[Federal Register Volume 78, Number 110 (Friday, June 7, 2013)]
[Rules and Regulations]
[Pages 34264-34266]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-13472]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA03


Technical Corrections to the HIPAA Privacy, Security, and 
Enforcement Rules

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: These technical corrections address certain inadvertent errors 
and omissions in the HIPAA Privacy, Security, and Enforcement Rules 
that are located at 45 CFR parts 160 and 164.

[[Page 34265]]


DATES: This final rule is effective on June 7, 2013.

FOR FURTHER INFORMATION CONTACT: Andra Wicks 202-205-2292.

SUPPLEMENTARY INFORMATION: 

I. Executive Summary and Background

    On January 25, 2013, the Department of Health and Human Services 
(HHS or ``the Department'') published a final rule to implement changes 
to the HIPAA Privacy, Security, Enforcement, and Breach Notification 
Rules (``the HIPAA Rules'') pursuant to statutory amendments under the 
Health Information Technology for Economic and Clinical Health Act 
(``the HITECH Act''), pursuant to section 105 of Title I of the Genetic 
Information Nondiscrimination Act of 2008, to address public comment 
received on the interim final Breach Notification Rule, and to make 
certain other modifications to the HIPAA Rules to improve their 
workability and effectiveness and to increase flexibility for and 
decrease burden on the regulated entities. See 78 FR 5566. Since then, 
HHS has discovered a number of minor inadvertent errors and omissions 
in citations, and one typographical error, in several provisions of the 
HIPAA Rules. As explained below, with one exception, the errors and 
omissions are related to the modifications made in the final rule 
published on January 25, 2013. This final rule contains technical 
corrections to the HIPAA Rules to revise these errors and omissions, 
which are discussed below.

II. Discussion of Technical Corrections to 45 CFR Part 160

    a. Section 160.508(c)(5) should be corrected to refer to Sec.  
160.410(b)(2)(ii)(B) and 42 U.S.C. 1320d-5(b)(2)(B) instead of Sec.  
160.410(b)(3)(ii)(B) and 42 U.S.C. 1320d-5(b)(3)(B), respectively, as 
Sec.  160.410(b)(3)(ii)(B) and 42 U.S.C. 1320d-5(b)(3)(B) were 
previously amended and became Sec.  160.410(b)(2)(ii)(B) and 42 U.S.C. 
1320d-5(b)(2)(B) as a result. Also, Sec.  160.508(c)(5) should include 
a reference to Sec.  160.410(c)(2)(ii) after the reference to Sec.  
160.410(b)(2)(ii)(B), so that there is a corresponding regulatory 
reference for the grant of an extension of time pursuant to the 
Secretary's discretion for violations occurring on or after February 
18, 2009, as there is for violations occurring prior to February 18, 
2009.
    b. Section 160.548(e) references an affirmative defense by which 
the Secretary may not impose a civil money penalty on a covered entity 
if the violation falls under the HIPAA criminal provisions at 42 U.S.C. 
1320d-6 and cites Sec.  160.410(b)(1) as the regulatory reference for 
this affirmative defense. However, Sec.  160.410(b)(1) was changed to 
be Sec.  160.410(a)(1) and (2). Thus, Sec.  160.548(e) should be 
corrected to refer to Sec.  160.410(a)(1) or (2) instead of Sec.  
160.410(b)(1).

III. Discussion of Technical Corrections to 45 CFR Part 164

    a. The definition of health care component found at Sec.  164.103 
references Sec.  164.105(a)(2)(iii)(C), but that reference should be 
corrected to be Sec.  164.105(a)(2)(iii)(D), as Sec.  
164.105(a)(2)(iii)(D) now contains the hybrid entity designation 
requirements referenced by the definition of health care component.
    b. The definition of hybrid entity found at Sec.  164.103 
references Sec.  164.105(a)(2)(iii)(C), but that reference should be 
corrected to be Sec.  164.105(a)(2)(iii)(D), as Sec.  
164.105(a)(2)(iii)(D) now contains the hybrid entity designation 
requirements referenced by the definition of hybrid entity.
    c. Section 164.314(a)(1), in discussing business associate 
contracts or other arrangements, refers to the requirements for such 
contracts or other arrangements found at Sec.  164.308(b)(4). However, 
as such requirements were renumbered and are now found at Sec.  
164.308(b)(3), Sec.  164.314(a)(1) should be revised to refer to Sec.  
164.308(b)(3).
    d. Section 164.512(k)(4)(i) refers to Executive Order (``E.O.'') 
12698. However E.O. 12698 discusses pay rate adjustments and is not 
applicable to the subject of Sec.  164.512(k)(4)(i). The preamble to 
the 2000 HIPAA Privacy Final Rule refers to E.O. 12968, which discusses 
classified information and is applicable to the subject of Sec.  
164.512(k)(4)(i). See 65 FR 82707. Given that Sec.  164.512(k)(4)(i) 
relates to uses and disclosures of protected health information to the 
Department of State to determine medical suitability for the purpose of 
a required security clearance, as discussed in the preamble to the 2000 
Privacy Final Rule, Sec.  164.512(k)(4)(i) should properly refer to 
E.O. 12968.
    e. Section 164.514(f)(2)(iv), in discussing the implementation 
specifications for covered entities that make fundraising 
communications, refers to the requirements to allow an individual to 
opt out of receiving fundraising communications, and erroneously refers 
to Sec.  164.514(f)(1)(ii)(B), which does not exist. The proper 
reference for the opt out requirements is at Sec.  164.514(f)(2)(ii). 
Accordingly, Sec.  164.514(f)(2)(iv) should be revised to refer to 
Sec.  164.514(f)(2)(ii).
    f. Section 164.524(c)(4)(iv) describes the summary or explanation 
allowed by Sec.  164.524(c)(2)(iii), while incorrectly referring to 
Sec.  164.524(c)(2)(ii), which discusses the form of access requested 
by an individual. As such, Sec.  164.524(c)(4)(iv) should be revised to 
refer to Sec.  164.524(c)(2)(iii).
    g. In section 164.532(f), the ``['' should be removed before 
``January 25, 2013'' to correct a typographical error.

