specify any optional elements.
    While the final rule requires covered entities to describe all of 
the types of uses and disclosures permitted or required by law (not 
just those that the covered entity intends to make), we also permit and 
encourage covered entities to include optional elements that describe 
the actual, more limited, uses and disclosures they intend to make 
without authorization. We anticipate that some covered entities will 
want to distinguish themselves on the basis of their more stringent 
privacy practices. For example, covered health care providers who 
routinely treat patients with particularly sensitive conditions may 
wish to assure their patients that, even though the law permits them to 
disclose information for a wide array of purposes, the covered health 
care provider will only disclose information in very specific 
circumstances, as required by law, and to avert a serious and imminent 
threat to health or safety. A covered entity may not include statements 
in the notice that purport to limit the entity's ability to make uses 
or disclosures that are required by law or necessary to avert a serious 
and imminent threat to health or safety.
    As described above, if the covered entity wishes to reserve the 
right to change its privacy practices with respect to the more limited 
uses and disclosures and apply the revised practices to protected 
health information previously created or received, it must make a 
statement to that effect and describe how it will provide individuals 
with a revised notice. (See below for a more detailed discussion of a 
covered entity's responsibilities when it changes its privacy 
practices.)

Revisions to the Notice

    We proposed to require a covered entity to adhere to the terms of 
its notice, and would have permitted it to change its information 
policies and procedures at any time. We would have required covered 
health care providers and health plans to update the notice to reflect 
material changes to the information policies and procedures described 
in the notice. Changes to the notice would have applied to all 
protected health information held by the covered entity, including 
information collected under prior notices. That is, we would not have 
require covered entities to segregate their records according to the 
notice in effect at the time the record was created. We proposed to 
prohibit covered entities from implementing a change to an information 
policy or procedure described in the notice until the notice was 
updated to reflect the change, unless a compelling reason existed to 
make a use or disclosure or take other action that the notice would not 
have permitted. In these situations, we proposed to require covered 
entities to document the compelling reason and, within 30 days of the 
use, disclosure, or other action, change its notice to permit the 
action.
    As in the proposed rule, covered entities are required to adhere to 
the terms of the notice currently in effect. See Sec. 164.502(i). When 
a covered entity materially changes any of the uses or disclosures, the 
individual's rights, the covered entity's legal duties, or other 
privacy practices described in its notice, it must promptly revise its 
notice accordingly. See Sec. 164.520(b)(3). (Pursuant to 
Sec. 164.530(i), it must also revise its policies and procedures.) 
Except when required by law, a material change to any term in the 
notice may not be implemented prior to the effective date of the notice 
in which such material change is reflected. In the final rule, however, 
we revise the circumstances under and extent to which the covered 
entity may revise the practices stated in the notice and apply the new 
practices to protected health information it created or received under 
prior notice.
    Under Sec. 164.530(i), a covered entity that wishes to change its 
practices over time without segregating its records according to the 
notice in effect at the time the records were created must reserve the 
right to do so in its notice. For example, a covered hospital that 
states in its notice that it will only make public health disclosures 
required by law, and that does not reserve the right to change this 
practice, is prohibited from making any discretionary public health 
disclosures of protected health information created or received during 
the effective period of that notice. If the covered hospital wishes at 
some point in the future to make discretionary disclosures for public 
health purposes, it must revise its notice to so state, and

[[Page 82551]]

must segregate its records so that protected health information created 
or received under the prior notice is not disclosed for discretionary 
public health purposes. This hospital may then make discretionary 
public health disclosures of protected health information created or 
received after the effective date of the revised notice.
    If a second covered hospital states in its notice that it will only 
make public health disclosures required by law, but does reserve the 
right to change its practices, it is prohibited from making any 
discretionary public health disclosures of protected health information 
created or received during the effective period of that notice. If this 
hospital wishes at some point in the future to make discretionary 
disclosures for public health purposes, it must revise its notice to so 
state, but need not segregate its records. As of the effective date of 
the revised notice, it may disclose any protected health information, 
including information created or received under the prior notice, for 
discretionary public health purposes.
    Section 164.530(i) and the corresponding discussion in this 
preamble describes requirements for revision of a covered entity's 
privacy policies and procedures, including the privacy practices 
reflected in its notice.

Section 164.520(c)--Provision of Notice

    As in the proposed rule, all covered entities that are required to 
produce a notice must provide the notice upon request of any person. 
The requestor does not have to be a current patient or enrollee. We 
intend the notice to be a public document that people can use in 
choosing between covered entities.
    For health plans, we proposed to require health plans to distribute 
the notice to individuals covered by the health plan as of the 
compliance date; after the compliance date, at enrollment in the health 
plan; after enrollment, within 60 days of a material revision to the 
content of the notice; and no less frequently than once every three 
years.
    As in the proposed rule, under the final rule health plans must 
provide the notice to all health plan enrollees as of the compliance 
date. After the compliance date, health plans must provide the notice 
to all new enrollees at the time of enrollment and to all enrollees 
within 60 days of a material revision to the notice. Of course, the 
term ``enrollees'' includes participants and beneficiaries in group 
health plans.
    Unlike the proposed rule, we do not require health plans to 
distribute the notice every three years. Instead, health plans must 
notify enrollees no less than once every three years about the 
availability of the notice and how to obtain a copy.
    We also clarify that, in each of these circumstances, if a named 
insured and one or more dependents are covered by the same policy, the 
health plan can satisfy the distribution requirement with respect to 
the dependents by sending a single copy of the notice to the named 
insured. For example, if an employee of a firm and her three dependents 
are all covered under a single health plan policy, that health plan can 
satisfy the initial distribution requirement by sending a single copy 
of the notice to the employee rather than sending four copies, each 
addressed to a different member of the family.
    We further clarify that if a health plan has more than one notice, 
it satisfies its distribution requirement by providing the notice that 
is relevant to the individual or other person requesting the notice. 
For example, a health insurance issuer may have contracts with two 
different group health plans. One contract specifies that the issuer 
may use and disclose protected health information about the 
participants in the group health plan for research purposes without 
authorization (subject to the requirements of this rule) and one 
contract specifies that the issuer must always obtain authorizations 
for these uses and disclosures. The issuer accordingly develops two 
notices reflecting these different practices and satisfies its 
distribution requirements by providing the relevant notice to the 
relevant group health plan participants.
    We proposed to require covered health care providers with face-to-
face contact with individuals to provide the notice to all such 
individuals at the first service delivery to the individual during the 
one year period after the compliance date. After this one year period, 
covered providers with face-to-face contact with individuals would have 
been required to distribute the notice to all new patients at the first 
service delivery. Covered providers without face-to-face contact with 
individuals would have been required to provide the notice in a 
reasonable period of time following first service delivery.
    We proposed to require all covered providers to post the notice in 
a clear and prominent location where it would be reasonable to expect 
individuals seeking services from the covered provider to be able to 
read the notice. We would have required revisions to be posted 
promptly.
    In the final rule, we vary the distribution requirements according 
to whether the covered health care provider has a direct treatment 
relationship with an individual, rather than whether the covered health 
care provider has face-to-face contact with an individual. See 
Sec. 164.501 and the corresponding discussion in this preamble 
regarding the definition of indirect treatment relationship.
    Covered health care providers that have direct treatment 
relationships with individuals must provide the notice to such 
individuals as of the first service delivery after the compliance date. 
This requirement applies whether the first service is delivered 
electronically or in person. Covered providers may satisfy this 
requirement by sending the notice to all of their patients at once, by 
giving the notice to each patient as he or she comes into the 
provider's office or facility or contacts the provider electronically, 
or by some combination of these approaches. Covered providers that 
maintain a physical service delivery site must prominently post the 
notice where it is reasonable to expect individuals seeking service 
from the provider to be able to read the notice. The notice must also 
be available on site for individuals to take on request. In the event 
of a revision to the notice, the covered provider must promptly post 
the revision and make it available on site.
    Covered health care providers that have indirect treatment 
relationships with individuals are only required to produce the notice 
upon request, as described above.
    The proposed rule was silent regarding electronic distribution of 
the notice. Under the final rule, a covered entity that maintains a web 
site describing the services and benefits it offers must make its 
privacy notice prominently available through the site.
    A covered entity may satisfy the applicable distribution 
requirements described above by providing the notice to the individual 
electronically, if the individual agrees to receiving materials from 
the covered entity electronically and the individual has not withdrawn 
his or her agreement. If the covered entity knows that the electronic 
transmission has failed, the covered entity must provide a paper copy 
of the notice to the individual.
    If an individual's first service delivery from a covered provider 
occurs electronically, the covered provider must provide electronic 
notice automatically and contemporaneously in response to the 
individual's first request for service. For example, the first time an 
individual requests to fill a prescription through a covered internet 
pharmacy, the pharmacy must automatically and contemporaneously provide 
the individual with the

[[Page 82552]]

pharmacy's notice of privacy practices. An individual that receives a 
covered entity's notice electronically retains the right to request a 
paper copy of the notice as described above. This right must be 
described in the notice.
    We note that the Electronic Signatures in Global and National 
Commerce Act (Pub. L. 106-229) may apply to documents required under 
this rule to be provided in writing. We do not intend to affect the 
application of that law to documents required under this rule.

Section 164.520(d)--Joint Notice by Separate Covered Entities

    The proposed rule was silent regarding the ability of legally 
separate covered entities to produce a single notice.
    In the final rule, we allow covered entities that participate in an 
organized health care arrangement to comply with this section by 
producing a single notice that describes their combined privacy 
practices. See Sec. 164.501 and the corresponding preamble discussion 
regarding the definition of organized health care arrangement. (We note 
that, under Sec. 164.504(d), covered entities that are under common 
ownership or control may designate themselves as a single affiliated 
covered entity. Joint notice requirements do not apply to such 
entities. Single affiliated covered entities must produce a single 
notice, consistent with the requirements described above for any other 
covered entity. Covered entities under common ownership or control that 
elect not to designate themselves as a single affiliated covered 
entity, however, may elect to produce a joint notice if they meet the 
definition of an organized health care arrangement.)
    The joint notice must meet all of the requirements described above. 
The covered entities must agree to abide by the terms of the notice 
with respect to protected health information created or received by the 
covered entities as part of their participation in the organized health 
care arrangement. In addition, the joint notice must reasonably 
identify the covered entities, or class of covered entities, to which 
the joint notice applies and the service delivery sites, or classes of 
service delivery sites, to which the joint notice applies. If the 
covered entities participating in the organized health care arrangement 
will share protected health information with each other as necessary to 
carry out treatment, payment, or health care operations relating to the 
arrangement, that fact must be stated in the notice.
    Typical examples where this policy may be useful are health care 
facilities where physicians and other providers who have offices 
elsewhere also provide services at the facility (e.g. hospital staff 
privileges, physicians visiting their patients at a residential 
facility). In these cases, a single notice may cover both the physician 
and the facility, if the above conditions are met. The physician is 
required to have a separate notice covering the privacy practices at 
the physician's office if those practices are different than the 
practices described in the joint notice.
    If any one of the covered entities included in the joint notice 
distributes the notice to an individual, as required above, the 
distribution requirement is met for all of the covered entities 
included in the joint notice.

Section 164.520(e)--Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In the final rule, we 
specify that covered entities must retain copies of the notice(s) they 
issue in accordance with Sec. 164.530(j). See Sec. 164.530(j) and the 
corresponding preamble discussion for further description of the 
documentation requirements.

Section 164.522--Rights To Request Privacy Protection for Protected 
Health Information

Section 164.522(a)--Right of An Individual To Request Restriction of 
Uses and Disclosures

    We proposed that individuals have the right to request that a 
covered health care provider restrict the use or disclosure of 
protected health information for treatment, payment, or health care 
operations. Providers would not have been required to agree to 
requested restrictions. However, a covered provider that agreed to a 
restriction could not use or disclose protected health information 
inconsistent with the restriction. The requirement would not have 
applied to permissible uses or disclosures under proposed Sec. 164.510, 
including uses and disclosures in emergency circumstances under 
proposed Sec. 164.510(k); when the health care services provided were 
emergency services; or to required disclosures to the Secretary under 
proposed Sec. 164.522. We would have required covered providers to have 
procedures for individuals to request restrictions, for agreed-upon 
restrictions to be documented, for the provider to honor such 
restrictions, and for notification of the existence of a restriction to 
others to whom such protected health information is disclosed.
    In the final rule, we retain the general right of an individual to 
request that uses and disclosures of protected health information be 
restricted and the requirement for covered entities to adhere to 
restrictions to which they have agreed. However, we include some 
significant changes and clarifications.
    Under the final rule, we extend the right to request restrictions 
to health plans and to health care clearinghouses that create or 
receive protected health information other than as a business associate 
of another covered entity. All covered entities must permit individuals 
to request that uses and disclosures of protected health information to 
carry out treatment, payment, and health care operations be restricted 
and must adhere to restrictions to which they have agreed. A covered 
entity is not required to agree to a restriction. We note that 
restrictions between an individual and a covered entity for these or 
other purposes may be otherwise enforceable under other law.
    Under Sec. 164.522(a)(1)(i)(B), the right to request restrictions 
applies to disclosures to persons assisting in the individual's care 
under Sec. 164.510(b). An individual may request that a covered entity 
agree not to disclose protected health information to persons assisting 
with the individual's care, even if such disclosure is permissible in 
accordance with Sec. 164.510(b). For example, if an individual requests 
that a covered entity never disclose protected health information to a 
particular family member, and the covered entity agrees to that 
restriction, the covered entity is prohibited from disclosing protected 
health information to that family member, even if the disclosure would 
otherwise be permissible under Sec. 164.510(b). We note that 
individuals additionally have the opportunity to agree or object to 
disclosures to persons assisting in the individual's care under 
Sec. 164.510(b)(2). The individual retains the right to agree or object 
to such disclosures under Sec. 164.510(b)(2), in accordance with the 
standards of that provision, regardless of whether the individual has 
requested a restriction under Sec. 164.522(a). See Sec. 164.510(b) and 
the corresponding preamble discussion regarding the individual's right 
to agree or object to disclosures to persons assisting in the 
individual's care.
    In Secs. 164.522(a)(1)(iii) and (iv) we clarify the requirements 
with respect to emergency treatment situations. In emergency treatment 
situations, a covered entity that has agreed to a restriction may use, 
or disclose to a health care provider, restricted protected health 
information that is

[[Page 82553]]

necessary to provide the emergency treatment. If the covered entity 
discloses restricted protected health information to a health care 
provider for emergency treatment purposes, it must request that the 
provider not further use or disclose the information. We expect covered 
entities to consider the need for access to protected health 
information for treatment purposes when considering a request for a 
restriction, to discuss this need with the individual making the 
request for restriction, and to agree to restrictions that will not 
foreseeably impede the individual's treatment. Therefore, we expect 
covered entities will rarely need to use or disclose restricted 
protected health information in emergency treatment situations. We do 
not intend, however, to adversely impact the delivery of health care. 
We therefore provide a means for the use and disclosure of restricted 
protected health information in emergency treatment situations, where 
an unexpected need for the information could arise and there is 
insufficient time to secure the individual's permission to use or 
disclose the restricted information.
    In Sec. 164.522(a)(1)(v) we clarify that restrictions are not 
effective under this rule to prevent uses and disclosures required by 
Sec. 164.502(a)(2)(ii) or permitted under Sec. 164.510(a) (regarding 
facility directories) or Sec. 164.512 (regarding uses and disclosures 
for which consent, individual authorization, or opportunity to agree or 
object is not required). Covered entities are permitted to agree to 
such restrictions, but if they do so, the restrictions are not 
enforceable under this rule. For example, a provider who makes a 
disclosure under Sec. 164.512(j)(1)(i) relating to serious and imminent 
threats will not be in violation of this rule even if the disclosure is 
contrary to a restriction agreed to under this paragraph.
    In Sec. 164.522(a)(2) we clarify a covered entity's ability to 
terminate a restriction to which it has agreed. A covered entity may 
terminate a restriction with the individual's written or oral 
agreement. If the individual's agreement is obtained orally, the 
covered entity must document that agreement. A note in the medical 
record or similar notation is sufficient documentation. If the 
individual agrees to terminate the restriction, the covered entity may 
use and disclose protected health information as otherwise permitted 
under the rule. If the covered entity wants to terminate the 
restriction without the individual's agreement, it may only terminate 
the restriction with respect to protected health information it creates 
or receives after it informs the individual of the termination. The 
restriction continues to apply to protected health information created 
or received prior to informing the individual of the termination. That 
is, any protected health information that had been collected before the 
termination may not be used or disclosed in a way that is inconsistent 
with the restriction, but any information that is collected after 
informing the individual of the termination of the restriction may be 
used or disclosed as otherwise permitted under the rule.
    In Sec. 164.522(a)(3), we clarify that a covered entity must 
document a restriction to which it has agreed. We do not require a 
specific form of documentation; a note in the medical record or similar 
notation is sufficient. The documentation must be retained for six 
years from the date it was created or the date it was last in effect, 
whichever is later, in accordance with Sec. 164.530(j).
    We eliminate the requirement from the NPRM for covered entities to 
inform persons to whom they disclose protected health information of 
the existence of any restriction on that information. A restriction is 
only binding on the covered entity that agreed to the restriction. We 
encourage covered entities to inform others of the existence of a 
restriction when it is appropriate to do so. We note, however, that 
disclosure of the existence of a restriction often amounts to a de 
facto disclosure of the restricted information itself. If a restriction 
does not permit a covered entity to disclose protected health 
information to a particular person, the covered entity must carefully 
consider whether disclosing the existence of the restriction to that 
person would also violate the restriction.

Section 164.522(b)--Confidential Communications Requirements

    In the NPRM, we did not directly address the issue of whether an 
individual could request that a covered entity restrict the manner in 
which it communicated with the individual. As described above, the NPRM 
would have provided individuals with the right to request that health 
care providers restrict uses and disclosures of protected health 
information for treatment, payment and health care operations, but 
would not have required providers to agree to such a restriction.
    In the final rule, we require covered entities to permit 
individuals to request that the covered entity provide confidential 
communications of protected health information about the individual. 
The requirement applies to communications from the covered entity to 
the individual, and also communications from the covered entity that 
would otherwise be sent to the named insured of an insurance policy 
that covers the individual as a dependent of the named insured. 
Individuals may request that the covered entity send such 
communications by alternative means or at alternative locations. For 
example, an individual who does not want his or her family members to 
know about a certain treatment may request that the provider 
communicate with the individual about that treatment at the 
individual's place of employment, by mail to a designated address, or 
by phone to a designated phone number. Similarly, an individual may 
request that the provider send communications in a closed envelope 
rather than a post card, as an ``alternative means.'' Covered health 
care providers must accommodate all reasonable requests. Health plans 
must accommodate all reasonable requests, if the individual clearly 
states that the disclosure of all or part of the protected health 
information could endanger the individual. For example, if an 
individual requests that a health plan send explanations of benefits 
about particular services to the individual's work rather than home 
address because the individual is concerned that a member of the 
individual's household (e.g., the named insured) might read the 
explanation of benefits and become abusive towards the individual, the 
health plan must accommodate the request.
    The reasonableness of a request made under this paragraph must be 
determined by a covered entity solely on the basis of the 
administrative difficulty of complying with the request and as 
otherwise provided in this section. A covered health care provider or 
health plan cannot refuse to accommodate a request based on its 
perception of the merits of the individual's reason for making the 
request. A covered health care provider may not require the individual 
to provide a reason for the request as a condition of accommodating the 
request. As discussed above, a health plan is not required to 
accommodate a request unless the individual indicates that the 
disclosure could endanger the individual. If the individual indicates 
such endangerment, however, the covered entity cannot further consider 
the individual's reason for making the request in determining whether 
it must accommodate the request.
    A covered health care provider or health plan may refuse to 
accommodate a request, however, if the individual has

[[Page 82554]]

not provided information as to how payment, if applicable, will be 
handled, or if the individual has not specified an alternative address 
or method of contact.

Section 164.524--Access of Individuals to Protected Health 
Information

Section 164.524(a)--Right of Access

    In the NPRM, we proposed to establish a right for individuals to 
access (i.e., inspect and obtain a copy of) protected health 
information about them maintained by a covered provider or health plan, 
or its business partners, in a designated record set.
    As in the proposed rule, in the final rule we provide that 
individuals have a right of access to protected health information that 
is maintained in a designated record set. This right applies to health 
plans, covered health care providers, and health care clearinghouses 
that create or receive protected health information other than as a 
business associate of another covered entity (see Sec. 164.500(b)). In 
the final rule, however, we modify the definition of designated record 
set. For a discussion of the significant changes made to the definition 
of designated record set, see Sec. 164.501 and the corresponding 
preamble.
    Under the revised definition, individuals have a right of access to 
any protected health information that is used, in whole or in part, to 
make decisions about individuals. This information includes, for 
example, information used to make health care decisions or information 
used to determine whether an insurance claim will be paid. Covered 
entities often incorporate the same protected health information into a 
variety of different data systems, not all of which will be utilized to 
make decisions about individuals. For example, information systems that 
are used for quality control or peer review analyses may not be used to 
make decisions about individuals. In that case, the information systems 
would not fall within the definition of designated record set. We do 
not require entities to grant an individual access to protected health 
information maintained in these types of information systems.

Duration of the Right of Access

    As in the proposed rule, covered entities must provide access to 
individuals for as long as the protected health information is 
maintained in a designated record set.

Exceptions to the Right of Access

    In the NPRM, we proposed to establish a right for individuals to 
access any protected health information maintained in a designated 
record set. Though we proposed to permit covered entities to deny 
access in certain situations relating to the particular individual 
requesting access, we did not specifically exclude any protected health 
information from the right of access.
    In the final rule, we specify three types of information to which 
individuals do not have a right of access, even if the information is 
maintained in a designated record set. They are psychotherapy notes, 
information compiled in reasonable anticipation of, or for use in, a 
civil, criminal, or administrative action or proceeding, and certain 
protected health information maintained by a covered entity that is 
subject to or exempted from the Clinical Laboratory Improvements 
Amendments of 1988 (CLIA). Covered entities may, but are not required 
to, provide access to this information.
    First, unlike the proposed rule, we specify that individuals do not 
have a right of access to psychotherapy notes.
    Second, individuals do not have a right of access to information 
compiled in reasonable anticipation of, or for use in, a civil, 
criminal, or administrative action or proceeding. In the NPRM, we would 
have permitted covered entities to deny a request for access to 
protected health information complied in reasonable anticipation of, or 
for use in, a legal proceeding. We change the language in the final 
rule to clarify that a legal proceeding includes civil, criminal, and 
administrative actions and proceedings. In the final rule, we clarify 
that an individual does not have a right to this information by 
including it in the list of exceptions rather than stating that a 
covered entity may deny access to this information. Under this 
exception, the covered entity may deny access to any information that 
relates specifically to legal preparations but may not deny access to 
the individual's underlying health information. We do not intend to 
require covered entities to provide access to documents protected by 
attorney work-product privilege nor do we intend to alter rules of 
discovery.
    Third, unlike the proposed rule, individuals do not have a right of 
access to protected health information held by clinical laboratories if 
CLIA prohibits such access. CLIA states that clinical laboratories may 
provide clinical laboratory test records and reports only to 
``authorized persons,'' as defined primarily by state law. The 
individual who is the subject of the information is not always included 
in this set of authorized persons. When an individual is not an 
authorized person, this restriction effectively prohibits the clinical 
laboratory from providing an individual access to this information. We 
do not intend to preempt CLIA and, therefore, do not require covered 
clinical laboratories to provide an individual access to this 
information if CLIA prohibits them from doing so. We note, however, 
that individuals have the right of access to this information if it is 
maintained by a covered health care provider, clearinghouse, or health 
plan that is not subject to CLIA.
    Finally, unlike the proposed rule, individuals do not have access 
to protected health information held by certain research laboratories 
that are exempt from the CLIA regulations. The CLIA regulations 
specifically exempt the components or functions of ``research 
laboratories that test human specimens but do not report patient 
specific results for the diagnosis, prevention or treatment of any 
disease or impairment of, or the assessment of the health of individual 
patients.'' 42 CFR 493.3(a)(2). If subject to the access requirements, 
these laboratories, or the applicable components of them, would be 
forced to comply with the CLIA regulations once they provided an 
individual with the access under this privacy rule. Therefore, to 
alleviate this additional regulatory burden, we have exempted these 
laboratories, or the relevant components of them, from the access 
requirements of this regulation.

Grounds for Denial of Access

    In the NPRM we proposed to permit covered health care providers and 
health plans to deny an individual access to inspect and copy protected 
health information about them for five reasons: (1) a licensed health 
care professional determined the inspection and copying was reasonably 
likely to endanger the life or physical safety of the individual or 
another person; (2) the information was about another person (other 
than a health care provider) and a licensed health care professional 
determined the inspection and copying was reasonably likely to cause 
substantial harm to that other person; (3) the information was obtained 
under a promise of confidentiality from someone other than a health 
care provider and the inspection and copying was likely to reveal the 
source of the information; (4) the information was obtained by a 
covered provider in the course of a clinical trial, the individual 
agreed to the denial of access in consenting to participate in the 
trial, and the trial was in progress; and (5) the information was 
compiled in reasonable anticipation of, or for use in, a legal

[[Page 82555]]

proceeding. In the NPRM, covered entities would not have been permitted 
to use these grounds to deny individuals access to protected health 
information that was also subject to the Privacy Act.
    In the final rule, we retain all of these grounds for denial, with 
some modifications. One of the proposed grounds for denial (regarding 
legal proceedings) is retained as an exception to the right of access. 
(See discussion above.) We also include additional grounds for denial 
and create a right for individuals to request review of certain 
denials.
    There are five types of denials covered entities may make without 
providing the individual with a right to have the denial reviewed.
    First, a covered entity may deny an individual access to any 
information that is excepted from the right of access under 
Sec. 164.524(a)(1). (See discussion above.)
    Second, we add a new provision that permits a covered entity that 
is a correctional institution or covered health care provider acting 
under the direction of a correctional institution to deny an inmate's 
request to obtain a copy of protected health information if obtaining a 
copy would jeopardize the health, safety, security, custody, or 
rehabilitation of the individual or other inmates or the safety of any 
officer, employee or other person at the correctional institution or 
responsible for the transporting of the inmate. This ground for denial 
is restricted to an inmate's request to obtain a copy of protected 
health information. If an inmate requests inspection of protected 
health information, the request must be granted unless one of the other 
grounds for denial applies. The purpose for this exception, and the 
reason that the exception is limited to denying an inmate a copy and 
not to denying a right to inspect, is to give correctional institutions 
the ability to maintain order in these facilities and among inmates 
without denying an inmate the right to review his or her protected 
health information.
    Third, as in the proposed rule, a covered entity may deny an 
individual access to protected health information obtained by a covered 
provider in the course of research that includes treatment of the 
research participants, while such research is in progress. For this 
exception to apply, the individual must have agreed to the denial of 
access in conjunction with the individual's consent to participate in 
the research and the covered provider must have informed the individual 
that the right of access will be reinstated upon completion of the 
research. If either of these conditions is not met, the individual has 
the right to inspect and copy the information (subject to the other 
exceptions we provide here). In all cases, the individual has the right 
to inspect and copy the information after the research is complete.
    As with all the grounds for denial, covered entities are not 
required to deny access under the research exception. We expect all 
researchers to maintain a high level of ethical consideration for the 
welfare of research participants and provide access in appropriate 
circumstances. For example, if a participant has a severe adverse 
reaction, disclosure of information during the course of the research 
may be necessary to give the participant adequate information for 
proper treatment decisions.
    Fourth, we clarify the ability of a covered entity to deny 
individuals access to protected health information that is also subject 
to the Privacy Act. In the final rule, we specify that a covered entity 
may deny an individual access to protected health information that is 
contained in records that are subject to the Privacy Act if such denial 
is permitted under the Privacy Act. This ground for denial exists in 
addition to the other grounds for denial available under this rule. If 
an individual requests access to protected health information that is 
also subject to the Privacy Act, a covered entity may deny access to 
that information for any of the reasons permitted under the Privacy Act 
and for any of the reasons permitted under this rule.
    Fifth, as in the proposed rule, a covered entity may deny an 
individual access to protected health information if the covered entity 
obtained the requested information from someone other than a health 
care provider under a promise of confidentiality and such access would 
be reasonably likely to reveal the source of the information. This 
provision is intended to preserve a covered entity's ability to 
maintain an implicit or explicit promise of confidentiality. A covered 
entity may not, however, deny access to protected health information 
when the information has been obtained from a health care provider. An 
individual is entitled to have access to all information about him or 
her generated by the health care system (apart from the other 
exceptions we provide here). Confidentiality promises to health care 
providers should not interfere with that access.
    As in the proposed rule, a covered entity may deny access to 
protected health information under certain circumstances in which the 
access may harm the individual or others. In the final rule, we specify 
that a covered entity may only deny access for these reasons if the 
covered entity provides the individual with a right to have the denial 
reviewed. (See below for a discussion of the right to review.)
    There are three types of denials for which covered entities must 
provide the individual with a right to review. A denial under these 
provisions requires a determination by a licensed health care 
professional (such as a physician, physician's assistant, or nurse) 
based on an assessment of the particular circumstances and current 
professional medical standards of harm. Therefore, when the request is 
made to a health plan or clearinghouse, the covered entity will need to 
consult with a licensed health care professional before denying access 
under this provision.
    First, as in the proposed rule, covered entities may deny 
individuals access to protected health information about them if a 
licensed health care professional has determined, in the exercise of 
professional judgment, that the access requested is reasonably likely 
to endanger the life or physical safety of the individual or another 
person. The most commonly cited example is when an individual exhibits 
suicidal or homicidal tendencies. If a licensed health care 
professional determines that an individual exhibits such tendencies and 
that permitting inspection or copying of some of the individual's 
protected health information is reasonably likely to result in the 
individual committing suicide, murder, or other physical violence, then 
the health care professional may deny the individual access to that 
information. Under this reason for denial, covered entities may not 
deny access on the basis of the sensitivity of the health information 
or the potential for causing emotional or psychological harm.
    Second, as in the proposed rule, covered entities may deny an 
individual access to protected health information if the information 
requested makes reference to someone other than the individual (and 
other than a health care provider) and a licensed health care 
professional has determined, in the exercise of professional judgment, 
that the access requested is reasonably likely to cause serious harm to 
that other person. On some occasions when health information about one 
person is relevant to the care of another, a physician may incorporate 
it into the latter's record, such as information from group therapy 
sessions and information about illnesses with a genetic component. This 
provision permits a covered entity to withhold information in such 
cases if

[[Page 82556]]

the release of such information is reasonably likely to cause 
substantial physical, emotional, or psychological harm.
    Third, we add a new provision regarding denial of access requested 
by personal representatives. Under Sec. 164.502(g), a person that is a 
personal representative of an individual may exercise the rights of the 
individual, including the right to inspect and copy protected health 
information about the individual that is relevant to such person's 
representation. The provision permits covered entities to refuse to 
treat a personal representative as the individual, generally, if the 
covered entity has a reasonable belief that the individual has been or 
will be subjected to domestic violence, abuse or neglect by the 
personal representative, or that treating the personal representative 
as the individual may endanger the individual and, in its professional 
judgment, the covered entity decides that it is not in the best 
interest of the individual to treat such person as the personal 
representative.
    In addition to that provision, we add a new provision at 
Sec. 164.524(a)(3)(iii) to clarify that a covered entity may deny a 
request to inspect or copy protected health information if the 
information is requested by a personal representative of the individual 
and a licensed health care professional has determined that, in the 
exercise of professional judgment, such access is reasonably likely to 
cause substantial harm to the individual who is the subject of the 
information or to another person. The health care professional need not 
have a reasonable belief that the personal representative has abused or 
neglected the individuals and the harm that is likely to result need 
not be limited to the individual who is the subject of the requested 
protected health information. Therefore, a covered entity can recognize 
a person as a personal representative but deny such person access to 
protected health information as a personal representative.
    We do not intend these provisions to create a legal duty for the 
covered entity to review all of the relevant protected health 
information before releasing it. Rather, we are preserving the 
flexibility and judgment of covered entities to deny access under 
appropriate circumstances. Denials are not mandatory; covered entities 
may always elect to provide requested health information to the 
individual. For each request by an individual, the covered entity may 
provide all of the information requested or evaluate the requested 
information, consider the circumstances surrounding the individual's 
request, and make a determination as to whether that request should be 
granted or denied, in whole or in part, in accordance with one of the 
reasons for denial under this rule. We intend to create narrow 
exceptions to the right of access and we expect covered entities to 
employ these exceptions rarely, if at all. Covered entities may only 
deny access for the reasons specifically provided in the rule.

Review of a Denial of Access

    In the NPRM, we proposed to require covered entities, when denying 
an individual's request for access, to inform the individual of how to 
make a complaint to the covered entity and the Secretary.
    We retain in the final rule the proposed approach (see below). In 
addition, if the covered entity denies the request on the basis of one 
of the reviewable grounds for denial described above, the individual 
has the right to have the denial reviewed by a licensed health care 
professional who is designated by the covered entity to act as a 
reviewing official and who did not participate in the original decision 
to deny access. The covered entity must provide access in accordance 
with the reviewing official's determination. ( See below for further 
description of the covered entity's requirements under 
Sec. 164.524(d)(4) if the individual requests a review of denial of 
access.)

Section 164.524(b)--Requests for Access and Timely Action

    In the NPRM, we proposed to require covered health care providers 
and health plans to provide a means for individuals to request access 
to protected health information about them. We proposed to require 
covered health care providers and health plans to take action on a 
request for access as soon as possible, but not later than 30 days 
following the request.
    As in the proposed rule, the final rule requires covered entities 
to permit an individual to request access to inspect or to obtain a 
copy of the protected health information about the individual that is 
maintained in a designated record set. We additionally permit covered 
entities to require individuals to make requests for access in writing, 
if the individual is informed of this requirement.
    In the final rule, we eliminate the requirement for the covered 
entity to act on a request as soon as possible. We recognize that 
circumstances may arise in which an individual will request access on 
an expedited basis. We encourage covered entities to have procedures in 
place for handling such requests. The time limitation is intended to be 
an outside deadline, rather than an expectation.
    In the final rule, covered entities must act on a request for 
access within 30 days of receiving the request if the information is 
maintained or accessible on-site. Covered entities must act on a 
request for access within 60 days of receiving the request if the 
information is not maintained or accessible on-site. If the covered 
entity is unable to act on a request within the applicable deadline, it 
may extend the deadline by no more than 30 days by providing the 
individual with a written statement of the reasons for the delay and 
the date by which the covered entity will complete its action on the 
request. This written statement describing the extension must be 
provided within the standard deadline. A covered entity may only extend 
the deadline once per request for access. This provision permits a 
covered entity to take a total of up to 60 days to act on a request for 
access to information maintained on-site and up to 90 days to act on a 
request for access to information maintained off-site.
    The requirements for a covered entity to comply with or deny a 
request for access, in whole or in part, are described below.

