Rule

Standards for Privacy of Individually Identifiable Health Information

Action

Final Rule.

Summary

This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

 


DATES:

The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT:

Kimberly Coleman, 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION:

Availability of copies, and electronic access.

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. The cost for each copy is $8.00. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

Purpose of the Administrative Simplification Regulations

This regulation has three major purposes: (1) To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

This regulation is the second final regulation to be issued in the package of rules mandated under title II subtitle F section 261-264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, titled “Administrative Simplification.” Congress called for steps to improve “the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” To achieve that end, Congress required the Department to promulgate a set of interlocking regulations establishing standards and protections for health information systems. The first regulation in this set, Standards for Electronic Transactions 65 FR 50312, was published on August 17, 2000 (the “Transactions Rule”). This regulation establishing Standards for Privacy of Individually Identifiable Health Information is the second final rule in the package. A rule establishing a unique identifier for employers to use in electronic health care transactions, a rule establishing a unique identifier for providers for such transactions, and a rule establishing standards for the security of electronic information systems have been proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are rules establishing a unique identifier for health plans for electronic transactions, standards for claims attachments, and standards for transferring among health plans appropriate standard data elements needed for coordination of benefits. (See section C, below, for a more detailed explanation of the statutory mandate for these regulations.)

In enacting HIPAA, Congress recognized the fact that administrative simplification cannot succeed if we do not also protect the privacy and confidentiality of personal health information. The provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient's ability to trust that the information shared will be protected and kept confidential. Yet many patients are concerned that their information is not protected. Among the factors adding to this concern are the growth of the number of organizations involved in the provision of care and the processing of claims, the growing use of electronic information technology, increased efforts to market health care and other products to consumers, and the increasing ability to collect highly sensitive information about a person's current and future health status as a result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been enacted primarily by the states. While virtually every state has enacted one or more laws to safeguard privacy, these laws vary significantly from state to state and typically apply to only part of the health care system. Many states have adopted laws that protect the health information relating to certain health conditions such as mental illness, communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions. An examination of state health privacy laws and regulations, however, found that “state laws, with a few notable exceptions, do not extend comprehensive protections to people's medical records.” Many state rules fail to provide such basic protections as ensuring a patient's legal right to see a copy of his or her medical record. See Health Privacy Project, “The State of Health Privacy: An Uneven Terrain,” Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org) (the “Georgetown Study”).

Until now, virtually no federal rules existed to protect the privacy of health information and guarantee patient access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

Privacy is a fundamental right. As such, it must be viewed differently than any ordinary economic good. The costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options. At the same time, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman and Caroline Kennedy, The Right to Privacy (1995).

Throughout our nation's history, we have placed the rights of the individual at the forefront of our democracy. In the Declaration of Independence, we asserted the “unalienable right” to “life, liberty and the pursuit of happiness.” Many of the most basic protections in the Constitution of the United States are imbued with an attempt to protect individual privacy while balancing it against the larger social purposes of the nation.

To take but one example, the Fourth Amendment to the United States Constitution guarantees that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” By referring to the need for security of “persons” as well as “papers and effects” the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of “persons” is consistent with obtaining patient consent before performing invasive medical procedures. The need for security in “papers and effects” underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an “unreasonable” search of the papers and effects.

The United States Supreme Court has upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected “zone of privacy.” “One is the individual interest in avoiding disclosure of personal matters,” such as this regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning “the interest in independence in making certain kinds of important decisions.”

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves. Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person.

Moving beyond these facts of physical treatment, there is also significant intrusion when records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the “right to be let alone” means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions. In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it “serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance.”

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the “personal life,” or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240-241.

In 1890, Louis D. Brandeis and Samuel D. Warren defined the right to privacy as “the right to be let alone.” See L. Brandeis, S. Warren, “The Right To Privacy,” 4 Harv.L.Rev. 193. More than a century later, privacy continues to play an important role in Americans' lives. In their book, The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman and Caroline Kennedy describe the importance of privacy in this way:

Privacy covers many things. It protects the solitude necessary for creative thought. It allows us the independence that is part of raising a family. It protects our right to be secure in our own homes and possessions, assured that the government cannot come barging in. Privacy also encompasses our right to self-determination and to define who we are. Although we live in a world of noisy self-confession, privacy allows us to keep certain facts to ourselves if we so choose. The right to privacy, it seems, is what makes us civilized.

Or, as Cavoukian and Tapscott observed, the right of privacy is: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated.” See A. Cavoukian, D. Tapscott, “Who Knows: Safeguarding Your Privacy in a Networked World,” Random House (1995).

Increasing Public Concern About Loss of Privacy

Today, it is virtually impossible for any person to be truly “let alone.” The average American is inundated with requests for information from potential employers, retail shops, telephone marketing firms, electronic marketers, banks, insurance companies, hospitals, physicians, health plans, and others. In a 1998 national survey, 88 percent of consumers said they were “concerned” by the amount of information being requested, including 55 percent who said they were “very concerned.” See Privacy and American Business, 1998 Privacy Concerns Consumer Choice Survey (http://www.pandab.org). These worries are not just theoretical. Consumers who use the Internet to make purchases or request “free” information often are asked for personal and financial information. Companies making such requests routinely promise to protect the confidentiality of that information. Yet several firms have tried to sell this information to other companies even after promising not to do so.

Americans' concern about the privacy of their health information is part of a broader anxiety about their lack of privacy in an array of areas. A series of national public opinion polls conducted by Louis Harris Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had “lost all control over their personal information.” See Harris Equifax, Health Information Privacy Study (1993) (http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. “Loss of personal privacy” was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming, had scores of 23 percent or less.

This growing concern stems from several trends, including the growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual's genetic make-up, and, in health care, the increasing complexity of the system. Each of these trends brings the potential for tremendous benefits to individuals and society generally. At the same time, each also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other health care professionals and institutions. In some ways, this imperfect system of record keeping created a false sense of privacy among patients, providers, and others. Patients' health information has never remained completely confidential. Until recently, however, a breach of confidentiality involved a physical exchange of paper records or a verbal exchange of information. Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information. In 1996, the health care industry invested an estimated $10 billion to $15 billion on information technology. See National Research Council, Computer Science and Telecommunications Board, “For the Record: Protecting Electronic Health Information,” (1997). The electronic information revolution is transforming the recording of health information so that the disclosure of information may require only a push of a button. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time. While the majority of medical records still are in paper form, information from those records is often copied and transmitted through electronic means.

This ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology affords many benefits to individuals and to the health care industry. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S. The National Research Council recently reported that “the Internet has great potential to improve Americans' health by enhancing communications and improving access to information for care providers, patients, health plan administrators, public health officials, biomedical researchers, and other health professionals.” See “Networking Health: Prescriptions for the Internet,” National Academy of Sciences (2000).

At the same time, these advances have reduced or eliminated many of the financial and logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. And they have made our information available to many more people. The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, thus strengthens the arguments for giving legal protection to the right to privacy in health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, when technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. The comments to the proposed privacy rule indicate that many persons believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

The growing level of trepidation about privacy in general, noted above, has tracked the rise in electronic information technology. Americans have embraced the use of the Internet and other forms of electronic information as a way to provide greater access to information, save time, and save money. For example, 60 percent of Americans surveyed in 1999 reported that they have a computer in their home; 82 percent reported that they have used a computer; 64 percent say they have used the Internet; and 58 percent have sent an e-mail. Among those who are under the age of 60, these percentages are even higher. See “National Survey of Adults on Technology,” Henry J. Kaiser Family Foundation (February, 2000). But 59 percent of Americans reported that they worry that an unauthorized person will gain access to their information. A recent survey suggests that 75 percent of consumers seeking health information on the Internet are concerned or very concerned about the health sites they visit sharing their personal health information with a third party without their permission. Ethics Survey of Consumer Attitudes about Health Web Sites, California Health Care Foundation, at 3 (January, 2000).

Unless public fears are allayed, we will be unable to obtain the full benefits of electronic technologies. The absence of national standards for the confidentiality of health information has made the health care industry and the population in general uncomfortable about this primarily financially-driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. States have, to varying degrees, attempted to enhance confidentiality by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. These laws fail to provide a consistent or comprehensive legal foundation of health information privacy. For example, there is considerable variation among the states in the type of information protected and the scope of the protections provided. See Georgetown Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini, Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization, Report to Centers for Disease Control, Council of State and Territorial Epidemiologists, and Task Force for Child Survival and Development, Carter Presidential Center (1996) (Gostin Study).

Moreover, electronic health data is becoming increasingly “national”; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently comprehensive and rigorous legal structure to allay public concerns, protect the right to privacy, and correct the market failures caused by the absence of privacy protections (see discussion below of market failure under section V.C). Hence, a national policy with consistent rules is necessary to encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

Advances in Genetic Sciences

Recently, scientists completed nearly a decade of work unlocking the mysteries of the human genome, creating tremendous new opportunities to identify and prevent many of the leading causes of death and disability in this country and around the world. Yet the absence of privacy protections for health information endangers these efforts by creating a barrier of distrust and suspicion among consumers. A 1995 national poll found that more than 85 percent of those surveyed were either “very concerned” or “somewhat concerned” that insurers and employers might gain access to and use genetic information. See Harris Poll, 1995 #34. Sixty-three percent of the 1,000 participants in a 1997 national survey said they would not take genetic tests if insurers and employers could gain access to the results. See “Genetic Information and the Workplace,” Department of Labor, Department of Health and Human Services, Equal Employment Opportunity Commission, January 20, 1998. “In genetic testing studies at the National Institutes of Health, thirty-two percent of eligible people who were offered a test for breast cancer risk declined to take it, citing concerns about loss of privacy and the potential for discrimination in health insurance.” Sen. Leahy's comments for March 10, 1999 Introduction of the Medical Information Privacy and Security Act.

The Changing Health Care System

The number of entities that maintain and transmit individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The health care industry has been transformed from one that relied primarily on one-on-one interactions between patients and clinicians to a system of integrated health care delivery networks and managed care providers. Such a system requires the processing and collection of information about patients and plan enrollees (for example, in claims files or enrollment records), resulting in the creation of databases that can be easily transmitted. This dramatic change in the practice of medicine brings with it important prospects for improving the quality of care and reducing the cost of that care. It also, however, means that increasing numbers of people have access to health information. And, as health plan functions are increasingly outsourced, a growing number of organizations not affiliated with our physicians or health plans also have access to health information.

According to the American Health Information Management Association (AHIMA), an average of 150 people “from nursing staff to x-ray technicians, to billing clerks” have access to a patient's medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient's records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it. According to the National Research Council, individually identifiable health information frequently is shared with:

  • Consulting physicians;
  • Managed care organizations;
  • Health insurance companies;
  • Life insurance companies;
  • Self-insured employers;
  • Pharmacies;
  • Pharmacy benefit managers;
  • Clinical laboratories;
  • Accrediting organizations;
  • State and Federal statistical agencies; and
  • Medical information bureaus.