IV. Inapplicability of Notice and Delayed Effective Date

    Under the Administrative Procedure Act, an agency may waive the 
normal notice and comment procedures if it finds, for good cause, that 
they are impracticable, unnecessary, or contrary to the public 
interest. The Department has determined that the corrections in this 
final rule are minor, routine determinations in which the public would 
not be particularly interested, or about which the public has already 
been put on notice, given the context of the errors or omissions to be 
corrected. Therefore, the Department finds that good cause exists for 
waiving the notice and public comment procedures as unnecessary under 5 
U.S.C. 553(b)(B). For the same reasons, pursuant to 5 U.S.C. 553(d)(3), 
a delayed effective date is not required.

V. Regulatory Flexibility Act

    Because this document is not subject to the notice and public 
procedure requirements of 5 U.S.C. 553, it is not subject to the 
provisions of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.).

VI. Executive Order 12866

    These technical corrections do not meet the criteria for a 
``significant regulatory action'' as specified in Executive Order 
12866, as supplemented by Executive Order 13563.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Investigations, Medicaid, Medical research, 
Medicare, Penalties, Privacy, Reporting and recordkeeping requirements, 
Security.

45 CFR Part 164

    Administrative practice and procedure, Computer technology,

[[Page 34266]]

Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Medicaid, Medical research, Medicare, 
Privacy, Reporting and recordkeeping requirements, Security.
    For the reasons set forth in the preamble, the Department amends 45 
CFR Subtitle A, Subchapter C, parts 160 and 164, as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 
U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and 
sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.


Sec.  160.508  [Amended]

0
2. Amend Sec.  160.508(c)(5) by correcting ``Sec.  
160.410(b)(3)(ii)(B)'' to read ``Sec.  160.410(b)(2)(ii)(B) or 
(c)(2)(ii)'' and by correcting ``42 U.S.C. 1320d-5(b)(3)(B)'' to read 
``42 U.S.C. 1320d-5(b)(2)(B)''.


Sec.  160.548  [Amended]

0
3. Amend Sec.  160.548(e) by correcting ``Sec.  160.410(b)(1)'' to read 
``Sec.  160.410(a)(1) or (2)''.

PART 164--SECURITY AND PRIVACY

0
4. The authority citation for part 164 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and 
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.


Sec.  164.103  [Amended]

0
5. Amend Sec.  164.103 as follows:
0
a. In the definition of health care component, by correcting ``Sec.  
164.105(a)(2)(iii)(C)'' to read ``Sec.  164.105(a)(2)(iii)(D)''.
0
b. In the definition of hybrid entity, by correcting ``Sec.  
164.105(a)(2)(iii)(C)'' to read ``Sec.  164.105(a)(2)(iii)(D)''.


Sec.  164.314  [Amended]

0
6. Amend Sec.  164.314(a)(1) by correcting ``Sec.  164.308(b)(4)'' to 
read ``Sec.  164.308(b)(3)''.


Sec.  164.512  [Amended]

0
7. Amend Sec.  164.512(k)(4)(i) by correcting ``12698'' to read 
``12968''.


Sec.  164.514  [Amended]

0
8. Amend Sec.  164.514(f)(2)(iv) by correcting ``paragraph 
(f)(1)(ii)(B)'' to read ``paragraph (f)(2)(ii)''.


Sec.  164.524  [Amended]

0
9. Amend Sec.  164.524(c)(4)(iv) by correcting ``paragraph (c)(2)(ii)'' 
to read ``paragraph (c)(2)(iii)''.


Sec.  164.532  [Amended]

0
10. Amend the introductory text of Sec.  164.532(f) by correcting 
``[January 25, 2013'' to read ``January 25, 2013''.

    Dated: May 31, 2013.
Jennifer M. Cannistra,
Executive Secretary to the Department.
[FR Doc. 2013-13472 Filed 6-6-13; 8:45 am]
BILLING CODE 4153-01-P