Section 164.524(c)--Provision of Access

    In the NPRM, we proposed to require covered health care providers 
and health plans, upon accepting a request for access, to notify the 
individual of the decision and of any steps necessary to fulfill the 
request; to provide the information requested in the form or format 
requested, if readily producible in such form or format; and to 
facilitate the process of inspection and copying.
    We generally retain the proposed approach in the final rule. If a 
covered entity accepts a request, in whole or in part, it must notify 
the individual of the decision and provide the access requested. 
Individuals have the right both to inspect and to copy protected health 
information in a designated record set. The individual may choose 
whether to inspect the information, to copy the information, or to do 
both.
    In the final rule, we clarify that if the same protected health 
information is maintained in more than one designated record set or at 
more than one location, the covered entity is required to produce the 
information only once per request for access. We intend this provision 
to reduce covered entities' burden in complying with requests without 
reducing individuals' access to protected health information. We note 
that summary information and reports

[[Page 82557]]

are not the same as the underlying information on which the summary or 
report was based. Individuals have the right to obtain access both to 
summaries and to the underlying information. An individual retains the 
right of access to the underlying information even if the individual 
requests access to, or production of, a summary. (See below regarding 
requests for summaries.)
    The covered entity must provide the information requested in the 
form or format requested if it is readily producible in such form or 
format. For example, if the covered entity maintains health information 
electronically and the individual requests an electronic copy, the 
covered entity must accommodate such request, if possible. 
Additionally, we specify that if the information is not available in 
the form or format requested, the covered entity must produce a readily 
readable hard copy of the information or another form or format to 
which the individual and covered entity can agree. If the individual 
agrees, including agreeing to any associated fees (see below), the 
covered entity may provide access to a summary of information rather 
than all protected health information in designated record sets. 
Similarly, a covered entity may provide an explanation in addition to 
the protected health information, if the individual agrees in advance 
to the explanation and any associated fees.
    The covered entity must provide the access requested in a timely 
manner, as described above, and arrange for a mutually convenient time 
and place for the individual to inspect the protected health 
information or obtain a copy. If the individual requests that the 
covered entity mail a copy of the information, the covered entity must 
do so, and may charge certain fees for copying and mailing. For 
requests to inspect information that is maintained electronically, the 
covered entity may print a copy of the information and allow the 
individual to view the print-out on-site. Covered entities may discuss 
the request with the individual as necessary to facilitate the timely 
provision of access. For example, if the individual requested a copy of 
the information by mail, but the covered entity is able to provide the 
information faster by providing it electronically, the covered entity 
may discuss this option with the individual.
    We proposed in the NPRM to permit the covered entity to charge a 
reasonable, cost-based fee for copying the information.
    We clarify this provision in the final rule. If the individual 
requests a copy of protected health information, a covered entity may 
charge a reasonable, cost-based fee for the copying, including the 
labor and supply costs of copying. If hard copies are made, this would 
include the cost of paper. If electronic copies are made to a computer 
disk, this would include the cost of the computer disk. Covered 
entities may not charge any fees for retrieving or handling the 
information or for processing the request. If the individual requests 
the information to be mailed, the fee may include the cost of postage. 
Fees for copying and postage provided under state law, but not for 
other costs excluded under this rule, are presumed reasonable. If such 
per page costs include the cost of retrieving or handling the 
information, such costs are not acceptable under this rule.
    If the individual requests an explanation or summary of the 
information provided, and agrees in advance to any associated fees, the 
covered entity may charge for preparing the explanation or summary as 
well.
    The inclusion of a fee for copying is not intended to impede the 
ability of individuals to copy their records. Rather, it is intended to 
reduce the burden on covered entities. If the cost is excessively high, 
some individuals will not be able to obtain a copy. We encourage 
covered entities to limit the fee for copying so that it is within 
reach of all individuals.
    We do not intend to affect the fees that covered entities charge 
for providing protected health information to anyone other than the 
individual. For example, we do not intend to affect current practices 
with respect to the fees one health care provider charges for 
forwarding records to another health care provider for treatment 
purposes.

Section 164.524(d)--Denial of Access

    We proposed in the NPRM to require a covered health care provider 
or health plan that elects to deny a request for inspection or copying 
to make any other protected health information requested available to 
the individual to the extent possible, consistent with the denial.
    In the final rule, we clarify the proposed approach. A covered 
entity that denies access, in whole or in part, must, to the extent 
possible, give the individual access to any other protected health 
information requested after excluding the protected health information 
to which the covered entity has a ground to deny access. We intend 
covered entities to redact or otherwise exclude only the information 
that falls within one or more of the denial criteria described above 
and to permit inspection and copying of all remaining information, to 
the extent it is possible to do so.
    We also proposed to require covered providers and health plans, 
upon denying a request for access in whole or in part, to provide the 
individual with a written statement in plain language of the basis for 
the denial and how the individual could make a complaint to the covered 
entity or the Secretary.
    We retain the proposed approach. A covered entity that denies 
access, in whole or in part, must provide the individual with a written 
denial in plain language that explains the basis for the denial. The 
written denial could include a direct reference to the section of the 
regulation relied upon for the denial, but the regulatory citation 
alone does not sufficiently explain the reason for the denial. The 
written denial must also describe how the individual can complain to 
the covered entity and the Secretary and must include the name or title 
and the telephone number of the covered entity's contact person or 
office that is responsible for receiving complaints.
    In the final rule, we impose two additional requirements when the 
covered entity denies access, in whole or in part. First, if a covered 
entity denies a request on the basis of one of the reviewable grounds 
for denial, the written denial must describe the individual's right to 
a review of the denial and how the individual may exercise this right. 
Second, if the covered entity denies the request because it does not 
maintain the requested information, and the covered entity knows where 
the requested information is maintained, the covered entity must inform 
the individual where to direct the request for access.
    Finally, we specify a covered entity's responsibilities when an 
individual requests a review of a denial. If the individual requests a 
review of a denial made under Sec. 164.524(a)(3), the covered entity 
must designate a licensed health care professional to act as the 
reviewing official. This reviewing official must not have been involved 
in the original decision to deny access. The covered entity must 
promptly refer a request for review to the designated reviewing 
official. The reviewing official must determine, within a reasonable 
period of time, whether or not to deny the access requested based on 
the standards in Sec. 164.524(a)(3). The covered entity must promptly 
provide the individual with written notice of the reviewing official's 
decision and otherwise carry out the decision in accordance with the 
requirements of this section.

[[Page 82558]]

Section 164.524(e)--Policies, Procedures, and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities that are subject to this provision. In accordance 
with Sec. 164.530(j), the covered entity must retain documentation of 
the designated record sets that are subject to access by individuals 
and the titles of the persons or offices responsible for receiving and 
processing requests for access by individuals.

Section 164.526--Amendment of Protected Health Information

Section 164.526(a)--Right to Amend

    In proposed Sec. 164.516, we proposed to establish the individual's 
right to request a covered health care provider or health plan to amend 
or correct protected health information about the individual for as 
long as the covered entity maintains the information.
    In Sec. 164.526 of the final rule, we retain the general proposed 
approach, but establish an individual's right to have the covered 
entity amend, rather than amend or correct, protected health 
information. This right applies to protected health information and 
records in a designated record set for as long as the information is 
maintained in the designated record set. In the final rule, covered 
health care providers, health plans, and health care clearinghouses 
that create or receive protected health information other than as a 
business associate must comply with these requirements.

Denial of Amendment

    We proposed to permit a covered health care provider or health plan 
to deny a request for amendment if it determined that the protected 
health information that was the subject of the request was not created 
by the covered provider or health plan, would not be available for 
inspection and copying under proposed Sec. 164.514, or was accurate and 
complete. A covered entity would have been permitted, but not required, 
to deny a request if any of these conditions were met.
    As in the proposed rule, the final rule permits a covered entity to 
deny a request for amendment if the covered entity did not create the 
protected health information or record that is the subject of the 
request for amendment. We add one exception to this provision: if the 
individual provides a reasonable basis to believe that the originator 
of the protected health information is no longer available to act on 
the requested amendment, the covered entity must address the request 
for amendment as though the covered entity had created the information.
    As in the proposed rule, a covered entity also may deny a request 
for amendment if the protected health information that is the subject 
of the request for amendment is not part of a designated record set or 
would not otherwise be available for inspection under Sec. 164.524. We 
eliminate the ability to deny a request for amendment if the 
information or record that is the subject of the request would not be 
available for copying under the rule. Under Sec. 164.524(a)(2)(ii), an 
inmate may be denied a copy of protected health information about the 
inmate. We intend to preserve an inmate's ability to request amendments 
to information, even if a copy of the information would not be 
available to the inmate, subject to the other exceptions provided in 
this section.
    Finally, as in the proposed rule, a covered entity may deny a 
request for amendment if the covered entity determines that the 
information in dispute is accurate and complete. We draw this concept 
from the Privacy Act of 1974, governing records held by federal 
agencies, which permits an individual to request correction or 
amendment of a record ``which the individual believes is not accurate, 
relevant, timely, or complete.'' (5 U.S.C. 552a(d)(2)). We adopt the 
standards of ``accuracy'' and ``completeness'' and draw on the 
clarification and analysis of these terms that have emerged in 
administrative and judicial interpretations of the Privacy Act during 
the last 25 years. We note that for federal agencies that are also 
covered entities, this rule does not diminish their present obligations 
under the Privacy Act of 1974.
    This right is not intended to interfere with medical practice or to 
modify standard business record keeping practices. Perfect records are 
not required. Instead, a standard of reasonable accuracy and 
completeness should be used. In addition, this right is not intended to 
provide a procedure for substantive review of decisions such as 
coverage determinations by payors. It is intended only to affect the 
content of records, not the underlying truth or correctness of 
materials recounted therein. Attempts under the Privacy Act of 1974 to 
use this mechanism as a basis for collateral attack on agency 
determinations have generally been rejected by the courts. The same 
results are intended here.

Section 164.526(b)--Requests for Amendment and Timely Action

    We proposed to require covered health care providers and health 
plans to provide a means for individuals to request amendment of 
protected health information about them. Under the NPRM, we would have 
required covered health care providers and health plans to take action 
on a request for amendment or correction within 60 days of the request.
    As in the proposed rule, covered entities must permit individuals 
to request that the covered entity amend protected health information 
about them. We also permit certain specifications for the form and 
content of the request. If a covered entity informs individuals of such 
requirements in advance, a covered entity may require individuals to 
make requests for amendment in writing and to provide a reason to 
support a requested amendment. If the covered entity imposes such a 
requirement and informs individuals of the requirement in advance, the 
covered entity is not required to act on an individual's request that 
does not meet the requirements.
    We retain the requirement for covered entities to act on a request 
for amendment within 60 days of receipt of the request. In the final 
rule, we specify the nature of the action the covered entity must take 
within the time frame. The covered entity must inform the individual, 
as described below, that the request has been either accepted or 
denied, in whole or in part. It must also take certain actions pursuant 
to its decision to accept or deny the request, as described below. If 
the covered entity is unable to meet the deadline, the covered entity 
may extend the deadline by no more than 30 days. The covered entity 
must inform the individual in writing, within the initial 60-day 
period, of the reason for the delay and the date by which the covered 
entity will complete its action on the request. A covered entity may 
only extend the deadline one time per request for amendment.

Section 164.526(c)--Accepting the Amendment

    If a covered health care provider or health plan accepted a request 
for amendment, in whole or in part, we proposed to require the covered 
entity to make the appropriate change. The covered entity would have 
had to identify the challenged entries as amended or corrected and 
indicate the location of the amended or corrected information.

[[Page 82559]]

    We also proposed to require the covered provider or health plan to 
make reasonable efforts to notify certain entities of the amendment: 1) 
entities the individual identified as needing to be notified and 2) 
entities the covered provider or health plan knew had received the 
erroneous or incomplete information and who may have relied, or could 
foreseeably rely, on such information to the detriment of the 
individual.
    The covered provider or health plan would also have been required 
to notify the individual of the decision to amend the information.
    As in the proposed rule, if a covered entity accepts an 
individual's request for amendment or correction, it must make the 
appropriate amendment. In the final rule, we clarify that, at a 
minimum, the covered entity must identify the records in the designated 
record set that are affected by the amendment and must append or 
otherwise provide a link to the location of the amendment. We do not 
require covered entities to expunge any protected health information. 
Covered entities may expunge information if doing so is consistent with 
other applicable law and the covered entity's record keeping practices.
    We alter some of the required procedures for informing the 
individual and others of the accepted amendment. As in the proposed 
rule, the covered entity must inform individuals about accepted 
amendments. In the final rule, the covered entity must obtain the 
individual's agreement to have the amended information shared with 
certain persons. If the individual agrees, the covered entity must make 
reasonable efforts to provide a copy of the amendment within a 
reasonable time to: (1) Persons the individual identifies as having 
received protected health information about the individual and needing 
the amendment; and (2) persons, including business associates, that the 
covered entity knows have the unamended information and who may have 
relied, or could foreseeably rely, on the information to the detriment 
of the individual. For example, a covered entity must make reasonable 
efforts to inform a business associate that uses protected health 
information to make decisions about individuals about amendments to 
protected health information used for such decisions.

Section 164.526(d)--Denying the Amendment

    If a covered health care provider or health plan denied a request 
for amendment, in whole or in part, we proposed to require the covered 
entity to provide the individual with a written statement in plain 
language of the basis for the denial, a description of how the 
individual could submit a written statement of disagreement with the 
denial, and a description of how the individual could make a complaint 
with the covered entity and the Secretary.
    We proposed to require covered health care providers and health 
plans to have procedures to permit the individual to file a written 
statement of disagreement with the denial and to include the covered 
entity's statement of denial and the individual's statement of 
disagreement with any subsequent disclosure of the disputed 
information. Covered entities would have been permitted to establish a 
limit to the length of the individual's statement of disagreement and 
to summarize the statement if necessary. We also proposed to permit 
covered entities to provide a rebuttal to the individual's statement 
with future disclosures.
    As in the proposed rule, if a covered entity denies a request for 
amendment, it must provide the individual with a statement of denial 
written in plain language. The written denial must include the basis 
for the denial, how the individual may file a written statement 
disagreeing with the denial, and how the individual may make a 
complaint to the covered entity and the Secretary.
    In the final rule, we additionally require the covered entity to 
inform individuals of their options with respect to future disclosures 
of the disputed information in order to ensure that an individual is 
aware of his or her rights. The written denial must state that if the 
individual chooses not to file a statement of disagreement, the 
individual may request that the covered entity include the individual's 
request for amendment and the covered entity's denial of the request 
with any future disclosures of the protected health information that is 
the subject of the requested amendment.
    As in the proposed rule, the covered entity must permit the 
individual to submit a written statement disagreeing with the denial 
and the basis of such disagreement. The covered entity may reasonably 
limit the length of a statement of disagreement and may prepare a 
written rebuttal to the individual's statement of disagreement. If the 
covered entity prepares a rebuttal, it must provide a copy to the 
individual.
    The covered entity must identify the record or protected health 
information that is the subject of the disputed amendment and append or 
otherwise link the following information to the designated record set: 
the individual's request for amendment, the covered entity's denial of 
the request, the individual's statement of disagreement (if any), and 
the covered entity's rebuttal (if any). If the individual submits a 
written statement of disagreement, all of the appended or linked 
information, or an accurate summary of it, must be included with any 
subsequent disclosure of the protected health information to which the 
disagreement relates. If the individual does not submit a written 
statement of disagreement, the covered entity must include the appended 
or linked information only if the individual requests that the covered 
entity do so.
    In the final rule, we clarify that when a subsequent disclosure is 
a standard transaction adopted under the Transactions Rule that cannot 
accommodate the additional materials described above, the covered 
entity may separately disclose the additional material to the recipient 
of the transaction.

Section 164.526(e)--Actions on Notices of Amendment

    We proposed to require any covered entity that received a 
notification of amendment to have procedures in place to make the 
amendment in any of its designated record sets and to notify its 
business associates, if appropriate, of amendments.
    We retain the proposed approach in the final rule. If a covered 
entity receives a notification of amended protected health information 
from another covered entity as described above, the covered entity must 
make the necessary amendment to protected health information in 
designated record sets it maintains. In addition, covered entities must 
require their business associates who receive such notifications to 
incorporate any necessary amendments to designated record sets 
maintained on the covered entity's behalf. (See Sec. 164.504 regarding 
business associate requirements.)

Section 164.526(f)--Policies, Procedures, and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In accordance with 
Sec. 164.530(j), the covered entity must document the titles of the 
persons or offices responsible for receiving and processing requests 
for amendment.

Sec. 164.528--Accounting of Disclosures of Protected Health 
Information

Right to an Accounting of Disclosures

    We proposed in the NPRM to grant individuals a right to receive an

[[Page 82560]]

accounting of all disclosures of protected health information about 
them by a covered entity for purposes other than treatment, payment, 
and health care operations. We proposed this right to exist for as long 
as the covered entity maintained the protected health information.
    We also proposed that individuals would not have a right to an 
accounting of disclosures to health oversight or law enforcement 
agencies if the agency provided a written request for exclusion for a 
specified time period and the request stated that access by the 
individual during that time period would be reasonably likely to impede 
the agency's activities.
    We generally retain the proposed approach in the final rule. As in 
the proposed rule, individuals have a right to receive an accounting of 
disclosures made by a covered entity, including disclosures by or to a 
business associate of the covered entity, for purposes other than 
treatment, payment, and health care operations, subject to certain 
exceptions as discussed below.
    We revise the duration of this right under the final rule. 
Individuals have a right to an accounting of the applicable disclosures 
that have been made in the 6 year period prior to the date of a request 
for an accounting. We additionally clarify in Sec. 164.528(b)(1) that 
an individual may request, and a covered entity may then provide, an 
accounting of disclosures for a period of time less than 6 years from 
the date of the request. For example, an individual could request an 
accounting only of disclosures that occurred during the year prior to 
the request.
    In the final rule, we exclude several additional types of 
disclosures from the accounting requirement. Covered entities are not 
required to include in the accounting disclosures to the individual as 
provided in Sec. 164.502; disclosures for facility directories, 
disclosures to persons involved in the individual's care, or other 
disclosures for notification purposes as provided in Sec. 164.510; 
disclosures for national security or intelligence purposes as provided 
in Sec. 164.512(k)(2); disclosures to correctional institutions or law 
enforcement officials as provided in Sec. 164.512(k)(5); or any 
disclosures that were made by the covered entity prior to the 
compliance date of the rule for that covered entity.
    We retain the time-limited exclusion for disclosures to health 
oversight and law enforcement agencies, but require rather than permit 
the exclusion for the specified time period. Covered entities must 
exclude disclosures to a health oversight agency or law enforcement 
official from the accounting for the time period specified by the 
applicable agency or official if the agency or official provides the 
covered entity with a statement that inclusion of the disclosure(s) in 
the accounting to the individual during that time period would be 
reasonably likely to impede the agency or official's activities. The 
agency or official's statement must specifically state how long the 
information must be excluded. At the expiration of that period, the 
covered entity is required to include the disclosure(s) in an 
accounting for the individual. If the agency or official's statement is 
made orally, the covered entity must document the identity of the 
agency or official who made the statement and must exclude the 
disclosure(s) for no longer than 30 days from the date of the oral 
statement, unless a written statement is provided during that time. If 
the agency or official provides a written statement, the covered entity 
must exclude the disclosure(s) for the time period specified in the 
written statement.

Content of the Accounting

    We proposed in the NPRM to require the accounting to include all 
disclosures as described above, including disclosures authorized by the 
individual. The accounting would have been required to contain the date 
of each disclosure; the name and address of the organization or person 
who received the protected health information; a brief description of 
the information disclosed; and copies of all requests for disclosures. 
For disclosures other than those made at the request of the individual, 
the accounting would have also included the purpose for which the 
information was disclosed.
    We generally retain the proposed approach in the final rule, but do 
not require covered entities to make copies of authorizations or other 
requests for disclosures available with the accounting. Instead, we 
require the accounting to contain a brief statement of the purpose of 
the disclosure. The statement must reasonably inform the individual of 
the basis for the disclosure. In lieu of the statement of purpose, a 
covered entity may include a copy of the individual's authorization 
under Sec. 164.508 or a copy of a written request for disclosure, if 
any, under Sec. 164.502(a)(2)(ii) or Sec. 164.512. We also clarify that 
covered entities are only required to include the address of the 
recipient of the disclosed protected health information if the covered 
entity knows the address.
    We add a provision allowing for a summary accounting of recurrent 
disclosures. For multiple disclosures to the same recipient pursuant to 
a single authorization under Sec. 164.508 or for a single purpose under 
Secs. 164.502(a)(2)(ii) or 164.512, the covered entity may provide a 
summary accounting addressing the series of disclosures rather than a 
detailed accounting of each disclosure in the series. In this 
circumstance, a covered entity may limit the accounting of the series 
of disclosures to the following information: the information otherwise 
required above for the first disclosure in the series during the 
accounting period; the frequency, periodicity, or number of disclosures 
made during the accounting period; and the date of the most recent 
disclosure in the series. For example, if under Sec. 164.512(b), a 
covered entity discloses the same protected health information to a 
public health authority for the same purpose every month, it can 
account for those disclosures by including in the accounting the date 
of the first disclosure, the public health authority to whom the 
disclosures were made and the public health authority's address, a 
brief description of the information disclosed, a brief description of 
the purpose of the disclosures, the fact that the disclosures were made 
every month during the accounting period, and the date of the most 
recent disclosure.

Provision of the Accounting

    We proposed in the NPRM to require covered entities to provide 
individuals with an accounting of disclosures as soon as possible, but 
not later than 30 days following receipt of the request for the 
accounting.
    In the final rule, we eliminate the requirement for the covered 
entity to act as soon as possible. We recognize that circumstances may 
arise in which an individual will request an accounting on an expedited 
basis. We encourage covered entities to implement procedures for 
handling such requests. The time limitation is intended to be an 
outside deadline, rather than an expectation. We expect covered 
entities always to be attentive to the circumstances surrounding each 
request and to respond in an appropriate time frame.
    In the final rule, covered entities must provide a requested 
accounting no later than 60 days after receipt of the request. If the 
covered entity is unable to meet the deadline, the covered entity may 
extend the deadline by no more than 30 days. The covered entity must 
inform the individual in writing, within the standard 60-day deadline, 
of the reason for the delay and the date by which the covered entity 
will provide the request.

[[Page 82561]]

A covered entity may only extend the deadline one time per request for 
accounting.
    The NPRM did not address whether a covered entity could charge a 
fee for the accounting of disclosures.
    In the final rule, we provide that individuals have a right to 
receive one free accounting per 12 month period. For each additional 
request by an individual within the 12 month period, the covered entity 
may charge a reasonable, cost-based fee. If it imposes such a fee, the 
covered entity must inform the individual of the fee in advance and 
provide the individual with an opportunity to withdraw or modify the 
request in order to avoid or reduce the fee.

Procedures and Documentation

    As in the proposed rule, we establish documentation requirements 
for covered entities subject to this provision. In accordance with 
Sec. 164.530(j), for disclosures that are subject to the accounting 
requirement, the covered entity must retain documentation of the 
information required to be included in the accounting. The covered 
entity must also retain a copy of any accounting provided and must 
document the titles of the persons or offices responsible for receiving 
and processing requests for an accounting.

Section 164.530--Administrative Requirements

Designation of a Privacy Official and Contact Person

    In Sec. 164.518(a) of the NPRM, we proposed that covered entities 
be required to designate an individual as the covered entity's privacy 
official, responsible for the implementation and development of the 
entity's privacy policies and procedures. We also proposed that covered 
entities be required to designate a contact person to receive 
complaints about privacy and provide information about the matters 
covered by the entity's notice. We indicated that the contact person 
could be, but was not required to be, the person designated as the 
privacy official. We proposed to leave implementation details to the 
discretion of the covered entity. We expected implementation to vary 
widely depending on the size and nature of the covered entity, with 
small offices assigning this as an additional duty to an existing staff 
person, and large organizations creating a full-time privacy official. 
In proposed Sec. 164.512, we also proposed to require the covered plan 
or provider's privacy notice to include the name of a contact person 
for privacy matters.
    The final regulation retains the requirements for a privacy 
official and contact person as specified in the NPRM. These 
designations must be documented. The designation of privacy official 
and contact person positions within affiliated entities will depend on 
how the covered entity chooses to designate the covered entity(ies) 
under Sec. 164.504(b). If a subsidiary is defined as a covered entity 
under this regulation, then a separate privacy official and contact 
person is required for that covered entity. If several subsidiaries are 
designated as a single covered entity, pursuant to Sec. 164.504(b), 
then together they need have only a single privacy officer and contact 
person. If several covered entities share a notice for services 
provided on the same premises, pursuant to Sec. 164.520(d), that notice 
need designate only one privacy official and contact person for the 
information collected under that notice.
    These requirements are consistent with the approach recommended by 
the Joint Commission on Accreditation of Healthcare Organizations, and 
the National Committee for Quality Assurance, in its paper ``Protecting 
Personal Health Information; A framework for Meeting the Challenges in 
a Managed Care Environment.'' This paper notes that ``accountability is 
enhanced by having focal points who are responsible for assessing 
compliance with policies and procedures * * * '' (p. 29)

Training

    In Sec. 164.518(b) of the NPRM we proposed to require that covered 
entities provide training on the entities' policies and procedures to 
all members of the workforce likely to have access to protected health 
information. Each entity would be required to provide initial training 
by the date on which this rule became applicable. After that date, each 
covered entity would have to provide training to new members of the 
workforce within a reasonable time after joining the entity. In 
addition, we proposed that when a covered entity made material changes 
in its privacy policies or procedures, it would be required to retrain 
those members of the workforce whose duties were related to the change 
within a reasonable time of making the change.
    The NPRM would have required that, upon completion of the training, 
the trainee would be required to sign a statement certifying that he or 
she received the privacy training and would honor all of the entity's 
privacy policies and procedures. Entities would determine the most 
effective means of achieving this training requirement for their 
workforce. We also proposed that, at least every three years after the 
initial training, covered entities would be required to have each 
member of the workforce sign a new statement certifying that he or she 
would honor all of the entity's privacy policies and procedures. The 
covered entity would have been required to document its policies and 
procedures for complying with the training requirements.
    The final regulation requires covered entities to train all members 
of their workforce on the policies and procedures with respect to 
protected health information required by this rule, as necessary and 
appropriate for the members of the workforce to carry out their 
functions within the covered entity. We do not change the proposed time 
lines for training existing and new members of the workforce, or for 
training due to material changes in the covered entity's policies and 
procedures. We eliminate both the requirement for employees to sign a 
certification following training and the triennial re-certification 
requirement. Covered entities are responsible for implementing policies 
and procedures to meet these requirements and for documenting that 
training has been provided.

Safeguards

    In Sec. 164.518(c) of the NPRM, we proposed to require covered 
entities to put in place administrative, technical, and physical 
safeguards to protect the privacy of protected health information. We 
made reference in the preamble to similar requirements proposed for 
certain electronic information in the Notice of Proposed Rulemaking 
entitled the Security and Electronic Signature Standards (HCFA-0049-P). 
We stated that we were proposing parallel and consistent requirements 
for safeguarding the privacy of protected health information. In 
Sec. 164.518(c)(3) of the NPRM, we required covered entities to have 
safeguards to ensure that information was not used in violation of the 
requirements of this subpart or by people who did not have proper 
authorization to access the information.
    We do not change the basic proposed requirements that covered 
entities have administrative, technical and physical safeguards to 
protect the privacy of protected health information. We combine the 
proposed requirements into a single standard that requires covered 
entities to safeguard protected health information from accidental or 
intentional use or disclosure that is a violation of the requirements 
of this rule

[[Page 82562]]

and to protect against the inadvertent disclosure of protected health 
information to persons other than the intended recipient. Limitations 
on access to protected health information by the covered entities 
workforce will also be covered by the policies and procedures for 
``minimum necessary'' use of protected health information, pursuant to 
Sec. 164.514(d). We expect these provisions to work in tandem.
    We do not prescribe the particular measures that covered entities 
must take to meet this standard, because the nature of the required 
policies and procedures will vary with the size of the covered entity 
and the type of activities that the covered entity undertakes. (That 
is, as with other provisions of this rule, this requirement is 
``scalable.'') Examples of appropriate safeguards include requiring 
that documents containing protected health information be shredded 
prior to disposal, and requiring that doors to medical records 
departments (or to file cabinets housing such records) remain locked 
and limiting which personnel are authorized to have the key or pass-
code. We intend this to be a common sense, scalable, standard. We do 
not require covered entities to guarantee the safety of protected 
health information against all assaults. Theft of protected health 
information may or may not signal a violation of this rule, depending 
on the circumstances and whether the covered entity had reasonable 
policies to protect against theft. Organizations such as the 
Association for Testing and Materials (ASTM) and the American Health 
Information Management Association (AHIMA) have developed a body of 
recommended practices for handling of protected health information that 
covered entities may find useful.
    We note that the proposed HIPAA Security Standards would require 
covered entities to safeguard the privacy and integrity of health 
information. For electronic information, compliance with both 
regulations will be required.
    In Sec. 164.518(c)(2) of the NPRM we proposed requirements for 
verification procedures to establish identity and authority for 
permitted disclosures of protected health information.
    In the final rule, this material has been moved to Sec. 164.514(h).

Use or Disclosure of Protected Health Information by Whistleblowers

    In Sec. 164.518(c)(4) of the NPRM, this provision was entitled 
``Implementation Specification: Disclosures by whistleblowers.'' It is 
now retitled ``Disclosures by whistleblowers,'' with certain changes, 
and moved to Sec. 164.502(j)(1).

Complaints to the Covered Entity

    In Sec. 164.518(d) of the NPRM, we proposed to require covered 
entities to have a mechanism for receiving complaints from individuals 
regarding the health plan's or provider's compliance with the 
requirements of this proposed rule. We did not require that the health 
plan or provider develop a formal appeals mechanism, nor that ``due 
process'' or any similar standard be applied. Additionally, there was 
no requirement to respond in any particular manner or time frame.
    We proposed two basic requirements for the complaint process. 
First, the covered health plan or health care provider would be 
required to identify in the notice of information practices a contact 
person or office for receiving complaints. Second, the health plan or 
provider would be required to maintain a record of the complaints that 
are filed and a brief explanation of their resolution, if any.
    In the final rule, we retain the requirement for an internal 
complaint process for compliance with this rule, including the two 
basic requirements of identifying a contact person and documenting 
complaints received and their dispositions, if any. We expand the scope 
of complaints that covered entities must have a means of receiving to 
include complaints concerning violations of the covered entity's 
privacy practices, not just violations of the rule. For example, a 
covered entity must have a mechanism for receiving a complaint that 
patient information is used at a nursing station in a way that it can 
also be viewed by visitors to the hospital, regardless of whether the 
practices at the nursing stations might constitute a violation of this 
rule.

Sanctions

    In Sec. 164.518(e) of the NPRM, we proposed to require all covered 
entities to develop, and apply when appropriate, sanctions against 
members of its workforce who failed to comply with privacy policies or 
procedures of the covered entity or with the requirements of the rule. 
Covered entities would be required to develop and impose sanctions 
appropriate to the nature of the violation. The preamble stated that 
the type of sanction applied would vary depending on factors such as 
the severity of the violation, whether the violation was intentional or 
unintentional, and whether the violation indicated a pattern or 
practice of improper use or disclosure of protected health information. 
Sanctions could range from a warning to termination. The NPRM preamble 
language also stated that covered entities would be required to apply 
sanctions against business associates that violated the proposed rule.
    In the final rule, we retain the requirement for sanctions against 
members of a covered entity's workforce. We also require a covered 
entity to have written policies and procedures for the application of 
appropriate sanctions for violations of this subpart and to document 
those sanctions. These sanctions do not apply to whistleblower 
activities that meet the provisions of Sec. 164.502(j) or complaints, 
investigations, or opposition that meet the provisions of 
Sec. 164.530(g)(2). We eliminate language regarding business associates 
from this section. Requirements with respect to business associates are 
stated in Sec. 164.504.

Duty To Mitigate

    In proposed Sec. 164.518(f), we would have required covered 
entities to have policies and procedures for mitigating, to the extent 
practicable, any deleterious effect of a use or disclosure of protected 
health information in violation of the requirements of this subpart. 
The NPRM preamble also included specific language applying this 
requirement to harm caused by members of the covered entity's workforce 
and business associates.
    With respect to business associates, the NPRM preamble but not the 
NPRM rule text, stated that covered entities would have a duty to take 
reasonable steps in response to breaches of contract terms. Covered 
entities generally would not be required to monitor the activities of 
their business associates, but would be required to take steps to 
address problems of which they become aware, and, where the breach was 
serious or repeated, would also be required to monitor the business 
associate's performance to ensure that the wrongful behavior had been 
remedied. Termination of the arrangement would be required only if it 
became clear that a business associate could not be relied upon to 
maintain the privacy of protected health information provided to it.
    In the final rule, we clarify this requirement by imposing a duty 
for covered entities to mitigate any harmful effect of a use or 
disclosure of protected health information that is known to the covered 
entity. We apply the duty to mitigate to a violation of the covered 
entity's policies and procedures, not just a violation of the 
requirements of the subpart. We resolve the ambiguities in the NPRM by 
imposing this duty on covered entities for harm caused by

[[Page 82563]]

either members of their workforce or by their business associates.
    We eliminate the language regarding potential breaches of business 
associate contracts from this section. All other requirements with 
respect to business associates are stated in Sec. 164.504.