Much of this sharing of information is done without the knowledge of the patient involved. While many of these functions are important for smooth functioning of the health care system, there are no rules governing how that information is used by secondary and tertiary users. For example, a pharmacy benefit manager could receive information to determine whether an insurance plan or HMO should cover a prescription, but then use the information to market other products to the same patient. Similarly, many of us obtain health insurance coverage through our employer and, in some instances, the employer itself acts as the insurer. In these cases, the employer will obtain identifiable health information about its employees as part of legitimate health insurance functions such as claims processing, quality improvement, and fraud detection activities. At the same time, there is no comprehensive protection prohibiting the employer from using that information to make decisions about promotions or job retention.

Public concerns reflect these developments. A 1993 Lou Harris poll found that 75 percent of those surveyed worry that medical information from a computerized national health information system will be used for many non-health reasons, and 38 percent are very concerned. This poll, taken during the health reform efforts of 1993, showed that 85 percent of respondents believed that protecting the confidentiality of medical records is “absolutely essential” or “very essential” in health care reform. An ACLU Poll in 1994 also found that 75 percent of those surveyed are concerned a “great deal” or a “fair amount” about insurance companies putting medical information about them into a computer information bank to which others have access. Harris Equifax, Health Information Privacy Study 2, 33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of Fortune 500 companies look at people's medical records before making hiring and promotion decisions. Starr, Paul. “Health and the Right to Privacy,” American Journal of Law and Medicine, 1999. Vol. 25, pp. 193-201.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples of recent privacy breaches include:

  • A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
  • A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
  • An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
  • The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
  • A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
  • A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).
  • A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).
  • In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).
  • A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).

No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.

Privacy Is Necessary To Secure Effective, High Quality Health Care

While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations. The market failures caused by the lack of effective privacy protections for health information are discussed below (see section V.C below). Here, we discuss how privacy is a necessary foundation for delivery of high quality health care. In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.

The need for privacy of health information, in particular, has long been recognized as critical to the delivery of needed medical care. More than anything else, the relationship between a patient and a clinician is based on trust. The clinician must trust the patient to give full and truthful information about their health, symptoms, and medical history. The patient must trust the clinician to use that information to improve his or her health and to respect the need to keep such information private. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. The provision of health information assists in the diagnosis of an illness or condition, in the development of a treatment plan, and in the evaluation of the effectiveness of that treatment. In the absence of full and accurate information, there is a serious risk that the treatment plan will be inappropriate to the patient's situation.

Patients also benefit from the disclosure of such information to the health plans that pay for and can help them gain access to needed care. Health plans and health care clearinghouses rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient's ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Accurate medical records assist communities in identifying troubling public health trends and in evaluating the effectiveness of various public health efforts. Accurate information helps public and private payers make correct payments for care received and lower costs by identifying fraud. Accurate information provides scientists with data they need to conduct research. We cannot improve the quality of health care without information about which treatments work, and which do not.

Individuals cannot be expected to share the most intimate details of their lives unless they have confidence that such information will not be used or shared inappropriately. Privacy violations reduce consumers' trust in the health care system and institutions that serve them. Such a loss of faith can impede the quality of the health care they receive, and can harm the financial health of health care institutions.

Patients who are worried about the possible misuse of their information often take steps to protect their privacy. Recent studies show that a person who does not believe his privacy will be protected is much less likely to participate fully in the diagnosis and treatment of his medical condition. A national survey conducted in January 1999 found that one in five Americans believe their health information is being used inappropriately. See California HealthCare Foundation, “National Survey: Confidentiality of Medical Records” (January, 1999) (http://www.chcf.org). More troubling is the fact that one in six Americans reported that they have taken some sort of evasive action to avoid the inappropriate use of their information by providing inaccurate information to a health care provider, changing physicians, or avoiding care altogether. Similarly, in its comments on our proposed rule, the Association of American Physicians and Surgeons reported that 78 percent of its members reported withholding information from a patient's record due to privacy concerns and another 87 percent reported having had a patient request to withhold information from their records. For an example of this phenomenon in a particular demographic group, see Drs. Bearman, Ford, and Moody, “Foregone Health Care among Adolescents,” JAMA, vol. 282, no. 23 (1999); Cheng, T.L., et al., “Confidentiality in Health Care: A Survey of Knowledge, Perceptions, and Attitudes among High School Students,” JAMA, vol. 269, no. 11 (1993), at 1404-1407.

The absence of strong national standards for medical privacy has widespread consequences. Health care professionals who lose the trust of their patients cannot deliver high-quality care. In 1999, a coalition of organizations representing various stakeholders, including health plans, physicians, nurses, employers, disability and mental health advocates, and accreditation organizations, as well as experts in public health, medical ethics, information systems, and health policy, adopted a set of “best principles” for health care privacy that are consistent with the standards we lay out here. (See the Health Privacy Working Group, “Best Principles for Health Privacy” (July, 1999) (Best Principles Study).) The Best Principles Study states that—

To protect their privacy and avoid embarrassment, stigma, and discrimination, some people withhold information from their health care providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and—in some cases—avoid care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, numerous organizations representing health plans, health providers, employers, and others acknowledged the value of a set of national privacy standards to the efficient operation of their practices and businesses.

Breaches of Health Privacy Harm More Than Our Health Status

A breach of a person's health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:

  • A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994.
  • A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597.
  • A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.
  • A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)

Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. “Who's Reading Your Medical Records,” Consumer Reports, October 1994, at 628, paraphrasing Sweeney, Latanya, “Weaving Technology and Policy Together to Maintain Confidentiality,” The Journal of Law, Medicine and Ethics (Summer/Fall 1997) Vol. 25, Numbers 2,3.

The answer to these concerns is not for consumers to withdraw from society and the health care system, but for society to establish a clear national legal framework for privacy. By spelling out what is and what is not an allowable use of a person's identifiable health information, such standards can help to restore and preserve trust in the health care system and the individuals and institutions that comprise that system. As medical historian Paul Starr wrote: “Patients have a strong interest in preserving the privacy of their personal health information but they also have an interest in medical research and other efforts by health care organizations to improve the medical care they receive. As members of the wider community, they have an interest in public health measures that require the collection of personal data.” (P. Starr, “Health and the Right to Privacy,” American Journal of Law and Medicine, 25, nos. 2-3 (1999) 193-201). The task of society and its government is to create a balance in which the individual's needs and rights are balanced against the needs and rights of society as a whole.

National standards for medical privacy must recognize the sometimes competing goals of improving individual and public health, advancing scientific knowledge, enforcing the laws of the land, and processing and paying claims for health care services. This need for balance has been recognized by many of the experts in this field. Cavoukian and Tapscott described it this way: “An individual's right to privacy may conflict with the collective rights of the public * * *. We do not suggest that privacy is an absolute right that reigns supreme over all other rights. It does not. However, the case for privacy will depend on a number of factors that can influence the balance—the level of harm to the individual involved versus the needs of the public.”

The Federal Response

There have been numerous federal initiatives aimed at protecting the privacy of especially sensitive personal information over the past several years—and several decades. While the rules below are likely the largest single federal initiative to protect privacy, they are by no means alone in the field. Rather, the rules arrive in the context of recent legislative activity to grapple with advances in technology, in addition to an already established body of law granting federal protections for personal privacy.

In 1965, the House of Representatives created a Special Subcommittee on Invasion of Privacy. In 1973, this Department's predecessor agency, the Department of Health, Education and Welfare issued The Code of Fair Information Practice Principles establishing an important baseline for information privacy in the U.S. These principles formed the basis for the federal Privacy Act of 1974, which regulates the government's use of personal information by limiting the disclosure of personally-identifiable information, allows consumers access to information about them, requires federal agencies to specify the purposes for collecting personal information, and provides civil and criminal penalties for misuse of information.

In the last several years, with the rapid expansion in electronic technology—and accompanying concerns about individual privacy—laws, regulations, and legislative proposals have been developed in areas ranging from financial privacy to genetic privacy to the safeguarding of children on-line. For example, the Children's Online Privacy Protection Act was enacted in 1998, providing protection for children when interacting at web-sites. In February, 2000, President Clinton signed Executive Order 13145, banning the use of genetic information in federal hiring and promotion decisions. The landmark financial modernization bill, signed by the President in November, 1999, likewise contained financial privacy protections for consumers. There also has been recent legislative activity on establishing legal safeguards for the privacy of individuals' Social Security numbers, and calls for regulation of on-line privacy in general.

These most recent laws, regulations, and legislative proposals come against the backdrop of decades of privacy-enhancing statutes passed at the federal level to enact safeguards in fields ranging from government data files to video rental records. In the 1970s, individual privacy was paramount in the passage of the Fair Credit Reporting Act (1970), the Privacy Act (1974), the Family Educational Rights and Privacy Act (1974), and the Right to Financial Privacy Act (1978). These key laws were followed in the next decade by another series of statutes, including the Privacy Protection Act (1980), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), and the Employee Polygraph Protection Act (1988). In the last ten years, Congress and the President have passed additional legal privacy protection through, among others, the Telephone Consumer Protection Act (1991), the Driver's Privacy Protection Act (1994), the Telecommunications Act (1996), the Children's Online Privacy Protection Act (1998), the Identity Theft and Assumption Deterrence Act (1998), and Title V of the Gramm-Leach-Bliley Act (1999) governing financial privacy.

In 1997, a Presidential advisory commission, the Advisory Commission on Consumer Protection and Quality in the Health Care Industry, recognized the need for patient privacy protection in its recommendations for a Consumer Bill of Rights and Responsibilities (November 1997). In 1997, Congress enacted the Balanced Budget Act (Public Law 105-34), which added language to the Social Security Act (18 U.S.C. 1852) to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information. Similarly, the Veterans Benefits section of the U.S. Code provides for confidentiality of medical records in cases involving drug abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332).

As described in more detail in the next section, Congress recognized the importance of protecting the privacy of health information by enacting the Health Insurance Portability and Accountability Act of 1996. The Act called on Congress to enact a medical privacy statute and asked the Secretary of Health and Human Services to provide Congress with recommendations for protecting the confidentiality of health care information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.

Finally, it also is important for the U.S. to join the rest of the developed world in establishing basic medical privacy protections. In 1995, the European Union (EU) adopted a Data Privacy Directive requiring its 15 member states to adopt consistent privacy laws by October 1998. The EU urged all other nations to do the same or face the potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification Provisions

The Congress addressed the opportunities and challenges presented by the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions are found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the “Act” and we refer to all other laws cited in this document by their names).

In section 262, Congress primarily sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions.

At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in health information systems technology and communications. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of health information.

Congress has long recognized the need for protection of health information privacy generally, as well as the privacy implications of electronic data interchange and the increased ease of transmitting and sharing individually identifiable health information. Congress has been working on broad health privacy legislation for many years and, as evidenced by the self-imposed three year deadline included in the HIPAA, discussed below, believes it can and should enact such legislation. A significant portion of the first Administrative Simplification section debated on the floor of the Senate in 1994 (as part of the Health Security Act) consisted of privacy provisions. In the version of the HIPAA passed by the House of Representatives in 1996, the requirement for the issuance of privacy standards was located in the same section of the bill (section 1173) as the requirements for issuance of the other HIPAA Administrative Simplification standards. In conference, the requirement for privacy standards was moved to a separate section in the same part of HIPAA, section 264, so that Congress could link the Privacy standards to Congressional action.

Section 264(b) requires the Secretary of HHS to develop and submit to the Congress recommendations for:

  • The rights that an individual who is a subject of individually identifiable health information should have.
  • The procedures that should be established for the exercise of such rights.
  • The uses and disclosures of such information that should be authorized or required.

The Secretary's Recommendations were submitted to the Congress on September 11, 1997. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published proposed rules setting forth such standards on November 3, 1999, 64 FR 59918, and is now publishing the mandated final regulation.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

The Administrative Simplification Provisions, and Regulatory Actions to Date

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions electronically.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes the standard adopted under part C applicable to: (1) Health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (hereinafter referred to as the “covered entities”). Section 1172 also contains procedural requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized in subsection F and section VI, below.

Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions to be promulgated, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: Unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information, and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity's officers and employees.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. The statutory deadline for the claims attachment standard is February 21, 1999.

As noted above, a proposed rule for most of the transactions was published on May 7, 1998, and the final Transactions Rule was promulgated on August 17, 2000. The delay was caused by the deliberate consensus building process, working with industry, and the large number of comments received (about 17,000). In addition, in a series of Notices of Proposed Rulemakings, HHS published other proposed standards, as described above. Each of these steps was taken in concert with the affected professions and industries, to ensure rapid adoption and compliance.

Generally, after a standard is established, it may not be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of change.

Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.

Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Under section 1178 of the Act, the requirements of part C, as well as any standards or implementation specifications adopted thereunder, preempt contrary state law. There are three exceptions to this general rule of preemption: State laws that the Secretary determines are necessary for certain purposes set forth in the statute; state laws that the Secretary determines address controlled substances; and state laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of state law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

Section 1179 of the Act makes the above provisions inapplicable to financial institutions (as defined by section 1101 of the Right to Financial Privacy Act of 1978) or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.”

Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information. Section 264 also contains a preemption provision that provides that contrary provisions of state laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

Our Approach to This Regulation

Balance

A number of facts informed our approach to this regulation. Determining the best approach to protecting privacy depends on where we start, both with respect to existing legal expectations and also with respect to the expectations of individuals, health care providers, payers and other stakeholders. From the comments we received on the proposed rule, and from the extensive fact finding in which we engaged, a confused picture developed. We learned that stakeholders in the system have very different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information. This leads us to seek to balance the views of the different stakeholders, weighing the varying interests on each particular issue with a view to creating balance in the regulation as a whole.

For example, we received hundreds of comments explaining the legitimacy of various uses and disclosure of health information. We agree that many uses and disclosures of health information are “legitimate,” but that is not the end of the inquiry. Neither privacy, nor the important social goals described by the commenters, are absolutes. In this regulation, we are asking health providers and institutions to add privacy into the balance, and we are asking individuals to add social goals into the balance.

The vast difference among regulated entities also informed our approach in significant ways. This regulation applies to solo practitioners, and multi-national health plans. It applies to pharmacies and information clearinghouses. These entities differ not only in the nature and scope of their businesses, but also in the degree of sophistication of their information systems and information needs. We therefore designed the core requirements of this regulation to be flexible and “scalable.” This is reflected throughout the rule, particularly in the implementation specifications for making the minimum necessary uses and disclosures, and in the administrative policies and procedures requirements.

We also are informed by the rapid evolution in industry organization and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution. For example, we received many comments asking us to assign a status under this regulation based on a label or title. For example, many commenters asked whether “disease management” is a “health care operation,” or whether a “pharmacy benefits manager” is a covered entity. From the comments and our fact-finding, however, we learned that these terms do not have consistent meanings today; rather, they encompass diverse activities and information practices. Further, the statutory definitions of key terms such as health care provider and health care clearinghouse describe functions, not specific types of persons or entities. To respect both the Congressional approach and industry evolution, we design the rule to follow activities and functions, not titles and labels.

Similarly, many comments asked whether a particular person would be a “business associate” under the rule, based on the nature of the person's business. Whether a business associate arrangement must exist under the rule, however, depends on the relationship between the entities and the services being performed, not on the type of persons or companies involved.

Our approach is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity. Again, this led us to look to the balance between the burden on covered entities and need to protect privacy in determining our approach to such disclosures. In some instances, we approach this dilemma by requiring covered entities to obtain a representation or documentation of purpose from the person requesting information. While there would be advantages to legislation regulating such third persons directly, we cannot justify abandoning any effort to enhance privacy.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals' views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician.

While most commenters support the concept of health privacy in general, many go on to describe activities that depend on the disclosure of health information and urge us to protect those information flows. Section III, in which we respond to the comments, describes our approach to balancing these conflicting expectations.

Finally, we note that many commenters were concerned that this regulation would lessen current privacy protections. It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of “best practices.” Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. The protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive—the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. We expect covered entities to rely on their professional ethics and use their own best judgments in deciding which of these permissions they will use.

Combining Workability With New Protections

This rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed settings. The standards address the many varied uses and disclosures of individually identifiable health information by health plans, certain health care providers and health care clearinghouses. The complexity of the standards reflects the complexity of the health care marketplace to which they apply and the variety of subjects that must be addressed. The rule applies not only to the core health care functions relating to treating patients and reimbursing health care providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a health care provider may release protected health information about a patient for law enforcement purposes. The number of discrete provisions, and the number of commenters requesting that the rule recognize particular activities, is evidence of the significant role that individually identifiable health information plays in many vital public and private concerns.

At the same time, the large number of comments from individuals and groups representing individuals demonstrate the deep public concern about the need to protect the privacy of individually identifiable health information. The discussion above is rich with evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.

The need to balance these competing interests—the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes—in a way that is also workable for the varied stakeholders causes much of the complexity in the rule. Achieving workability without sacrificing protection means some level of complexity, because the rule must track current practices and current practices are complex. We believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Although the rule taken as a whole is complicated, we believe that the standards are much less complex as they apply to particular actors. What a health plan or covered health care provider must do to comply with the rule is clear, and the two-year delayed implementation provides a substantial period for trade and professional associations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them. For individuals, the system may look substantially more complicated because, for the first time, we are ensuring that individuals will receive detailed information about how their individually identifiable health information may be used and disclosed. We also provide individuals with additional tools to exercise some control over those uses and disclosures. The additional complexity for individuals is the price of expanding their understanding and their rights.

The Department will work actively with members of the health care industry, representatives of individuals and others during the implementation of this rule. As stated elsewhere, our focus is to develop broader understanding of how the standards work and to facilitate compliance. We intend to provide guidance and checklists as appropriate, particularly to small businesses affected by the rule. We also will work with trade and professional associations to develop guidance and provide technical assistance so that they can help their members understand and comply with these new standards. If this effort is to succeed, the various public and private participants inside and outside of the health care system will need to work together to assure that the competing interests described above remain in balance and that an ethic that recognizes their importance is established.

Enforcement

The Secretary has decided to delegate her responsibility under this regulation to the Department's Office for Civil Rights (OCR). OCR will be responsible for enforcement of this regulation. Enforcement activities will include working with covered entities to secure voluntary compliance through the provision of technical assistance and other means; responding to questions regarding the regulation and providing interpretations and guidance; responding to state requests for exception determinations; investigating complaints and conducting compliance reviews; and, where voluntary compliance cannot be achieved, seeking civil monetary penalties and making referrals for criminal prosecution.

Consent

Current Law and Practice

The issue that drew the most comments overall is the question of when individuals' permission should be obtained prior to use or disclosure of their health information. We learned that individuals' views and the legal view of “consent” for use and disclosure of health information are different and in many ways incompatible. Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information. Many believe that they “own” the health records about them. However, current law and practice do not support this view.

Current privacy protection practices are determined in part by the standards and practices that the professional associations have adopted for their members. Professional codes of conduct for ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, American Nurses' Association, the American Hospital Association, the American Psychiatric Association, and the American Dental Association. These are generally issued through an organization's governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

Our review of professional codes of ethics revealed partial, but loose, support for individuals' expectations of privacy. For example, the American Medical Association's Code of Ethics recognizes both the right to privacy and the need to balance it against societal needs. It reads in part: “conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others.” AMA Policy No 140.989. See also, Mass. Med. Society, Patient Privacy and Confidentiality (1996), at 14:

Patients enter treatment with the expectation that the information they share will be used exclusively for their clinical care. Protection of our patients' confidences is an integral part of our ethical training.

These codes, however, do not apply to many who obtain information from providers. For example, the National Association of Insurance Commissioners model code, “Health Information Privacy Model Act” (1998), applies to insurers but has not been widely adopted. Codes of ethics are also often written in general terms that do not provide guidance to providers and plans confronted with specific questions about protecting health information.

State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. § 2-3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public's strong expectations regarding consent for use and disclosure of health information. Only about half of the states have a general law that prohibits disclosure of health information without patient authorization and some of these are limited to hospital medical records.

Even when a state has a law limiting disclosure of health information, the law typically exempts many types of disclosure from the authorization requirement. Georgetown Study, Key Findings; Lisa Dahm, “50-State Survey on Patient Health Care Record Confidentiality,” American Health Lawyers Association (1999). One of the most common exemptions from a consent requirement is disclosure of health information for treatment and related purposes. See, e.g., Wis. Stat. § 164.82; Cal. Civ. Code 56:10; National Conference of Commissioners on Uniform State Laws, Uniform Health-Care Information Act, Minneapolis, MN, August 9, 1985. Some states include utilization review and similar activities in the exemption. See, e.g., Ariz. Rev. Stat. § 12-2294. Another common exemption from consent is disclosure of health information for purposes of obtaining payment. See, e.g., Fla. Stat. Ann. § 455.667; Tex. Rev. Civ. Stat. Art. 4495, § 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions include disclosures for emergency care and disclosures to government authorities (such as a department of public health). See Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 2000), coroners (Wis. Stat. § 146.82), and for such purposes as business operations, oversight, research, and directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. When states require specific, written authorization for disclosure of health information, the authorizations are usually only required for certain types of disclosures or certain types of information, and one authorization can suffice for multiple disclosures over time.