Refraining from Intimidating or Retaliatory Acts

    In Sec. 164.522(d)(4) of the NPRM, in the Compliance and 
Enforcement section, we proposed that one of the responsibilities of a 
covered entity would be to refrain from intimidating or retaliatory 
acts. Specifically, the rule provided that ``[a] covered entity may not 
intimidate, threaten, coerce, discriminate against, or take other 
retaliatory action against any individual for the filing of a complaint 
under this section, for testifying, assisting, participating in any 
manner in an investigation, compliance review, proceeding or hearing 
under this Act, or opposing any act or practice made unlawful by this 
subpart.''
    In the final rule, we continue to require that entities refrain 
from intimidating or retaliatory acts; however, the provisions have 
been moved to the Administrative Requirements provisions in 
Sec. 164.530. This change is not just clerical; in making this change, 
we apply this provision to the privacy rule alone rather than to all 
the HIPAA administrative simplification rules. (The compliance and 
enforcement provisions that were in Sec. 164 are now in Part 160, 
Subpart C.)
    We continue to prohibit retaliation against individuals for filing 
a complaint with the Secretary, but also prohibit retaliation against 
any other person who files such a complaint. This is the case because 
the term ``individual'' is generally limited to the person who is the 
subject of the information. The final rule prohibits retaliation 
against persons, not just individuals, for testifying, assisting, or 
participating in an investigation, compliance review, proceeding or 
hearing under Part C of Title XI. The proposed regulation referenced 
the ``Act,'' which is defined in Part 160 as the Social Security Act. 
Because we only intend to protect activities such as participation in 
investigations and hearings under the Administrative Simplification 
provisions of HIPAA, the final rule references Part C of Title XI of 
the Social Security Act.
    The proposed rule would have prohibited retaliatory actions against 
individuals for opposing any act or practice made unlawful by this 
subpart. The final rule retains this provision, but applies it to any 
person, only if the person ``has a good faith belief that the practice 
opposed is unlawful, the manner of the opposition is reasonable and 
does not involve a disclosure of protected health information in 
violation of this subpart.'' The final rule provides additional 
protections, which had been included in the preamble to the proposed 
rule. Specifically, we prohibit retaliatory actions against individuals 
who exercise any right, or participate in any process established by 
the privacy rule (Part 164 Subpart E), and include as an example the 
filing of a complaint with the covered entity.

Waiver of Rights

    In the final regulation, but not in the proposed regulation, we 
provide that a covered entity may not require individuals to waive 
their rights to file a complaint with the Secretary or their other 
rights under this rule as a condition of the provision of treatment, 
payment, enrollment in a health plan or eligibility for benefits. This 
provision ensures that covered entities do not take away the rights 
that individuals have been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and Documentation 
Requirements

    In Sec. 164.520 of the NPRM, we proposed to require covered 
entities to develop and document their policies and procedures for 
implementing the requirements of the rule. In the final regulation we 
retain this approach, but specify which standards must be documented in 
each of the relevant sections. In this section, we state the general 
administrative requirements applicable to all policies and procedures 
required throughout the regulation.
    In Sec. 164.530(i), (j), and (k) of the final rule, we amend the 
NPRM language in several respects. In Sec. 164.530(i) we require that 
the policies and procedures be reasonably designed to comply with the 
standards, implementation specifications, and other requirements of the 
relevant part of the regulation, taking into account the size of the 
covered entity and the nature of the activities undertaken by the 
covered entity that relate to protected health information. However, we 
clarify that the requirements that policies and procedures be 
reasonably designed may not be interpreted to permit or excuse any 
action that violates the privacy regulation. Where the covered entity 
has stated in its notice that it reserves the right to change 
information practices, we allow the new practice to apply to 
information created or collected prior to the effective date of the new 
practice and establish requirements for making this change. We also 
establish the conditions for making changes if the covered entity has 
not reserved the right to change its practices.
    We require covered entities to modify in a prompt manner their 
policies and procedures to comply with changes in relevant law and, 
where the change also affects the practices stated in the notice, to 
change the notice. We make clear that nothing in our requirements 
regarding changes to policies and procedures or changes to the notice 
may be used by a covered entity to excuse a failure to comply with 
applicable law.
    In Sec. 164.530(j), we require that the policies and procedures 
required throughout the regulation be maintained in writing, and that 
any other communication, action, activity, or designation that must be 
documented under this regulation be documented in writing. We note that 
``writing'' includes electronic storage; paper records are not 
required. We also note that, if a covered entity is required to 
document the title of a person, we mean the job title or similar 
description of the relevant position or office.
    We require covered entities to retain any documentation required 
under this rule for at least six years (the statute of limitations 
period for the civil penalties) from the date of the creation of the 
documentation, or the date when the document was last in effect, which 
ever is later. This generalizes the NPRM provision to cover all 
documentation required under the rule. The language on ``last was in 
effect'' is a change from the NPRM which was worded ``unless a longer 
period applies under this subpart.''
    This approach is consistent with the approach recommended by the 
Joint Commission on Accreditation of Healthcare Organizations, and the 
National Committee for Quality Assurance, in its paper ``Protecting 
Personal Health Information; A framework for Meeting the Challenges in 
a Managed Care Environment.'' This paper notes that ``MCOs [Managed 
Care Organizations] should have clearly defined policies and procedures 
for dealing with confidentiality issues.'' (p. 29).

Standards for Certain Group Health Plans

    We add a new provision (Sec. 164.530(k)) to clarify the 
administrative responsibilities of group health plans that offer 
benefits through issuers and HMOs. Specifically, a group health plan 
that provides benefits solely through an issuer or HMO, and that does 
not create, receive or maintain protected health

[[Page 82564]]

information other than summary health information or information 
regarding enrollment and disenrollment, is not subject to the 
requirements of this section regarding designation of a privacy 
official and contact person, workforce training, safeguards, 
complaints, mitigation, or policies and procedures. Such a group health 
plan is only subject to the requirements of this section regarding 
documentation with respect to its plan documents. Issuers and HMOs are 
covered entities under this rule, and thus have independent obligations 
to comply with this section with respect to the protected health 
information they maintain about the enrollees in such group health 
plans. The group health plans subject to this provision will have only 
limited protected health information. Therefore, imposing these 
requirements on the group health plan would impose burdens not 
outweighed by a corresponding enhancement in privacy protections.

Section 164.532--Transition Provisions

    In the NPRM, we did not address the effect of the regulation on 
consents and authorizations covered entities obtained prior to the 
compliance date of the regulation.
    In the final rule, we clarify that, in certain circumstances, a 
covered entity may continue to rely upon consents, authorizations, or 
other express legal permissions obtained prior to the compliance date 
of this regulation to use or disclose protected health information even 
if these consents, authorizations, or permissions do not meet the 
requirements set forth in Secs. 164.506 or 164.508.
    We realize that a covered entity may wish to rely upon a consent, 
authorization, or other express legal permission obtained from an 
individual prior to the compliance date of this regulation which 
permits the use or disclosure of individually identifiable health 
information for activities that come within treatment, payment, or 
health care operations (as defined in Sec. 164.501), but that do not 
meet the requirements for consents set forth in Sec. 164.506. In the 
final rule, we permit a covered entity to rely upon such consent, 
authorization, or permission to use or disclose protected health 
information that it created or received before the applicable 
compliance date of the regulation to carry out the treatment, payment, 
or health care operations as long as it meets two requirements. First, 
the covered entity may not make any use or disclosure that is expressly 
excluded from the consent, authorization, or permission. Second, the 
covered entity must comply with all limitations expressed in the 
consent, authorization, or permission. Thus, we do not require a 
covered entity to obtain a consent that meets the requirements of 
Sec. 164.506 to use or disclose this previously obtained protected 
health information as long as the use or disclosure is consistent with 
the requirements of this section. However, a covered entity will need 
to obtain a consent that meets the requirements of Sec. 164.506 to the 
extent that it is required to obtain a consent under Sec. 164.506 from 
an individual before it may use or disclose any protected health 
information it creates or receives after the date by which it must 
comply with this rule.
    Similarly, we recognize that a covered entity may wish to rely upon 
a consent, authorization, or other express legal permission obtained 
from an individual prior to the applicable compliance date of this 
regulation that specifically permits the covered entity to use or 
disclose individually identifiable health information for activities 
other than to carry out treatment, payment, or health care operations. 
In the final rule, we permit a covered entity to rely upon such a 
consent, authorization, or permission to use or disclose protected 
health information that it created or received before the applicable 
compliance date of the regulation for the specific activities described 
in the consent, authorization, or permission as long as the covered 
entity complies with two requirements. First, the covered entity may 
not make any use or disclosure that is expressly excluded from the 
consent, authorization, or permission. Second, the covered entity must 
comply with all limitations expressed in the consent, authorization, or 
permission. Thus, we do not required a covered entity to obtain an 
authorization that meets the requirements of Sec. 164.508 to use or 
disclose this previously obtained protected health information so long 
as the use or disclosure is consistent with the requirements of this 
section. However, a covered entity will need to obtain an authorization 
that meets the requirements of Sec. 164.508, to the extent that it is 
required to obtain an authorization under this rule, from an individual 
before it may use or disclose any protected health information it 
creates or receives after the date by which it must comply with this 
rule.
    Additionally, the final rule acknowledges that covered entities may 
wish to rely upon consents, authorizations, or other express legal 
permission obtained from an individual prior to the applicable 
compliance date for a specific research project that includes the 
treatment of individuals, such as clinical trials. These consents, 
authorizations, or permissions may specifically permit a use or 
disclosure of individually identifiable health information for purposes 
of the project. Alternatively, they may be general consents to 
participate in the project. A covered entity may use or disclose 
protected health information it created or received before or after to 
the applicable compliance date of this rule for purposes of the project 
provided that the covered entity complies with all limitations 
expressed in the consent, authorization, or permission.
    If, pursuant to this section, a covered entity relies upon a 
previously obtained consent, authorization, or other express legal 
permission and agrees to a request for a restriction by an individual 
under Sec. 164.522(a), any subsequent use or disclosure under that 
consent, authorization, or permission must comply with the agreed upon 
restriction as well.
    We believe it is necessary to grandfather in previously obtained 
consents, authorizations, or other express legal permissions in these 
circumstances to ensure that important functions of the health care 
system are not impeded. We link the effectiveness of such consents, 
authorizations, or permissions in these circumstances to the applicable 
compliance date to give covered entities sufficient notice of the 
requirements set forth in Secs. 164.506 and 164.508.
    The rule does not change the past effectiveness of consents, 
authorizations, or other express legal permissions that do not come 
within this section. This means that uses or disclosures of 
individually identifiable health information made prior to the 
compliance date of this regulation are not subject to sanctions, even 
if they were made pursuant to documents or permissions that do not meet 
the requirements of this rule or were made without permission. This 
rule alters only the future effectiveness of the previously obtained 
consents, authorizations, or permissions. Covered entities are not 
required to rely upon these consents, authorizations, or permissions 
and may obtain new consents or authorizations that meet the applicable 
requirements of Secs. 164.506 and 164.508.
    When reaching this decision, we considered requiring all covered 
entities to obtain new consents or authorizations consistent with the 
requirements of Secs. 164.506 and 164.508 before they would be able to 
use or disclose protected health information obtained

[[Page 82565]]

after the compliance date of these rules. We rejected this option 
because we recognize that covered entities may not always be able to 
obtain new consents or authorizations consistent with the requirements 
of Secs. 164.506 and 164.508 from all individuals upon whose 
information they rely. We also refrained from impeding the rights of 
covered entities to exercise their interests in the records they have 
created. We do not require covered entities with existing records or 
databases to destroy or remove the protected health information for 
which they do not have valid consents or authorizations that meet the 
requirements of Secs. 164.506 and 164.508. Covered entities may rely 
upon the consents, authorizations, or permissions they obtained from 
individuals prior to the applicable compliance date of this regulation 
consistent with the constraints of those documents and the requirements 
discussed above.
    We note that if a covered entity obtains before the applicable 
compliance date of this regulation a consent that meets the 
requirements of Sec. 164.506, an authorization that meets the 
requirements of Sec. 164.508, or an IRB or privacy board waiver of 
authorization that meets the requirements of Sec. 164.512(i), the 
consent, authorization, or waiver is effective for uses or disclosures 
that occur after the compliance date and that are consistent with the 
terms of the consent, authorization, or waiver.

Section 164.534--Compliance Dates for Initial Implementation of the 
Privacy Standards

    In the NPRM, we provided that a covered entity must be in 
compliance with this subpart not later than 24 months following the 
effective date of this rule, except that a covered entity that is a 
small health plan must be in compliance with this subpart not later 
than 36 months following the effective date of the rule.
    The final rule did not make any substantive changes. The format is 
changed so as to more clearly present the various compliance dates. The 
final rule lists the types of covered entities and then the various 
dates that would apply to each of these entities.

III. Section-by-Section Discussion of Comments

    The following describes the provisions in the final regulation, and 
the changes we make to the proposed provisions section-by-section. 
Following each section are our responses to the comments to that 
section. This section of the preamble is organized to follow the 
corresponding section of the final rule, not the NPRM.

General Comments

    We received many comments on the rule overall, not to a particular 
provision. We respond to those comments here. Similar comments, but 
directed to a specific provision in the proposed rule, are answered 
below in the corresponding section of this preamble.

Comments on the Need for Privacy Standards, and Effects of this 
Regulation on Current Protections

    Comment: Many commenters expressed the opinion that federal 
legislation is necessary to protect the privacy of individuals' health 
information. One comment advocated Congressional efforts to provide a 
comprehensive federal health privacy law that would integrate the 
substance abuse regulations with the privacy regulation.
    Response: We agree that comprehensive privacy legislation is 
urgently needed. This administration has urged the Congress to pass 
such legislation. While this regulation will improve the privacy of 
individuals' health information, only legislation can provide the full 
array of privacy protection that individuals need and deserve.
    Comment: Many commenters noted that they do not go to a physician, 
or do not completely share health information with their physician, 
because they are concerned about who will have access to that 
information. Many physicians commented on their patients' reluctance to 
share information because of fear that their information will later be 
used against them.
    Response: We agree that strong federal privacy protections are 
necessary to enhance patients' trust in the health care system.
    Comment: Many commenters expressed concerns that this regulation 
will allow access to health information by those who today do not have 
such access, or would allow their physician to disclose information 
which may not lawfully be disclosed today. Many of these commenters 
stated that today, they consent to every disclosure of health 
information about them, and that absent their consent the privacy of 
their health information is ``absolute.'' Others stated that, today, 
health information is disclosed only pursuant to a judicial order. 
Several commenters were concerned that this regulation would override 
stronger state privacy protection.
    Response: This regulation does not, and cannot, reduce current 
privacy protections. The statutory language of the HIPAA specifically 
mandates that this regulation does not preempt state laws that are more 
protective of privacy.
    As discussed in more detail in later this preamble, while many 
people believe that they must be asked permission prior to any release 
of health information about them, current laws generally do not impose 
such a requirement. Similarly, as discussed in more detail later in 
this preamble, judicial review is required today only for a small 
proportion of releases of health information.
    Comment: Many commenters asserted that today, medical records 
``belong'' to patients. Others asserted that patients own their medical 
information and health care providers and insurance companies who 
maintain health records should be viewed as custodians of the patients' 
property.
    Response: We do not intend to change current law regarding 
ownership of or responsibility for medical records. In developing this 
rule we reviewed current law on this and related issues, and built on 
that foundation.
    Under state laws, medical records are often the property of the 
health care provider or medical facility that created them. Some state 
laws also provide patients with access to medical records or an 
ownership interest in the health information in medical records. 
However, these laws do not divest the health care provider or the 
medical facility of its ownership interest in medical records. These 
statutes typically provide a patient the right to inspect or copy 
health information from the medical record, but not the right to take 
the provider's original copy of an item in the medical record. If a 
particular state law provides greater ownership rights, this regulation 
leaves such rights in place.
    Comment: Some commenters argued that the use and disclosure of 
sensitive personal information must be strictly regulated, and 
violation of such regulations should subject an entity to significant 
penalties and sanctions.
    Response: We agree, and share the commenters' concern that the 
penalties in the HIPAA statute are not sufficient to fully protect 
individuals' privacy interests. The need for stronger penalties is 
among the reasons we believe Congress should pass comprehensive privacy 
legislation.
    Comment: Many commenters expressed the opinion that the proposed 
ruled should provide stricter privacy protections.

[[Page 82566]]

    Response: We received nearly 52,000 comments on the proposed 
regulation, and make substantial changes to the proposal in response to 
those comments. Many of these changes will strengthen the protections 
that were proposed in the NPRM.
    Comment: Many comments express concerns that their health 
information will be given to their employers.
    Response: We agree that employer access to health information is a 
particular concern. In this final regulation, we make significant 
changes to the NPRM that clarify and provide additional safeguards 
governing when and how the health plans covered by this regulation may 
disclose health information to employers.
    Comment: Several commenters argued that individuals should be able 
to sue for breach of privacy.
    Response: We agree, but do not have the legislative authority to 
grant a private right of action to sue under this statute. Only 
Congress can grant that right.

Objections to Government Access to Protected Health Information

    Comment: Many commenters urged the Department not to create a 
government database of health information, or a tracking system that 
would enable the government to track individuals health information.
    Response: This regulation does not create such a database or 
tracking system, nor does it enable future creation of such a database. 
This regulation describes the ways in which health plans, health care 
clearinghouses, and certain health care providers may use and disclose 
identifiable health information with and without the individual's 
consent.
    Comment: Many commenters objected to government access to or 
control over their health information, which they believe the proposed 
regulation would provide.
    Response: This regulation does not increase current government 
access to health information. This rule sets minimum privacy standards. 
It does not require disclosure of health information, other than to the 
subject of the records or for enforcement of this rule. Health plans 
and health care providers are free to use their own professional ethics 
and judgement to adopt stricter policies for disclosing health 
information.
    Comment: Some commenters viewed the NPRM as creating fewer hurdles 
for government access to protected health information than for access 
to protected health information by private organizations. Some health 
care providers commented that the NPRM would impose substantial new 
restrictions on private sector use and disclosure of protected health 
information, but would make government access to protected health 
information easy. One consumer advocacy group made the same 
observation.
    Response: We acknowledge that many of the national priority 
purposes for which we allow disclosure of protected health information 
without consent or authorization are for government functions, and that 
many of the governmental recipients of such information are not 
governed by this rule. It is the role of government to undertake 
functions in the broader public interest, such as public health 
activities, law enforcement, identification of deceased individuals 
through coroners' offices, and military activities. It is these public 
purposes which can sometimes outweigh an individual's privacy interest. 
In this rule, we specify the circumstances in which that balance is 
tipped toward the public interest with respect to health information. 
We discuss the rationale behind each of these permitted disclosures in 
the relevant preamble sections below.

Miscellaneous Comments

    Comment: Many commenters objected to the establishment of a unique 
identifier for health care or other purposes.
    Response: This regulation does not create an identifier. We assume 
these comments refer to the unique health identifier that Congress 
directed the Secretary to promulgate under section1173(b) of the Social 
Security Act, added by section 262 of the HIPAA. Because of the public 
concerns about such an identifier, in the summer of 1998 Vice President 
Gore announced that the Administration would not promulgate such a 
regulation until comprehensive medical privacy protections were in 
place. In the fall of that year, Congress prohibited the Department 
from promulgating such an identifier, and that prohibition remains in 
place. The Department has no plans to promulgate a unique health 
identifier.
    Comment: Many commenters asked that we withdraw the proposed 
regulation and not publish a final rule.
    Response: Under section 264 of the HIPAA, the Secretary is required 
by Congress to promulgate a regulation establishing standards for 
health information privacy. Further, for the reasons explained 
throughout this preamble above, we believe that the need to protect 
health information privacy is urgent and that this regulation is in the 
public's interest.
    Comment: Many commenters express the opinion that their consent 
should be required for all disclosure of their health information.
    Response: We agree that consent should be required prior to release 
of health information for many purposes, and impose such a requirement 
in this regulation. Requiring consent prior to all release of health 
information, however, would unduly jeopardize public safety and make 
many operations of the health care system impossible. For example, 
requiring consent prior to release of health information to a public 
health official who is attempting to track the source of an outbreak or 
epidemic could endanger thousands of lives. Similarly, requiring 
consent before an oversight official could audit a health plan would 
make detection of health care fraud all but impossible; it could take 
health plans months or years to locate and obtain the consent of all 
current and past enrollees, and the health plan would not have a strong 
incentive to do so. These uses of medical information are clearly in 
the public interest.
    In this regulation, we must balance individuals' privacy interests 
against the legitimate public interests in certain uses of health 
information. Where there is an important public interest, this 
regulation imposes procedural safeguards that must be met prior to 
release of health information, in lieu of a requirement for consent. In 
some instances the procedural safeguards consist of limits on the 
circumstances in which information may be disclosed, in others the 
safeguards consist of limits on what information may be disclosed, and 
in other cases we require some form of legal process (e.g., a warrant 
or subpoena) prior to release of health information. We also allow 
disclosure of health information without consent where other law 
mandates the disclosures. Where such other law exists, another public 
entity has made the determination that the public interests outweigh 
the individual's privacy interests, and we do not upset that 
determination in this regulation. In short, we tailor the safeguards to 
match the specific nature of the public purpose. The specific 
safeguards are explained in each section of this regulation below.
    Comment: Many comments address matters not relevant to this 
regulation, such as alternative fuels, hospital reimbursement, and gulf 
war syndrome.
    Response: These and similar matters are not relevant to this 
regulation and will not be addressed further.

[[Page 82567]]

    Comment: A few commenters questioned why this level of detail is 
needed in response to the HIPAA Congressional mandate.
    Response: This level of detail is necessary to ensure that 
individuals' rights with respect to their health information are clear, 
while also ensuring that information necessary for important public 
functions, such as protecting public health, promoting biomedical 
research, fighting health care fraud, and notifying family members in 
disaster situations, will not be impaired by this regulation. We 
designed this rule to reflect current practices and change some of 
them. The comments and our fact finding revealed the complexity of 
current health information practices, and we believe that the 
complexity entailed in reflecting those practices is better public 
policy than a perhaps simpler rule that disturbed important information 
flows.
    Comment: A few comments stated that the goal of administrative 
simplification should never override the privacy of individuals.
    Response: We believe that privacy is a necessary component of 
administrative simplification, not a competing interest.
    Comment: At least one commenter said that the goal of 
administrative simplification is not well served by the proposed rule.
    Response: Congress recognized that privacy is a necessary component 
of administrative simplification. The standardization of electronic 
health information mandated by the HIPAA that make it easier to share 
that information for legitimate purposes also make the inappropriate 
sharing of that information easier. For this reason, Congress included 
a mandate for privacy standards in this section of the HIPAA. Without 
appropriate privacy protections, public fear and instances of abuse 
would make it impossible for us to take full advantage of the 
administrative and costs benefits inherent in the administrative 
simplification standards.
    Comment: At least one commenter asked us to require 
psychotherapists to assert any applicable legal privilege on patients' 
behalf when protected health information is requested.
    Response: Whether and when to assert a claim of privilege on a 
patient's behalf is a matter for other law and for the ethics of the 
individual health care provider. This is not a decision that can or 
should be made by the federal government.
    Comment: One commenter called for HHS to consider the privacy 
regulation in conjunction with the other HIPAA standards. In 
particular, this comment focused on the belief that the Security 
Standards should be compatible with the existing and emerging health 
care and information technology industry standards.
    Response: We agree that both this regulation and the final Security 
Regulation should be compatible with existing and emerging technology 
industry standards. This regulation is ``technology neutral.'' We do 
not mandate the use of any particular technologies, but rather set 
standards which can be met through a variety of means.
    Comment: Several commenters claimed that the statutory authority 
given under HIPAA cannot provide meaningful privacy protections because 
many entities with access to protected health information, such as 
employers, worker's compensation carriers, and life insurance 
companies, are not covered entities. These commenters expressed support 
for comprehensive legislation to close many of the existing loopholes.
    Response: We agree with the commenters that comprehensive 
legislation is necessary to provide full privacy protection and have 
called for members of Congress to pass such legislation to prevent 
unauthorized and potentially harmful uses and disclosures of 
information.

Part 160--Subpart A--General Provisions

Section 160.103--Definitions

Business Associate

    The response to comments on the definition of ``business partner,'' 
renamed in this rule as ``business associate,'' is included in the 
response to comments on the requirements for business associates in the 
preamble discussion of Sec. 164.504.

Covered Entity

    Comment: A number of commenters urged the Department to expand or 
clarify the definition of ``covered entity'' to include certain 
entities other than health care clearinghouses, health plans, and 
health care providers who conduct standard transactions. For example, 
several commenters asked that the Department generally expand the scope 
of the rule to cover all entities that receive or maintain individually 
identifiable health information; others specifically urged the 
Department to cover employers, marketing firms, and legal entities that 
have access to individually identifiable health information. Some 
commenters asked that life insurance and casualty insurance carriers be 
considered covered entities for purposes of this rule. One commenter 
recommended that Pharmacy Benefit Management (PBM) companies be 
considered covered entities so that they may use and disclose protected 
health information without authorization.
    In addition, a few commenters asked the Department to clarify that 
the definition includes providers who do not directly conduct 
electronic transactions if another entity, such as a billing service or 
hospital, does so on their behalf.
    Response: We understand that many entities may use and disclose 
individually identifiable health information. However, our jurisdiction 
under the statute is limited to health plans, health care 
clearinghouses, and health care providers who transmit any health 
information electronically in connection with any of the standard 
financial or administrative transactions in section 1173(a) of the Act. 
These are the entities referred to in section 1173(a)(1) of the Act and 
thus listed in Sec. 160.103 of the final rule. Consequently, once 
protected health information leaves the purview of one of these covered 
entities, their business associates, or other related entities (such as 
plan sponsors), the information is no longer afforded protection under 
this rule. We again highlight the need for comprehensive federal 
legislation to eliminate such gaps in privacy protection.
    We also provide the following clarifications with regard to 
specific entities.
    We clarify that employers and marketing firms are not covered 
entities. However, employers may be plan sponsors of a group health 
plan that is a covered entity under the rule. In such a case, specific 
requirements apply to the group health plan. See the preamble on 
Sec. 164.504 for a discussion of specific ``firewall'' and other 
organizational requirements for group health plans and their employer 
sponsors. The final rule also contains provisions addressing when an 
insurance issuer providing benefits under a group health plan may 
disclose summary health information to a plan sponsor.
    With regard to life and casualty insurers, we understand that such 
benefit providers may use and disclose individually identifiable health 
information. However, Congress did not include life insurers and 
casualty insurance carriers as ``health plans'' for the purposes of 
this rule and therefore they are not covered entities. See the 
discussion regarding the definition of ``health plan'' and excepted 
benefits.

[[Page 82568]]

    In addition, we clarify that a PBM is a covered entity only to the 
extent that it meets the definition of one or more of the entities 
listed in Sec. 160.102. When providing services to patients through 
managed care networks, it is likely that a PBM is acting as a business 
associate of a health plan, and may thus use and disclose protected 
health information pursuant to the relevant provisions of this rule. 
PBMs may also be business associates of health care providers. See the 
preamble sections on Secs. 164.502, 164.504, and 164.506 for 
discussions of the specific requirements related to business associates 
and consent.
    Lastly, we clarify that health care providers who do not submit 
HIPAA transactions in standard form become covered by this rule when 
other entities, such as a billing service or a hospital, transmit 
standard electronic transactions on their behalf. The provider could 
not circumvent these requirements by assigning the task to a 
contractor.
    Comment: Many commenters urged the Department to restrict or 
clarify the definition of ``covered entity'' to exclude certain 
entities, such as department-operated hospitals (public hospitals); 
state Crime Victim Compensation Programs; employers; and certain lines 
of insurers, such as workers' compensation insurers, property and 
casualty insurers, reinsurers, and stop-loss insurers. One commenter 
expressed concern that clergy, religious practitioners, and other 
faith-based service providers would have to abide by the rule and asked 
that the Department exempt prayer healing and non-medical health care.
    Response: The Secretary provides the following clarifications in 
response to these comments. To the extent that a ``department-operated 
hospital'' meets the definition of a ``health care provider'' and 
conducts any of the standard transactions, it is a covered entity for 
the purposes of this rule. We agree that a state Crime Victim 
Compensation Program is not a covered entity if it is not a health care 
provider that conducts standard transactions, health plan, or health 
care clearinghouse. Further, as described above, employers are not 
covered entities.
    In addition, we agree that workers' compensation insurers, property 
and casualty insurers, reinsurers, and stop-loss insurers are not 
covered entities, as they do not meet the statutory definition of 
``health plan.'' See further discussion in the preamble on Sec. 160.103 
regarding the definition of ``health plan.'' However, activities 
related to ceding, securing, or placing a contract for reinsurance, 
including stop-loss insurance, are health care operations in the final 
rule. As such, reinsurers and stop-loss insurers may obtain protected 
health information from covered entities.
    Also, in response to the comment regarding religious practitioners, 
the Department clarifies that ``health care'' as defined under the rule 
does not include methods of healing that are solely spiritual. 
Therefore, clergy or other religious practitioners that provide solely 
religious healing services are not health care providers within the 
meaning of this rule, and consequently not covered entities for the 
purposes of this rule.
    Comment: A few commenters expressed general uncertainty and 
requested clarification as to whether certain entities were covered 
entities for the purposes of this rule. One commenter was uncertain as 
to whether the rule applies to certain social service entities, in 
addition to clinical social workers that the commenter believes are 
providers. Other commenters asked whether researchers or non-
governmental entities that collect and analyze patient data to monitor 
and evaluate quality of care are covered entities. Another commenter 
requested clarification regarding the definition's application to 
public health agencies that also are health care providers as well as 
how the rule affects public health agencies in their data collection 
from covered entities.
    Response: Whether the professionals described in these comments are 
covered by this rule depends on the activities they undertake, not on 
their profession or degree. The definitions in this rule are based on 
activities and functions, not titles. For example, a social service 
worker whose activities meet this rule's definition of health care will 
be a health care provider. If that social service worker also transmits 
information in a standard HIPAA transaction, he or she will be a 
covered health entity under this rule. Another social service worker 
may provide services that do not meet the rule's definition of health 
care, or may not transmit information in a standard transaction. Such a 
social service worker is not a covered entity under this rule. 
Similarly, researchers in and of themselves are not covered entities. 
However, researchers may also be health care providers if they provide 
health care. In such cases, the persons, or entities in their role as 
health care providers may be covered entities if they conduct standard 
transactions.
    With regard to public health agencies that are also health care 
providers, the health care provider ``component'' of the agency is the 
covered entity if that component conducts standard transactions. See 
discussion of ``health care components'' below. As to the data 
collection activities of a public health agency, the final rule in 
Sec. 164.512(b) permits a covered entity to disclose protected health 
information to public health authorities under specified circumstances, 
and permits public health agencies that are also covered entities to 
use protected health information for these purposes. See 
Sec. 164.512(b) for further details.
    Comment: A few commenters requested that the Department clarify 
that device manufacturers are not covered entities. They stated that 
the proposal did not provide enough guidance in cases where the 
``manufacturer supplier'' has only one part of its business that acts 
as the ``supplier,'' and additional detail is needed about the 
relationship of the ``supplier component'' of the company to the rest 
of the business. Similarly, another commenter asserted that drug, 
biologics, and device manufacturers should not be covered entities 
simply by virtue of their manufacturing activities.
    Response: We clarify that if a supplier manufacturer is a Medicare 
supplier, then it is a health care provider, and it is a covered entity 
if it conducts standard transactions. Further, we clarify that a 
manufacturer of supplies related to the health of a particular 
individual, e.g., prosthetic devices, is a health care provider because 
the manufacturer is providing ``health care'' as defined in the rule. 
However, that manufacturer is a covered entity only if it conducts 
standard transactions. We do not intend that a manufacturer of supplies 
that are generic and not customized or otherwise specifically designed 
for particular individuals, e.g., ace bandages for a hospital, is a 
health care provider. Such a manufacturer is not providing ``health 
care'' as defined in the rule and is therefore not a covered entity. We 
note that, even if such a manufacturer is a covered entity, it may be 
an ``indirect treatment provider'' under this rule, and thus not 
subject to all of the rule's requirements.
    With regard to a ``supplier component,'' the final rule addresses 
the status of the unit or unit(s) of a larger entity that constitute a 
``health care component.'' See further discussion under Sec. 164.504 of 
this preamble.
    Finally, we clarify that drug, biologics, and device manufacturers 
are not health care providers simply by virtue of their manufacturing 
activities. The manufacturer must be providing health care consistent 
with the final

[[Page 82569]]

rule's definition in order to be considered a health care provider.
    Comment: A few commenters asked that the Department clarify that 
pharmaceutical manufacturers are not covered entities. It was explained 
that pharmaceutical manufacturers provide support and guidance to 
doctors and patients with respect to the proper use of their products, 
provide free products for doctors to distribute to patients, and 
operate charitable programs that provide pharmaceutical drugs to 
patients who cannot afford to buy the drugs they need.
    Response: A pharmaceutical manufacturer is only a covered entity if 
the manufacturer provides ``health care'' according to the rule's 
definition and conducts standard transactions. In the above case, a 
pharmaceutical manufacturer that provides support and guidance to 
doctors and patients regarding the proper use of their products is 
providing ``health care'' for the purposes of this rule, and therefore, 
is a health care provider to the extent that it provides such services. 
The pharmaceutical manufacturer that is a health care provider is only 
a covered entity, however, if it conducts standard transactions. We 
note that this rule permits a covered entity to disclose protected 
health information to any person for treatment purposes, without 
specific authorization from the individual. Therefore, a covered health 
care provider is permitted to disclose protected health information to 
a pharmaceutical manufacturer for treatment purposes. Providing free 
samples to a health care provider does not in itself constitute health 
care. For further analysis of pharmacy assistance programs, see 
response to comment on Sec. 164.501, definition of ``payment.''
    Comment: Several commenters asked about the definition of ``covered 
entity'' and its application to health care entities within larger 
organizations.
    Response: A detailed discussion of the final rule's organizational 
requirements and firewall restrictions for ``health care components'' 
of larger entities, as well as for affiliated, and other entities is 
found at the discussion of Sec. 164.504 of this preamble. The following 
responses to comments provide additional information with respect to 
particular ``component entity'' circumstances.
    Comment: Several commenters asked that we clarify the definition of 
covered entity to state that with respect to persons or organizations 
that provide health care or have created health plans but are primarily 
engaged in other unrelated businesses, the term ``covered entity'' 
encompasses only the health care components of the entity. Similarly, 
others recommended that only the component of a government agency that 
is a provider, health plan, or clearinghouse should be considered a 
covered entity.
    Other commenters requested that we revise proposed Sec. 160.102 to 
apply only to the component of an entity that engages in the 
transactions specified in the rule. Commenters stated that companies 
should remain free to employ licensed health care providers and to 
enter into corporate relationships with provider institutions without 
fear of being considered to be a covered entity. Another commenter 
suggested that the regulation not apply to the provider-employee or 
employer when neither the provider nor the company are a covered 
entity.
    Some commenters specifically argued that the definition of 
``covered entity'' did not contemplate an integrated health care system 
and one commenter stated that the proposal would disrupt the multi-
disciplinary, collaborative approach that many take to health care 
today by treating all components as separate entities. Commenters, 
therefore, recommended that the rule treat the integrated entity, not 
its constituent parts, as the covered entity.
    A few commenters asked that the Department further clarify the 
definition with respect to the unique organizational models and 
relationships of academic medical centers and their parent universities 
and the rules that govern information exchange within the institution. 
One commenter asked whether faculty physicians who are paid by a 
medical school or faculty practice plan and who are on the medical 
staff of, but not paid directly by, a hospital are included within the 
covered entity. Another commenter stated that it appears that only the 
health center at an academic institution is the covered entity. 
Uncertainty was also expressed as to whether other components of the 
institution that might create protected health information only 
incidentally through the conduct of research would also be covered.
    Response: The Department understands that in today's health care 
industry, the relationships among health care entities and non-health 
care organizations are highly complex and varied. Accordingly, the 
final rule gives covered entities some flexibility to segregate or 
aggregate its operations for purposes of the application of this rule. 
The new component entity provision can be found at Secs. 164.504(b)-
(c). In response to the request for clarification on whether the rule 
would apply to a research component of the covered entity, we point out 
that if the research activities fall outside of the health care 
component they would not be subject to the rule. One organization may 
have one or several ``health care component(s)'' that each perform one 
or more of the health care functions of a covered entity, i.e., health 
care provider, health plan, health care clearinghouse. In addition, the 
final rule permits covered entities that are affiliated, i.e., share 
common ownership or control, to designate themselves, or their health 
care components, together to be a single covered entity for purposes of 
the rule.
    It appears from the comments that there is not a common 
understanding of the meaning of ``integrated delivery system.'' 
Arrangements that apply this label to themselves operate and share 
information many different ways, and may or may not be financially or 
clinically integrated. In some cases, multiple entities hold themselves 
out as one enterprise and engage together in clinical or financial 
activities. In others, separate entities share information but do not 
provide treatment together or share financial risk. Many health care 
providers participate in more than one such arrangement.
    Therefore, we do not include a separate category of ``covered 
entity'' under this rule for ``integrated delivery systems'' but 
instead accommodate the operations of these varied arrangements through 
the functional provisions of the rule. For example, covered entities 
that operate as ``organized health care arrangements'' as defined in 
this rule may share protected health information for the operation of 
such arrangement without becoming business associates of one another. 
Similarly, the regulation does not require a business associate 
arrangement when protected health information is shared for purposes of 
providing treatment. The application of this rule to any particular 
``integrated system'' will depend on the nature of the common 
activities the participants in the system perform. When the 
participants in such an arrangement are ``affiliated'' as defined in 
this rule, they may consider themselves a single covered entity (see 
Sec. 164. 504).
    The arrangements between academic health centers, faculty practice 
plans, universities, and hospitals are similarly diverse. We cannot 
describe a blanket rule that covers all such arrangements. The 
application of this rule will depend on the purposes for which the 
participants in such arrangements share protected health information, 
whether some or all participants are under common ownership or control, 
and similar matters. We note that physicians who have staff privileges 
at a covered

[[Page 82570]]

hospital do not become part of that hospital covered entity by virtue 
of having such privileges.
    We reject the recommendation to apply the rule only to components 
of an entity that engage in the transactions. This would omit as 
covered entities, for example, the health plan components that do not 
directly engage in the transactions, including components that engage 
in important health plan functions such as coverage determinations and 
quality review. Indeed, we do not believe that the statute permits this 
result with respect to health plans or health care clearinghouses as a 
matter of negative implication from section 1172(a)(3). We clarify that 
only a health care provider must conduct transactions to be a covered 
entity for purposes of this rule.
    We also clarify that health care providers (such as doctors or 
nurses) who work for a larger organization and do not conduct 
transactions on their own behalf are workforce members of the covered 
entity, not covered entities themselves.
    Comment: A few commenters asked the Department to clarify the 
definition to provide that a multi-line insurer that sells insurance 
coverages, some of which do and others which do not meet the definition 
of ``health plan,'' is not a covered entity with respect to actions 
taken in connection with coverages that are not ``health plans.''
    Response: The final rule clarifies that the requirements below 
apply only to the organizational unit or units of the organization that 
are the ``health care component'' of a covered entity, where the 
``covered functions'' are not the primary functions of the entity. 
Therefore, for a multi-line insurer, the ``health care component'' is 
the insurance line(s) that conduct, or support the conduct of, the 
health care function of the covered entity. Also, it should be noted 
that excepted benefits, such as life insurance, are not included in the 
definition of ``health plan.'' (See preamble discussion of 
Sec. 164.504).
    Comment: A commenter questioned whether the Health Care Financing 
Administration (HCFA) is a covered entity and how HCFA will share data 
with Medicare managed care organizations. The commenter also questioned 
why the regulation must apply to Medicaid since the existing Medicaid 
statute requires that states have privacy standards in place. It was 
also requested that the Department provide a definition of ``health 
plan'' to clarify that state Medicaid Programs are considered as such.
    Response: HCFA is a covered entity because it administers Medicare 
and Medicaid, which are both listed in the statute as health plans. 
Medicare managed care organizations are also covered entities under 
this regulation. As noted elsewhere in this preamble, covered entities 
that jointly administer a health plan, such as Medicare + Choice, are 
both covered entities, and are not business associates of each other by 
virtue of such joint administration.
    We do not exclude state Medicaid programs. Congress explicitly 
included the Medicaid program as a covered health plan in the HIPAA 
statute.
    Comment: A commenter asked the Department to provide detailed 
guidance as to when providers, plans, and clearinghouses become covered 
entities. The commenter provided the following example: if a provider 
submits claims only in paper form, and a coordination of benefits (COB) 
transaction is created due to other insurance coverage, will the 
original provider need to be notified that the claim is now in 
electronic form, and that it has become a covered entity? Another 
commenter voiced concern as to whether physicians who do not conduct 
electronic transactions would become covered entities if another entity 
using its records downstream transmits information in connection with a 
standard transaction on their behalf.
    Response: We clarify that health care providers who submit the 
transactions in standard electronic form, health plans, and health care 
clearinghouses are covered entities if they meet the respective 
definitions. Health care providers become subject to the rule if they 
conduct standard transactions. In the above example, the health care 
provider would not be a covered entity if the coordination of benefits 
transaction was generated by a payor.
    We also clarify that health care providers who do not submit 
transactions in standard form become covered by this rule when other 
entities, such as a billing service or a hospital, transmit standard 
electronic transactions on the providers' behalf. However, where the 
downstream transaction is not conducted on behalf of the health care 
provider, the provider does not become a covered entity due to the 
downstream transaction.
    Comment: Several commenters discussed the relationship between 
section 1179 of the Act and the privacy regulations. One commenter 
suggested that HHS retain the statement that a covered entity means 
``the entities to which part C of title XI of the Act applies.'' In 
particular, the commenter observed that section 1179 of the Act 
provides that part C of title XI of the Act does not apply to financial 
institutions or to entities acting on behalf of such institutions that 
are covered by the section 1179 exemption. Thus, under the definition 
of covered entity, they comment that financial institutions and other 
entities that come within the scope of the section 1179 exemption are 
appropriately not covered entities.
    Other commenters maintained that section 1179 of the Act means that 
the Act's privacy requirements do not apply to the request for, or the 
use or disclosure of, information by a covered entity with respect to 
payment: (a) For transferring receivables; (b) for auditing; (c) in 
connection with--(i) a customer dispute; or (ii) an inquiry from or to 
a customer; (d) in a communication to a customer of the entity 
regarding the customer's transactions payment card, account, check, or 
electronic funds transfer; (e) for reporting to consumer reporting 
agencies; or (f) for complying with: (i) a civil or criminal subpoena; 
or (ii) a federal or state law regulating the entity. These companies 
expressed concern that the proposed rule did not include the full text 
of section 1179 when discussing the list of activities that were exempt 
from the rule's requirements. Accordingly, they recommended including 
in the final rule either a full listing of or a reference to section 
1179's full list of exemptions. Furthermore, these firms opposed 
applying the proposed rule's minimum necessary standard for disclosure 
of protected health information to financial institutions because of 
section 1179.
    These commenters suggest that in light of section 1179, HHS lacks 
the authority to impose restrictions on financial institutions and 
other entities when they engage in activities described in that 
section. One commenter expressed concern that even though proposed 
Sec. 164.510(i) would have permitted covered entities to disclose 
certain information to financial institutions for banking and payment 
processes, it did not state clearly that financial institutions and 
other entities described in section 1179 are exempt from the rule's 
requirements.
    Response: We interpret section 1179 of the Act to mean that 
entities engaged in the activities of a financial institution, and 
those acting on behalf of a financial institution, are not subject to 
this regulation when they are engaged in authorizing, processing, 
clearing, settling, billing, transferring, reconciling, or collecting 
payments for a financial institution. The statutory reference to 12 
U.S.C. 3401 indicates that Congress chose to adopt the definition of 
financial institutions found

[[Page 82571]]

in the Right to Financial Privacy Act, which defines financial 
institutions as any office of a bank, savings bank, card issuer, 
industrial loan company, trust company, savings association, building 
and loan, homestead association, cooperative bank, credit union, or 
consumer finance institution located in the United States or one of its 
Territories. Thus, when we use the term ``financial institution'' in 
this regulation, we turn to the definition with which Congress provided 
us. We interpret this provision to mean that when a financial 
institution, or its agent on behalf of the financial institution, 
conducts the activities described in section 1179, the privacy 
regulation will not govern the activity.
    If, however, these activities are performed by a covered entity or 
by another entity, including a financial institution, on behalf of a 
covered entity, the activities are subject to this rule. For example, 
if a bank operates the accounts payable system or other ``back office'' 
functions for a covered health care provider, that activity is not 
described in section 1179. In such instances, because the bank would 
meet the rule's definition of ``business associate,'' the provider must 
enter into a business associate contract with the bank before 
disclosing protected health information pursuant to this relationship. 
However, if the same provider maintains an account through which he/she 
cashes checks from patients, no business associate contract would be 
necessary because the bank's activities are not undertaken for or on 
behalf of the covered entity, and fall within the scope of section 
1179. In part to give effect to section 1179, in this rule we do not 
consider a financial institution to be acting on behalf of a covered 
entity when it processes consumer-conducted financial transactions by 
debit, credit or other payment card, clears checks, initiates or 
processes electronic funds transfers, or conducts any other activity 
that directly facilitates or effects the transfer of funds for 
compensation for health care.
    We do not agree with the comment that section 1179 of the Act means 
that the privacy regulation's requirements cannot apply to the 
activities listed in that section; rather, it means that the entities 
expressly mentioned, financial institutions (as defined in the Right to 
Financial Privacy Act), and their agents that engage in the listed 
activities for the financial institution are not within the scope of 
the regulation. Nor do we interpret section 1179 to support an 
exemption for disclosures to financial institutions from the minimum 
necessary provisions of this regulation.
    Comment: One commenter recommended that HHS include a definition of 
``entity'' in the final rule because HIPAA did not define it. The 
commenter explained that in a modern health care environment, the 
organization acting as the health plan or health care provider may 
involve many interrelated corporate entities and that this could lead 
to difficulties in determining what ``entities'' are actually subject 
to the regulation.
    Response: We reject the commenter's suggestion. We believe it is 
clear in the final rule that the entities subject to the regulation are 
those listed at Sec. 160.102. However, we acknowledge that how the rule 
applies to integrated or other complex health systems needs to be 
addressed; we have done so in Sec. 164.504 and in other provisions, 
such as those addressing organized health care arrangements.
    Comment: The preamble should clarify that self-insured group health 
and workmen's compensation plans are not covered entities or business 
partners.
    Response: In the preamble to the proposed rule we stated that 
certain types of insurance entities, such as workers' compensation, 
would not be covered entities under the rule. We do not change this 
position in this final rule. The statutory definition of health plan 
does not include workers' compensation products, and the regulatory 
definition of the term specifically excludes them. However, HIPAA 
specifically includes most group health plans within the definition of 
``health plan.''
    Comment: A health insurance issuer asserted that health insurers 
and third party administrators are usually required by employers to 
submit reports describing the volume, amount, payee, basis for services 
rendered, types of claims paid and services for which payment was 
requested on behalf of it covered employees. They recommended that the 
rule permit the disclosure of protected health information for such 
purposes.
    Response: We agree that health plans should be able to disclose 
protected health information to employers sponsoring health plans under 
certain circumstances. Section 164.504(f) explains the conditions under 
which protected health information may be disclosed to plan sponsors. 
We believe that this provision gives sponsors access to the information 
they need, but protects individual's information to the extent possible 
under our legislative authority.

Group Health Plan

    For response to comments relating to ``group health plan,'' see the 
response to comments on ``health plan'' below and the response to 
comments on Sec. 164.504.

Health Care

    Comment: A number of commenters asked that we include disease 
management activities and other similar health improvement programs, 
such as preventive medicine, health education services and maintenance, 
health and case management, and risk assessment, in the definition of 
``health care.'' Commenters maintained that the rule should avoid 
limiting technological advances and new health care trends intended to 
improve patient ``health care.''
    Response: Review of these and other comments, and our fact-finding, 
indicate that there are multiple, different, understandings of the 
definition of these terms. Therefore, rather than create a blanket rule 
that includes such terms in or excludes such terms from the definition 
of ``health care,'' we define health care based on the underlying 
activities that constitute health care. The activities described by 
these commenters are considered ``health care'' under this rule to the 
extent that they meet this functional definition. Listing activities by 
label or title would create the risk that important activities would be 
left out and, given the lack of consensus on what these terms mean, 
could also create confusion.
    Comment: Several commenters urged that the Department clarify that 
the activities necessary to procure and distribute eyes and eye tissue 
will not be hampered by the rule. Some of these commenters explicitly 
requested that we include ``eyes and eye tissue'' in the list of 
procurement biologicals as well as ``eye procurement'' in the 
definition of ``health care.'' In addition, it was argued that 
``administration to patients'' be excluded in the absence of a clear 
definition. Also, commenters recommended that the definition include 
other activities associated with the transplantation of organs, such as 
processing, screening, and distribution.
    Response: We delete from the definition of ``health care'' 
activities related to the procurement or banking of blood, sperm, 
organs, or any other tissue for administration to patients. We do so 
because persons who make such donations are not seeking to be treated, 
diagnosed, or assessed or otherwise seeking health care for themselves, 
but are seeking to contribute to the health care of others. In 
addition, the nature of

[[Page 82572]]

these activities entails a unique kind of information sharing and 
tracking necessary to safeguard the nation's organ and blood supply, 
and those seeking to donate are aware that this information sharing 
will occur. Consequently, such procurement or banking activities are 
not considered health care and the organizations that perform such 
activities are not considered health care providers for purposes of 
this rule.
    With respect to disclosure of protected health information by 
covered entities to facilitate cadaveric organ and tissue donation, the 
final rule explicitly permits a covered entity to disclose protected 
health information without authorization, consent, or agreement to 
organ procurement organizations or other entities engaged in the 
procurement, banking, or transplantation of cadaveric organs, eyes, or 
tissue for the purpose of facilitating donation and transplantation. 
See Sec. 164.512(h). We do not include blood or sperm banking in this 
provision because, for those activities, there is direct contact with 
the donor, and thus opportunity to obtain the individual's 
authorization.
    Comment: A large number of commenters urged that the term 
``assessment'' be included in the list of services in the definition, 
as ``assessment'' is used to determine the baseline health status of an 
individual. It was explained that assessments are conducted in the 
initial step of diagnosis and treatment of a patient. If assessment is 
not included in the list of services, they pointed out that the 
services provided by occupational health nurses and employee health 
information may not be covered.
    Response: We agree and have added the term ``assessment'' to the 
definition to clarify that this activity is considered ``health care'' 
for the purposes of the rule.
    Comment: One commenter asked that we revise the definition to 
explicitly exclude plasmapheresis from paragraph (3) of the definition. 
It was explained that plasmapheresis centers do not have direct access 
to health care recipients or their health information, and that the 
limited health information collected about plasma donors is not used to 
provide health care services as indicated by the definition of health 
care.
    Response: We address the commenters' concerns by removing the 
provision related to procurement and banking of human products from the 
definition.

Health Care Clearinghouse

    Comment: The largest set of comments relating to health care 
clearinghouses focused on our proposal to exempt health care 
clearinghouses from the patient notice and access rights provisions of 
the regulation. In our NPRM, we proposed to exempt health care 
clearinghouses from certain provisions of the regulation that deal with 
the covered entities' notice of information practices and consumers' 
rights to inspect, copy, and amend their records. The rationale for 
this exemption was based on our belief that health care clearinghouses 
engage primarily in business-to-business transactions and do not 
initiate or maintain direct relationships with individuals. We proposed 
this position with the caveat that the exemptions would be void for any 
health care clearinghouse that had direct contact with individuals in a 
capacity other than that of a business partner. In addition, we 
indicated that, in most instances, clearinghouses also would be 
considered business partners under this rule and would be bound by 
their contracts with covered plans and providers. They also would be 
subject to the notice of information practices developed by the plans 
and providers with whom they contract.
    Commenters stated that, although health care clearinghouses do not 
have direct contact with individuals, they do have individually 
identifiable health information that may be subject to misuse or 
inappropriate disclosure. They expressed concern that we were proposing 
to exempt health care clearinghouses from all or many aspects of the 
regulation. These commenters suggested that we either delete the 
exemption or make it very narrow, specific and explicit in the final 
regulatory text.
    Clearinghouse commenters, on the other hand, were in agreement with 
our proposal, including the exemption provision and the provision that 
the exemption is voided when the entity does have direct contact with 
individuals. They also stated that a health care clearinghouse that has 
a direct contact with individuals is no longer a health care 
clearinghouse as defined and should be subject to all requirements of 
the regulation.
    Response: In the final rule, where a clearinghouse creates or 
receives protected health information as a business associate of 
another covered entity, we maintain the exemption for health care 
clearinghouses from certain provisions of the regulation dealing with 
the notice of information practices and patient's direct access rights 
to inspect, copy and amend records (Secs. 164.524 and 164.526), on the 
grounds that a health care clearinghouse is engaged in business-to-
business operations, and is not dealing directly with individuals. 
Moreover, as business associates of plans and providers, health care 
clearinghouses are bound by the notices of information practices of the 
covered entities with whom they contract.
    Where a health care clearinghouse creates or receives protected 
health information other than as a business associate, however, it must 
comply with all the standards, requirements, and implementation 
specifications of the rule. We describe and delimit the exact nature of 
the exemption in the regulatory text. See Sec. 164.500(b). We will 
monitor developments in this sector should the basic business-to-
business relationship change.
    Comment: A number of comments relate to the proposed definition of 
health care clearinghouse. Many commenters suggested that we expand the 
definition. They suggested that additional types of entities be 
included in the definition of health care clearinghouse, specifically 
medical transcription services, billing services, coding services, and 
``intermediaries.'' One commenter suggested that the definition be 
expanded to add entities that receive standard transactions, process 
them and clean them up, and then send them on, without converting them 
to any standard format. Another commenter suggested that the health 
care clearinghouse definition be expanded to include entities that do 
not perform translation but may receive protected health information in 
a standard format and have access to that information. Another 
commenter stated that the list of covered entities should include any 
organization that receives or maintains individually identifiable 
health information. One organization recommended that we expand the 
health care clearinghouse definition to include the concept of a 
research data clearinghouse, which would collect individually 
identifiable health information from other covered entities to generate 
research data files for release as de-identified data or with 
appropriate confidentiality safeguards. One commenter stated that HHS 
had gone beyond Congressional intent by including billing services in 
the definition.
    Response: We cannot expand the definition of ``health care 
clearinghouse'' to cover entities not covered by the definition of this 
term in the statute. In the final regulation, we

[[Page 82573]]

make a number of changes to address public comments relating to 
definition. We modify the definition of health care clearinghouse to 
conform to the definition published in the Transactions Rule (with the 
addition of a few words, as noted above). We clarify in the preamble 
that, while the term ``health care clearinghouse'' may have other 
meanings and connotations in other contexts, for purposes of this 
regulation an entity is considered a health care clearinghouse only to 
the extent that it actually meets the criteria in our definition. 
Entities performing other functions but not meeting the criteria for a 
health care clearinghouse are not clearinghouses, although they may be 
business associates. Billing services are included in the regulatory 
definition of ``health care clearinghouse,'' if they perform the 
specified clearinghouse functions. Although we have not added or 
deleted any entities from our original definition, we will monitor 
industry practices and may add other entities in the future as changes 
occur in the health system.
    Comment: Several commenters suggested that we clarify that an 
entity acting solely as a conduit through which individually 
identifiable health information is transmitted or through which 
protected health information flows but is not stored is not a covered 
entity, e.g., a telephone company or Internet Service Provider. Other 
commenters indicated that once a transaction leaves a provider or plan 
electronically, it may flow through several entities before reaching a 
clearinghouse. They asked that the regulation protect the information 
in that interim stage, just as the security NPRM established a chain of 
trust arrangement for such a network. Others noted that these 
``conduit'' entities are likely to be business partners of the 
provider, clearinghouse or plan, and we should clarify that they are 
subject to business partner obligations as in the proposed Security 
Rule.
    Response: We clarify that entities acting as simple and routine 
communications conduits and carriers of information, such as telephone 
companies and Internet Service Providers, are not clearinghouses as 
defined in the rule unless they carry out the functions outlined in our 
definition. Similarly, we clarify that value added networks and 
switches are not health care clearinghouses unless they carry out the 
functions outlined in the definition, and clarify that such entities 
may be business associates if they meet the definition in the 
regulation.
    Comment: Several commenters, including the large clearinghouses and 
their trade associations, suggested that we not treat health care 
clearinghouses as playing a dual role as covered entity and business 
partner in the final rule because such a dual role causes confusion as 
to which rules actually apply to clearinghouses. In their view, the 
definition of health care clearinghouse is sufficiently clear to stand 
alone and identify a health care clearinghouse as a covered entity, and 
allows health care clearinghouses to operate under one consistent set 
of rules.
    Response: For reasons explained in Sec. 164.504 of this preamble, 
we do not create an exception to the business associate requirements 
when the business associate is also a covered entity. We retain the 
concept that a health care clearinghouse may be a covered entity and a 
business associate of a covered entity under the regulation. As 
business associates, they would be bound by their contracts with 
covered plans and providers.

Health Care Provider

    Comment: One commenter pointed out that the preamble referred to 
the obligations of providers and did not use the term, ``covered 
entity,'' and thus created ambiguity about the obligations of health 
care providers who may be employed by persons other than covered 
entities, e.g., pharmaceutical companies. It was suggested that a 
better reading of the statute and rule is that where neither the 
provider nor the company is a covered entity, the rule does not impose 
an obligation on either the provider-employee or the employer.
    Response: We agree. We use the term ``covered entity'' whenever 
possible in the final rule, except for the instances where the final 
rule treats the entities differently, or where use of the term ``health 
care provider'' is necessary for purposes of illustrating an example.
    Comment: Several commenters stated that the proposal's definition 
was broad, unclear, and/or confusing. Further, we received many 
comments requesting clarification as to whether specific entities or 
persons were ``health care providers'' for the purposes of our rule. 
One commenter questioned whether affiliated members of a health care 
group (even though separate legal entities) would be considered as one 
primary health care provider.
    Response: We permit legally distinct covered entities that share 
common ownership or control to designate themselves together to be a 
single covered entity. Such organizations may promulgate a single 
shared notice of information practices and a consent form. For more 
detailed information, see the preamble discussion of Sec. 164.504(d).
    We understand the need for additional guidance on whether specific 
entities or persons are health care providers under the final rule. We 
provide guidance below and will provide additional guidance as the rule 
is implemented.
    Comment: One commenter observed that sections 1171(3), 1861(s) and 
1861(u) of the Act do not include pharmacists in the definition of 
health care provider or pharmacist services in the definition of 
``medical or other health services,'' and questioned whether 
pharmacists were covered by the rule.
    Response: The statutory definition of ``health care provider'' at 
section 1171(3) includes ``any other person or organization who 
furnishes, bills, or is paid for health care in the normal course of 
business.'' Pharmacists' services are clearly within this statutory 
definition of ``health care.'' There is no basis for excluding 
pharmacists who meet these statutory criteria from this regulation.
    Comment: Some commenters recommended that the scope of the 
definition be broadened or clarified to cover additional persons or 
organizations. Several commenters argued for expanding the reach of the 
health care provider definition to cover entities such as state and 
local public health agencies, maternity support services (provided by 
nutritionists, social workers, and public health nurses and the Special 
Supplemental Nutrition Program for Women, Infants and Children), and 
those companies that conduct cost-effectiveness reviews, risk 
management, and benchmarking studies. One commenter queried whether 
auxiliary providers such as child play therapists, and speech and 
language therapists are considered to be health care providers. Other 
commenters questioned whether ``alternative'' or ``complementary'' 
providers, such as naturopathic physicians and acupuncturists would be 
considered health care providers covered by the rule.
    Response: As with other aspects of this rule, we do not define 
``health care provider'' based on the title or label of the 
professional. The professional activities of these kinds of providers 
vary; a person is a ``health care provider'' if those activities are 
consistent with the rule's definition of ``health care provider.'' 
Thus, health care providers include persons, such as those noted by the 
commenters, to the extent that they meet the definition. We note that 
health care providers are only

[[Page 82574]]

subject to this rule if they conduct certain transactions. See the 
definition of ``covered entity.''
    However companies that conduct cost-effectiveness reviews, risk 
management, and benchmarking studies are not health care providers for 
the purposes of this rule unless they perform other functions that meet 
the definition. These entities would be business associates if they 
perform such activities on behalf of a covered entity.
    Comment: Another commenter recommended that the Secretary expand 
the definition of health care provider to cover health care providers 
who transmit or ``or receive'' any health care information in 
electronic form.
    Response: We do not accept this suggestion. Section 1172(a)(3) 
states that providers that ``transmit'' health information in 
connection with one of the HIPAA transactions are covered, but does not 
use the term ``receive'' or a similar term.
    Comment: Some comments related to online companies as health care 
providers and covered entities. One commenter argued that there was no 
reason ``why an Internet pharmacy should not also be covered'' by the 
rule as a health care provider. Another commenter stated that online 
health care service and content companies, including online medical 
record companies, should be covered by the definition of health care 
provider. Another commenter pointed out that the definitions of covered 
entities cover ``Internet providers who `bill' or are `paid' for health 
care services or supplies, but not those who finance those services in 
other ways, such as through sale of identifiable health information or 
advertising.'' It was pointed out that thousands of Internet sites use 
information provided by individuals who access the sites for marketing 
or other purposes.
    Response: We agree that online companies are covered entities under 
the rule if they otherwise meet the definition of health care provider 
or health plan and satisfy the other requirements of the rule, i.e., 
providers must also transmit health information in electronic form in 
connection with a HIPAA transaction. We restate here the language in 
the preamble to the proposed rule that ``An individual or organization 
that bills and/or is paid for health care services or supplies in the 
normal course of business, such as * * * an ``online'' pharmacy 
accessible on the Internet, is also a health care provider for purposes 
of this statute'' (64 FR 59930).
    Comment: We received many comments related to the reference to 
``health clinic or licensed health care professional located at a 
school or business in the preamble's discussion of ``health care 
provider.'' It was stated that including ``licensed health care 
professionals located at a school or business'' highlights the need for 
these individuals to understand they have the authority to disclose 
information to the Social Security Administration (SSA) without 
authorization.
    However, several commenters urged HHS to create an exception for or 
delete that reference in the preamble discussion to primary and 
secondary schools because of employer or business partner 
relationships. One federal agency suggested that the reference 
``licensed health care professionals located at a [school]'' be deleted 
from the preamble because the definition of health care provider does 
not include a reference to schools. The commenter also suggested that 
the Secretary consider: adding language to the preamble to clarify that 
the rules do not apply to clinics or school health care providers that 
only maintain records that have been excepted from the definition of 
protected health information, adding an exception to the definition of 
covered entities for those schools, and limiting paperwork requirements 
for these schools. Another commenter argued for deleting references to 
schools because the proposed rule appeared to supersede or create 
ambiguity as to the Family Educational Rights and Privacy Act (FERPA), 
which gives parents the right to access ``education'' and health 
records of their unemancipated minor children. However, in contrast, 
one commenter supported the inclusion of health care professionals who 
provide services at schools or businesses.
    Response: We realize that our discussion of schools in the NPRM may 
have been confusing. Therefore, we address these concerns and set forth 
our policy regarding protected health information in educational 
agencies and institutions in the ``Relationship to Other Federal Laws'' 
discussion of FERPA, above.
    Comment: Many commenters urged that direct contact with the patient 
be necessary for an entity to be considered a health care provider. 
Commenters suggested that persons and organizations that are remote to 
the patient and have no direct contact should not be considered health 
care providers. Several commenters argued that the definition of health 
care provider covers a person that provides health care services or 
supplies only when the provider furnishes to or bills the patient 
directly. It was stated that the Secretary did not intend that 
manufacturers, such as pharmaceutical, biologics, and device 
manufacturers, health care suppliers, medical-surgical supply 
distributors, health care vendors that offer medical record 
documentation templates and that typically do not deal directly with 
the patient, be considered health care providers and thus covered 
entities. However, in contrast, one commenter argued that, as an in 
vitro diagnostics manufacturer, it should be covered as a health care 
provider.
    Response: We disagree with the comments that urged that direct 
dealings with an individual be a prerequisite to meeting the definition 
of health care provider. Many providers included in the statutory 
definition of provider, such as clinical labs, do not have direct 
contact with patients. Further, the use and disclosure of protected 
health information by indirect treatment providers can have a 
significant effect on individuals' privacy. We acknowledge, however, 
that providers who treat patients only indirectly need not have the 
full array of responsibilities as direct treatment providers, and 
modify the NPRM to make this distinction with respect to several 
provisions (see, for example Sec. 164.506 regarding consent). We also 
clarify that manufacturers and health care suppliers who are considered 
providers by Medicare are providers under this rule.
    Comment: Some commenters suggested that blood centers and plasma 
donor centers that collect and distribute source plasma not be 
considered covered health care providers because the centers do not 
provide ``health care services'' and the blood donors are not 
``patients'' seeking health care. Similarly, commenters expressed 
concern that organ procurement organizations might be considered health 
care providers.
    Response: We agree and have deleted from the definition of ``health 
care'' the term ``procurement or banking of blood, sperm, organs, or 
any other tissue for administration to patients.'' See prior discussion 
under ``health care.''
    Comment: Several commenters proposed to restrict coverage to only 
those providers who furnished and were paid for services and supplies. 
It was argued that a salaried employee of a covered entity, such as a 
hospital-based provider, should not be covered by the rule because that 
provider would be subject both directly to the rule as a covered entity 
and indirectly as an employee of a covered entity.
    Response: The ``dual'' direct and indirect situation described in 
these comments can arise only when a health

[[Page 82575]]

care provider conducts standard HIPAA transactions both for itself and 
for its employer. For example, when the services of a provider such as 
a hospital-based physician are billed through a standard HIPAA 
transaction conducted for the employer, in this example the hospital, 
the physician does not become a covered provider. Only when the 
provider uses a standard transaction on its own behalf does he or she 
become a covered health care provider. Thus, the result is typically as 
suggested by this commenter. When a hospital-based provider is not paid 
directly, that is, when the standard HIPAA transaction is not on its 
behalf, it will not become a covered provider.
    Comment: Other commenters argued that an employer who provides 
health care services to its employees for whom it neither bills the 
employee nor pays for the health care should not be considered health 
care providers covered by the proposed rule.
    Response: We clarify that the employer may be a health care 
provider under the rule, and may be covered by the rule if it conducts 
standard transactions. The provisions of Sec. 164.504 may also apply.
    Comment: Some commenters were confused about the preamble 
statement: ``in order to implement the principles in the Secretary's 
Recommendations, we must impose any protections on the health care 
providers that use and disclose the information, rather than on the 
researcher seeking the information,'' with respect to the rule's policy 
that a researcher who provides care to subjects in a trial will be 
considered a health care provider. Some commenters were also unclear 
about whether the individual researcher providing health care to 
subjects in a trial would be considered a health care provider or 
whether the researcher's home institution would be considered a health 
care provider and thus subject to the rule.
    Response: We clarify that, in general, a researcher is also a 
health care provider if the researcher provides health care to subjects 
in a clinical research study and otherwise meets the definition of 
``health care provider'' under the rule. However, a health care 
provider is only a covered entity and subject to the rule if that 
provider conducts standard transactions. With respect to the above 
preamble statement, we meant that our jurisdiction under the statute is 
limited to covered entities. Therefore, we cannot apply any 
restrictions or requirements on a researcher in that person's role as a 
researcher. However, if a researcher is also a health care provider 
that conducts standard transactions, that researcher/provider is 
subject to the rule with regard to its provider activities.
    As to applicability to a researcher/provider versus the 
researcher's home institution, we provide the following guidance. The 
rule applies to the researcher as a covered entity if the researcher is 
a health care provider who conducts standard transactions for services 
on his or her own behalf, regardless of whether he or she is part of a 
larger organization. However, if the services and transactions are 
conducted on behalf of the home institution, then the home institution 
is the covered entity for purposes of the rule and the researcher/
provider is a workforce member, not a covered entity.
    Comment: One commenter expressed confusion about those instances 
when a health care provider was a covered entity one day, and one who 
``works under a contract'' for a manufacturer the next day.
    Response: If persons are covered under the rule in one role, they 
are not necessarily covered entities when they participate in other 
activities in another role. For example, that person could be a covered 
health care provider in a hospital one day but the next day read 
research records for a different employer. In its role as researcher, 
the person is not covered, and protections do not apply to those 
research records.
    Comment: One commenter suggested that the Secretary modify proposed 
Sec. 160.102, to add the following clause at the end (after (c)) 
(regarding health care provider), ``With respect to any entity whose 
primary business is not that of a health plan or health care provider 
licensed under the applicable laws of any state, the standards, 
requirements, and implementation specifications of this subchapter 
shall apply solely to the component of the entity that engages in the 
transactions specified in [Sec. ] 160.103.'' (Emphasis added.) Another 
commenter also suggested that the definition of ``covered entity'' be 
revised to mean entities that are ``primarily or exclusively engaged in 
health care-related activities as a health plan, health care provider, 
or health care clearinghouse.''
    Response: The Secretary rejects these suggestions because they will 
impermissibly limit the entities covered by the rule. An entity that is 
a health plan, health care provider, or health care clearinghouse meets 
the statutory definition of covered entity regardless of how much time 
is devoted to carrying out health care-related functions, or regardless 
of what percentage of their total business applies to health care-
related functions.
    Comment: Several commenters sought to distinguish a health care 
provider from a business partner as proposed in the NPRM. For example, 
a number of commenters argued that disease managers that provide 
services ``on behalf of'' health plans and health care providers, and 
case managers (a variation of a disease management service) are 
business partners and not ``health care providers.'' Another commenter 
argued that a disease manager should be recognized (presumably as a 
covered entity) because of its involvement from the physician-patient 
level through complex interactions with health care providers.
    Response: To the extent that a disease or case manager provides 
services on behalf of or to a covered entity as described in the rule's 
definition of business associate, the disease or case manager is a 
business associate for purposes of this rule. However, if services 
provided by the disease or case manager meet the definition of 
treatment and the person otherwise meets the definition of ``health 
care provider,'' such a person is a health care provider for purposes 
of this rule.
    Comment: One commenter argued that pharmacy employees who assist 
pharmacists, such as technicians and cashiers, are not business 
partners.
    Response: We agree. Employees of a pharmacy that is a covered 
entity are workforce members of that covered entity for purposes of 
this rule.
    Comment: A number of commenters requested that we clarify the 
definition of health care provider (``* * * who furnishes, bills, or is 
paid for health care services or supplies in the normal course of 
business'') by defining the various terms ``furnish'', ``supply'', and 
``in the normal course of business.'' For instance, it was stated that 
this would help employers recognize when services such as an employee 
assistance program constituted health care covered by the rule.
    Response: Although we understand the concern expressed by the 
commenters, we decline to follow their suggestion to define terms at 
this level of specificity. These terms are in common use today, and an 
attempt at specific definition would risk the inadvertent creations of 
conflict with industry practices. There is a significant variation in 
the way employers structure their employee assistance programs (EAPs) 
and the type of services that they provide. If the EAP provides direct 
treatment to individuals, it may be a health care provider.