The states that do not have laws prohibiting disclosure of health information impose no specific requirements for consent or authorization prior to release of health information. There may, however, be other controls on release of health information. For instance, most health care professional licensure laws include general prohibitions against “breaches of confidentiality.” In some states, patients can hold providers accountable for some unauthorized disclosures of health information about them under various tort theories, such as invasion of privacy and breach of a confidential relationship. While these controls may affect certain disclosure practices, they do not amount to a requirement that a provider obtain authorization for each and every disclosure of health information.

Further, patients are typically not given a choice; they must sign the “consent” in order to receive care. As the Georgetown Study points out, “In effect, the authorization may function more as a waiver of consent—the patient may not have an opportunity to object to any disclosures.” Georgetown Study, Key Findings.

In the many cases where neither state law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and procedures that the health care entity adopts. Corporate privacy policies are often proprietary. While several professional associations attached their privacy principles to their comments, health care entities did not. One study we found indicates that these policies are not adequate to provide appropriate privacy protections and alleviate public concern. The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made multiple findings highlighting the need for heightened privacy and security, including:

Finding 5: The greatest concerns regarding the privacy of health information derive from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information.

For the Record: Protecting Electronic Health Information, National Academy Press, Washington DC, 1997.

Consent Under This Rule

In the NPRM, we expressed concern about the coercive nature of consents currently obtained by providers and plans relating to the use and disclosure of health information. We also expressed concern about the lack of information available to the patient during the process, and the fact that patients often were not even presented with a copy of the consent that they had signed. These and other concerns led us to propose that covered entities be permitted to use and disclose protected health information for treatment, payment and health care operations without the express consent of the subject individual.

In the final rule, we alter our proposed approach and require, in most instances, that health care providers who have a direct treatment relationship with their patients obtain the consent of their patients to use and disclose protected health information for treatment, payment and health care operations. While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.

Providing and obtaining consent clearly has meaning for patients and practitioners. Patient advocates argued that the act of signing focuses the patient's attention on the substance of the transaction and provides an opportunity for the patient to ask questions about or seek modifications in the provider's practices. Many health care practitioners and their representatives argued that seeking a patient's consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship. Both practitioners and patients argued that the approach proposed in the NPRM actually reduced patient protections by eliminating the opportunity for patients to agree to how their confidential information would be used and disclosed.

While we believe that the provisions in the NPRM that provided for detailed notice to the patient and the right to request restrictions would have provided an opportunity for patients and providers to discuss and negotiate over information practices, it is clear from the comments that many practitioners and patients believe the approach proposed in the NPRM is not an acceptable replacement for the patient providing consent.

To encourage a more informed interaction between the patient and the provider during the consent process, the final rule requires that the consent form that is presented to the patient be accompanied by a notice that contains a detailed discussion of the provider's health information practices. The consent form must reference the notice and also must inform the patient that he or she has the right to ask the health care provider to request certain restrictions as to how the information of the patient will be used or disclosed. Our goal is to provide an opportunity for and to encourage more informed discussions between patients and providers about how protected health information will be used and disclosed within the health care system.

We considered and rejected other approaches to consent, including those that involved individuals providing a global consent to uses and disclosures when they sign up for insurance. While such approaches do require the patient to provide consent, it is not really an informed one or a voluntary one. It is also unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information in the first instance. The ability to negotiate restrictions or otherwise have a meaningful discussion with the front-line provider would be independent of, and potentially in conflict with, the consent obtained at the enrollment stage. In addition, employers today are moving toward simplified enrollment forms, using check-off boxes and similar devices. The opportunity for any meaningful consideration or interaction at that point is slight. For these and other reasons, we decided that, to the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider.

The comments and fact-finding indicate that our approach will not significantly change the administrative aspect of consent as it exists today. Most direct treatment providers today obtain some type of consent for some uses and disclosures of health information. Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussion, should they so desire.

Administrative Costs

Section 1172(b) of the Act provides that “[a]ny standard adopted under this part [part C of title XI of the Act] shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.” The privacy and security standards are the platform on which the remaining standards rest; indeed, the design of part C of title XI makes clear that the various standards are intended to function together. Thus, the costs of privacy and security are properly attributable to the suite of administrative simplification regulations as a whole, and the cost savings realized should likewise be calculated on an aggregated basis, as is done below. Because the privacy standards are an integral and necessary part of the suite of Administrative Simplification standards, and because that suite of standards will result in substantial administrative cost savings, the privacy standards are “consistent with the objective of reducing the administrative costs of providing and paying for health care.”

As more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that these privacy standards will entail substantial initial and ongoing administrative costs for entities subject to the rules. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. The Congress recognized that adequate protection of the security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution, by enacting the security and privacy provisions of the law. Thus, as a matter of policy as well as law, the administrative standards should be viewed as a whole in determining whether they are “consistent with” the objective of reducing administrative costs.

Consultations

The Congress required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under the section. Section 1172(b)(3) of the Act, which was enacted by section 262, requires that, in developing a standard under section 1172 for which no standard setting organization has already developed a standard, the Secretary must, before adopting the standard, consult with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Section 1172(f) also requires the Secretary to rely on the recommendations of the NCVHS and consult with other appropriate federal and state agencies and private organizations.

We engaged in the required consultations, including with the Attorney General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in developing the Recommendations, upon which this proposed rule is based. We continued to consult with this committee by requesting the committee to review the proposed rule and provide comments prior to its publication, and by reviewing transcripts of its public meeting on privacy and related topics. We consulted with representatives of the National Congress of American Indians, the National Indian Health Board, and the self-governance tribes. We also met with representatives of the National Governors' Association, the National Conference of State Legislatures, the National Association of Public Health Statistics and Information Systems, and a number of other state organizations to discuss the framework for the proposed rule, issues of special interest to the states, and the process for providing comments on the proposed rule.

Many of these groups submitted comments to the proposed rule, and those were taken into account in developing the final regulation.

In addition to the required consultations, we met with numerous individuals, entities, and agencies regarding the regulation, with the goal of making these standards as compatible as possible with current business practices, while still enhancing privacy protection. During the open comment period, we met with dozens of groups.

Relevant federal agencies participated in the interagency working groups that developed the NPRM and the final regulation, with additional representatives from all operating divisions and many staff offices of HHS. The following federal agencies and offices were represented on the interagency working groups: the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Office of Personnel Management, and the Office of Management and Budget.

II. Section-by-Section Description of Rule Provisions

Part 160—Subpart A—General Provisions

Part 160 applies to all the administrative simplification regulations. We include the entire regulation text in this rule, not just those provisions relevant to this Privacy regulation. For example, the term “trading partner” is defined here, for use in the Health Insurance Reform: Standards for Electronic Transactions regulation, published at 65 FR 50312, August 17, 2000 (the “Transactions Rule”). It does not appear in the remainder of this Privacy rule.

Sections 160.101 and 160.104 of Subpart A of part 160 were promulgated in the Transactions Rule, and we do not change them here. We do, however, make changes and additions to § 160.103, the definitions section of Subpart A. The definitions that were promulgated in the Transactions Rule and that remain unchanged here are: Act, ANSI, covered entity, compliance date, group health plan, HCFA, HHS, health care provider, health information, health insurance issuer, health maintenance organization, modify or modification, Secretary, small health plan, standard setting organization, and trading partner agreement. Of these terms, we discuss further in this preamble only covered entity and health care provider.

Section 160.102—Applicability

The proposed rule stated that the subchapter (Parts 160, 162, and 164) applies to the entities set out at section 1172(a) of the Act: Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the subchapter. The final rule adds a provision (§ 160.102(b)) clarifying that to the extent required under section 201(a)(5) of HIPAA, nothing in the subchapter is to be construed to diminish the authority of any Inspector General. This was done in response to comment, to clarify that the administrative simplification rules, including the rules below, do not conflict with the cited provision of HIPAA.

Section 160.103—Definitions

Business Associate

We proposed to define the term “business partner” to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. “Business partner” would have included contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. “Business partner” would have excluded persons who are within the covered entity's workforce, as defined in this section.

This rule reflects the change in the name from “business partner” to “business associate,” included in the Transactions Rule.

In the final rule, we change the definition of “business associate” to clarify the circumstances in which a person is acting as a business associate of a covered entity. The changes clarify that the business association occurs when the right to use or disclose the protected health information belongs to the covered entity, and another person is using or disclosing the protected health information (or creating, obtaining and using the protected health information) to perform a function or activity on behalf of the covered entity. We also clarify that providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of protected health information to the service provider. In the proposed rule, we had included a list of persons that were considered to be business partners of the covered entity. However, it is not always clear whether the provision of certain services to a covered entity is “for” the covered entity or whether the service provider is acting “on behalf of” the covered entity. For example, a person providing management consulting services may need protected health information to perform those services, but may not be acting “on behalf of” the covered entity. We believe this led to some general confusion among the commenters as to whether certain arrangements fell within the definition of a business partner under the proposed rule. The construction of the final rule clarifies that the provision of the specified services gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. The list is intended to include the types of services commonly provided to covered entities where the disclosure of protected health information is routine to the performance of the service, but where the person providing the service may not always be acting “on behalf of” the covered entity.

In the final rule, we reorganize the list of examples of the functions or activities that may be conducted by business associates. We place a part of the proposed list in the portion of the definition that addresses when a person is providing functions or activities for or on behalf of a covered entity. We place other parts of the list in the portion of the definition that specifies the services that give rise to a business associate relationship, as discussed above. We also have expanded the examples to provide additional guidance and in response to questions from commenters.

We have added data aggregation to the list of services that give rise to a business associate relationship. Data aggregation, as discussed below, is where a business associate in its capacity as the business associate of one covered entity combines the protected health information of such covered entity with protected health information received by the business associate in its capacity as a business associate of another covered entity in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Adding this service to the business associate definition clarifies the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. For example, a state hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency and other patient care issues. As discussed below, however, the business associate contracts of each of the hospitals would have to permit the activity, and the protected health information of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the rule.

The definition also states that a business associate may be a covered entity, and that business associate excludes a person who is part of the covered entity's workforce.

We also clarify in the final rule that a business association arises with respect to a covered entity when a person performs functions or activities on behalf of, or provides the specified services to or for, an organized health care arrangement in which the covered entity participates. This change recognizes that where covered entities participate in certain joint arrangements for the financing or delivery of health care, they often contract with persons to perform functions or to provide services for the joint arrangement. This change is consistent with changes made in the final rule to the definition of health care operations, which permits covered entities to use or disclose protected health information not only for their own health care operations, but also for the operations of an organized health care arrangement in which the covered entity participates. By making these changes, we avoid the confusion that could arise in trying to determine whether a function or activity is being provided on behalf of (or if a specified service is being provided to or for) a covered entity or on behalf of or for a joint enterprise involving the covered entity. The change clarifies that in either instance the person performing the function or activity (or providing the specified service) is a business associate.

We also add language to the final rule that clarifies that the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity. The fact that the entities participate in joint health care operations or other joint activities, or pursue common goals through a joint activity, does not mean that one party is performing a function or activity on behalf of the other party (or is providing a specified service to or for the other party).