[[Page 82576]]

Health Information

    The response to comments on health information is included in the 
response to comments on individually identifiable health information, 
in the preamble discussion of Sec. 164.501.

Health Plan

    Comment: One commenter suggested that to eliminate any ambiguity, 
the Secretary should clarify that the catch-all category under the 
definition of health plan includes ``24-hour coverage plans'' (whether 
insured or self-insured) that integrate traditional employee health 
benefits coverage and workers' compensation coverage for the treatment 
of on-the-job injuries and illnesses under one program. It was stated 
that this clarification was essential if the Secretary persisted in 
excluding workers' compensation from the final rule.
    Response: We understand concerns that such plans may use and 
disclose individually identifiable health information. We therefore 
clarify that to the extent that 24-hour coverage plans have a health 
care component that meets the definition of ``health plan'' in the 
final rule, such components must abide by the provisions of the final 
rule. In the final rule, we have added a new provision to Sec. 164.512 
that permits covered entities to disclose information under workers' 
compensation and similar laws. A health plan that is a 24-hour plan is 
permitted to make disclosures as necessary to comply with such laws.
    Comment: A number of commenters urged that certain types of 
insurance entities, such as workers' compensation and automobile 
insurance carriers, property and casualty insurance health plans, and 
certain forms of limited benefits coverage, be included in the 
definition of ``health plan.'' It was argued that consumers deserve the 
same protection with respect to their health information, regardless of 
the entity using it, and that it would be inequitable to subject health 
insurance carriers to more stringent standards than other types of 
insurers that use individually identifiable health information.
    Response: The Congress did not include these programs in the 
definition of a ``health plan'' under section 1171 of the Act. Further, 
HIPAA's legislative history shows that the House Report's (H. Rep. 104-
496) definition of ``health plan'' originally included certain benefit 
programs, such as workers' compensation and liability insurance, but 
was later amended to clarify the definition and remove these programs. 
Thus, since the statutory definition of a health plan both on its face 
and through legislative history evidence Congress' intention to exclude 
such programs, we do not have the authority to require that these 
programs comply with the standards. We have added explicit language to 
the final rule which excludes the excepted benefit programs, as defined 
in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).
    Comment: Some commenters urged HHS to include entities such as stop 
loss insurers and reinsurers in the definition of ``health plan.'' It 
was observed that such entities have come to play important roles in 
managed care delivery systems. They asserted that increasingly, 
capitated health plans and providers contract with their reinsurers and 
stop loss carriers to medically manage their high cost outlier cases 
such as organ and bone marrow transplants, and therefore should be 
specifically cited as subject to the regulations.
    Response: Stop-loss and reinsurers do not meet the statutory 
definition of health plan. They do not provide or pay for the costs of 
medical care, as described in the statute, but rather insure health 
plans and providers against unexpected losses. Therefore, we cannot 
include them as health plans in the regulation.
    Comment: A commenter asserted that there is a significant 
discrepancy between the effect of the definition of ``group health 
plan'' as proposed in Sec. 160.103, and the anticipated impact in the 
cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of 
the proposed definition of ``health plan'' defined a ``group health 
plan'' as an ERISA-defined employee welfare benefit plan that provides 
medical care and that: ``(i) Has 50 or more participants, or (ii) Is 
administered by an entity other than the employer that established and 
maintains the plan[.]'' (emphasis added) According to this commenter, 
under this definition, the only insured or self-insured ERISA plans 
that would not be regulated ``health plans'' would be those that have 
less than 50 participants and are self administered.
    The commenter presumed that the we had intended to exclude from the 
definition of ``health plan'' (and from coverage under the proposed 
rule) all ERISA plans that are small (less than 50 participants) or are 
administered by a third party, whether large or small, based on the 
statement at 64 FR 60014, note 18. That footnote stated that the 
Department had ``not included the 3.9 million `other' employer-health 
plans listed in HCFA's administrative simplification regulations 
because these plans are administered by a third party. The proposed 
regulation will not regulate the employer plans but will regulate the 
third party administrators of the plan.'' The commenter urged us not to 
repeat the statutory definition, and to adopt the policy implied in the 
footnote.
    Response: We agree with the commenter's observation that footnote 
18 (64 FR 60014) was inconsistent with the proposed definition. We 
erred in drafting that note. The definition of ``group health plan'' is 
adopted from the statutory definition at section 1171(5)(A), and 
excludes from the rule as ``health plans'' only the few insured or 
self-insured ERISA plans that have less than 50 participants and are 
self administered. We reject the commenter's proposed change to the 
definition as inconsistent with the statute.
    Comment: A number of insurance companies asked that long term care 
insurance policies be excluded from the definition of ``health plan.'' 
It was argued that such policies do not provide sufficiently 
comprehensive coverage of the cost of medical care, and are limited 
benefit plans that provide or pay for the cost of custodial and other 
related services in connection with a long term, chronic illness or 
disability.
    These commenters asserted that HIPAA recognizes this nature of long 
term care insurance, observing that, with respect to HIPAA's 
portability requirements, Congress enacted a series of exclusions for 
certain defined types of health plan arrangements that do not typically 
provide comprehensive coverage. They maintained that Congress 
recognized that long term care insurance is excluded, so long as it is 
not a part of a group health plan. Where a long term care policy is 
offered separately from a group health plan it is considered an 
excepted benefit and is not subject to the portability and guarantee 
issue requirements of HIPAA. Although this exception does not appear in 
the Administrative Simplification provisions of HIPAA, it was asserted 
that it is guidance with respect to the treatment of long term care 
insurance as a limited benefit coverage and not as coverage that is so 
``sufficiently comprehensive'' that it is to be treated in the same 
manner as a typical, comprehensive major medical health plan 
arrangement.
    Another commenter offered a different perspective observing that 
there are some long-term care policies--that do not pay for medical 
care and therefore are not ``health plans.'' It was noted that most 
long-term care policies are reimbursement policies--that is,

[[Page 82577]]

they reimburse the policyholder for the actual expenses that the 
insured incurs for long-term care services. To the extent that these 
constitute ``medical care,'' this commenter presumed that these 
policies would be considered ``health plans.'' Other long-term care 
policies, they pointed out, simply pay a fixed dollar amount when the 
insured becomes chronically ill, without regard to the actual cost of 
any long-term care services received, and thus are similar to fixed 
indemnity critical illness policies. The commenter suggested that while 
there was an important distinction between indemnity based long-term 
care policies and expenses based long-term care policies, it may be 
wise to exclude all long-term care policies from the scope of the rule 
to achieve consistency with HIPAA.
    Response: We disagree. The statutory language regarding long-term 
care policies in the portability title of HIPAA is different from the 
statutory language regarding long-term care policies in the 
Administrative Simplification title of HIPAA. Section 1171(5)(G) of the 
Act means that issuers of long-term care policies are considered health 
plans for purposes of administrative simplification. We also interpret 
the statute as authorizing the Secretary to exclude nursing home fixed-
indemnity policies, not all long-term care policies, from the 
definition of ``health plan,'' if she determines that these policies do 
not provide ``sufficiently comprehensive coverage of a benefit'' to be 
treated as a health plan (see section 1171 of the Act). We interpret 
the term ``comprehensive'' to refer to the breadth or scope of coverage 
of a policy. ``Comprehensive'' policies are those that cover a range of 
possible service options. Since nursing home fixed indemnity policies 
are, by their own terms, limited to payments made solely for nursing 
facility care, we have determined that they should not be included as 
health plans for the purposes of the HIPAA regulations. The Secretary, 
therefore, explicitly excluded nursing home fixed-indemnity policies 
from the definition of ``health plan'' in the Transactions Rule, and 
this exclusion is thus reflected in this final rule. Issuers of other 
long-term care policies are considered to be health plans under this 
rule and the Transactions Rule.
    Comment: One commenter was concerned about the potential impact of 
the proposed regulations on ``unfunded health plans,'' which the 
commenter described as programs used by smaller companies to provide 
their associates with special employee discounts or other membership 
incentives so that they can obtain health care, including prescription 
drugs, at reduced prices. The commenter asserted that if these discount 
and membership incentive programs were covered by the regulation, many 
smaller employers might discontinue offering them to their employees, 
rather than deal with the administrative burdens and costs of complying 
with the rule.
    Response: Only those special employee discounts or membership 
incentives that are ``employee welfare benefit plans'' as defined in 
section 3(1) of the Employee Retirement Income Security Act of 1974, 29 
U.S.C. 1002(1), and provide ``medical care'' (as defined in section 
2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), 
are health plans for the purposes of this rule. Discount or membership 
incentive programs that are not group health plans are not covered by 
the rule.
    Comment: Several commenters agreed with the proposal to exclude 
``excepted benefits'' such as disability income insurance policies, 
fixed indemnity critical illness policies, and per diem long-term care 
policies from the definition of ``health plan,'' but were concerned 
that the language of the proposed rule did not fully reflect this 
intent. They asserted that clarification was necessary in order to 
avoid confusion and costs to both consumers and insurers.
    One commenter stated that, while HHS did not intend for the rule to 
apply to every type of insurance coverage that paid for medical care, 
the language of the proposed rule did not bear this out. The problem, 
it was asserted, is that under the proposed rule any insurance policy 
that pays for ``medical care'' would technically be a ``health plan.'' 
It was argued that despite the statements in the narrative, there are 
no provisions that would exempt any of the ``excepted benefits'' from 
the definition of ``health care.'' It was stated that:

    Although (with the exception of long-term care insurance), the 
proposed rule does not include the `excepted benefits' in its list 
of sixteen examples of a health plan (proposed 45 CFR 160.104), it 
does not explicitly exclude them either. Because these types of 
policies in some instances pay benefits that could be construed as 
payments for medical care, we are concerned by the fact that they 
are not explicitly excluded from the definition of `health plan' or 
the requirements of the proposed rule.''

    Several commenters proposed that HHS adopt the same list of 
``excepted benefits'' contained in 29 U.S.C. 1191b, suggesting that 
they could be adopted either as exceptions to the definition of 
``health plan'' or as exceptions to the requirements imposed on 
``health plans.'' They asserted that this would promote consistency in 
the federal regulatory structure for health plans.
    It was suggested that HHS clarify whether the definition of health 
plan, particularly the ``group health plan'' and ``health insurance 
issuer'' components, includes a disability plan or disability insurer. 
It was noted that a disability plan or disability insurer may cover 
only income lost from disability and, as mentioned above, some 
rehabilitation services, or a combination of lost income, 
rehabilitation services and medical care. The commenter suggested that 
in addressing this coverage issue, it may be useful to refer to the 
definitions of group health plan, health insurance issuer and medical 
care set forth in Part I of HIPAA, which the statutory provisions of 
the Administrative Simplification subtitle expressly reference. See 42 
U.S.C. 1320d(5)(A) and (B).
    Response: We agree that the NPRM may have been ambiguous regarding 
the types of plans the rule covers. To remedy this confusion, we have 
added language that specifically excludes from the definition any 
policy, plan, or program providing or paying the cost of the excepted 
benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 
300gg-91(c)(1). As defined in the statute, this includes but is not 
limited to benefits under one or more (or any combination thereof) of 
the following: coverage only for accident, or disability income 
insurance, or any combination thereof; liability insurance, including 
general liability insurance and automobile liability insurance; and 
workers' compensation or similar insurance.
    However, the other excepted benefits as defined in section 
2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited 
scope dental or vision benefits, not explicitly excepted from the 
regulation could be considered ``health plans'' under paragraph 
(1)(xvii) of the definition of ``health plan'' in the final rule if and 
to the extent that they meet the criteria for the definition of 
``health plan.'' Such plans, unlike the programs and plans listed at 
section 2971(c)(1), directly and exclusively provide health insurance, 
even if limited in scope.
    Comment: One commenter recommended that the Secretary clarify that 
``health plan'' does not include property and casualty benefit 
providers. The commenter stated that the clarifying language is needed 
given the ``catchall'' category of entities defined as ``any other 
individual plan or group health plan, or combination thereof, that

[[Page 82578]]

provides or pays for the cost of medical care,'' and asserted that 
absent clarification there could be serious confusion as to whether 
property and casualty benefit providers are ``health plans'' under the 
rule.
    Response: We agree and as described above have added language to 
the final rule to clarify that the ``excepted benefits'' as defined 
under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such 
as property and casualty benefit providers, are not health plans for 
the purposes of this rule.
    Comment: Some commenters recommended that the Secretary replace the 
term ``medical care'' with ``health care.'' It was observed that 
``health care'' was defined in the proposal, and that this definition 
was used to define what a health care provider does. However, they 
observed that the definition of ``health plan'' refers to the provision 
of or payment for ``medical care,'' which is not defined. Another 
commenter recommended that HHS add the parenthetical phrase ``as such 
term is defined in section 2791 of the Public Health Service Act'' 
after the phrase ``medical care.''
    Response: We disagree with the first recommendation. We understand 
that the term ``medical care'' can be easily confused with the term 
``health care.'' However, the two terms are not synonymous. The term 
``medical care'' is a statutorily defined term and its use is critical 
in making a determination as to whether a health plan is considered a 
``health plan'' for purposes of administrative simplification. In 
addition, since the term ``medical care'' is used in the regulation 
only in the context of the definition of ``health plan'' and we believe 
that its inclusion in the regulatory text may cause confusion, we did 
not add a definition of ``medical care'' in the final rule. However, 
consistent with the second recommendation above, the statutory cite for 
``medical care'' was added to the definition of ``health plan'' in the 
Transactions Rule, and thus is reflected in this final rule.
    Comment: A number of commenters urged that the Secretary define 
more narrowly what characteristics would make a government program that 
pays for specific health care services a ``health plan.'' Commenters 
argued that there are many ``payment'' programs that should not be 
included, as discussed below, and that if no distinctions were made, 
``health plan'' would mean the same as ``purchaser'' or even ``payor.''
    Commenters asserted that there are a number of state programs that 
pay for ``health care'' (as defined in the rule) but that are not 
health plans. They said that examples include the WIC program (Special 
Supplemental Nutrition Program for Women, Infants, and Children) which 
pays for nutritional assessment and counseling, among other services; 
the AIDS Client Services Program (including AIDS prescription drug 
payment) under the federal Ryan White Care Act and state law; the 
distribution of federal family planning funds under Title X of the 
Public Health Services Act; and the breast and cervical health program 
which pays for cancer screening in targeted populations. Commenters 
argued that these are not insurance plans and do not fall within the 
``health plan'' definition's list of examples, all of which are either 
insurance or broad-scope programs of care under a contract or statutory 
entitlement. However, paragraph (16) in that list opens the door to 
broader interpretation through the catchall phrase, ``any other 
individual or group plan that provides or pays for the cost of medical 
care.'' Commenters assert that clarification is needed.
    A few commenters stated that other state agencies often work in 
partnership with the state Medicaid program to implement certain 
Medicaid benefits, such as maternity support services and prenatal 
genetics screening. They concluded that while this probably makes parts 
of the agency the ``business partner'' of a covered entity, they were 
uncertain whether it also makes the same agency parts a ``health plan'' 
as well.
    Response: We agree with the commenters that clarification is needed 
as to the rule's application to government programs that pay for health 
care services. Accordingly, in the final rule we have excepted from the 
definition of ``health plan'' a government funded program which does 
not have as its principal purpose the provision of, or payment for, the 
cost of health care or which has as its principal purpose the 
provision, either directly or by grant, of health care. For example, 
the principal purpose of the WIC program is not to provide or pay for 
the cost of health care, and thus, the WIC program is not a health plan 
for purposes of this rule. The program of health care services for 
individuals detained by the INS provides health care directly, and so 
is not a health plan. Similarly, the family planning program authorized 
by Title X of the Public Health Service Act pays for care exclusively 
through grants, and so is not a health plan under this rule. These 
programs (the grantees under the Title X program) may be or include 
health care providers and may be covered entities if they conduct 
standard transactions.
    We further clarify that, where a public program meets the 
definition of ``health plan,'' the government agency that administers 
the program is the covered entity. Where two agencies administer a 
program jointly, they are both a health plan. For example, both the 
Health Care Financing Administration and the insurers that offers a 
Medicare+Choice plan are ``health plans'' with respect to Medicare 
beneficiaries. An agency that does not administer a program but which 
provides services for such a program is not a covered entity by virtue 
of providing such services. Whether an agency providing services is a 
business associate of the covered entity depends on whether its 
functions for the covered entity meet the definition of business 
associate in Sec. 164.501 and, in the example described by this 
comment, in particular on whether the arrangement falls into the 
exception in Sec. 164.504(e)(1)(ii)(C) for government agencies that 
collect eligibility or enrollment information for covered government 
programs.
    Comment: Some commenters expressed support for retaining the 
category in paragraph (16) of the proposal's definition: ``Any other 
individual or group health plan, or combination thereof, that provides 
or pays for the cost of medical care.'' Others asked that the Secretary 
clarify this category. One commenter urged that the final rule clearly 
define which plans would meet the criteria for this category.
    Response: As described in the proposed rule, this category 
implements the language at the beginning of the statutory definition of 
the term ``health plan'': ``The term `health plan' means an individual 
or group plan that provides, or pays the cost of, medical care * * * 
Such term includes the following, and any combination thereof * * *'' 
This statutory language is general, not specific, and as such, we are 
leaving it general in the final rule. However, as described above, we 
add explicit language which excludes certain ``excepted benefits'' from 
the definition of ``health plan'' in an effort to clarify which plans 
are not health plans for the purposes of this rule. Therefore, to the 
extent that a certain benefits plan or program otherwise meets the 
definition of ``health plan'' and is not explicitly excepted, that 
program or plan is considered a ``health plan'' under paragraph 
(1)(xvii) of the final rule.
    Comment: A commenter explained that HIPAA defines a group health 
plan by expressly cross-referencing the statutory sections in the PHS 
Act and the Employee Retirement Income

[[Page 82579]]

Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the 
terms ``group health plan,'' ``employee welfare benefit plan'' and 
``participant.'' See 29 U.S.C. 1002(l) (definition of ``employee 
welfare benefit plan,'' which is the core of the definition of group 
health plan under both ERISA and the PHS Act); 29 U.S.C. 100217) 
(definition of participant); 29 U.S.C. 1193(a) (definition of ``group 
health plan,'' which is identical to that in section 2791(a) of the PHS 
Act).
    It was pointed out that the preamble and the text of the proposed 
rule both limit the definition of all three terms to their current 
definitions. The commenter reasoned that since the ERISA definitions 
may change over time through statutory amendment, Department of Labor 
regulations or judicial interpretation, it would not be clear what 
point in time is to be considered current. Therefore, they suggested 
deleting references to ``current'' or ``currently'' in the preamble and 
in the regulation with respect to these three ERISA definitions.
    In addition, the commenter stated that as the preamble to the NPRM 
correctly reflected, HIPAA expressly cross-references ERISA's 
definition of ``participant'' in section 3(7) of ERISA, 29 U.S.C. 
1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, 
however, omits this cross-reference. It was suggested that the 
reference to section 3(7) of ERISA, defining ``participant,'' be 
included in the regulation.
    Finally, HIPAA incorporates the definition of a group health plan 
as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg-
91(a)(l). That definition refers to the provision of medical care 
``directly or through insurance, reimbursement, or otherwise.'' The 
word ``reimbursement'' is omitted in both the preamble and the text of 
the regulation; the commenter suggested restoring it to both.
    Response: We agree. These changes were made to the definition of 
``health plan'' as promulgated in the Transactions Rule, and are 
reflected in this final rule.

Small Health Plan

    Comment: One commenter recommended that we delete the reference to 
$5 million in the definition and instead define a ``small health plan'' 
as a health plan with fewer than 50 participants. It was stated that 
using a dollar limitation to define a ``small health plan'' is not 
meaningful for self-insured plans and some other types of health plan 
coverage arrangements. A commenter pointed out that the general 
definition of a health plan refers to ``50 or more participants,'' and 
that using a dollar factor to define a ``small health plan'' would be 
inconsistent with this definition.
    Response: We disagree. The Small Business Administration (SBA) 
promulgates size standards that indicate the maximum number of 
employees or annual receipts allowed for a concern (13 CFR 121.105) and 
its affiliates to be considered ``small.'' The size standards 
themselves are expressed either in number of employees or annual 
receipts (13 CFR 121.201). The size standards for compliance with 
programs of other agencies are those for SBA programs which are most 
comparable to the programs of such other agencies, unless otherwise 
agreed by the agency and the SBA (13 CFR 121.902). With respect to the 
insurance industry, the SBA has specified that annual receipts of $5 
million is the maximum allowed for a concern and its affiliates to be 
considered small (13 CFR 121.201). Consequently, we retain the 
proposal's definition in the final rule to be consistent with SBA 
requirements.
    We understand there may be some confusion as to the meaning of 
``annual receipts'' when applied to a health plan. For our purposes, 
therefore, we consider ``pure premiums'' to be equivalent to ``annual 
receipts.''

Workforce

    Comment: Some commenters requested that we exclude ``volunteers'' 
from the definition of workforce. They stated that volunteers are 
important contributors within many covered entities, and in particular 
hospitals. They argued that it was unfair to ask that these people 
donate their time and at the same time subject them to the penalties 
placed upon the paid employees by these regulations, and that it would 
discourage people from volunteering in the health care setting.
    Response: We disagree. We believe that differentiating those 
persons under the direct control of a covered entity who are paid from 
those who are not is irrelevant for the purposes of protecting the 
privacy of health information, and for a covered entity's management of 
its workforce. In either case, the person is working for the covered 
entity. With regard to implications for the individual, persons in a 
covered entity's workforce are not held personally liable for violating 
the standards or requirements of the final rule. Rather, the Secretary 
has the authority to impose civil monetary penalties and in some cases 
criminal penalties for such violations on only the covered entity.
    Comment: One commenter asked that the rule clarify that employees 
administering a group health or other employee welfare benefit plan on 
their employers' behalf are considered part of the covered entity's 
workforce.
    Response: As long as the employees have been identified by the 
group health plan in plan documents as performing functions related to 
the group health plan (consistent with the requirements of 
Sec. 164.504(f)), those employees may have access to protected health 
information. However, they are not permitted to use or disclose 
protected health information for employment-related purposes or in 
connection with any other employee benefit plan or employee benefit of 
the plan sponsor.

Part 160--Subpart B--Preemption of State Law

    We summarize and respond below to comments received in the 
Transactions rulemaking on the issue of preemption, as well as those 
received on this topic in the Privacy rulemaking. Because no process 
was proposed in the Transactions rulemaking for granting exceptions 
under section 1178(a)(2)(A), a process for making exception 
determinations was not adopted in the Transactions Rule. Instead, since 
a process for making exception determinations was proposed in the 
Privacy rulemaking, we decided that the comments received in the 
Transactions rulemaking should be considered and addressed in 
conjunction with the comments received on the process proposed in the 
Privacy rulemaking. See 65 FR 50318 for a fuller discussion. 
Accordingly, we discuss the preemption comments received in the 
Transactions rulemaking where relevant below.
    Comment: The majority of comments on preemption addressed the 
subject in general terms. Numerous comments, particularly from plans 
and providers, argued that the proposed preemption provisions were 
burdensome, ineffective, or insufficient, and that complete federal 
preemption of the ``patchwork'' of state privacy laws is needed. They 
also argued that the proposed preemption provisions are likely to 
invite litigation. Various practical arguments in support of this 
position were made. Some of these comments recognized that the 
Secretary's authority under section 1178 of the Act is limited and 
acknowledged that the Secretary's proposals were within her statutory 
authority. One commenter suggested that the exception determination 
process would result in a very costly and laborious and sometimes 
inconsistent analysis of the occasions in which state law would

[[Page 82580]]

survive federal preemption, and thus suggested the final privacy 
regulations preempt state law with only limited exceptions, such as 
reporting child abuse. Many other comments, however, recommended 
changing the proposed preemption provisions to preempt state privacy 
laws on as blanket a basis as possible.
    One comment argued that the assumption that more stringent privacy 
laws are better is not necessarily true, citing a 1999 GAO report 
finding evidence that the stringent state confidentiality laws of 
Minnesota halted the collection of comparative information on health 
care quality.
    Several comments in this vein were also received in the 
Transactions rulemaking. The majority of these comments took the 
position that exceptions to the federal standards should either be 
prohibited or discouraged. It was argued that granting exceptions to 
the standards, particularly the transactions standards, would be 
inconsistent with the statute's objective of promoting administrative 
simplification through the use of uniform transactions.
    Many other commenters, however, endorsed the ``federal floor'' 
approach of the proposed rules. (These comments were made in the 
context of the proposed privacy regulations.) These comments argued 
that this approach was preferable because it would not impair the 
effectiveness of state privacy laws that are more protective of 
privacy, while raising the protection afforded medical information in 
states that do not enact laws that are as protective as the rules 
below. Some comments argued, however, that the rules should give even 
more deference to state law, questioning in particular the definitions 
and the proposed addition to the ``other purposes'' criterion for 
exception determinations in this regard.
    Response: With respect to the exception process provided for by 
section 1178(a)(2)(A), the contention that the HIPAA standards should 
uniformly control is an argument that should be addressed to the 
Congress, not this agency. Section 1178 of the Act expressly gives the 
Secretary authority to grant exceptions to the general rule that the 
HIPAA standards preempt contrary state law in the circumstances she 
determines come within the provisions at section 1178(a)(2)(A). We 
agree that the underlying statutory goal of standardizing financial and 
administrative health care transactions dictates that exceptions should 
be granted only on narrow grounds. Nonetheless, Congress clearly 
intended to accommodate some state laws in these areas, and the 
Department is not free to disregard this Congressional choice. As is 
more fully explained below, we have interpreted the statutory criteria 
for exceptions under section 1178(a)(2)(A) to balance the need for 
relative uniformity with respect to the HIPAA standards with state 
needs to set certain policies in the statutorily defined areas.
    The situation is different with respect to state laws relating to 
the privacy of protected health information. Many of the comments 
arguing for uniform standards were particularly concerned with 
discrepancies between the federal privacy standards and various state 
privacy requirements. Unlike the situation with respect to the 
transactions standards, where states have generally not entered the 
field, all states regulate the privacy of some medical information to a 
greater or lesser extent. Thus, we understand the private sector's 
concern at having to reconcile differing state and federal privacy 
requirements.
    This is, however, likewise an area where the policy choice has been 
made by Congress. Under section 1178(a)(2)(B) of the Act and section 
264(c)(2) of HIPAA, provisions of state privacy laws that are contrary 
to and more stringent than the corresponding federal standard, 
requirement, or implementation specification are not preempted. The 
effect of these provisions is to let the law that is most protective of 
privacy control (the ``federal floor'' approach referred to by many 
commenters), and this policy choice is one with which we agree. Thus, 
the statute makes it impossible for the Secretary to accommodate the 
requests to establish uniformly controlling federal privacy standards, 
even if doing so were viewed as desirable.
    Comment: Numerous comments stated support for the proposal at 
proposed Subpart B to issue advisory opinions with respect to the 
preemption of state laws relating to the privacy of individually 
identifiable health information. A number of these comments appeared to 
assume that the Secretary's advisory opinions would be dispositive of 
the issue of whether or not a state law was preempted. Many of these 
commenters suggested what they saw as improvements to the proposed 
process, but supported the proposal to have the Department undertake 
this function.
    Response: Despite the general support for the advisory opinion 
proposal, we decided not to provide specifically for the issuance of 
such opinions. The following considerations led to this decision. 
First, the assumption by commenters that an advisory opinion would 
establish what law applied in a given situation and thereby simplify 
the task of ascertaining what legal requirements apply to a covered 
entity or entities is incorrect. Any such opinion would be advisory 
only. Although an advisory opinion issued by the Department would 
indicate to covered entities how the Department would resolve the legal 
conflict in question and would apply the law in determining compliance, 
it would not bind the courts. While we assume that most courts would 
give such opinions deference, the outcome could not be guaranteed.
    Second, the thousands of questions raised in the public comment 
about the interpretation, implications, and consequences of all of the 
proposed regulatory provisions have led us to conclude that significant 
advice and technical assistance about all of the regulatory 
requirements will have to be provided on an ongoing basis. We recognize 
that the preemption concerns that would have been addressed by the 
proposed advisory opinions were likely to be substantial. However, 
there is no reason to assume that they will be the most substantial or 
urgent of the questions that will most likely need to be addressed. It 
is our intent to provide as much technical advice and assistance to the 
regulated community as we can with the resources available. Our concern 
is that setting up an advisory opinion process for just one of the many 
types of issues that will have to be addressed will lead to a non-
optimal allocation of those resources. Upon careful consideration, 
therefore, we have decided that we will be better able to prioritize 
our workload and be better able to be responsive to the most urgent and 
substantial questions raised to the Department, if we do not provide 
for a formal advisory opinion process on preemption as proposed.
    Comment: A few commenters argued that the Privacy Rule should 
preempt state laws that would impose more stringent privacy 
requirements for the conduct of clinical trials. One commenter asserted 
that the existing federal regulations and guidelines for patient 
informed consent, together with the proposed rule, would adequately 
protect patient privacy.
    Response: The Department does not have the statutory authority 
under HIPAA to preempt state laws that would impose more stringent 
privacy requirements on covered entities. HIPAA provides that the rule 
promulgated by the Secretary may not preempt state laws that are in 
conflict

[[Page 82581]]

with the regulatory requirements and that provide greater privacy 
protections.

Section 160.201--Applicability

    Comment: Several commenters indicated that the guidance provided by 
the definitions at proposed Sec. 160.202 would be of substantial 
benefit both to regulated entities and to the public. However, these 
commenters argued that the applicability of such definitions would be 
too limited as drafted, since proposed Sec. 160.201 provided that the 
definitions applied only to ``determinations and advisory opinions 
issued by the Secretary pursuant to 42 U.S.C. 1320d-7.'' The commenters 
stated that it would be far more helpful to make the definitions in 
proposed Sec. 160.202 more broadly applicable, to provide general 
guidance on the issue of preemption.
    Response: We agree with the comments on this issue, and have 
revised the applicability provision of subpart B below accordingly. 
Section 160.201 below sets out that Subpart B implements section 1178. 
This means, in our view, that the definitions of the statutory terms at 
Sec. 160.202 are legislative rules that apply when those statutory 
terms are employed, whether by HHS, covered entities, or the courts.

Section 160.202--Definitions

Contrary

    Comment: Some commenters asserted that term ``contrary'' as defined 
at Sec. 160.202 was overly broad and that its application would be 
time-consuming and confusing for states. These commenters argued that, 
under the proposed definition, a state would be required to examine all 
of its laws relating to health information privacy in order to 
determine whether or not its law were contrary to the requirements 
proposed. It was also suggested that the definition contain examples of 
how it would work in practical terms.
    A few commenters, however, argued that the definition of 
``contrary'' as proposed was too narrow. One commenter argued that the 
Secretary erred in her assessment of the case law analyzing what is 
known as ``conflict preemption'' and which is set forth in shorthand in 
the tests set out at Sec. 160.202.
    Response: We believe that the definition proposed represents a 
policy that is as clear as is feasible and which can be applied 
nationally and uniformly. As was noted in the preamble to the proposed 
rules (at 64 FR 59997), the tests in the proposed definition of 
``contrary'' are adopted from the jurisprudence of ``conflict 
preemption.'' Since preemption is a judicially developed doctrine, it 
is reasonable to interpret this term as indicating that the statutory 
analysis should tie in to the analytical formulations employed by the 
courts. Also, while the court-developed tests may not be as clear as 
commenters would like, they represent a long-term, thoughtful 
consideration of the problem of defining when a state/federal conflict 
exists. They will also, we assume, generally be employed by the courts 
when conflict issues arise under the rules below. We thus see no 
practical alternative to the proposed definition and have retained it 
unchanged. With respect to various suggestions for shorthand versions 
of the proposed tests, such as the arguably broader term ``inconsistent 
with,'' we see no operational advantages to such terms.
    Comment: One comment asked that the Department clarify that if 
state law is not preempted, then the federal law would not also apply.
    Response: This comment raises two issues, both of which deserve 
discussion. First, a state law may not be preempted because there is no 
conflict with the analogous federal requirement; in such a situation, 
both laws can, and must, be complied with. We thus do not accept this 
suggestion, to the extent that it suggests that the federal law would 
give way in this situation. Second, a state law may also not be 
preempted because it comes within section 1178(a)(2)(B), section 
1178(b), or section 1178(c); in this situation, a contrary federal law 
would give way.
    Comment: One comment urged the Department to take the position that 
where state law exists and no analogous federal requirement exists, the 
state requirement would not be ``contrary to'' the federal requirement 
and would therefore not trigger preemption.
    Response: We agree with this comment.
    Comment: One commenter criticized the definition as unhelpful in 
the multi-state transaction context. For example, it was asked whether 
the issue of whether a state law was ``contrary to'' should be 
determined by the law of the state where the treatment is provided, 
where the claim processor is located, where the payment is issued, or 
the data maintained, assuming all are in different states.
    Response: This is a choice of law issue, and, as is discussed more 
fully below, is a determination that is routinely made today in 
connection with multi-state transactions. See discussion below under 
Exception Determinations (Criteria for Exception Determinations).

State Law

    Comment: Comments noted that the definition of ``state law'' does 
not explicitly include common law and recommended that it be revised to 
do so or to clarify that the term includes evidentiary privileges 
recognized at state law. Guidance concerning the impact of state 
privileges was also requested.
    Response: As requested, we clarify that the definition of ``state 
law'' includes common law by including the term ``common law.'' In our 
view, this phrase encompasses evidentiary privileges recognized at 
state law (which may also, we note, be embodied in state statutes).
    Comment: One comment criticized this definition as unwieldy, in 
that locating state laws pertaining to privacy is likely to be 
difficult. It was noted that Florida, for example, has more than 60 
statutes that address health privacy.
    Response: To the extent that state laws currently apply to covered 
entities, they have presumably determined what those laws require in 
order to comply with them. Thus, while determining which laws are 
``contrary'' to the federal requirements will require additional work 
in terms of comparing state law with the federal requirements, entities 
should already have acquired the knowledge of state law needed for this 
task in the ordinary course of doing business.
    Comment: The New York City Department of Health noted that in many 
cases, provisions of New York State law are inapplicable within New 
York City, because the state legislature has recognized that the local 
code is tailored to the particular needs of the City. It urged that the 
New York City Code be treated as state law, for preemption purposes.
    Response: We agree that, to the extent a state treats local law as 
substituting for state law it could be considered to be ``state law'' 
for purposes of this definition. If, however, a local law is local in 
scope and effect, and a tier of state law exists over the same subject 
matter, we do not think that the local law could or should be treated 
as ``state law'' for preemption purposes. We do not have sufficient 
information to assess the situation raised by this comment with respect 
to this principle, and so express no opinion thereon.

More Stringent

    Comment: Many commenters supported the policy in the proposed 
definition of ``individual'' at proposed Sec. 164.502, which would have 
permitted unemancipated minors to exercise, on

[[Page 82582]]

their own behalf, rights granted to individuals in cases where they 
consented to the underlying health care. Commenters stated, however, 
that the proposed preemption provision would leave in place state laws 
authorizing or prohibiting disclosure to parents of the protected 
health information of their minor children and would negate the 
proposed policy for the treatment of minors under the rule. The 
comments stated that such state laws should be treated like other state 
laws, and preempted to the extent that they are less protective of the 
privacy of minors.
    Other commenters supported the proposed preemption provision--not 
to preempt a state law to the extent it authorizes or prohibits 
disclosure of protected health information regarding a minor to a 
parent.
    Response: Laws regarding access to health care for minors and 
confidentiality of their medical records vary widely; this regulation 
recognizes and respects the current diversity of state law in this 
area. Where states have considered the balance involved in protecting 
the confidentiality of minors' health information and have explicitly 
acted, for example, to authorize disclosure, defer the decision to 
disclose to the discretion of the health care provider, or prohibit 
disclosure of minor's protected health information to a parent, the 
rule defers to these decisions to the extent that they regulate such 
disclosures.
    Comment: The proposed definition of ``more stringent'' was 
criticized as affording too much latitude to for granting exceptions 
for state laws that are not protective of privacy. It was suggested 
that the test should be ``most protective of the individual's 
privacy.''
    Response: We considered adopting this test. However, for the 
reasons set out at 64 FR 59997, we concluded that this test would not 
provide sufficient guidance. The comments did not address the concerns 
we raised in this regard in the preamble to the proposed rules, and we 
continue to believe that they are valid.
    Comment: A drug company expressed concern with what it saw as the 
expansive definition of this term, arguing that state governments may 
have less experience with the special needs of researchers than federal 
agencies and may unknowingly adopt laws that have a deleterious effect 
on research. A provider group expressed concern that allowing stronger 
state laws to prevail could result in diminished ability to get enough 
patients to complete high quality clinical trials.
    Response: These concerns are fundamentally addressed to the 
``federal floor'' approach of the statute, not to the definition 
proposed: even if the definition of ``more stringent'' were narrowed, 
these concerns would still exist. As discussed above, since the 
``federal floor'' approach is statutory, it is not within the 
Secretary's authority to change the dynamics that are of concern.
    Comment: One comment stated that the proposed rule seemed to 
indicate that the ``more stringent'' and ``contrary to'' definitions 
implied that these standards would apply to ERISA plans as well as to 
non-ERISA plans.
    Response: The concern underlying this comment is that ERISA plans, 
which are not now subject to certain state laws because of the 
``field'' preemption provision of ERISA but which are subject to the 
rules below, will become subject to state privacy laws that are ``more 
stringent'' than the federal requirements, due to the operation of 
section 1178(a)(2)(B), together with section 264(c)(2). We disagree 
that this is the case. While the courts will have the final say on 
these questions, it is our view that these sections simply leave in 
place more stringent state laws that would otherwise apply; to the 
extent that such state laws do not apply to ERISA plans because they 
are preempted by ERISA, we do not think that section 264(c)(2) 
overcomes the preemption effected by section 514(a) of ERISA. For more 
discussion of this point, see 64 FR 60001.
    Comment: The Lieutenant Governor's Office of the State of Hawaii 
requested a blanket exemption for Hawaii from the federal rules, on the 
ground that its recently enacted comprehensive health privacy law is, 
as a whole, more stringent than the proposed federal standards. It was 
suggested that, for example, special weight should be given to the 
severity of Hawaii's penalties. It was suggested that a new definition 
(``comprehensive'') be added, and that ``more stringent'' be defined in 
that context as whether the state act or code as a whole provides 
greater protection.
    An advocacy group in Vermont argued that the Vermont legislature 
was poised to enact stronger and more comprehensive privacy laws and 
stated that the group would resent a federal prohibition on that.
    Response: The premise of these comments appears to be that the 
provision-by-provision approach of Subpart B, which is expressed in the 
definition of the term ``contrary'', is wrong. As we explained in the 
preamble to the proposed rules (at 64 FR 59995), however, the statute 
dictates a provision-by-provision comparison of state and federal 
requirements, not the overall comparison suggested by these comments. 
We also note that the approach suggested would be practically and 
analytically problematic, in that it would be extremely difficult, if 
not impossible, to determine what is a legitimate stopping point for 
the provisions to be weighed on either the state side or the federal 
side of the scale in determining which set of laws was the ``more 
stringent.'' We accordingly do not accept the approach suggested by 
these comments.
    With respect to the comment of the Vermont group, nothing in the 
rules below prohibits or places any limits on states enacting stronger 
or more comprehensive privacy laws. To the extent that states enact 
privacy laws that are stronger or more comprehensive than contrary 
federal requirements, they will presumably not be preempted under 
section 1178(a)(2)(B). To the extent that such state laws are not 
contrary to the federal requirements, they will act as an overlay on 
the federal requirements and will have effect.
    Comment: One comment raised the issue of whether a private right of 
action is a greater penalty, since the proposed federal rule has no 
comparable remedy.
    Response: We have reconsidered the proposed ``penalty'' provision 
of the proposed definition of ``more stringent'' and have eliminated 
it. The HIPAA statute provides for only two types of penalties: fines 
and imprisonment. Both types of penalties could be imposed in addition 
to the same type of penalty imposed by a state law, and should not 
interfere with the imposition of other types of penalties that may be 
available under state law. Thus, we think it is unlikely that there 
would be a conflict between state and federal law in this respect, so 
that the proposed criterion is unnecessary and confusing. In addition, 
the fact that a state law allows an individual to file a lawsuit to 
protect privacy does not conflict with the HIPAA penalty provisions.

Relates to the Privacy of Individually Identifiable Health Information

    Comment: One comment criticized the definition of this term as too 
narrow in scope and too uncertain. The commenter argued that 
determining the specific purpose of a state law may be difficult and 
speculative, because many state laws have incomplete, inaccessible, or 
non-existent legislative histories. It was suggested that the 
definition be revised by deleting the word ``specific'' before the word 
``purpose.'' Another commenter argued

[[Page 82583]]

that the definition of this term should be narrowed to minimize reverse 
preemption by more stringent state laws. One commenter generally 
supported the proposed definition of this term.
    Response: We are not accepting the first comment. The purpose of a 
given state enactment should be ascertainable, if not from legislative 
history or a purpose statement, then from the statute viewed as a 
whole. The same should be true of state regulations or rulings. In any 
event, it seems appropriate to restrict the field of state laws that 
may potentially trump the federal standards to those that are clearly 
intended to establish state public policy and operate in the same area 
as the federal standards. To the extent that the definition in the 
rules below does this, we have accommodated the second comment. We 
note, however, that we do not agree that the definition should be 
further restricted to minimize ``reverse preemption,'' as suggested by 
this comment, as we believe that state laws that are more protective of 
privacy than contrary federal standards should remain, in order to 
ensure that the privacy of individuals' health information receives the 
maximum legal protection available.

Sections 160.203 and 160.204--Exception Determinations and Advisory 
Opinions

    Most of the comments received on proposed Subpart B lumped together 
the proposed process for exception determinations under section 
1178(a)(2)(A) with the proposed process for issuing advisory opinions 
under section 1178(a)(2)(B), either because the substance of the 
comment applied to both processes or because the commenters did not 
draw a distinction between the two processes. We address these general 
comments in this section.
    Comment: Numerous commenters, particularly providers and provider 
groups, recommended that exception determinations and advisory opinions 
not be limited to states and advocated allowing all covered entities 
(including individuals, providers and insurers), or private sector 
organizations, to request determinations and opinions with respect to 
preemption of state laws. Several commenters argued that limiting 
requests to states would deny third party stakeholders, such as life 
and disability income insurers, any means of resolving complex 
questions as to what rule they are subject to. One commenter noted that 
because it is an insurer who will be liable if it incorrectly analyzes 
the interplay between laws and reaches an incorrect conclusion, there 
would be little incentive for the states to request clarification. It 
would also cause large administrative burdens which, it was stated, 
would be costly and confusing. It was also suggested that the request 
for the exception be made to the applicable state's attorney general or 
chief legal officer, as well as the Secretary. Various changes to the 
language were suggested, such as adding that ``a covered entity, or any 
other entity impacted by this rule'' be allowed to submit the written 
request.
    Response: We agree, and have changed Sec. 164.204(a) below 
accordingly.
    The decision to eliminate advisory opinions makes this issue moot 
with respect to those opinions.
    Comment: Several commenters noted that it was unclear under the 
proposed rule which state officials would be authorized to request a 
determination.
    Response: We agree that the proposed rule was unclear in this 
respect. The final rule clarifies who may make the request for a state, 
with respect to exception determinations. See, Sec. 160.204(a). The 
language adopted should ensure that the Secretary receives an 
authoritative statement from the state. At the same time, this language 
provides states with flexibility, in that the governor or other chief 
elected official may choose to designate other state officials to make 
such requests.
    Comment: Many commenters recommended that a process be established 
whereby HHS performs an initial state-by-state critical analysis to 
provide guidance on which state laws will not be preempted; most 
suggested that such an analysis (alternatively referred to as a 
database or clearinghouse) should be completed before providers would 
be required to come into compliance. Many of these comments argued that 
the Secretary should bear the cost for the analyses of state law, 
disagreeing with the premise stated in the preamble to the proposed 
rules that it is more efficient for the private market to complete the 
state-by-state review. Several comments also requested that HHS 
continue to maintain and monitor the exception determination process, 
and update the database over time in order to provide guidance and 
certainty on the interaction of the federal rules with newly enacted or 
amended state laws that are produced after the final rule. Some 
comments recommended that each state be required to certify agreement 
with the HHS analyses.
    In contrast, one hospital association noted concerns that the 
Secretary would conduct a nationwide analysis of state laws. The 
comment stated that implementation would be difficult since much of the 
law is a product of common law, and such state-specific research should 
only be attempted by experienced health care attorneys in each 
jurisdiction.
    Response: These comments seem to be principally concerned with 
potential conflicts between state privacy laws and the privacy 
standards, because, as is more fully explained below, preemption of 
contrary state laws not relating to privacy is automatic unless the 
Secretary affirmatively acts under section 1178(a)(2)(A) to grant an 
exception. We recognize that the provisions of sections 1178(b) (state 
public health laws), and 1178(c) (state regulation of health plans) 
similarly preserve state laws in those areas, but very little of the 
public comment appeared to be concerned with these latter statutory 
provisions. Accordingly, we respond below to what we see as the 
commenters' main concern.
    The Department will not do the kind of global analysis requested by 
many of these comments. What these comments are in effect seeking is a 
global advisory opinion as to when the federal privacy standards will 
control and when they will not. We understand the desire for certainty 
underlying these comments. Nonetheless, the reasons set out above as 
the basis for our decision not to establish a formal advisory opinion 
process apply equally to these requests. We also do not agree that the 
task of evaluating the requirements below in light of existing state 
law is unduly burdensome or unreasonable. Rather, it is common for new 
federal requirements to necessitate an examination by the regulated 
entities of the interaction between existing state law and the federal 
requirements incident to coming into compliance.
    We agree, however, that the case is different where the Secretary 
has affirmatively acted, either through granting an exception under 
section 1178(a)(2)(A) or by making a specific determination about the 
effect of a particular state privacy law in, for example, the course of 
determining an entity's compliance with the privacy standards. As is 
discussed below, the Department intends to make notice of exception 
determinations that it makes routinely available.
    We do not agree with the comments suggesting that compliance by 
covered entities be delayed pending completion of an analysis by the 
Secretary and that states be required to certify agreement with the 
Secretary's analysis, as we are not institutionalizing the advisory 
opinion/analysis process upon which these comments are predicated.

[[Page 82584]]

Furthermore, with respect to the suggestion regarding delaying the 
compliance date, Congress provided in section 1175(b) of the Act for a 
delay in when compliance is required to accommodate the needs of 
covered entities to address implementation issues such as those raised 
by these comments. With respect to the suggestion regarding requiring 
states to certify their agreement with the Secretary's analysis, we 
have no authority to do this.
    Comment: Several commenters criticized the proposed provision for 
annual publication of determinations and advisory opinions in the 
Federal Register as inadequate. They suggested that more frequent 
notices should be made and the regulation be changed accordingly, to 
provide for publication either quarterly or within a few days of a 
determination. A few commenters suggested that any determinations made, 
or opinions issued, by the Secretary be published on the Department's 
website within 10 days or a few days of the determination or opinion.
    Response: We agree that the proposed provision for annual 
publication was inadequate and have accordingly deleted it. Subpart B 
contains no express requirement for publication, as the Department is 
free to publish its determinations absent such a requirement. It is our 
intention to publish notice of exception determinations on a periodic 
basis in the Federal Register. We will also consider other avenues of 
making such decisions publicly available as we move into the 
implementation process.
    Comment: A few commenters argued that the process for obtaining an 
exception determination or an advisory opinion from the Secretary will 
result in a period of time in which there is confusion as to whether 
state or federal law applies. The proposed regulations say that the 
federal provisions will remain effective until the Secretary makes a 
determination concerning the preemption issue. This means that, for 
example, a state law that was enacted and enforced for many years will 
be preempted by federal law for the period of time during which it 
takes the Secretary to make a determination. Then if the Secretary 
determines that the state law is not preempted, the state law will 
again become effective. Such situations will result in confusion and 
unintended violations of the law. One of the commenters suggested that 
requests for exceptions be required only when a challenge is brought 
against a particular state law, and that a presumption of validity 
should lie with state laws. Another commenter, however, urged that 
``instead of the presumption of preemption, the state laws in question 
would be presumed to be subject to the exception unless or until the 
Secretary makes a determination to the contrary.''
    Response: It is true that the effect of section 1178(a)(2)(A) is 
that the federal standards will preempt contrary state law and that 
such preemption will not be removed unless and until the Secretary acts 
to grant an exception under that section (assuming, of course, that 
another provision of section 1178 does not apply). We do not agree, 
however, that confusion should result, where the issue is whether a 
given state law has been preempted under section 1178(a)(2)(A). Because 
preemption is automatic with respect to state laws that do not come 
within the other provisions of section 1178 (i.e., sections 
1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted 
until the Secretary affirmatively acts to preserve them from preemption 
by granting an exception under section 1178(a)(2)(A).
    We cannot accept the suggestion that a presumption of validity 
attach to state laws, and that states not be required to request 
exceptions except in very narrow circumstances. The statutory scheme is 
the opposite: The statute effects preemption in the section 
1178(a)(2)(A) context unless the Secretary affirmatively acts to except 
the contrary state law in question.
    With respect to preemption under sections 1178(b) and 1178(c) (the 
carve-outs for state public health laws and state regulation of health 
plans), we do not agree that preemption is likely to be a major cause 
of uncertainty. We have deferred to Congressional intent by crafting 
the permissible releases for public health, abuse, and oversight 
broadly. See, Secs. 164.512(b)--(d) below. Since there must first be a 
conflict between a state law and a federal requirement in order for an 
issue of preemption to even arise, we think that, as a practical 
matter, few preemption questions should arise with respect to sections 
1178(b) and 1178(c).
    With respect to preemption of state privacy laws under section 
1178(a)(2)(B), however, we agree that the situation may be more 
difficult to ascertain, because the Secretary does not determine the 
preemption status of a state law under that section, unlike the 
situation with respect to section 1178(a)(2)(A). We have tried to 
define the term ``more stringent'' to identify and particularize the 
factors to be considered by courts to those relevant to privacy 
interests. The more specific (than the statute) definition of this term 
at Sec. 160.202 below should provide some guidance in making the 
determination as to which law prevails. Ambiguity in the state of the 
law might also be a factor to be taken into account in determining 
whether a penalty should be applied.
    Comment: Several comments recommended that exception determinations 
or advisory opinions encompass a state act or code in its entirety (in 
lieu of a provision-specific evaluation) if it is considered more 
stringent as a whole than the regulation. It was argued that since the 
provisions of a given law are typically interconnected and related, 
adopting or overriding them on a provision-by-provision basis would 
result in distortions and/or unintended consequences or loopholes. For 
example, when a state law includes authorization provisions, some of 
which are consistent with the federal requirements and some which are 
not, the cleanest approach is to view the state law as inconsistent 
with the federal requirements and thus preempted in its entirety. 
Similarly, another comment suggested that state confidentiality laws 
written to address the specific needs of individuals served within a 
discreet system of care be considered as a whole in assessing whether 
they are as stringent or more stringent than the federal requirements. 
Another comment requested explicit clarification that state laws with a 
broader scope than the regulation will be viewed as more stringent and 
be allowed to stand.
    Response: We have not adopted the approach suggested by these 
comments. As discussed above with respect to the definition of the term 
``more stringent,'' it is our view that the statute precludes the 
approach suggested. We also suggest that this approach ignores the fact 
that each separate provision of law usually represents a nuanced policy 
choice to, for example, permit this use or prohibit that disclosure; 
the aggregated approach proposed would fail to recognize and weigh such 
policy choices.
    Comment: One comment recommended that the final rule: permit 
requests for exception determinations and advisory opinions as of the 
date of publication of the final rule, require the Secretary to notify 
the requestor within a specified short period of time of all additional 
information needed, and prohibit enforcement action until the Secretary 
issues a response.
    Response: With respect to the first recommendation, we clarify that 
requests for exception determinations may be made at any time; since 
the process for issuing advisory opinions has not been adopted, this 
recommendation is moot as it pertains

[[Page 82585]]

to advisory opinions. With respect to the second recommendation, we 
will undertake to process exception requests as expeditiously as 
possible, but, for the reasons discussed below in connection with the 
comments relating to setting deadlines for those determinations, we 
cannot commit at this time to a ``specified short period of time'' 
within which the Secretary may request additional information. We see 
no reason to agree to the third recommendation. Because contrary state 
laws for which an exception is available only under section 
1178(a)(2)(A) will be preempted by operation of law unless and until 
the Secretary acts to grant an exception, there will be an 
ascertainable compliance standard for compliance purposes, and 
enforcement action would be appropriate where such compliance did not 
occur.

Sections 160.203(a) and 160.204(a)--Exception Determinations

Section 160.203(a)--Criteria for Exception Determinations

    Comment: Numerous comments criticized the proposed criteria for 
their substance or lack thereof. A number of commenters argued that the 
effectiveness language that was added to the third statutory criterion 
made the exception so massive that it would swallow the rule. These 
comments generally expressed concern that laws that were less 
protective of privacy would be granted exceptions under this language. 
Other commenters criticized the criteria generally as creating a large 
loophole that would let state laws that do not protect privacy trump 
the federal privacy standards.
    Response: We agree with these comments. The scope of the statutory 
criteria is ambiguous, but they could be read so broadly as to largely 
swallow the federal protections. We do not think that this was 
Congress's intent. Accordingly, we have added language to most of the 
statutory criteria clarifying their scope. With respect to the criteria 
at 1178(a)(2)(A)(i), this clarifying language generally ties the 
criteria more specifically to the concern with protecting and making 
more efficient the health care delivery and payment system that 
underlies the Administrative Simplification provisions of HIPAA, but, 
with respect to the catch-all provision at section 
1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced 
with such concerns, to the extent relevant. We require that exceptions 
for rules to ensure appropriate state regulation of insurance and 
health plans be stated in a statute or regulation, so that such 
exceptions will be clearly tied to statements of priorities made by 
publicly accountable bodies (e.g., through the public comment process 
for regulations, and by elected officials through statutes). With 
respect to the criterion at section 1178(a)(2)(A)(ii), we have further 
delineated what ``addresses controlled substances'' means. The language 
provided, which builds on concepts at 21 U.S.C. 821 and the Medicare 
regulations at 42 CFR 1001.2, delineates the area within which the 
government traditionally regulates controlled substances, both civilly 
and criminally; it is our view that HIPAA was not intended to displace 
such regulation.
    Comment: Several commenters urged that the request for 
determination by the Secretary under proposed Sec. 160.204(a) be 
limited to cases where an exception is absolutely necessary, and that 
in making such a determination, the Secretary should be required to 
make a determination that the benefits of granting an exception 
outweigh the potential harm and risk of disclosure in violation of the 
regulation.
    Response: We have not further defined the statutory term 
``necessary'', as requested. We believe that the determination of what 
is ``necessary'' will be fact-specific and context dependent, and 
should not be further circumscribed absent such specifics. The state 
will need to make its case that the state law in question is 
sufficiently ``necessary'' to accomplish the particular statutory 
ground for exception that it should trump the contrary federal 
standard, requirement, or implementation specification.
    Comment: One commenter noted that a state should be required to 
explain whether it has taken any action to correct any less stringent 
state law for which an exception has been requested. This commenter 
recommended that a section be added to proposed Sec. 160.204(a) stating 
that ``a state must specify what, if any, action has been taken to 
amend the state law to comply with the federal regulations.'' Another 
comment, received in the Transactions rulemaking, took the position 
that exception determinations should be granted only if the state 
standards in question exceeded the national standards.
    Response: The first and last comments appear to confuse the ``more 
stringent'' criterion that applies under section 1178(a)(2)(B) of the 
Act with the criteria that apply to exceptions under section 
1178(a)(2)(A). We are also not adopting the language suggested by the 
first comment, because we do not agree that states should necessarily 
have to try to amend their state laws as a precondition to requesting 
exceptions under section 1178(a)(2)(A). Rather, the question should be 
whether the state has made a convincing case that the state law in 
question is sufficiently necessary for one of the statutory purposes 
that it should trump the contrary federal policy.
    Comment: One commenter stated that exceptions for state laws that 
are contrary to the federal standards should not be preempted where the 
state and federal standards are found to be equal.
    Response: This suggestion has not been adopted, as it is not 
consistent with the statute. With respect to the administrative 
simplification standards in general, it is clear that the intent of 
Congress was to preempt contrary state laws except in the limited areas 
specified as exceptions or carve-outs. See, section 1178. This 
statutory approach is consistent with the underlying goal of 
simplifying health care transactions through the adoption of uniform 
national standards. Even with respect to state laws relating to the 
privacy of medical information, the statute shields such state laws 
from preemption by the federal standards only if they are ``more'' 
stringent than the related federal standard or implementation 
specification.
    Comment: One commenter noted that determinations would apply only 
to transactions that are wholly intrastate. Thus, any element of a 
health care transaction that would implicate more than one state's law 
would automatically preclude the Secretary's evaluation as to whether 
the laws were more or less stringent than the federal requirement. 
Other commenters expressed confusion about this proposed requirement, 
noting that providers and plans operate now in a multi-state 
environment.
    Response: We agree with the commenters and have dropped the 
proposed requirement. As noted by the commenters, health care entities 
now typically operate in a multi-state environment, so already make the 
choice of law judgements that are necessary in multi-state 
transactions. It is the result of that calculus that will have to be 
weighed against the federal standards, requirements, and implementation 
specifications in the preemption analysis.
    Comment: One comment received in the Transactions rulemaking 
suggested that the Department should allow exceptions to the standard 
transactions to accommodate abbreviated transactions between state 
agencies, such as claims between a public health department and the 
state Medicaid

[[Page 82586]]

agency. Another comment requested an exception for Home and Community 
Based Waiver Services from the transactions standards.
    Response: The concerns raised by these comments would seem to be 
more properly addressed through the process established for maintaining 
and modifying the transactions standards. If the concerns underlying 
these comments cannot be addressed in this manner, however, there is 
nothing in the rules below to preclude states from requesting 
exceptions in such cases. They will then have to make the case that one 
or more grounds for exception applies.

Section 160.204(a)--Process for Exception Determinations--Comments and 
Responses

    Comment: Several comments received in the Transactions rulemaking 
stated that the process for applying for and granting exception 
determinations (referred to as ``waivers'' by some) needed to be 
spelled out in the final rule.
    Response: We agree with these comments. As noted above, since no 
process was proposed in the Transactions rulemaking, a process for 
making exception determinations was not adopted in those final rules. 
Subpart B below adopts a process for making exception determinations, 
which responds to these comments.
    Comment: Comments stated that the exception process would be 
burdensome, unwieldy, and time-consuming for state agencies as well as 
the Department. One comment took the position that states should not be 
required to submit exception requests to the Department under proposed 
Sec. 160.203(a), but could provide documentation that the state law 
meets one of the conditions articulated in proposed Sec. 160.203.
    Response: We disagree that the process adopted at Sec. 164.204 
below will be burdensome, unwieldy, or time-consuming. The only thing 
the regulation describes is the showings that a requestor must make as 
part of its submission, and all are relevant to the issue to be 
determined by the Secretary. How much information is submitted is, 
generally speaking, in the requestor's control, and the regulation 
places no restrictions on how the requestor obtains it, whether by 
acting directly, by working with providers and/or plans, or by working 
with others. With respect to the suggestion that states not be required 
to submit exception requests, we disagree that this suggestion is 
either statutorily authorized or advisable. We read this comment as 
implicitly suggesting that the Secretary must proactively identify 
instances of conflict and evaluate them. This suggestion is, thus, at 
bottom the same as the many suggestions that we create a database or 
compendium of controlling law, and it is rejected for the same reasons.
    Comment: Several comments urged that all state requests for non-
preemption include a process for public participation. These comments 
believe that members of the public and other interested stakeholders 
should be allowed to submit comments on a state's request for 
exception, and that these comments should be reviewed and considered by 
the Secretary in determining whether the exception should be granted. 
One comment suggested that the Secretary at least give notice to the 
citizens of the state prior to granting an exception.
    Response: The revision to Sec. 160.204(a), to permit requests for 
exception determinations by any person, responds to these comments.
    Comment: Many commenters noted that the lack of a clear and 
reasonable time line for the Secretary to issue an exception 
determination would not provide sufficient assurance that the questions 
regarding what rules apply will be resolved in a time frame that will 
allow business to be conducted properly, and argued that this would 
increase confusion and uncertainty about which statutes and regulations 
should be followed. Timeframes of 60 or 90 days were suggested. One 
group suggested that, if a state does not receive a response from HHS 
within 60 days, the waiver should be deemed approved.
    Response: The workload prioritization and management considerations 
discussed above with respect to advisory opinions are also relevant 
here and make us reluctant to agree to a deadline for making exception 
determinations. This is particularly true at the outset, since we have 
no experience with such requests. We therefore have no basis for 
determining how long processing such requests will take, how many 
requests we will need to process, or what resources will be available 
for such processing. We agree that states and other requesters should 
receive timely responses and will make every effort to make 
determinations as expeditiously as possible, but we cannot commit to 
firm deadlines in this initial rule. Once we have experience in 
handling exception requests, we will consult with states and others in 
regard to their experiences and concerns and their suggestions for 
improving the Secretary's expeditious handling of such requests.
    We are not accepting the suggestion that requests for exception be 
deemed approved if not acted upon in some defined time period. Section 
1178(a)(2)(A) requires a specific determination by the Secretary. The 
suggested policy would not be consistent with this statutory 
requirement. It is also inadvisable from a policy standpoint, in that 
it would tend to maximize exceptions. This would be contrary to the 
underlying statutory policy in favor of uniform federal standards.
    Comment: One commenter took exception to the requirement for states 
to seek a determination from the Department that a provision of state 
law is necessary to prevent fraud and abuse or to ensure appropriate 
state regulation of insurance plans, contending that this mandate could 
interfere with the Insurance Commissioners' ability to do their jobs. 
Another commenter suggested that the regulation specifically recognize 
the broad scope of state insurance department activities, such as 
market conduct examinations, enforcement investigations, and consumer 
complaint handling.
    Response: The first comment raises an issue that lies outside our 
legal authority to address, as section 1178(a)(2)(A) clearly mandates 
that the Secretary make a determination in these areas. With respect to 
the second comment, to the extent these concerns pertain to health 
plans, we believe that the provisions at Sec. 164.512 relating to 
oversight and disclosures required by law should address the concerns 
underlying this comment.

Section 160.204(a)(4)--Period of Effectiveness of Exception 
Determinations

    Comment: Numerous commenters stated that the proposed three year 
limitation on the effectiveness of exception determinations would pose 
significant problems and should be limited to one year, since a one 
year limitation would provide more frequent review of the necessity for 
exceptions. The commenters expressed concern that state laws which 
provide less privacy protection than the federal regulation would be 
given exceptions by the Secretary and thus argued that the exceptions 
should be more limited in duration or that the Secretary should require 
that each request, regardless of duration, include a description of the 
length of time such an exception would be needed.
    One state government commenter, however, argued that the 3 year 
limit should be eliminated entirely, on the ground that requiring a 
redetermination

[[Page 82587]]

every three years would be burdensome for the states and be a waste of 
time and resources for all parties. Other commenters, including two 
state agencies, suggested that the exemption should remain effective 
until either the state law or the federal regulation is changed. 
Another commenter suggested that the three year sunset be deleted and 
that the final rule provide for automatic review to determine if 
changes in circumstance or law would necessitate amendment or deletion 
of the opinion. Other recommendations included deeming the state law as 
continuing in effect upon the submission of a state application for an 
exemption rather than waiting for a determination by the Secretary that 
may not occur for a substantial period of time.
    Response: We are persuaded that the proposed 3 year limit on 
exception determinations does not make sense where neither law 
providing the basis for the exception has changed in the interim. We 
also agree that where either law has changed, a previously granted 
exception should not continue. Section 160.205(a) below addresses these 
concerns.

Sections 160.203(b) and 160.204(b)--Advisory Opinions

Section 160.203(b)--Effect of Advisory Opinions

    Comment: Several commenters questioned whether or not DHHS has 
standing to issue binding advisory opinions and recommended that the 
Department clarify this issue before implementation of this regulation. 
One respondent suggested that the Department clarify in the final rule 
the legal issues on which it will opine in advisory opinion requests, 
and state that in responding to requests for advisory opinions the 
Department will not opine on the preemptive force of ERISA with respect 
to state laws governing the privacy of individually identifiable health 
information, since interpretations as to the scope and extent of 
ERISA's preemption provisions are outside of the Department's 
jurisdictional authority.
    One commenter asked whether a state could enforce a state law which 
the Secretary had indicated through an advisory opinion is preempted by 
federal law. This commenter also asked whether the state would be 
subject to penalties if it chose to continue to enforce its own laws.
    Response: As discussed above, in part for reasons raised by these 
comments, the Department has decided not to have a formal process for 
issuing advisory opinions, as proposed.
    Several of these concerns, however, raise issues of broader concern 
that need to be addressed. First, we disagree that the Secretary lacks 
legal authority to opine on whether or not state privacy laws are 
preempted. The Secretary is charged by law with determining compliance, 
and where state law and the federal requirements conflict, a 
determination of which law controls will have to be made in order to 
determine whether the federal standard, requirement, or implementation 
specification at issue has been violated. Thus, the Secretary cannot 
carry out her enforcement functions without making such determinations. 
It is further reasonable that, if the Secretary makes such 
determinations, she can make those determinations known, for whatever 
persuasive effect they may have.
    The questions as to whether a state could enforce, or would be 
subject to penalties if it chose to continue to enforce, its own laws 
following a denial by the Secretary of an exception request under 
Sec. 160.203 or a holding by a court of competent jurisdiction that a 
state privacy law had been preempted by a contrary federal privacy 
standard raise several issues. First, a state law is preempted under 
the Act only to the extent that it applies to covered entities; thus, a 
state is free to continue to enforce a ``preempted'' state law against 
non-covered entities to which the state law applies. If there is a 
question of coverage, states may wish to establish processes to 
ascertain which entities within their borders are covered entities 
within the meaning of these rules. Second, with respect to covered 
entities, if a state were to try to enforce a preempted state law 
against such entities, it would presumably be acting without legal 
authority in so doing. We cannot speak to what remedies might be 
available to covered entities to protect themselves against such 
wrongful state action, but we assume that covered entities could seek 
judicial relief, if all else failed. With respect to the issue of 
imposing penalties on states, we do not see this as likely. The only 
situation that we can envision in which penalties might be imposed on a 
state would be if a state agency were itself a covered entity and 
followed a preempted state law, thereby violating the contrary federal 
standard, requirement, or implementation specification.