In general, under this provision, actions relating to the protected health information of an individual undertaken by a business associate are considered, for the purposes of this rule, to be actions of the covered entity, although the covered entity is subject to sanctions under this rule only if it has knowledge of the wrongful activity and fails to take the required actions to address the wrongdoing. For example, if a business associate maintains the medical records or manages the claims system of a covered entity, the covered entity is considered to have protected health information and the covered entity must ensure that individuals who are the subject of the information can have access to it pursuant to § 164.524.

The business associate relationship does not describe all relationships between covered entities and other persons or organizations. While we permit uses or disclosures of protected health information for a variety of purposes, business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity, when the other person will be creating or obtaining protected health information on behalf of the covered entity, or when the business associate is providing the specified services to the covered entity and the provision of those services involves the disclosure of protected health information by the covered entity to the business associate. For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established. While the covered provider may have an agreement to accept discounted fees as reimbursement for services provided to health plan members, neither entity is acting on behalf of or providing a service to the other.

Similarly, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians with staff privileges, a business associate relationship may arise with respect to those services. Likewise, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities or services. We also note that covered entities are permitted to disclose protected health information to oversight agencies that act to provide oversight of federal programs and the health care system. These oversight agencies are not performing services for or on behalf of the covered entities and so are not business associates of the covered entities. Therefore HCFA, the federal agency that administers Medicare, is not required to enter into a business associate contract in order to disclose protected health information to the Department's Office of Inspector General.

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.

Covered Entity

We provided this definition in the NPRM for convenience of reference and proposed it to mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a “standard transaction”).

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider. See the definition of “business associate.”

Where a public agency is required or authorized by law to administer a health plan jointly with another entity, we consider each agency to be a covered entity with respect to the health plan functions it performs. Unlike private sector health plans, public plans are often required by or expressly authorized by law to jointly administer health programs that meet the definition of “health plan” under this regulation. In some instances the public entity is required or authorized to administer the program with another public agency. In other instances, the public entity is required or authorized to administer the program with a private entity. In either circumstance, we note that joint administration does not meet the definition of “business associate” in § 164.501. Examples of joint administration include state and federal administration of the Medicaid and SCHIP program, or joint administration of a Medicare+Choice plan by the Health Care Financing Administration and the issuer offering the plan.

Health Care

We proposed to define “health care” to mean the provision of care, services, or supplies to a patient and to include any: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

The final rule revises both the NPRM definition and the definition as provided in the Transactions Rule, to now mean “care, services, or supplies related to the health of an individual. Health care includes the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.”

We delete the term “providing” from the definition to delineate more clearly the relationship between “treatment,” as the term is defined in § 164.501, and “health care.” Other key revisions include adding the term “assessment” in subparagraph (1) and deleting proposed subparagraph (3) from the rule. Therefore the procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions. As described in § 164.512(h), covered entities are permitted to disclose protected health information without individual authorization, consent, or agreement (see below for explanation of authorizations, consents, and agreements) as necessary to facilitate cadaveric donation.

Health Care Clearinghouse

In the NPRM, we defined “health care clearinghouse” as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payor or payors, and forwards the processed transaction to appropriate payors and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and “value-added” networks and switches would have been considered to be health care clearinghouses for purposes of this part, if they perform the functions of health care clearinghouses as described in the preceding sentences.

In the final regulation, we modify the definition of health care clearinghouse to reflect changes in the definition published in the Transactions Rule. The definition in the final rule is:

Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

We note here that the term health care clearinghouse may have other meanings and connotations in other contexts, but the regulation defines it specifically, and an entity is considered a health care clearinghouse only to the extent that it meets the criteria in this definition. Telecommunications entities that provide connectivity or mechanisms to convey information, such as telephone companies and Internet Service Providers, are not health care clearinghouses as defined in the rule unless they actually carry out the functions outlined in our definition. Value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition. We continue to consider the examples of entities in our proposed definition to be health care clearinghouses, as well as any other entities that meet that definition, to the extent that they perform the functions in the definition.

In order to fall within this definition of clearinghouse, the covered entity must perform the clearinghouse function on health information received from some other entity. A department or component of a health plan or health care provider that transforms nonstandard information into standard data elements or standard transactions (or vice versa) is not a clearinghouse for purposes of this rule, unless it also performs these functions for another entity. As described in more detail in § 164.504(d), we allow affiliates to perform clearinghouse functions for each other without triggering the definition of “clearinghouse” if the conditions in § 164.504(d) are met.

Health Care Provider

We proposed to define health care provider to mean a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business.

In the final rule, we delete the term “services and supplies,” in order to eliminate redundancy within the definition. The definition also reflects the addition of the applicable U.S.C. citations (42 U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the referenced provisions of the Act that were promulgated in the Transactions Rule.

To assist the reader, we also provide here excerpts from the relevant sections of the Act. (Refer to the U.S.C. sections cited above for complete definitions in sections 1861(u) and 1861(s).) Section 1861(u) of the Act defines a “provider of services,” to include, for example,

“a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1814(g) (42 U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.” Section 1861(s) of the Act defines the term, “medical and other health services,” and includes a list of covered items or services, as illustrated by the following excerpt:

(s) Medical and other health services. The term “medical and other health services” means any of the following items or services:

(1) Physicians' services;

(2) (A) services and supplies * * * furnished as an incident to a physician's professional service, or kinds which are commonly furnished in physicians' offices and are commonly either rendered without charge or included in the physicians' bills;

(B) hospital services * * * incident to physicians' services rendered to outpatients and partial hospitalization services incident to such services;

(C) diagnostic services which are—

(i) furnished to an individual as an outpatient by a hospital or by others under arrangements with them made by a hospital, and

(ii) ordinarily furnished by such hospital (or by others under such arrangements) to its outpatients for the purpose of diagnostic study;

(D) outpatient physical therapy services and outpatient occupational therapy services;

(E) rural health clinic services and federally qualified health center services;

(F) home dialysis supplies and equipment, self-care home dialysis support services, and institutional dialysis services and supplies;

(G) antigens * * * prepared by a physician * * * for a particular patient, including antigens so prepared which are forwarded to another qualified person * * * for administration to such patient, * * * by or under the supervision of another such physician;

(H)(i) services furnished pursuant to a contract under section 1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a physician assistant or by a nurse practitioner * * * and such services and supplies furnished as an incident to his service to such a member * * * and

(ii) services furnished pursuant to a risk-sharing contract under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an eligible organization by a clinical psychologist * * * or by a clinical social worker * * * (and) furnished as an incident to such clinical psychologist's services or clinical social worker's services * * *;

(I) blood clotting factors, for hemophilia patients * * *;

(J) prescription drugs used in immunosuppressive therapy furnished, to an individual who receives an organ transplant for which payment is made under this title (42 U.S.C. 1395 et seq.), but only in the case of (certain) drugs furnished * * *

(K)(i) services which would be physicians' services if furnished by a physician * * * and which are performed by a physician assistant * * *; and

(ii) services which would be physicians' services if furnished by a physician * * * and which are performed by a nurse * * *;

(L) certified nurse-midwife services;

(M) qualified psychologist services;

(N) clinical social worker services * * *;

(O) erythropoietin for dialysis patients * * *;

(P) prostate cancer screening tests * * *;

(Q) an oral drug (which is approved by the Federal Food and Drug Administration) prescribed for use as an anti-cancer chemotherapeutic agent for a given indication, and containing an active ingredient (or ingredients) * * *;

(R) colorectal cancer screening tests * * *;

(S) diabetes outpatient self-management training services * * *; and

(T) an oral drug (which is approved by the federal Food and Drug Administration) prescribed for use as an acute anti-emetic used as part of an anti-cancer chemotherapeutic regimen * * *

(3) diagnostic X-ray tests * * * furnished in a place of residence used as the patient's home * * * ;

(4) X-ray, radium, and radioactive isotope therapy, including materials and services of technicians;

(5) surgical dressings, and splints, casts, and other devices used for reduction of fractures and dislocations;

(6) durable medical equipment;

(7) ambulance service where the use of other methods of transportation is contraindicated by the individual's condition * * * ;

(8) prosthetic devices (other than dental) which replace all or part of an internal body organ (including colostomy bags and supplies directly related to colostomy care), * * * and including one pair of conventional eyeglasses or contact lenses furnished subsequent to each cataract surgery * * * [;]

(9) leg, arm, back, and neck braces, and artificial legs, arms, and eyes, including replacements if required * * * ;

(10) (A) pneumococcal vaccine and its administration * * *; and

(B) hepatitis B vaccine and its administration * * *, and

(11) services of a certified registered nurse anesthetist * * *;

(12) * * * extra-depth shoes with inserts or custom molded shoes with inserts for an individual with diabetes, if * * *;

(13) screening mammography * * *;

(14) screening pap smear and screening pelvic exam; and

(15) bone mass measurement * * *. (etc.)

Health Plan

We proposed to define “health plan” essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg-91, as added by Public Law 104-191.

As defined in section 1171(5), a “health plan” is an individual plan or group health plan that provides, or pays the cost of, medical care. We proposed that this definition include, but not be limited to, the 15 types of plans (e.g., group health plan, health insurance issuer, health maintenance organization) listed in the statute, as well as any combination of them. Such term would have included, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans would have been included to the extent that they fall into one or more of the listed categories.

In the proposed rule, “health plan” included the following, singly or in combination:

(1) A group health plan, defined as an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance or otherwise, that:

(i) Has 50 or more participants; or

(ii) Is administered by an entity other than the employer that established and maintains the plan.

(2) A health insurance issuer, defined as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a state and is subject to state or other law that regulates insurance.

(3) A health maintenance organization, defined as a federally qualified health maintenance organization, an organization recognized as a health maintenance organization under state law, or a similar organization regulated for solvency under state law in the same manner and to the same extent as such a health maintenance organization.

(4) Part A or Part B of the Medicare program under title XVIII of the Act.

(5) The Medicaid program under title XIX of the Act.

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss).

(7) A long-term care policy, including a nursing home fixed-indemnity policy.

(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(9) The health care program for active military personnel under title 10 of the United States Code.

(10) The veterans health care program under 38 U.S.C. chapter 17.

(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).

(12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.).

(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.

(14) An approved state child health plan for child health assistance that meets the requirements of section 2103 of the Act.

(15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

In addition to the 15 specific categories, we proposed that the list include any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. The Secretary would determine which plans that meet these criteria would be considered health plans for the purposes of this rule.

Consistent with the other titles of HIPAA, our proposed definition did not include certain types of insurance entities, such as workers' compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services.

In the final rule, we add two provisions to clarify the types of policies or programs that we do not consider to be a health plan. First, the rule excepts any policy, plan or program to the extent that it provides, or pays for the cost of, excepted benefits, as defined in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). We note that, while coverage for on-site medical clinics is excluded from the definition of “health plan,” such clinics may meet the definition of “health care provider,” and persons who work in the clinic may also meet the definition of “health care provider.” Second, many commenters were confused by the statutory inclusion as a health plan of any “other individual or group plan that provides or pays the cost of medical care;” they questioned how the provision applied to many government programs. We therefore clarify that while many government programs (other than the programs specified in the statute) provide or pay the cost of medical care, we do not consider them to be individual or group plans and therefore, do not consider them to be health plans. Government funded programs that do not have as their principal purpose the provision of, or payment for, the cost of health care but which do incidentally provide such services are not health plans (for example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) and the Food Stamp Program, which provide or pay for nutritional services, are not considered to be health plans). Government funded programs that have as their principal purpose the provision of health care, either directly or by grant, are also not considered to be health plans. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act, government funded health centers and immunization programs. We note that some of these may meet the rule's definition of health care provider.

We note that in certain instances eligibility for or enrollment in a health plan that is a government program providing public benefits, such as Medicaid or SCHIP, is determined by an agency other than the agency that administers the program, or individually identifiable health information used to determine enrollment or eligibility in such a health plan is collected by an agency other than the agency that administers the health plan. In these cases, we do not consider an agency that is not otherwise a covered entity, such as a local welfare agency, to be a covered entity because it determines eligibility or enrollment or collects enrollment information as authorized by law. We also do not consider the agency to be a business associate when conducting these functions, as we describe further in the business associate discussion above.

The definition in the final rule also reflects the following changes promulgated in the Transactions Rule:

(1) Exclusion of nursing home fixed-indemnity policies;

(2) Addition of the word “issuer” to Medicare supplemental policy, and long-term care policy;

(3) Addition or revision of the relevant statutory cites where appropriate;

(4) Deletion of the term “or assisted” when referring to government programs;

(5) Replacement of the word “organization” with “program” when referring to Medicare + Choice;

(6) Deletion of the term “health” when referring to a group plan in subparagraph (xvi);

(7) Extraction of the definitions of “group health plan,” “health insurance issuer,” and “health maintenance organization” into Part 160 as distinct definitions;

(8) In the definition of “group health plan,” deletion of the term “currently” from the reference to the statutory cite of ERISA, addition of the relevant statutory cite for the term “participant,” and addition of the term “reimbursement;”

(9) In the definition of “health insurance issuer,” addition of the relevant statutory cite, deletion of the term “or other law” after “state law,” addition of health maintenance organizations for consistency with the statute, and clarification that the term does not include a group health plan; and

(10) In the definition of “health maintenance organization,” addition of the relevant statutory cite.

Finally, we add to this definition a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals. High risk pools are designed mainly to provide health insurance coverage for individuals who, due to health status or pre-existing conditions, cannot obtain insurance through the individual market or who can do so only at very high premiums. Some states use their high risk pool as an alternative mechanism under section 2744 of HIPAA. We do not reference the definition of “qualified high risk pool” in HIPAA because that definition includes the requirements for a state to use its risk pool as its alternative mechanism under HIPAA. Some states may have high risk pools, but do not use them as their alternative mechanism and therefore may not meet the definition in HIPAA. We want to make clear that state high risk pools are covered entities under this rule whether or not they meet the definition of a qualified high risk pool under section 2744. High risk pools, as described in this rule, do not include any program established under state law solely to provide excepted benefits. For example, a state program established to provide workers' compensation coverage is not considered to be a high risk pool under the rule.

Implementation Specification

This definition was adopted in the Transactions Rule and is minimally revised here. We add the words “requirements or” before the word “instructions.” The word “instructions” is appropriate in the context of the implementation specifications adopted in the Transactions Rule, which are generally a series of instructions as to how to use particular electronic forms. However, that word is not apropos in the context of the rules below. In the rules below, the implementation specifications are specific requirements for how to comply with a given standard. The change to this definition thus ties in to this regulatory framework.

Standard

This definition was adopted in the Transactions Rule and we have modified it to make it clearer. We also add language reflecting section 264 of the statute, to clarify that the standards adopted by this rule meet this definition.

State

We modify the definition of state as adopted in the Transactions Rule to clarify that this term refers to any of the several states.

Transaction

We change the term “exchange” to the term “transmission” in the definition of Transaction to clarify that these transactions may be one-way communications.

Workforce

We proposed in the NPRM to define workforce to mean employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.

The definition in the final rule reflects one revision established in the Transactions Rule, which replaces the term “including persons providing labor on an unpaid basis” with the term “whether or not they are paid by the covered entity.” In addition, we clarify that if the assigned work station of persons under contract is on the covered entity's premises and such persons perform a substantial proportion of their activities at that location, the covered entity may choose to treat them either as business associates or as part of the workforce, as explained in the discussion of the definition of business associate. If there is no business associate contract, we assume the person is a member of the covered entity's workforce. We note that independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists.

Part 160—Subpart B—Preemption of State Laws

Statutory Background

Section 1178 of the Act establishes a “general rule” that state law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) In section 1178(a)(2)(A)(i), for state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery, and other purposes; (2) in section 1178(a)(2)(A)(ii), for state laws that address controlled substances; and (3) in section 1178(a)(2)(B), for state laws relating to the privacy of individually identifiable health information that, as provided for by the related provision of section 264(c)(2) of HIPAA, are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of state authority that are not limited or invalidated by the provisions of part C of title XI: these areas relate to public health and state regulation of health plans.

The NPRM proposed a new Subpart B of the proposed part 160. The new Subpart B, which would apply to all standards, implementation specifications, and requirements adopted under HIPAA, would consist of four sections. Proposed § 160.201 provided that the provisions of Subpart B applied to exception determinations and advisory opinions issued by the Secretary under section 1178. Proposed § 160.202 set out proposed definitions for four terms: (1) “Contrary,” (2) “more stringent,” (3) “relates to the privacy of individually identifiable health information,” and (4) “state law.” The definition of “contrary” was drawn from case law concerning preemption. A seven-part set of specific criteria, drawn from fair information principles, was proposed for the definition of “more stringent.” The definition of “relates to the privacy of individually identifiable health information” was also based on case law. The definition of “state law” was drawn from the statutory definition of this term elsewhere in HIPAA. We note that state action having the force and effect of law may include common law. We eliminate the term “decision” from the proposed rule because it is redundant.

Proposed § 160.203 proposed a general rule reflecting the statutory general rule and exceptions that generally mirrored the statutory language of the exceptions. The one substantive addition to the statutory exception language was with respect to the statutory exception, “for other purposes.” The following language was added: “for other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system.”

Proposed § 160.204 proposed two processes, one for the making of exception determinations, relating to determinations under section 1178(a)(2)(A) of the Act, the other for the rendering of advisory opinions, with respect to section 1178(a)(2)(B) of the Act. The processes proposed were similar in the following respects: (1) Only the state could request an exception determination or advisory opinion, as applicable; (2) both required the request to contain the same information, except that a request for an exception determination also had to set out the length of time the requested exception would be in effect, if less than three years; (3) both sets of requirements provided that requests had to be submitted to the Secretary as required by the Secretary, and until the Secretary's determination was made, the federal standard, requirement or implementation specification remained in effect; (4) both sets of requirements provided that the Secretary's decision would be effective intrastate only; (5) both sets of requirements provided that any change to either the federal or state basis for the Secretary's decision would require a new request, and the federal standard, implementation specification, or requirement would remain in effect until the Secretary acted favorably on the new request; (6) both sets of requirements provided that the Secretary could seek changes to the federal rules or urge states or other organizations to seek changes; and (7) both sets of requirements provided for annual publication of Secretarial decisions. In addition, the process for exception determinations provided for a maximum effective period of three years for such determinations.

The following changes have been made to subpart B in the final rules. First, § 160.201 now expressly implements section 1178. Second, the definition of “more stringent” has been changed by eliminating the criterion relating to penalties and by framing the criterion under paragraph (1) more generally. Also, we have clarified that the term “individual” means the person who is the subject of the individually identifiable health information, since the term “individual” is defined this way only in subpart E of part 164, not in part 160. Third, the definition of “state law” has been changed by substituting the words “statute, constitutional provision” for the word “law,” the words “common law” for the word “decision,” and adding the words “force and” before the word “effect” in the proposed definition. Fourth, in § 160.203, several criteria relating to the statutory grounds for exception determinations have been further spelled out: (1) The words “related to the provision of or payment for health care” have been added to the exception for fraud and abuse; (2) the words “to the extent expressly authorized by statute or regulation” have been added to the exception for state regulation of health plans; (3) the words “of serving a compelling need related to public health, safety, or welfare, and, where a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, where the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served” have been added to the general exception “for other purposes”; and (4) the statutory provision regarding controlled substances has been elaborated on as follows: “Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance, as defined at 21 U.S.C. 802, or which is deemed a controlled substance by state law.”

The most extensive changes have been made to proposed § 160.204. The provision for advisory opinions has been eliminated. Section 160.204 now sets out only a process for requesting exception determinations. In most respects, this process is the same as proposed. However, the proposed restriction of the effect of exception determinations to wholly intrastate transactions has been eliminated. Section 160.204(a) has been modified to allow any person, not just a state, to submit a request for an exception determination, and clarifies that requests from states may be made by the state's chief elected official or his or her designee. Proposed § 160.204(a)(3) stated that if it is determined that the federal standard, requirement, or implementation specification in question meets the exception criteria as well as or better than the state law for which the exception is requested, the request will be denied; this language has been deleted. Thus, the criterion for granting or denying an exception request is whether the applicable exception criterion or criteria are met.

A new § 160.205 is also adopted, replacing part of what was proposed at proposed § 160.204. The new § 160.205 sets out the rules relating to the effectiveness of exception determinations. Exception determinations are effective until either the underlying federal or state laws change or the exception is revoked, by the Secretary, based on a determination that the grounds supporting the exception no longer exist. The proposed maximum of three years has been eliminated.

Relationship to Other Federal Laws

Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations. And, health care providers in schools, colleges, and universities may come within the purview of the Family Educational Rights and Privacy Act. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other federal laws.

Many commenters raised questions about how different federal statutes and regulations intersect with the privacy regulation. While we address specific concerns in the response to comments later in the preamble, in this section, we explore some of the general interaction issues. These summaries do not identify all possible conflicts or overlaps of the privacy regulation and other federal laws, but should provide general guidance for complying with both the privacy regulation and other federal laws. The summaries also provide examples of how covered entities can analyze other federal laws when specific questions arise. HHS may consult with other agencies concerning the interpretation of other federal laws as necessary.

Implied Repeal Analysis

When faced with the need to determine how different federal laws interact with one another, we turn to the judiciary's approach. Courts apply the implied repeal analysis to resolve tensions that appear to exist between two or more statutes. While the implication of a regulation-on-regulation conflict is unclear, courts agree that administrative rules and regulations that do not conflict with express statutory provisions have the force and effect of law. Thus, we believe courts would apply the standard rules of interpretation that apply to statutes to address questions of interpretation with regard to regulatory conflicts.