Section 160.204(b)--Process for Advisory Opinions

    Comment: Several commenters stated that it was unclear whether a 
state would be required to submit a request for an advisory opinion in 
order for the law to be considered more stringent and thus not 
preempted. The Department should clarify whether a state law could be 
non-preempted even without such an advisory opinion. Another commenter 
requested that the final rule explicitly state that the stricter rule 
always applies, whether it be state or federal, and regardless of 
whether there is any conflict between state and federal law.
    Response: The elimination of the proposed process for advisory 
opinions renders moot the first question. Also, the preceding response 
clarifies that which law preempts in the privacy context (assuming that 
the state law and federal requirement are ``contrary'') is a matter of 
which one is the ``more stringent.'' This is not a matter which the 
Secretary will ultimately determine; rather, this is a question about 
which the courts will ultimately make the final determination. With 
respect to the second comment, we believe that Sec. 160.203(b) below 
responds to this issue, but we would note that the statute already 
provides for this.
    Comment: Several commenters supported the decision to limit the 
parties who may request advisory opinions to the state. These 
commenters did not believe that insurers should be allowed to request 
an advisory opinion and open every state law up to challenge and 
review.
    Several commenters requested that guidance on advisory opinions be 
provided in all circumstances, not only at the Secretary's discretion. 
It was suggested that proposed Sec. 160.204(b)(2)(iv) be revised to 
read as follows: ``A state may submit a written request to the 
Secretary for an advisory opinion under this paragraph. The request 
must include the following information: the reasons why the state law 
should or should not be preempted by the federal standard, requirement, 
or implementation specification, including how the state law meets the 
criteria at Sec. 160.203(b).''
    Response: The decision not to have a formal process for issuing 
advisory opinions renders these issues moot.

Sections 160.203(c) and 160.203(d)--Statutory Carve-Outs

    Comment: Several commenters asked that the Department provide more 
specific examples itemizing activities traditionally regulated by the 
state that could constitute ``carve-out'' exceptions. These commenters 
also requested that the Department include language in the regulation 
stating that if a state law falls within several different exceptions, 
the state chooses which determination exception shall apply.

[[Page 82588]]

    Response: We are concerned that itemizing examples in this way 
could leave out important state laws or create inadvertent negative 
implications that laws not listed are not included. However, as 
explained above, we have designed the types of activities that are 
permissive disclosures for public health under Sec. 164.512(b) below in 
part to come within the carve-out effected by section 1178(b); while 
the state regulatory activities covered by section 1178(c) will 
generally come within Sec. 164.512(d) below. With respect to the 
comments asking that a state get to ``choose'' which exception it comes 
under, we have in effect provided for this with respect to exceptions 
under section 1178(a)(2)(A), by giving the state the right to request 
an exception under that section. With respect to exceptions under 
section 1178(a)(2)(B), those exceptions occur by operation of law, and 
it is not within the Secretary's power to ``let'' the state choose 
whether an exception occurs under that section.
    Comment: Several commenters took the position that the Secretary 
should not limit the procedural requirements in proposed 
Sec. 160.204(a) to only those applications under proposed 
Sec. 160.203(a). They urged that the requirements of proposed 
Sec. 160.204(a) should also apply to preemption under sections 
1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules 
should provide for exception determinations with respect to the matters 
covered by these provisions of the statute; such additional provisions 
would provide clear procedures for states to follow and ensure that 
requests for exceptions are adequately documented.
    A slightly different approach was taken by several commenters, who 
recommended that proposed Sec. 160.204(b) be amended to clarify that 
the Secretary will also issue advisory opinions as to whether a state 
law constitutes an exception under proposed Secs. 160.203(c) and 
160.203(d). This change would, they argued, give states the same 
opportunity for guidance that they have under Sec. 160.203(a) and (b), 
and as such, avoid costly lawsuits to preserve state laws.
    Response: We are not taking either of the recommended courses of 
action. With respect to the recommendation that we expand the exception 
determination process to encompass exceptions under sections 
1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to 
grant exceptions under these sections. Under section 1178, the 
Secretary has authority to make exception determinations only with 
respect to the matters covered by section 1178(a)(2)(A); contrary state 
laws coming within section 1178(a)(2)(B) are preempted if not more 
stringent, while if a contrary state law comes within section 1178(b) 
or section 1178(c), it is not preempted. These latter statutory 
provisions operate by their own terms. Thus, it is not within the 
Secretary's authority to establish the determination process which 
these comments seek.
    With respect to the request seeking advisory opinions in the 
section 1178(b) and 1178(c) situations, we agree that we have the 
authority to issue such opinions. However, the considerations described 
above that have led us not to adopt a formal process for issuing 
advisory opinions in the privacy context apply with equal force and 
effect here.
    Comment: One commenter argued that it would be unnecessarily 
burdensome for state health data agencies (whose focus is on the cost 
of healthcare or improving Medicare, Medicaid, or the healthcare 
system) to obtain a specific determination from the Department for an 
exception under proposed Sec. 160.203(c). States should be required 
only to notify the Secretary of their own determination that such 
collection is necessary. It was also argued that cases where the 
statutory carve-outs apply should not require a Secretarial 
determination.
    Response: We clarify that no Secretarial determination is required 
for activities that fall into one of the statutory carve-outs. With 
respect to data collections for state health data agencies, we note 
that provision has been made for many of these activities in several 
provisions of the rules below, such as the provisions relating to 
disclosures required by law (Sec. 164.512(a)), disclosures for 
oversight (Sec. 164.512(d)), and disclosures for public health 
(Sec. 164.512(b)). Some disclosures for Medicare and Medicaid purposes 
may also come within the definition of health care operations. A fuller 
discussion of this issue appears in connection with Sec. 164.512 below.

Constitutional Comments and Responses

    Comment: Several commenters suggested that as a general matter the 
rule is unconstitutional.
    Response: We disagree that the rule is unconstitutional. The 
particular grounds for this conclusion are set out with respect to 
particular constitutional issues in the responses below. With respect 
to the comments that simply made this general assertion, the lack of 
detail of the comments makes a substantive response impossible.

Article II

    Comment: One commenter contended that the Secretary improperly 
delegated authority to private entities by requiring covered entities 
to enter into contracts with, monitor, and take action for violations 
of the contract against their business partners. These comments assert 
that the selection of these entities to ``enforce'' the regulations 
violates the Executive Powers Clause and the Appointments and Take Care 
Clauses.
    Response: We reject the assertion that the business associate 
provisions constitute an improper delegation of executive power to 
private entities. HIPAA provides HHS with authority to enforce the 
regulation against covered entities. The rules below regulate only the 
conduct of the covered entity; to the extent a covered entity chooses 
to conduct its funding through a business associate, those functions 
are still functions of the covered entity. Thus, no improper delegation 
has occurred because what is being regulated are the actions of the 
covered entity, not the actions of the business associate in its 
independent capacity.
    We also reject the suggestion that the business associates 
provisions constitute an improper appointment of covered entities to 
enforce the regulation and violate the Take Care Clause. Because the 
Secretary has not delegated authority to covered entities, the 
inference that she has appointed covered entities to exercise such 
authority misses the mark.

Commerce Clause

    Comment: A few commenters suggested that the privacy regulation 
regulates activities that are not in interstate commerce and which are, 
therefore, beyond the powers the U.S. Constitution gives the federal 
government.
    Response: We disagree. Health care providers, health plans, and 
health care clearinghouses are engaged in economic and commercial 
activities, including the exchange of individually identifiable health 
information electronically across state lines. These activities 
constitute interstate commerce. Therefore, they come within the scope 
of Congress' power to regulate interstate commerce.

Nondelegation Doctrine

    Comment: Some commenters objected to the manner by which Congress 
provided the Secretary authority to promulgate this regulation. These 
comments asserted that Congress violated the nondelegation doctrine by 
(1) not providing an ``intelligible principle'' to guide the agency, 
(2) not

[[Page 82589]]

establishing ``ascertainable standards,'' and (3) improperly permitting 
the Secretary to make social policy decisions.
    Response: We disagree. HIPAA clearly delineates Congress' general 
policy to establish strict privacy protections for individually 
identifiable health information to encourage electronic transactions. 
Congress also established boundaries limiting the Secretary's 
authority. Congress established these limitations in several ways, 
including by calling for privacy standards for ``individually 
identifiable health information''; specifying that privacy standards 
must address individuals' rights regarding their individually 
identifiable health information, the procedures for exercising those 
rights, and the particular uses and disclosures to be authorized or 
required; restricting the direct application of the privacy standards 
to ``covered entities,'' which Congress defined; requiring consultation 
with the National Committee on Vital and Health Statistics and the 
Attorney General; specifying the circumstances under which the federal 
requirements would supersede state laws; and specifying the civil and 
criminal penalties the Secretary could impose for violations of the 
regulation. These limitations also serve as ``ascertainable standards'' 
upon which reviewing courts can rely to determine the validity of the 
exercise of authority.
    Although Congress could have chosen to impose expressly an 
exhaustive list of specifications that must be met in order to achieve 
the protective purposes of the HIPAA, it was entirely permissible for 
Congress to entrust to the Secretary the task of providing these 
specifications based on her experience and expertise in dealing with 
these complex and technical matters.
    We disagree with the comments that Congress improperly delegated 
Congressional policy choices to her. Congress clearly decided to create 
federal standards protecting the privacy of ``individually identifiable 
health information'' and not to preempt state laws that are more 
stringent. Congress also determined over whom the Secretary would have 
authority, the type of information protected, and the minimum level of 
regulation.

Separation of Powers

    Comment: Some commenters asserted that the federal government may 
not preempt state laws that are not as strict as the privacy regulation 
because to do so would violate the separation of powers in the U.S. 
Constitution. One comment suggested that the rules raised a substantial 
constitutional issue because, as proposed, they permitted the Secretary 
to make determinations on preemption, which is a role reserved for the 
judiciary.
    Response: We disagree. We note that this comment only pertains to 
determinations under section 1178(a)(2)(A); as discussed above, the 
rules below provide for no Secretarial determinations with respect to 
state privacy laws coming within section 1178(a)(2)(B). With respect to 
determinations under section 1178(a)(2)(A), however, the final rules, 
like the proposed rules, provide that at a state's request the 
Secretary may make certain determinations regarding the preemptive 
effect of the rules on a particular state law. As usually the case with 
any administrative decisions, these are subject to judicial review 
pursuant to the Administrative Procedure Act.

First Amendment

    Comment: Some comments suggested that the rules violated the First 
Amendment. They asserted that if the rule included Christian Science 
practitioners as covered entities it would violate the separation of 
church and state doctrine.
    Response: We disagree. The First Amendment does not always prohibit 
the federal government from regulating secular activities of religious 
organizations. However, we address concerns relating to Christian 
Science practitioners more fully in the response to comments discussion 
of the definition of ``covered entity'' in Sec. 160.103.

Fourth Amendment

    Comment: Many comments expressed Fourth Amendment concerns about 
various proposed provisions. These comments fall into two categories--
general concerns about warrantless searches and specific concerns about 
administrative searches. Several comments argued that the proposed 
regulations permit law enforcement and government officials access to 
protected health information without first requiring a judicial search 
warrant or an individual's consent. These comments rejected the 
applicability of any of the existing exceptions permitting warrantless 
searches in this context. Another comment argued that federal and state 
police should be able to obtain personal medical records only with the 
informed consent of an individual. Many of these comments also 
expressed concern that protected health information could be provided 
to government or private agencies for inclusion in a governmental 
health data system.
    Response: We disagree that the provisions of these rules that 
permit disclosures for law enforcement purposes and governmental health 
data systems generally violate the Fourth Amendment. The privacy 
regulation does not create new access rights for law enforcement. 
Rather, it refrains from placing a significant barrier in front of 
access rights that law enforcement currently has under existing legal 
authority. While the regulation may permit a covered entity to make 
disclosures in specified instances, it does not require the covered 
entity make the disclosure. Thus, because we are not modifying existing 
law regarding disclosures to law enforcement officials, except to 
strengthen the requirements related to requests already authorized 
under law, and are not requiring any such disclosures, the privacy 
regulation does not infringe upon individual's Fourth Amendment rights. 
We discuss the rationale underlying the permissible disclosures to law 
enforcement officials more fully in the preamble discussion relating to 
Sec. 164.512(f).
    We note that the proposed provision relating to disclosures to 
government health data systems has been eliminated in the final rule. 
However, to the extent that the comments can be seen as raising concern 
over disclosure of protected health information to government agencies 
for public health, health oversight, or other purposes permitted by the 
final rule, the reasoning in the previous paragraph applies.
    Comment: One commenter suggested that the rules violate the Fourth 
Amendment by requiring covered entities to provide access to the 
Secretary to their books, records, accounts, and facilities to ensure 
compliance with these rules. The commenter also suggested that the 
requirement that covered entities enter into agreements with their 
business partners to make their records available to the Secretary for 
inspection as well also violates the warrant requirement of the Fourth 
Amendment.
    Response: We disagree. These requirements are consistent with U.S. 
Supreme Court cases holding that warrantless administrative searches of 
commercial property are not per se violations of the Fourth Amendment. 
The provisions requiring that covered entities provide access to 
certain material to determine compliance with the regulation come 
within the well-settled exception regarding closely regulated 
businesses and industries to the warrant requirement. From state and 
local licensure laws to the federal fraud and abuse statutes and 
regulations, the health care industry is one of the most

[[Page 82590]]

tightly regulated businesses in the country. Because the industry has 
such an extensive history of government oversight and involvement, 
those operating within it have no reasonable expectation of privacy 
from the government such that a warrant would be required to determine 
compliance with the rules.
    In addition, the cases cited by the commenters concern unannounced 
searches of the premises and facilities of particular entities. Because 
our enforcement provisions only provide for the review of books, 
records, and other information and only during normal business hours 
with notice, except for exceptional situations, this case law does not 
apply.
    As for business associates, they voluntarily enter into their 
agreements with covered entities. This agreement, therefore, functions 
as knowing and voluntary consents to the search (even assuming it could 
be understood to be a search) and obviates the need for a warrant.

Fifth Amendment

    Comment: Several comments asserted that the proposed rules violated 
the Fifth Amendment because in the commenters' views they authorized 
the taking of privacy property without just compensation or due process 
of law.
    Response: We disagree. The rules set forth below do not address the 
issue of who owns an individual's medical record. Instead, they address 
what uses and disclosures of protected health information may be made 
by covered entities with or without a consent or authorization. As 
described in response to a similar comment, medical records have been 
the property of the health care provider or medical facility that 
created them, historically. In some states, statutes directly provide 
these entities with ownership. These laws are limited by laws that 
provide patients or their representatives with access to the records or 
that provide the patient with an ownership interest in the information 
within the records. As we discuss, the final rule is consistent with 
current state law that provides patients access to protected health 
information, but not ownership of medical records. State laws that 
provide patients with greater access would remain in effect. Therefore, 
because patients do not own their records, no taking can occur. As for 
their interest in the information, the final rule retains their rights. 
As for covered entities, the final rule does not take away their 
ownership rights or make their ownership interest in the protected 
health information worthless. Therefore, no taking has occurred in 
these situations either.

Ninth and Tenth Amendments

    Comment: Several comments asserted that the proposed rules violated 
the Ninth and Tenth Amendments. One commenter suggested that the Ninth 
Amendment prohibits long and complicated regulations. Other commenters 
suggested that the proposed rules authorized the compelled disclosure 
of individually identifiable health information in violation of State 
constitutional provisions, such as those in California and Florida. 
Similarly, a couple of commenters asserted that the privacy rules 
violate the Tenth Amendment.
    Response: We disagree. The Ninth and Tenth Amendments address the 
rights retained by the people and acknowledge that the States or the 
people are reserved the powers not delegated to the federal government 
and not otherwise prohibited by the Constitution. Because HHS is 
regulating under a delegation of authority from Congress in an area 
that affects interstate commerce, we are within the powers provided to 
Congress in the Constitution. Nothing in the Ninth Amendment, or any 
other provision of the Constitution, restricts the length or complexity 
of any law. Additionally, we do not believe the rules below 
impermissibly authorize behavior that violates State constitutions. 
This rule requires disclosure only to the individual or to the 
Secretary to enforce this rule. As noted in the preamble discussion of 
``Preemption,'' these rules do not preempt State laws, including 
constitutional provisions, that are contrary to and more stringent, as 
defined at Sec. 160.502, than these rules. See the discussion of 
``Preemption'' for further clarification. Therefore, if these State 
constitutions are contrary to the rule below and provide greater 
protection, they remain in full force; if they do not, they are 
preempted, in accordance with the Supremacy Clause of the Constitution.

Right to Privacy

    Comment: Several comments suggested that the proposed regulation 
would violate the right to privacy guaranteed by the First, Fourth, 
Fifth, and Ninth Amendments because it would permit covered entities to 
disclose protected health information without the consent of the 
individual.
    Response: These comments did not provide specific facts or legal 
basis for the claims. We are, thus, unable to provide a substantive 
response to these particular comments. However, we note that the rule 
requires disclosures only to the individual or to the Secretary to 
determine compliance with this rule. Other uses or disclosures under 
this rule are permissive, not required. Therefore, if a particular use 
or disclosure under this rule is viewed as interfering with a right 
that prohibited the use or disclosure, the rule itself is not what 
requires the use or disclosure.

Void for Vagueness

    Comment: One comment suggested that the Secretary's use of a 
``reasonableness'' standard is unconstitutionally vague. Specifically, 
this comment objected to the requirement that covered entities use 
``reasonable'' efforts to use or disclose the minimum amount of 
protected health information, to ensure that business partners comply 
with the privacy provisions of their contracts, to notify business 
partners of any amendments or corrections to protected health 
information, and to verify the identity of individuals requesting 
information, as well as charge only a ``reasonable'' fee for inspecting 
and copying health information. This comment asserted that the 
Secretary provided ``inadequate guidance'' as to what qualifies as 
``reasonable.''
    Response: We disagree with the comment's suggestion that by 
applying a ``reasonableness'' standard, the regulation has failed to 
provide for ``fair warning'' or ``fair enforcement.'' The 
``reasonableness'' standard is well-established in law; for example, it 
is the foundation of the common law of torts. Courts also have 
consistently held as constitutional statutes that rely upon a 
``reasonableness'' standard. Our reliance upon a ``reasonableness'' 
standard, thus, provides covered entities with constitutionally 
sufficient guidance.

Criminal Intent

    Comment: One comment argued that the regulation's reliance upon a 
``reasonableness'' standard criminalizes ``unreasonable efforts'' 
without requiring criminal intent or mens rea.
    Response: We reject this suggestion because HIPAA clearly provides 
the criminal intent requirement. Specifically, HIPPA provides that a 
``person who knowingly and in violation of this part--(1) uses or 
causes to be used a unique health identifier; (2) obtains individually 
identifiable health information relating to an individual; or (3) 
discloses individually identifiable health information to another 
person, shall be punished as provided in subsection (b).'' HIPAA 
section 1177 (emphasis added). Subsection (b) also relies on a 
knowledge standard in

[[Page 82591]]

outlining the three levels of criminal sanctions. Thus, Congress, not 
the Secretary, established the mens rea by including the term 
``knowingly'' in the criminal penalty provisions of HIPAA.

Data Collection

    Comment: One commenter suggested that the U.S. Constitution 
authorized the collection of data on individuals only for the purpose 
of the census.
    Response: While it might be true that the U.S. Constitution 
expressly discusses the national census, it does not forbid federal 
agencies from collecting data for other purposes. The ability of 
agencies to collect non-census data has been upheld by the courts.

Relationship to Other Federal Laws

    Comment: We received several comments that sought clarification of 
the interaction of various federal laws and the privacy regulation. 
Many of these comments simply listed federal laws and regulations with 
which the commenter currently must comply. For example, commenters 
noted that they must comply with regulations relating to safety, public 
health, and civil rights, including Medicare and Medicaid, the 
Americans with Disabilities Act, the Family and Medical Leave Act, the 
Federal Aviation Administration regulations, the Department of 
Transportation regulations, the Federal Highway Administration 
regulations, the Occupational Safety and Health Administration 
regulations, and the Environmental Protection Agency regulations, and 
alcohol and drug free workplace rules. These commenters suggested that 
the regulation state clearly and unequivocally that uses or disclosures 
of protected health information for these purposes were permissible. 
Some suggested modifying the definition of health care operations to 
include these uses specifically. Another suggestion was to add a 
section that permitted the transmission of protected health information 
to employers when reasonably necessary to comply with federal, state, 
or municipal laws and regulations, or when necessary for public or 
employee safety and health.
    Response: Although we sympathize with entities' needs to evaluate 
the existing laws with which they must comply in light of the 
requirements of the final regulation, we are unable to respond 
substantially to comments that do not pose specific questions. We 
offer, however, the following guidance: if an covered entity is 
required to disclose protected health information pursuant to a 
specific statutory or regulatory scheme, the covered entity generally 
will be permitted under Sec. 164.512(a) to make these disclosures 
without a consent or authorization; if, however, a statute or 
regulation merely suggests a disclosure, the covered entity will need 
to determine if the disclosure comes within another category of 
permissible disclosure under Secs. 164.510 or 164.512 or, 
alternatively, if the disclosure would otherwise come within 
Sec. 164.502. If not, the entity will need to obtain a consent or 
authorization for the disclosure.
    Comment: One commenter sought clarification as to when a disclosure 
is considered to be ``required'' by another law versus ``permitted'' by 
that law.
    Responses: We use these terms according to their common usage. By 
``required by law,'' we mean that a covered entity has a legal 
obligation to disclose the information. For example, if a statute 
states that a covered entity must report the names of all individuals 
presenting with gun shot wounds to the emergency room or else be fined 
$500 for each violation, a covered entity would be required by law to 
disclose the protected health information necessary to comply with this 
mandate. The privacy regulation permits this type of disclosure, but 
does not require it. Therefore, if a covered entity chose not to comply 
with the reporting statute it would violate only the reporting statute 
and not the privacy regulation.
    On the other hand, if a statute stated that a covered entity may or 
is permitted to report the names of all individuals presenting with gun 
shot wounds to the emergency room and, in turn, would receive $500 for 
each month it made these reports, a covered entity would not be 
permitted by Sec. 164.512(a) to disclose the protected health 
information. Of course, if another permissible provision applied to 
these facts, the covered entity could make the disclosure under that 
provision, but it would not be considered to be a disclosure. See 
discussion under Sec. 164.512(a) below.
    Comment: Several commenters suggested that the proposed rule was 
unnecessarily duplicative of existing regulations for federal programs, 
such as Medicare, Medicaid, and the Federal Employee Health Benefit 
Program.
    Response: Congress specifically subjected certain federal programs, 
including Medicare, Medicaid, and the Federal Employee Health Benefit 
Program to the privacy regulation by including them within the 
definition of ``health plan.'' Therefore, covered entities subject to 
requirements of existing federal programs will also have to comply with 
the privacy regulation.
    Comment: One comment asserts that the regulation would not affect 
current federal requirements if the current requirements are weaker 
than the requirements of the privacy regulation. This same commenter 
suggested that current federal requirements will trump both state law 
and the proposed regulation, even if Medicaid transactions remain 
wholly intrastate.
    Response: We disagree. As noted in our discussion of ``Relationship 
to Other Federal Laws,'' each law or regulation will need to be 
evaluated individually. We similarly disagree with the second assertion 
made by the commenter. The final rule will preempt state laws only in 
specific instances. For a more detailed analysis, see the preamble 
discussion of ``Preemption.''

Administrative Subpoenas

    Comment: One comment stated that the final rule should not impose 
new standards on administrative subpoenas that would conflict with 
existing laws or administrative or judicial rules that establish 
standards for issuing subpoenas. Nor should the final rule conflict 
with established standards for the conduct of administrative, civil, or 
criminal proceedings, including the rules regarding the discovery of 
evidence. Other comments sought further restrictions on access to 
protected health information in this context.
    Response: Section 164.512(e) below addresses disclosures for 
judicial and administrative proceedings. The final rules generally do 
not interfere with these existing processes to the extent an individual 
served with a subpoena, court order, or other similar process is able 
to raise objections already available. See the discussion below under 
Sec. 164.512(e) for a fuller response.

Americans with Disabilities Act

    Comment: Several comments discussed the intersection between the 
proposed Privacy Rule and the Americans with Disabilities Act (``ADA'') 
and sections 503 and 504 of the Rehabilitation Act of 1973. One comment 
suggested that the final rule explicitly allows disclosures authorized 
by the Americans with Disabilities Act without an individual's 
authorization, because this law, in the commenter's view, provides more 
than adequate protection for the confidentiality of medical records in 
the employment context. The comment noted that under these laws 
employers may receive information related to fitness for duty, pre-
employment physicals, routine examinations, return to work 
examinations, examinations following other types of absences, 
examinations triggered by specific events, changes in

[[Page 82592]]

circumstances, requests for reasonable accommodations, leave requests, 
employee wellness programs, and medical monitoring.
    Other commenters suggested that the ADA requires the disclosure of 
protected health information to employers so that the employee may take 
advantage of the protections of these laws. They suggested that the 
final rules clarify that employment may be conditioned on obtaining an 
authorization for disclosure of protected health information for lawful 
purposes and provide guidance concerning the interaction of the ADA 
with the final regulation's requirements. Several commenters wanted 
clarification that the privacy regulation would not permit employers to 
request or use protected health information in violation of the ADA.
    Response: We disagree with the comment that the final rule should 
allow disclosures of protected health information authorized by the ADA 
without the individual's authorization. We learned from the comments 
that access to and use of protected health information by employers is 
of particular concern to many people. With regard to employers, we do 
not have statutory authority to regulate them. Therefore, it is beyond 
the scope of this regulation to prohibit employers from requesting or 
obtaining protected health information. Covered entities may disclose 
protected health information about individuals who are members of an 
employer's workforce with an authorization. Nothing in the privacy 
regulation prohibits employers from obtaining that authorization as a 
condition of employment. We note, however, that employers must comply 
with other laws that govern them, such as nondiscrimination laws. For 
example, if an employer receives a request for a reasonable 
accommodation, the employer may require reasonable documentation about 
the employee's disability and the functional limitations that require 
the reasonable accommodation, if the disability and the limitations are 
not obvious. If the individual provides insufficient documentation and 
does not provide the missing information in a timely manner after the 
employer's subsequent request, the employer may require the individual 
to go to an appropriate health professional of the employer's choice. 
In this situation, the employee does not authorize the disclosure of 
information to substantiate the disability and the need for reasonable 
accommodation, the employer need not provide the accommodation.
    We agree that this rule does not permit employers to request or use 
protected health information in violation of the ADA or other 
antidiscrimination laws.

Appropriations Laws

    Comment: One comment suggested that the penalty provisions of 
HIPAA, if extended to the privacy regulation, would require the 
Secretary to violate ``Appropriations Laws'' because the Secretary 
could be in the position of assessing penalties against her own and 
other federal agencies in their roles as covered entities. Enforcing 
penalties on these entities would require the transfer of agency funds 
to the General Fund.
    Response: We disagree. Although we anticipate achieving voluntary 
compliance and resolving any disputes prior to the actual assessment of 
penalties, the Department of Justice's Office of Legal Counsel has 
determined in similar situations that federal agencies have authority 
to assess penalties against other federal agencies and that doing so is 
not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

    Comment: One comment expressed concern that the regulation would 
place tremendous burdens on providers already struggling with the 
effects of the Balanced Budget Act of 1997.
    Response: We appreciate the costs covered entities face when 
complying with other statutory and regulatory requirements, such as the 
Balanced Budget Act of 1997. However, HHS cannot address the impact of 
the Balanced Budget Act or other statutes in the context of this 
regulation.
    Comment: Another comment stated that the regulation is in direct 
conflict with the Balanced Budget Act of 1997 (``BBA''). The comment 
asserts that the regulation's compliance date conflicts with the BBA, 
as well as Generally Acceptable Accounting Principles. According to the 
comment, covered entities that made capital acquisitions to ensure 
compliance with the year 2000 (``Y2K'') problem would not be able to 
account for the full depreciation of these systems until 2005. Because 
HIPAA requires compliance before that time, the regulation would force 
premature obsolescence of this equipment because while it is Y2K 
compliant, it may be HIPAA non-compliant.
    Response: This comment raises two distinct issues--(1) the 
investment in new equipment and (2) the compliance date. With regard to 
the first issue, we reject the comment's assertion that the regulation 
requires covered entities to purchase new information systems or 
information technology equipment, but realize that some covered 
entities may need to update their equipment. We have tried to minimize 
the costs, while responding appropriately to Congress' mandate for 
privacy rules. We have dealt with the cost issues in detail in the 
``Regulatory Impact Analysis'' section of this Preamble. With regard to 
the second issue, Congress, not the Secretary, established the 
compliance data at section 1175(b) of the Act.

Civil Rights of Institutionalized Persons Act

    Comment: A few comments expressed concern that the privacy 
regulation would inadvertently hinder the Department of Justice Civil 
Rights Divisions' investigations under the Civil Rights of 
Institutionalized Persons Act (``CRIPA''). These comments suggested 
clearly including civil rights enforcement activities as health care 
oversight.
    Response: We agree with this comment. We do not intend for the 
privacy rules to hinder CRIPA investigations. Thus, the final rule 
includes agencies that are authorized by law to ``enforce civil rights 
laws for which health information is relevant'' in the definition of 
``health oversight agency'' at Sec. 164.501. Covered entities are 
permitted to disclose protected health information to health oversight 
agencies under Sec. 164.512(d) without an authorization. Therefore, we 
do not believe the final rule should hinder the Department of Justice's 
ability to conduct investigations pursuant to its authority in CRIPA.

Clinical Laboratory Improvement Amendments

    Comment: One comment expressed concern that the proposed definition 
of health care operations did not include activities related to the 
quality control clinical studies performed by laboratories to 
demonstrate the quality of patient test results. Because the Clinical 
Laboratory Improvement Amendments of 1988 (``CLIA'') requires these 
studies that the comment asserted require the use of protected health 
information, the comment suggested including this specific activity in 
the definition of ``health care operations.''
    Response: We do not intend for the privacy regulation to impede the 
ability of laboratories to comply with the requirements of CLIA. 
Quality control activities come within the definition of ``health care 
operations'' in Sec. 164.501 because they come within the meaning of 
the term ``quality assurance activities.'' To the extent they would not 
come within health care operations, but

[[Page 82593]]

are required by CLIA, the privacy regulation permits clinical 
laboratories that are regulated by CLIA to comply with mandatory uses 
and disclosures of protected health information pursuant to 
Sec. 164.512(a).
    Comment: One comment stated that the proposed regulation's right of 
access for inspection and copying provisions were contrary to CLIA in 
that CLIA permits laboratories to disclose lab test results only to 
``authorized persons.'' This comment suggested that the final rule 
include language adopting this restriction to ensure that patients not 
obtain laboratory test results before the appropriate health care 
provider has reviewed and explained those results to the patients.
    A similar comment stated that the lack of preemption of state laws 
could create problems for clinical laboratories under CLIA. 
Specifically, this comment noted that CLIA permits clinical 
laboratories to perform tests only upon the written or electronic 
request of, and to provide the results to, an ``authorized person.'' 
State laws define who is an ``authorized person.'' The comment 
expressed concern as to whether the regulation would preempt state laws 
that only permit physicians to receive test results.
    Response: We agree that CLIA controls in these cases. Therefore, we 
have amended the right of access, Sec. 164.524(a), so that a covered 
entity that is subject to CLIA does not have to provide access to the 
individual to the extent such access would be prohibited by law. 
Because of this change, we believe the preemption concern is moot.

Controlled Substance Act

    Comment: One comment expressed concern that the privacy regulation 
as proposed would restrict the Drug Enforcement Agency's (``the DEA'') 
enforcement of the Controlled Substances Act (``CSA''). The comment 
suggested including enforcement activities in the definition of 
``health oversight agency.''
    Response: In our view, the privacy regulation should not impede the 
DEA's ability to enforce the CSA. First, to the extent the CSA requires 
disclosures to the DEA, these disclosures would be permissible under 
Sec. 164.512(a). Second, some of the DEA's CSA activities come within 
the exception for health oversight agencies which permits disclosures 
to health oversight agencies for:

    Activities authorized by law, including audits; civil, 
administrative, or criminal investigations; inspections * * * civil, 
administrative, or criminal proceedings or actions; and other 
activity necessary for appropriate oversight of the health care 
system.

    Therefore, to the extent the DEA is enforcing the CSA, disclosures 
to it in its capacity as a health oversight agency are permissible 
under Sec. 164.512(d). Alternatively, CSA required disclosures to the 
DEA for law enforcement purposes are permitted under Sec. 164.512(f). 
When acting as a law enforcement agency under the CSA, the DEA may 
obtain the information pursuant to Sec. 164.512(f). Thus, we do not 
agree that the privacy regulation will impede the DEA's enforcement of 
the CSA. See the preamble discussion of Sec. 164.512 for further 
explanation.
    Comment: One commenter suggested clarifying the provisions allowing 
disclosures that are ``required by law'' to ensure that the mandatory 
reporting requirements the CSA imposes on covered entities, including 
making available reports, inventories, and records of transactions, are 
not preempted by the regulation.
    Response: We agree that the privacy regulation does not alter 
covered entities' obligations under the CSA. Because the CSA requires 
covered entities manufacturing, distributing, and/or dispensing 
controlled substances to maintain and provide to the DEA specific 
records and reports, the privacy regulation permits these disclosures 
under Sec. 164.512(a). In addition, when the DEA seeks documents to 
determine an entity's compliance with the CSA, such disclosures are 
permitted under Sec. 164.512(d).
    Comment: The same commenter expressed concern that the proposed 
privacy regulation inappropriately limits voluntary reporting and would 
prevent or deter employees of covered entities from providing the DEA 
with information about violations of the CSA.
    Response: We agree with the general concerns expressed in this 
comment. We do not believe the privacy rules will limit voluntary 
reporting of violations of the CSA. The CSA requires certain entities 
to maintain several types of records that may include protected health 
information. Although reports that included protected health 
information may be restricted under these rules, reporting the fact 
that an entity is not maintaining proper reports is not. If it were 
necessary to obtain protected health information during the 
investigatory stages following such a voluntary report, the DEA would 
be able to obtain the information in other ways, such as by following 
the administrative procedures outlined in Sec. 164.512(e).
    We also agree that employees of covered entities who report 
violations of the CSA should not be subjected to retaliation by their 
employers. Under Sec. 164.502(j), we specifically state that a covered 
entity is not considered to have violated the regulation if a workforce 
member or business associate in good faith reports violations of laws 
or professional standards by covered entities to appropriate 
authorities. See discussion of Sec. 164.502(j) below.