When faced with two potentially conflicting statutes, courts attempt to construe them so that both are given effect. If this construction is not possible, courts will look for express language in the later statute, or an intent in its legislative history, indicating that Congress intended the later statute to repeal the earlier one. If there is no expressed intent to repeal the earlier statute, courts will characterize the statutes as either general or specific. Ordinarily, later, general statutes will not repeal the special provisions of an earlier, specific statute. In some cases, when a later, general statute creates an irreconcilable conflict or is manifestly inconsistent with the earlier, specific statute in a manner that indicates a clear and manifest Congressional intent to repeal the earlier statute, courts will find that the later statute repeals the earlier statute by implication. In these cases, the latest legislative action may prevail and repeal the prior law, but only to the extent of the conflict.

There should be few instances in which conflicts exist between a statute or regulation and the rules below. For example, if a statute permits a covered entity to disclose protected health information and the rules below permit such a disclosure, no conflict arises; the covered entity could comply with both and choose whether or not to disclose the information. In instances in which a potential conflict appears, we would attempt to resolve it so that both laws applied. For example, if a statute or regulation permits dissemination of protected health information, but the rules below prohibit the use or disclosure without an authorization, we believe a covered entity would be able to comply with both because it could obtain an authorization under § 164.508 before disseminating the information under the other law.

Many apparent conflicts will not be true conflicts. For example, if a conflict appears to exist because a previous statute or regulation requires a specific use or disclosure of protected health information that the rules below appear to prohibit, the use or disclosure pursuant to that statute or regulation would not be a violation of the privacy regulation because § 164.512(a) permits covered entities to use or disclose protected health information as required by law.

If a statute or regulation prohibits dissemination of protected health information, but the privacy regulation requires that an individual have access to that information, the earlier, more specific statute would apply. The interaction between the Clinical Laboratory Improvement Amendments regulation and the privacy regulation is an example of this type of conflict. From our review of several federal laws, it appears that Congress did not intend for the privacy regulation to overrule existing statutory requirements in these instances.

Examples of Interaction

We have summarized how certain federal laws interact with the privacy regulation to provide specific guidance in areas deserving special attention and to serve as examples of the analysis involved. In the Response to Comment section, we have provided our responses to specific questions raised during the comment period.

The Privacy Act

The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a “routine use” and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.

Some federal agencies and contractors of federal agencies that are covered entities under the privacy rules are subject to the Privacy Act. These entities must comply with all applicable federal statutes and regulations. For example, if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation. This means not making the particular disclosure.

The Freedom of Information Act

FOIA, 5 U.S.C. 552, provides for public disclosure, upon the request of any person, of many types of information in the possession of the federal government, subject to nine exemptions and three exclusions. For example, Exemption 6 permits federal agencies to withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” 5 U.S.C. 552(b)(6).

Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.

We offer the following analysis for federal agencies and federal contractors who operate Privacy Act systems of records on behalf of federal agencies and must comply with FOIA and the privacy regulation. If presented with a FOIA request that would result in the disclosure of protected health information, a federal agency must first determine if FOIA requires the disclosure or if an exemption or exclusion would be appropriate. We believe that generally a disclosure of protected health information, when requested under FOIA, would come within FOIA Exemption 6. We recognize, however, that the application of this exemption to information about deceased individuals requires a different analysis than that applicable to living individuals because, as a general rule, under the Privacy Act, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interests of a decedent's survivors under Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: Privacy Considerations. Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.

Federal Substance Abuse Confidentiality Requirements

The federal confidentiality of substance abuse patient records statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, and its implementing regulation, 42 CFR part 2, establish confidentiality requirements for patient records that are maintained in connection with the performance of any federally-assisted specialized alcohol or drug abuse program. Substance abuse programs are generally programs or personnel that provide alcohol or drug abuse treatment, diagnosis, or referral for treatment. The term “federally-assisted” is broadly defined and includes federally conducted or funded programs, federally licensed or certified programs, and programs that are tax exempt. Certain exceptions apply to information held by the Veterans Administration and the Armed Forces.

There are a number of health care providers that are subject to both these rules and the substance abuse statute and regulations. In most cases, a conflict will not exist between these rules. These privacy rules permit a health care provider to disclose information in a number of situations that are not permitted under the substance abuse regulation. For example, disclosures allowed, without patient authorization, under the privacy rule for law enforcement, judicial and administrative proceedings, public health, health oversight, directory assistance, and as required by other laws would generally be prohibited under the substance abuse statute and regulation. However, because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the privacy rules for failing to make these disclosures.

Similarly, provisions in the substance abuse regulation provide for permissive disclosures in case of medical emergencies, to the FDA, for research activities, for audit and evaluation activities, and in response to certain court orders. Because these are permissive disclosures, programs subject to both the privacy rules and the substance abuse rule are able to comply with both rules even if the privacy rules restrict these types of disclosures. In addition, the privacy rules generally require that an individual be given access to his or her own health information. Under the substance abuse regulation, programs may provide such access, so there is no conflict.

The substance abuse regulation requires notice to patients of the substance abuse confidentiality requirements and provides for written consent for disclosure. While the privacy rules have requirements that are somewhat different, the program may use notice and authorization forms that include all the elements required by both regulations. The substance abuse rule provides a sample notice and a sample authorization form and states that the use of these forms would be sufficient. While these forms do not satisfy all of the requirements of the privacy regulation, there is no conflict because the substance abuse regulation does not mandate the use of these forms.

Employee Retirement Income Security Act of 1974

ERISA was enacted in 1974 to regulate pension and welfare employee benefit plans established by private sector employers, unions, or both, to provide benefits to their workers and dependents. Under ERISA, plans that provide “through the purchase of insurance or otherwise * * * medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, [or] death” are defined as employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Numerous, although not all, ERISA plans are covered under the rules proposed below as “health plans.”

Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws that “relate to” any employee benefit plan. However, section 514(b) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29 U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be an insurer for the purpose of regulating the plan under the state insurance laws. Thus, under the deemer clause, states may not treat ERISA plans as insurers subject to direct regulation by state law. Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that ERISA does not “alter, amend, modify, invalidate, impair, or supersede any law of the United States.”

We considered whether the preemption provision of section 264(c)(2) of HIPAA would give effect to state laws that would otherwise be preempted by section 514(a) of ERISA. As discussed above, our reading of the statutes together is that the effect of section 264(c)(2) is only to leave in place state privacy protections that would otherwise apply and that are more stringent than the federal privacy protections.

Many health plans covered by the privacy regulation are also subject to ERISA requirements. Our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules.

The Family Educational Rights and Privacy Act

FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions. We have excluded education records covered by FERPA, including those education records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act Amendments of 1997, from the definition of protected health information. For example, individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school that receives federal funds and that is subject to FERPA is an education record, but not protected health information. Therefore, the privacy regulation does not apply. We followed this course because Congress specifically addressed how information in education records should be protected in FERPA.

We have also excluded certain records, those described at 20 U.S.C. 1232g(a)(4)(B)(iv), from the definition of protected health information because FERPA also provided a specific structure for the maintenance of these records. These are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student. Because FERPA excludes these records from its protections only to the extent they are not available to anyone other than persons providing treatment to students, any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.

These exclusions are not applicable to all schools, however. If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA. Therefore, its records that contain individually identifiable health information are not education records. These records may be protected health information. The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.

While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.

With regard to the records described at 20 U.S.C. 1232g(a)(4)(B)(iv), we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA's requirements and be relieved from its obligations under the privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student.

Gramm-Leach-Bliley

In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, which included provisions, section 501 et seq., that limit the ability of financial institutions to disclose “nonpublic personal information” about consumers to non-affiliated third parties and require financial institutions to provide customers with their privacy policies and practices with respect to nonpublic personal information. In addition, Congress required seven agencies with jurisdiction over financial institutions to promulgate regulations as necessary to implement these provisions. GLB and its accompanying regulations define “financial institutions” as including institutions engaged in the financial activities of bank holding companies, which may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 1843(k). However, Congress did not provide the designated federal agencies with the authority to regulate health insurers. Instead, it provided states with an incentive to adopt and have their state insurance authorities enforce these rules. See 15 U.S.C. 6805. If a state were to adopt laws consistent with GLB, health insurers would have to determine how to comply with both sets of rules.

Thus, GLB has caused concern and confusion among health plans that are subject to our privacy regulation. Although Congress remained silent as to its understanding of the interaction of GLB and HIPAA's privacy provisions, the Federal Trade Commission and other agencies implementing the GLB privacy provisions noted in the preamble to their GLB regulations that they “would consult with HHS to avoid the imposition of duplicative or inconsistent requirements.” 65 Fed. Reg. 33646, 33648 (2000). The FTC also noted that “persons engaged in providing insurance” would be within the enforcement jurisdiction of state insurance authorities and not within the jurisdiction of the FTC. Id.

Because the FTC has clearly stated that it will not enforce the GLB privacy provisions against persons engaged in providing insurance, health plans will not be subject to dual federal agency jurisdiction for information that is both nonpublic personal information and protected health information. If states choose to adopt GLB-like laws or regulations, which may or may not track the federal rules completely, health plans would need to evaluate these laws under the preemption analysis described in subpart B of Part 160.

Federally Funded Health Programs

These rules will affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements of these regulations. These programs include those operated directly by the federal government (such as health programs for military personnel and veterans) as well as programs in which health services or benefits are provided by the private sector or by state or local governments, but which are governed by various federal laws (such as Medicare, Medicaid, and ERISA).

Congress explicitly included some of these programs in HIPAA, subjecting them directly to the privacy regulation. Section 1171 of the Act defines the term “health plan” to include the following federally conducted, regulated, or funded programs: Group plans under ERISA that either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of “health plan.” While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of “health plan” are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case when the federal entity or federally regulated or funded entity provides health services; the requirements of part C may apply to such an entity as a “health care provider.” Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.

There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements, either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in those laws or regulations would appear to restrict the provider's ability to comply with the privacy regulation's requirements.

There may, however, be authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that differ from these rules.

For example, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and, thus, raise the issues identified above in the substance abuse confidentiality regulations discussion. There are a number of federal programs which, either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures “required by law.” See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); and the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities providing services under the programs involved from making many of the disclosures that §§ 164.510 or 164.512 would permit. In some cases, permissive disclosures for treatment, payment, or health care operations would also be limited. Because §§ 164.510 and 164.512 are merely permissive, there would not be a conflict with the program requirements, since it would be possible to comply with both. However, entities subject to both sets of requirements would not have the total range of discretion that they would have if they were subject only to this regulation.