Department of Transportation

    Comment: Several commenters stated that the Secretary should 
recognize in the preamble that it is permissible for employers to 
condition employment on an individual's delivering a consent to certain 
medical tests and/or examinations, such as drug-free workplace programs 
and Department of Transportation (``DOT'')-required physical 
examinations. These comments also suggested that employers should be 
able to receive certain information, such as pass/fail test and 
examination results, fitness-to-work assessments, and other legally 
required or permissible physical assessments without obtaining an 
authorization. To achieve this goal, these comments suggested defining 
``health information'' to exclude information such as information about 
how much weight a specific employee can lift.
    Response: We reject the suggestion to define ``health 
information,'' which Congress defined in HIPAA, so that it excludes 
individually identifiable health information that may be relevant to 
employers for these types of examinations and programs. We do not 
regulate employers. Nothing in the rules prohibit employers from 
conditioning employment on an individual signing the appropriate 
consent or authorization. By the same token, however, the rules below 
do not relieve employers from their obligations under the ADA and other 
laws that restrict the disclosure of individually identifiable health 
information.
    Comment: One commenter asserted that the proposed regulation 
conflicts with the DOT guidelines regarding positive alcohol and drug 
tests that require the employer be notified in writing of the results. 
This document contains protected health information. In addition, the 
treatment center records must be provided to the Substance Abuse 
Professional (``SAP'') and the employer must receive a report from SAP 
with random drug testing recommendations.
    Response: It is our understanding that DOT requires drug testing of 
all applicants for employment in safety-sensitive positions or 
individuals being transferred to such positions.

[[Page 82594]]

Employers, pursuant to DOT regulations, may condition an employee's 
employment or position upon first obtaining an authorization for the 
disclosure of results of these tests to the employer. Therefore, we do 
not believe the final rules conflict with the DOT requirements, which 
do not prohibit obtaining authorizations before such information is 
disclosed to employers.

Developmental Disabilities Act

    Comment: One commenter urged HHS to ensure that the regulation 
would not impede access to individually identifiable health information 
to entities that are part of the Protection and Advocacy System to 
investigate abuse and neglect as authorized by the Developmental 
Disabilities Bill of Rights Act.
    Response: The Developmental Disabilities Assistance and Bill of 
Rights Act of 2000 (``DD Act'') mandates specific disclosures of 
individually identifiable health information to Protection and Advocacy 
systems designated by the chief elected official of the states and 
Territories. Therefore, covered entities may make these disclosures 
under Sec. 164.512(a) without first obtaining an individual's 
authorization, except in those circumstances in which the DD Act 
requires the individual's authorization. Therefore, the rules below 
will not impede the functioning of the existing Protection and Advocacy 
System.

Employee Retirement Income Security Act of 1974

    Comment: Several commenters objected to the fact that the NPRM did 
not clarify the scope of preemption of state laws under the Employee 
Retirement Income Security Act of 1974 (ERISA). These commenters 
asserted that the final rule must state that ERISA preempts all state 
laws (including those relating to the privacy of individually 
identifiable health information) so that multistate employers could 
continue to administer their group health plans using a single set of 
rules. In contrast, other commenters criticized the Department for its 
analysis of the current principles governing ERISA preemption of state 
law, pointing out that the Department has no authority to interpret 
ERISA.
    Response: This Department has no authority to issue regulations 
under ERISA as requested by some of these commenters, so the rule below 
does not contain the statement requested. See the discussion of this 
point under ``Preemption'' above.
    Comment: One commenter requested that the final rule clarify that 
section 264(c)(2) of HIPAA does not save state laws that would 
otherwise be preempted by the Federal Employees Health Benefits 
Program. The commenter noted that in the NPRM this statement was made 
with respect to Medicare and ERISA, but not the law governing the 
FEHBP.
    Response: We agree with this comment. The preemption analysis set 
out above with respect to ERISA applies equally to the Federal 
Employees Health Benefit Program.
    Comment: One commenter noted that the final rule should clarify the 
interplay between state law, the preemption standards in Subtitle A of 
Title I of HIPAA (Health Care Access, Portability and Renewability), 
and the preemption standards in the privacy requirements in Subtitle F 
of Title II of HIPAA (Administrative Simplification).
    Response: The NPRM described only the preemption standards that 
apply with respect to the statutory provisions of HIPAA that were 
implemented by the proposed rule. We agree that the preemption 
standards in Subtitle A of Title I of HIPAA are different. Congress 
expressly provided that the preemption provisions of Title I apply only 
to Part 7, which addresses portability, access, and renewability 
requirements for Group Health Plans. To the extent state laws contain 
provisions regarding portability, access, or renewability, as well as 
privacy requirements, a covered entity will need to evaluate the 
privacy provisions under the Title II preemption provisions, as 
explained in the preemption provisions of the rules, and the other 
provisions under the Title I preemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

    Comment: Several comments stated that the privacy regulation should 
be consistent with the European Union's Directive on Data Protection. 
Others sought guidance as to how to comply with both the E.U. Directive 
on Data Protection and the U.S. Safe Harbor Privacy Principles.
    Response: We appreciate the need for covered entities obtaining 
personal data from the European Union to understand how the privacy 
regulation intersects with the Data Protection Directive. We have 
provided guidance as to this interaction in the ``Other Federal Laws'' 
provisions of the preamble.
    Comment: A few comments expressed concern that the proposed 
definition of ``individual'' excluded foreign military and diplomatic 
personnel and their dependents, as well as overseas foreign national 
beneficiaries. They noted that the distinctions are based on 
nationality and are inconsistent with the stance of the E.U. Directive 
on Data Protection and the Department of Commerce's assurances to the 
European Commission.
    Response: We agree with the general principle that privacy 
protections should protect every person, regardless of nationality. As 
noted in the discussion of the definition of ``individual,'' the final 
regulation's definition does not exclude foreign military and 
diplomatic personnel, their dependents, or overseas foreign national 
beneficiaries from the definition of individual. As described in the 
discussion of Sec. 164.512 below, the final rule applies to foreign 
diplomatic personnel and their dependents like all other individuals. 
Foreign military personnel receive the same treatment under the final 
rule as U.S. military personnel do, as discussed with regard to 
Sec. 164.512 below. Overseas foreign national beneficiaries to the 
extent they receive care for the Department of Defense or a source 
acting on behalf of the Department of Defense remain generally excluded 
from the final rules protections. For a more detailed explanation, see 
Sec. 164.500.

Fair Credit Reporting Act

    Comment: A few commenters requested that we exclude information 
maintained, used, or disclosed pursuant to the Fair Credit Reporting 
Act (``FCRA'') from the requirements of the privacy regulation. These 
commenters noted that the protection in the privacy regulation 
duplicate those in the FCRA.
    Response: Although we realize that some overlap between FCRA and 
the privacy rules may exist, we have chosen not to remove information 
that may come within the purview of FCRA from the scope of our rules 
because FCRA's focus is not the same as our Congressional mandate to 
protect individually identifiable health information.
    To the extent a covered entity seeks to engage in collection 
activities or other payment-related activities, it may do so pursuant 
to the requirements of this rule related to payment. See discussion of 
Secs. 164.501 and 164.502 below.
    We understand that some covered entities may be part of, or contain 
components that are, entities which meet the definition of ``consumer 
reporting agencies.'' As such, these entities are subject to the FCRA. 
As described in the preamble to Sec. 164.504, covered entities must 
designate what parts of their organizations will be treated as covered 
entities for the

[[Page 82595]]

purpose of these privacy rules. The covered entity component will need 
to comply with these rules, while the components that are consumer 
reporting agencies will need to comply with FCRA.
    Comment: One comment suggested that the privacy regulation would 
conflict with the FCRA if the regulation's requirement applied to 
information disclosed to consumer reporting agencies.
    Response: To the extent a covered entity is required to disclose 
protected health information to a consumer reporting agency, it may do 
so under Sec. 164.512(a). See also discussion under the definition of 
``payment'' below.

Fair Debt Collection and Practices Act

    Comment: Several comments expressed concern that health plans and 
health care providers be able to continue using debt collectors in 
compliance with the Fair Debt Collections Practices Act and related 
laws.
    Response: In our view, health plans and health care providers will 
be able to continue using debt collectors. Using the services of a debt 
collector to obtain payment for the provision of health care comes 
within the definition of ``payment'' and is permitted under the 
regulation. Thus, so long as the use of debt collectors is consistent 
with the regulatory requirements (such as, providers obtain the proper 
consents, the disclosure is of the minimum amount of information 
necessary to collect the debt, the provider or health plan enter into a 
business associate agreement with the debt collector, etc.), relying 
upon debt collectors to obtain reimbursement for the provision of 
health care would not be prohibited by the regulation.

Family Medical Leave Act

    Comment: One comment suggested that the proposed regulation 
adversely affects the ability of an employer to determine an employee's 
entitlement to leave under the Family Medical Leave Act (``FMLA'') by 
affecting the employer's right to receive medical certification of the 
need for leave, additional certifications, and fitness for duty 
certification at the end of the leave. The commenter sought 
clarification as to whether a provider could disclose information to an 
employer without first obtaining an individual's consent or 
authorization. Another commenter suggested that the final rule 
explicitly exclude from the rule disclosures authorized by the FMLA, 
because, in the commenter's view, it provides more than adequate 
protection for the confidentiality of medical records in the employment 
context.
    Response: We disagree that the FMLA provides adequate privacy 
protections for individually identifiable health information. As we 
understand the FMLA, the need for employers to obtain protected health 
information under the statute is analogous to the employer's need for 
protected health information under the ADA. In both situations, 
employers may need protected health information to fulfill their 
obligations under these statutes, but neither statute requires covered 
entities to provide the information directly to the employer. Thus, 
covered entities in these circumstances will need an individual's 
authorizations before the disclosure is made to the employer.

Federal Common Law

    Comment: One commenter did not want the privacy rules to interfere 
with the federal common law governing collective bargaining agreements 
permitting employers to insist on the cooperation of employees with 
medical fitness evaluations.
    Response: We do not seek to interfere with legal medical fitness 
evaluations. These rules require a covered entity to have an 
individual's authorization before the information resulting from such 
evaluations is disclosed to the employer unless another provision of 
the rule applies. We do not prohibit employers from conditioning 
employment, accommodations, or other benefits, when legally permitted 
to do so, upon the individual/employee providing an authorization that 
would permit the disclosure of protected health information to 
employers by covered entities. See Sec. 164.508(b)(4) below.

Federal Educational Rights and Privacy Act

    Comment: A few commenters supported the exclusion of ``education 
records'' from the definition of ``protected health information.'' 
However, one commenter requested that ``treatment records'' of students 
who are 18 years or older attending post-secondary education 
institutions be excluded from the definition of ``protected health 
information'' as well to avoid confusion.
    Response: We agree with these commenters. See ``Relationship to 
Other Federal Laws'' for a description of our exclusion of FERPA 
``education records'' and records defined at 20 U.S.C. 
1232g(a)(4)(B)(iv), commonly referred to as ``treatment records,'' from 
the definition of ``protected health information.''
    Comment: One comment suggested that the regulation should not apply 
to any health information that is part of an ``education record'' in 
any educational agency or institution, regardless of its FERPA status.
    Response: We disagree. As noted in our discussion of ``Relationship 
of Other Federal Laws,'' we exclude education records from the 
definition of protected health information because Congress expressly 
provided privacy protections for these records and explained how these 
records should be treated in FERPA.
    Comment: One commenter suggested eliminating the preamble language 
that describes school nurses and on-site clinics as acting as providers 
and subject to the privacy regulation, noting that this language is 
confusing and inconsistent with the statements provided in the preamble 
explicitly stating that HIPAA does not preempt FERPA.
    Response: We agree that this language may have been confusing. We 
have provided a clearer expression of when schools may be required to 
comply with the privacy regulation in the ``Relationship to Other 
Federal Laws'' section of the preamble.
    Comment: One commenter suggested adding a discussion of FERPA to 
the ``Relationship to Other Federal Laws'' section of the preamble.
    Response: We agree and have added FERPA to the list of federal laws 
discussed in ``Relationship to Other Federal Laws'' section of the 
preamble.
    Comment: One commenter stated that school clinics should not have 
to comply with the ``ancillary'' administrative requirements, such as 
designating a privacy official, maintaining documentation of their 
policies and procedures, and providing the Secretary of HHS with 
access.
    Response: We disagree. Because we have excluded education records 
and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by 
educational agencies and institutions subject to FERPA from the 
definition of protected health information, only non-FERPA schools 
would be subject to the administrative requirements. Most of these 
school clinics will also not be covered entities because they are not 
engaged in HIPAA transactions and these administrative requirements 
will not apply to them. However, to the extent a school clinic is 
within the definition of a health care provider, as Congress defined 
the term, and the school clinic is engaged in HIPAA transactions, it 
will be a covered entity and must comply with the rules below.

[[Page 82596]]

    Comment: Several commenters expressed concern that the privacy 
regulation would eliminate the parents' ability to have access to 
information in their children's school health records. Because the 
proposed regulation suggests that school-based clinics keep health 
records separate from other educational files, these comments argued 
that the regulation is contrary to the spirit of FERPA, which provides 
parents with access rights to their children's educational files.
    Response: As noted in the ``Relationship to Other Federal Laws'' 
provision of the preamble, to the extent information in school-based 
clinics is not protected health information because it is an education 
record, the FERPA access requirements apply and this regulation does 
not. For more detail regarding the rule's application to unemancipated 
minors, see the preamble discussion about ``Personal Representatives.''

Federal Employees Compensation Act

    Comment: One comment noted that the Federal Employees Compensation 
Act (``FECA'') requires claimants to sign a release form when they file 
a claim. This commenter suggested that the privacy regulation should 
not place additional restrictions on this type of release form.
    Response: We agree. In the final rule, we have added a new 
provision, Sec. 164.512(l), that permits covered entities to make 
disclosures authorized under workers' compensation and similar laws. 
This provision would permit covered entities to make disclosures 
authorized under FECA and not require a different release form.

Federal Employees Health Benefits Program

    Comment: A few comments expressed concern about the preemption 
effect on FEHBP and wanted clarification that the privacy regulation 
does not alter the existing preemptive scope of the program.
    Response: We do not intend to affect the preemptive scope of the 
FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any 
state law that ``relates to'' health insurance or plans. 5 U.S.C. 
8902(m). The final rule does not attempt to alter the preemptive scope 
Congress has provided to the FEHBP.
    Comment: One comment suggested that in the context of FEHBP HHS 
should place the enforcement responsibilities of the privacy regulation 
with Office of Personnel Management, as the agency responsible for 
administering the program.
    Response: We disagree. Congress placed enforcement with the 
Secretary. See section 1176 of the Act.

Federal Rules of Civil Procedure

    Comment: A few comments suggested revising proposed Sec. 164.510(d) 
so that it is consistent with the existing discovery procedure under 
the Federal Rules of Civil Procedure or local rules.
    Response: We disagree that the rules regarding disclosures and uses 
of protected health information for judicial and administrative 
procedures should provide only those protections that exist under 
existing discovery rules. Although the current process may be 
appropriate for other documents and information requested during the 
discovery process, the current system, as exemplified by the Federal 
Rules of Civil Procedure, does not provide sufficient protection for 
protected health information. Under current discovery rules, private 
attorneys, government officials, and others who develop such requests 
make the initial determinations as to what information or documentation 
should be disclosed. Independent third-party review, such as that by a 
court, only becomes necessary if a person of whom the request is made 
refuses to provide the information. If this happens, the person seeking 
discovery must obtain a court order or move to compel discovery. In our 
view this system does not provide sufficient protections to ensure that 
unnecessary and unwarranted disclosures of protected health information 
does not occur. For a related discuss, see the preamble regarding 
``Disclosures for Judicial and Administrative Proceedings'' under 
Sec. 164.512(e).

Federal Rules of Evidence

    Comment: Many comments requested clarification that the privacy 
regulation does not conflict or interfere with the federal or state 
privileges. In particular, one of these comments suggested that the 
final regulation provide that disclosures for a purpose recognized by 
the regulation not constitute a waiver of federal or state privileges.
    Response: We do not intend for the privacy regulation to interfere 
with federal or state rules of evidence that create privileges. 
Consistent with The Uniform Health-Care Information Act drafted by the 
National Conference of Commissioners on Uniform State Laws, we do not 
view a consent or an authorization to function as a waiver of federal 
or state privileges. For further discussion of the effect of consent or 
authorization on federal or state privileges, see preamble discussions 
in Secs. 164.506 and 164.508.
    Comment: Other comments applauded the Secretary's references to 
Jaffee v. Redman, 518 U.S. 1 (1996), which recognized a 
psychotherapist-patient privilege, and asked the Secretary to 
incorporate expressly this privilege into the final regulation.
    Response: We agree that the psychotherapist-patient relationship is 
an important one that deserves protection. However, it is beyond the 
scope our mandate to create specific evidentiary privileges. It is also 
unnecessary because the United States Supreme Court has adopted this 
privilege.
    Comment: A few comments discussed whether one remedy for violating 
the privacy regulation should be to exclude or suppress evidence 
obtained in violation of the regulation. One comment supported using 
this penalty, while another opposed it.
    Response: We do not have the authority to mandate that courts apply 
or not apply the exclusionary rule to evidence obtained in violation of 
the regulation. This issue is in the purview of the courts.

Federal Tort Claims Act

    Comment: One comment contended that the proposed regulation's 
requirement mandating covered entities to name the subjects of 
protected health information disclosed under a business partner 
contract as third party intended beneficiaries under the contract would 
have created an impermissible right of action against the government 
under the Federal Tort Claims Act (``FTCA'').
    Response: Because we have deleted the third party beneficiary 
provisions from the final rules, this comment is moot.
    Comment: Another comment suggested the regulation would hamper the 
ability of federal agencies to disclose protected health information to 
their attorneys, the Department of Justice, during the initial stages 
of the claims brought under the FTCA.
    Response: We disagree. The regulation applies only to federal 
agencies that are covered entities. To the extent an agency is not a 
covered entity, it is not subject to the regulation; to the extent an 
agency is a covered entity, it must comply with the regulation. A 
covered entity that is a federal agency may disclose relevant 
information to its attorneys, who are business associates, for purposes 
of health care operations, which includes uses or disclosures for legal 
functions. See Sec. 164.501 (definitions of ``business associate'' and 
``health care operations''). The final rule provides specific 
provisions describing how federal agencies may provide

[[Page 82597]]

adequate assurances for these types of disclosures of protected health 
information. See Sec. 164.504(e)(3).

Food and Drug Administration

    Comment: A few comments expressed concerns about the use of 
protected health information for reporting activities to the Food and 
Drug Administration (``FDA''). Their concern focused on the ability to 
obtain or disclose protected health information for pre-and post-
marketing adverse event reports, device tracking, and post-marketing 
safety and efficacy evaluation.
    Response: We agree with this comment and have provided that covered 
entities may disclose protected health information to persons subject 
to the jurisdiction of the FDA, to comply with the requirements of, or 
at the direction of, the FDA with regard to reporting adverse events 
(or similar reports with respect to dietary supplements), the tracking 
of medical devices, other post-marketing surveillance, or other similar 
requirements described at Sec. 164.512(b).

Foreign Standards

    Comment: One comment asked how the regulation could be enforced 
against foreign countries (or presumably entities in foreign countries) 
that solicit medical records from entities in the United States.
    Response: We do not regulate solicitations of information. To the 
extent a covered entity wants to comply with a request for disclosure 
of protected health information to foreign countries or entities within 
foreign countries, it will need to comply with the privacy rules before 
making the disclosure. If the covered entity fails to comply with the 
rules, it will be subject to enforcement proceedings.

Freedom of Information Act

    Comment: One comment asserted that the proposed privacy regulation 
conflicts with the Freedom of Information Act (``FOIA''). The comment 
argued that the proposed restriction on disclosures by agencies would 
not come within one of the permissible exemptions to the FOIA. In 
addition, the comment noted that only in exceptional circumstances 
would the protected health information of deceased individuals come 
within an exemption because, for the most part, death extinguishes an 
individual's right to privacy.
    Response: Section 164.512(a) below permits covered entities to 
disclose protected health information when such disclosures are 
required by other laws as long as they follow the requirements of those 
laws. Therefore, the privacy regulation will not interfere with the 
ability of federal agencies to comply with FOIA, when it requires the 
disclosure.
    We disagree, however, that most protected health information will 
not come within Exemption 6 of FOIA. See the discussion above under 
``Relationship to Other Federal Laws'' for our review of FOIA. 
Moreover, we disagree with the comment's assertion that the protected 
health information of deceased individuals does not come within 
Exemption 6. Courts have recognized that a deceased individual's 
surviving relatives may have a privacy interest that federal agencies 
may consider when balancing privacy interests against the public 
interest in disclosure of the requested information. Federal agencies 
will need to consider not only the privacy interests of the subject of 
the protected health information in the record requested, but also, 
when appropriate, those of a deceased individual's family consistent 
with judicial rulings.
    If an agency receives a FOIA request for the disclosure of 
protected health information of a deceased individual, it will need to 
determine whether or not the disclosure comes within Exemption 6. This 
evaluation must be consistent with the court's rulings in this area. If 
the exemption applies, the federal agency will not have to release the 
information. If the federal agency determines that the exemption does 
not apply, may release it under Sec. 164.512(a) of this regulation.
    Comment: One commenter expressed concern that our proposal to 
protect the individually identifiable health information about the 
deceased for two years following death would impede public interest 
reporting and would be at odds with many state Freedom of Information 
laws that make death records and autopsy reports public information. 
The commenter suggested permitting medical information to be available 
upon the death of an individual or, at the very least, that an appeals 
process be permitted so that health information trustees would be 
allowed to balance the interests in privacy and in public disclosure 
and release or not release the information accordingly.
    Response: These rules permit covered entities to make disclosures 
that are required by state Freedom of Information Act (FOIA) laws under 
Sec. 164.512(a). Thus, if a state FOIA law designates death records and 
autopsy reports as public information that must be disclosed, a covered 
entity may disclose it without an authorization under the rule. To the 
extent that such information is required to be disclosed by FOIA or 
other law, such disclosures are permitted under the final rule. In 
addition, to the extent that death records and autopsy reports are 
obtainable from non-covered entities, such as state legal authorities, 
access to this information is not impeded by this rule.
    If another law does not require the disclosure of death records and 
autopsy reports generated and maintained by a covered entity, which are 
protected health information, covered entities are not allowed to 
disclose such information except as permitted or required by the final 
rule, even if another entity discloses them.
    Comment: One comment sought clarification of the relationship 
between the Freedom of Information Act, the Privacy Act, and the 
privacy rules.
    Response: We have provided this analysis in the ``Relationship to 
Other Federal Laws'' section of the preamble in our discussion of the 
Freedom of Information Act.

Gramm-Leach-Bliley

    Comments: One commenter noted that the Financial Services 
Modernization Act, also known as Gramm-Leach-Bliley (``GLB''), requires 
financial institutions to provide detailed privacy notices to 
individuals. The commenter suggested that the privacy regulation should 
not require financial institutions to provide additional notice.
    Response: We disagree. To the extent a covered entity is required 
to comply with the notice requirements of GLB and those of our rules, 
the covered entity must comply with both. We will work with the FTC and 
other agencies implementing GLB to avoid unnecessary duplication. For a 
more detailed discussion of GLB and the privacy rules, see the 
``Relationship to Other Federal Laws'' section of the preamble.
    Comment: A few commenters asked that the Department clarify that 
financial institutions, such as banks, that serve as payors are covered 
entities. The comments explained that with the enactment of the Gramm-
Leach-Bliley Act, banks are able to form holding companies that will 
include insurance companies (that may be covered entities). They 
recommended that banks be held to the rule's requirements and be 
required to obtain authorization to conduct non-payment activities, 
such as for the marketing of health and non-health items and services 
or the use and disclosure to non-health related divisions of the 
covered entity.

[[Page 82598]]

    Response: These comments did not provide specific facts that would 
permit us to provide a substantive response. An organization will need 
to determine whether it comes within the definition of ``covered 
entity.'' An organization may also need to consider whether or not it 
contains a health care component. Organizations that are uncertain 
about the application of the regulation to them will need to evaluate 
their specific facts in light of this rule.

Inspector General Act

    Comment: One comment requested the Secretary to clarify in the 
preamble that the privacy regulation does not preempt the Inspector 
General Act.
    Response: We agree that to the extent the Inspector General Act 
requires uses or disclosures of protected health information, the 
privacy regulation does not preempt it. The final rule provides that to 
the extent required under section 201(a)(5) of the Act, nothing in this 
subchapter should be construed to diminish the authority of any 
Inspector General, including the authority provided in the Inspector 
General Act of 1978. See discussion of Sec. 160.102 above.

Medicare and Medicaid

    Comment: One comment suggested possible inconsistencies between the 
regulation and Medicare/Medicaid requirements, such as those under the 
Quality Improvement System for Managed Care. This commenter asked that 
HHS expand the definition of health care operations to include health 
promotion activities and avoid potential conflicts.
    Response: We disagree that the privacy regulation would prohibit 
managed care plans operating in the Medicare or Medicaid programs from 
fulfilling their statutory obligations. To the extent a covered entity 
is required by law to use or disclose protected health information in a 
particular manner, the covered entity may make such a use or disclosure 
under Sec. 164.512(a). Additionally, quality assessment and improvement 
activities come within the definition of ``health care operations.'' 
Therefore, the specific example provided by the commenter would seem to 
be a permissible use or disclosure under Sec. 164.502, even if it were 
not a use or disclosure ``required by law.''
    Comment: One commenter stated that Medicare should not be able to 
require the disclosure of psychotherapy notes because it would destroy 
a practitioner's ability to treat patients effectively.
    Response: If the Title XVIII of the Social Security Act requires 
the disclosure of psychotherapy notes, the final rule permits, but does 
not require, a covered entity to make such a disclosure under 
Sec. 164.512(a). If, however, the Social Security Act does not require 
such disclosures, Medicare does not have the discretion to require the 
disclosure of psychotherapy notes as a public policy matter because the 
final rule provides that covered entities, with limited exceptions, 
must obtain an individual's authorization before disclosing 
psychotherapy notes. See Sec. 164.508(a)(2).

National Labor Relations Act

    Comment: A few comments expressed concern that the regulation did 
not address the obligation of covered entities to disclose protected 
health information to collective bargaining representatives under the 
National Labor Relations Act.
    Response: The final rule does not prohibit disclosures that covered 
entities must make pursuant to other laws. To the extent a covered 
entity is required by law to disclose protected health information to 
collective bargaining representatives under the NLRA, it may to so 
without an authorization. Also, the definition of ``health care 
operations'' at Sec. 164.501 permits disclosures to employee 
representatives for purposes of grievance resolution.

Organ Donation

    Comment: One commenter expressed concern about the potential impact 
of the regulation on the organ donation program under 42 CFR part 482.
    Response: In the final rule, we add provisions allowing the use or 
disclosure of protected health information to organ procurement 
organizations or other entities engaged in the procurement, banking, or 
transplantation of cadaveric organs, eyes, or tissue for the purpose of 
facilitating donation and transplantation. See Sec. 164.512(h).

Privacy Act Comments

    Comment: One comment suggested that the final rule unambiguously 
permit the continued operation of the statutorily established or 
authorized discretionary routine uses permitted under the Privacy Act 
for both law enforcement and health oversight.
    Response: We disagree. See the discussion of the Privacy Act in 
``Relationship to Other Federal Laws'' above.

Public Health Services Act

    Comment: One comment suggested that the Public Health Service Act 
places more stringent rules regarding the disclosure of information on 
Federally Qualified Health Centers than the proposed privacy regulation 
suggested. Therefore, the commenter suggested that the final rule 
exempt Federally Qualified Health Centers from the rules requirements
    Response: We disagree. Congress expressly included Federally 
Qualified Health Centers, a provider of medical or other health 
services under the Social Security Act section 1861(s), within its 
definition of health care provider in section 1171 of the Act; 
therefore, we cannot exclude them from the regulation.
    Comment: One commenter noted that no conflicts existed between the 
proposed rule and the Public Health Services Act.
    Response: As we discuss in the ``Relationship to Other Federal 
Laws'' section of the preamble, the Public Health Service Act contains 
explicit confidentiality requirements that are so general as not to 
create problems of inconsistency. We recognized, however, that in some 
cases, that law or its accompanying regulations may contain greater 
restrictions. In those situations, a covered entity's ability to make 
what are permissive disclosures under this privacy regulation would be 
limited by those laws.

Reporting Requirement

    Comment: One comment noted that federal agencies must provide 
information to certain entities pursuant to various federal statutes. 
For example, federal agencies must not withhold information from a 
Congressional oversight committee or the General Accounting Office. 
Similarly, some federal agencies must provide the Bureau of the Census 
and the National Archives and Records Administration with certain 
information. This comment expressed concern that the privacy regulation 
would conflict with these requirements. Additionally, the commenter 
asked whether the privacy notice would need to contain these uses and 
disclosures and recommended that a general statement that these federal 
agencies would disclose protected health information when required by 
law be considered sufficient to meet the privacy notice requirements.
    Response: To the extent a federal agency acting as a covered entity 
is required by federal statute to disclose protected health 
information, the regulation permits the disclosure as required by law 
under Sec. 164.512(a). The notice provisions at 
Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief 
description of the purposes for which the covered

[[Page 82599]]

entity is permitted or required by the rules to use or disclose 
protected health information without an individual's written 
authorization. If these statutes require the disclosures, covered 
entities subject to the requirement may make the disclosure pursuant to 
Sec. 164.512(a). Thus, their notice must include a description of the 
category of these disclosures. For example, a general statement such as 
the covered entity ``will disclose your protected health information to 
comply with legal requirements'' should suffice.
    Comment: One comment stressed that the final rule should not 
inadvertently preempt mandatory reporting laws duly enacted by federal, 
state, or local legislative bodies. This commenter also suggested that 
the final rule not prevent the reporting of violations to law 
enforcement agencies.
    Response: We agree. Like the proposed rule, the final rule permits 
covered entities to disclose protected health information when required 
by law under Sec. 164.512(a). To the extent a covered entity is 
required by law to make a report to law enforcement agencies or is 
otherwise permitted to make a disclosure to a law enforcement agency as 
described in Sec. 164.512(f), it may do so without an authorization. 
Alternatively, a covered entity may always request that individuals 
authorize these disclosures.

Security Standards

    Comment: One comment called for HHS to consider the privacy 
regulation in conjunction with the other HIPAA standards. In 
particular, this comment focused on the belief that the security 
standards should be compatible with the existing and emerging health 
care and information technology industry standards.
    Response: We agree that the security standards and the privacy 
rules should be compatible with one another and are working to ensure 
that the final rules in both areas function together. Because we are 
addressing comments regarding the privacy rules in this preamble, we 
will consider the comment about the security standard as we finalize 
that set of rules.

Substance Abuse Confidentiality Statute and Regulations

    Comment: Several commenters noted that many health care providers 
are bound by the federal restrictions governing alcohol and drug abuse 
records. One commenter noted that the NPRM differed substantially from 
the substance abuse regulations and would have caused a host of 
practical problems for covered entities. Another commenter, however, 
supported the NPRM's analysis that stated that more stringent 
provisions of the substance abuse provisions would apply. This 
commenter suggested an even stronger approach of including in the text 
a provision that would preserve existing federal law. Yet, one comment 
suggested that the regulation as proposed would confuse providers by 
making it difficult to determine when they may disclose information to 
law enforcement because the privacy regulation would permit disclosures 
that the substance abuse regulations would not.
    Response: We appreciate the need of some covered entities to 
evaluate the privacy rules in light of federal requirements regarding 
alcohol and drug abuse records. Therefore, we provide a more detailed 
analysis in the ``Relationship to Other Federal Laws'' section of the 
preamble.
    Comment: Some of these commenters also noted that state laws 
contain strict confidentiality requirements. A few commenters suggested 
that HHS reassess the regulations to avoid inconsistencies with state 
privacy requirements, implying that problems exist because of conflicts 
between the federal and state laws regarding the confidentiality of 
substance abuse information.
    Response: As noted in the preamble section discussing preemption, 
the final rules do not preempt state laws that provide more privacy 
protections. For a more detailed analysis of the relationship between 
state law and the privacy rules, see the ``Preemption'' provisions of 
the preamble.

Tribal Law

    Comments: One commenter suggested that the consultation process 
with tribal governments described in the NPRM was inadequate under 
Executive Order No. 13084. In addition, the commenter expressed concern 
that the disclosures for research purposes as permitted by the NPRM 
would conflict with a number of tribal laws that offer individuals 
greater privacy rights with respect to research and reflects cultural 
appropriateness. In particular, the commenter referenced the Health 
Research Code for the Navajo Nation which creates a entity with broader 
authority over research conducted on the Navajo Nation than the local 
IRB and requires informed consent by study participants. Other laws 
mentioned by the commenter included the Navajo Nation Privacy and 
Access to Information Act and a similar policy applicable to all health 
care providers within the Navajo Nation. The commenter expressed 
concern that the proposed regulation research provisions would override 
these tribal laws.
    Response: We disagree with the comment that the consultation with 
tribal governments undertaken prior to the proposed regulation is 
inadequate under Executive Order No. 13084. As stated in the proposed 
regulation, the Department consulted with representatives of the 
National Congress of American Indians and the National Indian Health 
Board, as well as others, about the proposals and the application of 
HIPAA to the Tribes, and the potential variations based on the 
relationship of each Tribe with the IHS for the purpose of providing 
health services. In addition, Indian and tribal governments had the 
opportunity to, and did, submit substantive comments on the proposed 
rules.
    Additionally, disclosures permitted by this regulation do not 
conflict with the policies as described by this commenter. Disclosures 
for research purposes under the final rule, as in the proposed 
regulation, are permissive disclosures only. The rule describes the 
outer boundaries of permissible disclosures. A covered health care 
provider that is subject to the tribal laws of the Navajo Nation must 
continue to comply with those tribal laws. If the tribal laws impose 
more stringent privacy standards on disclosures for research, such as 
requiring informed consent in all cases, nothing in the final rule 
would preclude compliance with those more stringent privacy standards. 
The final rule does not interfere with the internal governance of the 
Navajo Nation or otherwise adversely affect the policy choices of the 
tribal government with respect to the cultural appropriateness of 
research conducted in the Navajo Nation.

TRICARE

    Comment: One comment expressed concern regarding the application of 
the ``minimum necessary'' standard to investigations of health care 
providers under the TRICARE (formerly the CHAMPUS) program. The comment 
also expressed concern that health care providers would be able to 
avoid providing their records to such investigators because the 
proposed Sec. 164.510 exceptions were not mandatory disclosures.
    Response: In our view, neither the minimum necessary standard nor 
the final Secs. 164.510 and 164.512 permissive disclosures will impede 
such investigations. The regulation requires covered entities to make 
all reasonable efforts not to disclose more than the minimum amount of 
protected health

[[Page 82600]]

information necessary to accomplish the intended purpose of the use or 
disclosure. This requirement, however, does not apply to uses or 
disclosures that are required by law. See Sec. 164.502(b)(2)(iv). Thus, 
if the disclosure to the investigators is required by law, the minimum 
necessary standard will not apply.