Food, Drug, and Cosmetic Act

The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its accompanying regulations outline the responsibilities of the Food and Drug Administration with regard to monitoring the safety and effectiveness of drugs and devices. Part of the agency's responsibility is to obtain reports about adverse events, track medical devices, and engage in other types of post marketing surveillance. Because many of these reports contain protected health information, the information within them may come within the purview of the privacy rules. Although some of these reports are required by the Food, Drug, and Cosmetic Act or its accompanying regulations, other types of reporting are voluntary. We believe that these reports, while not mandated, play a critical role in ensuring that individuals receive safe and effective drugs and devices. Therefore, in § 164.512(b)(1)(iii), we have provided that covered entities may disclose protected health information to a person subject to the jurisdiction of the Food and Drug Administration for specified purposes, such as reporting adverse events, tracking medical devices, or engaging in other post marketing surveillance. We describe the scope and conditions of such disclosures in more detail in § 164.512(b).

Clinical Laboratory Improvement Amendments

CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part 493, require clinical laboratories to comply with standards regarding the testing of human specimens. This law requires clinical laboratories to disclose test results or reports only to authorized persons, as defined by state law. If a state does not define the term, the federal law defines it as the person who orders the test.

We realize that the person ordering the test is most likely a health care provider and not the individual who is the subject of the protected health information included within the result or report. Under this requirement, therefore, a clinical laboratory may be prohibited by law from providing the individual who is the subject of the test result or report with access to this information.

Although we believe individuals should be able to have access to their individually identifiable health information, we recognize that in the specific area of clinical laboratory testing and reporting, the Health Care Financing Administration, through regulation, has provided that access may be more limited. To accommodate this requirement, we have provided at § 164.524(1)(iii) that covered entities maintaining protected health information that is subject to the CLIA requirements do not have to provide individuals with a right of access to or a right to inspect and obtain a copy of this information if the disclosure of the information to the individual would be prohibited by CLIA.

Not all clinical laboratories, however, will be exempted from providing individuals with these rights. If a clinical laboratory operates in a state in which the term “authorized person” is defined to include the individual, the clinical laboratory would have to provide the individual with these rights. Similarly, if the individual was the person who ordered the test and an authorized person included such a person, the laboratory would be required to provide the individual with these rights.

Additionally, CLIA regulations exempt the components or functions of “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients” from the CLIA regulatory scheme. 42 CFR 493.3(a)(2). If subject to the access requirements of this regulation, such entities would be forced to meet the requirements of CLIA from which they are currently exempt. To eliminate this additional regulatory burden, we have also excluded covered entities that are exempt from CLIA under that rule from the access requirement of this regulation.

Although we are concerned about the lack of immediate access by the individual, we believe that, in most cases, individuals who receive clinical tests will be able to receive their test results or reports through the health care provider who ordered the test for them. The provider will receive the information from the clinical laboratory. Assuming that the provider is a covered entity, the individual will have the right of access and right to inspect and copy this protected health information through his or her provider.

Other Mandatory Federal or State Laws

Many federal laws require covered entities to provide specific information to specific entities in specific circumstances. If a federal law requires a covered entity to disclose a specific type of information, the covered entity would not need an authorization under § 164.508 to make the disclosure because the final rule permits covered entities to make disclosures that are required by law under § 164.512(a). Other laws, such as the Social Security Act (including its Medicare and Medicaid provisions), the Family and Medical Leave Act, the Public Health Service Act, Department of Transportation regulations, the Environmental Protection Act and its accompanying regulations, the National Labor Relations Act, the Federal Aviation Administration, and the Federal Highway Administration rules, may also contain provisions that require covered entities or others to use or disclose protected health information for specific purposes.

When a covered entity is faced with a question as to whether the privacy regulation would prohibit the disclosure of protected health information that it seeks to disclose pursuant to a federal law, the covered entity should determine if the disclosure is required by that law. In other words, it must determine if the disclosure is mandatory rather than merely permissible. If it is mandatory, a covered entity may disclose the protected health information pursuant to § 164.512(a), which permits covered entities to disclose protected health information without an authorization when the disclosure is required by law. If the disclosure is not required (but only permitted) by the federal law, the covered entity must determine if the disclosure comes within one of the other permissible disclosures. If the disclosure does not come within one of the provisions for permissible disclosures, the covered entity must obtain an authorization from the individual who is the subject of the information or de-identify the information before disclosing it.

If another federal law prohibits a covered entity from using or disclosing information that is also protected health information, but the privacy regulation permits the use or disclosure, a covered entity will need to comply with the other federal law and not use or disclose the information.

Federal Disability Nondiscrimination Laws

The federal laws barring discrimination on the basis of disability protect the confidentiality of certain medical information. The information protected by these laws falls within the larger definition of “health information” under this privacy regulation. The two primary disability nondiscrimination laws are the Americans with Disabilities Act (ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws barring discrimination on the basis of disability (such as the nondiscrimination provisions of the Workforce Investment Act of 1988, 29 U.S.C. 2938) may also apply. Federal disability nondiscrimination laws cover two general categories of entities relevant to this discussion: employers and entities that receive federal financial assistance.

Employers are not covered entities under the privacy regulation. Many employers, however, are subject to the federal disability nondiscrimination laws and, therefore, must protect the confidentiality of all medical information concerning their applicants and employees.

The employment provisions of the ADA, 42 U.S.C. 12111 et seq., expressly cover employers of 15 or more employees, employment agencies, labor organizations, and joint labor-management committees. Since 1992, employment discrimination complaints arising under sections 501, 503, and 504 of the Rehabilitation Act also have been subject to the ADA's employment nondiscrimination standards. See “Rehabilitation Act Amendments,” Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to ADA nondiscrimination standards have confidentiality obligations regarding applicant and employee medical information. Employers must treat such medical information, including medical information from voluntary health or wellness programs and any medical information that is voluntarily disclosed as a confidential medical record, subject to limited exceptions.

Transmission of health information by an employer to a covered entity, such as a group health plan, is governed by the ADA confidentiality restrictions. The ADA, however, has been interpreted to permit an employer to use medical information for insurance purposes. See 29 CFR part 1630 App. at § 1630.14(b) (describing such use with reference to 29 CFR 1630.16(f), which in turn explains that the ADA regulation “is not intended to disrupt the current regulatory structure for self-insured employers * * * or current industry practices in sales, underwriting, pricing, administrative and other services, claims and similar insurance related activities based on classification of risks as regulated by the states”). See also, “Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees under the Americans with Disabilities Act,” 4, n.10 (July 26, 2000), __ FEP Manual (BNA) __ (“Enforcement Guidance on Employees”). See generally, “ADA Enforcement Guidance on Preemployment Disability-Related Questions and Medical Examinations” (October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available at http://www.eeoc.gov). Thus, use of medical information for insurance purposes may include transmission of health information to a covered entity.

If an employer-sponsored group health plan is closely linked to an employer, the group health plan may be subject to ADA confidentiality restrictions, as well as this privacy regulation. See Carparts Distribution Center, Inc. v. Automotive Wholesaler's Association of New England, Inc., 37 F.3d 12 (1st Cir. 1994) (setting forth three bases for ADA Title I jurisdiction over an employer-provided medical reimbursement plan, in a discrimination challenge to the plan's HIV/AIDS cap). Transmission of applicant or employee health information by the employer's management to the group health plan may be permitted under the ADA standards as the use of medical information for insurance purposes. Similarly, disclosure of such medical information by the group health plan, under the limited circumstances permitted by this privacy regulation, may involve use of the information for insurance purposes as broadly described in the ADA discussion above.

Entities that receive federal financial assistance, which may also be covered entities under the privacy regulation, are subject to section 504 of the Rehabilitation Act (29 U.S.C. 794) and its implementing regulations. Each federal agency has promulgated such regulations that apply to entities that receive financial assistance from that agency (“recipients”). These regulations may limit the disclosure of medical information about persons who apply to or participate in a federal financially assisted program or activity. For example, the Department of Labor's section 504 regulation (found at 29 CFR part 32), consistent with the ADA standards, requires recipients that conduct employment-related programs, including employment training programs, to maintain confidentiality regarding any information about the medical condition or history of applicants to or participants in the program or activity. Such information must be kept separate from other information about the applicant or participant and may be provided to certain specified individuals and entities, but only under certain limited circumstances described in the regulation. See 29 CFR 32.15(d). Apart from those circumstances, the information must be afforded the same confidential treatment as medical records, id. Also, recipients of federal financial assistance from the Department of Health and Human Services, such as hospitals, are subject to the ADA's employment nondiscrimination standards. They must, accordingly, maintain confidentiality regarding the medical condition or history of applicants for employment and employees.

The statutes and implementing regulations under which the federal financial assistance is provided may contain additional provisions regulating collection and disclosure of medical, health, and disability-related information. See, e.g., section 188 of the Workforce Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, covered entities that are subject to this privacy regulation may also be subject to the restrictions in these laws.

U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection)

The E.U. Directive became effective in October 1998 and prohibits European Union Countries from permitting the transfer of personal data to another country without ensuring that an “adequate level of protection,” as determined by the European Commission, exists in the other country or pursuant to one of the Directive's derogations of this rule, such as pursuant to unambiguous consent or to fulfill a contract with the individual. In July 2000, the European Commission concluded that the U.S. Safe Harbor Privacy Principles [1] constituted “adequate protection.” Adherence to the Principles is voluntary. Organizations wishing to engage in the exchange of personal data with E.U. countries may assert compliance with the Principles as one means of obtaining data from E.U. countries.

The Department of Commerce, which negotiated these Principles with the European Commission, has provided guidance for U.S. organizations seeking to adhere to the guidelines and comply with U.S. law. We believe this guidance addresses the concerns covered entities seeking to transfer personal data from E.U. countries may have. When “U.S. law imposes a conflicting obligation, U.S. organizations whether in the safe harbor or not must comply with the law.” An organization does not need to comply with the Principles if a conflicting U.S. law “explicitly authorizes” the particular conduct. The organization's non-compliance is “limited to the extent necessary to meet the overriding legitimate interests further[ed] by such authorization.” However, if only a difference exists such that an “option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.” Questions regarding compliance and interpretation will be decided based on U.S. law. See Department of Commerce, Memorandum on Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000, 65 FR 45666 (2000). The Principles and our privacy regulation are based on common principles of fair information practices. We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles. If a true conflict arises between the privacy regulation and the Principles, the Department of Commerce's guidance provides that an entity must comply with the U.S. law.

Part 160—Subpart C—Compliance and Enforcement

Proposed § 164.522 included five paragraphs addressing activities related to the Secretary's enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.

Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities of covered entities to keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, and permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and provided that the Secretary could seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and would prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.

We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, “Compliance and Enforcement.” Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations of “this subpart” to violations of “the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.” Third, the final rule at § 160.306(a) provides that any person, not just an “individual” (the person who is the subject of the individually identifiable health information), may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. Seventh, § 160.310(c)(1) provides that the Secretary must be provided access to a covered entity's facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160.312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.

Part 164—Subpart A—General Provisions

Section 164.102—Statutory Basis

In the NPRM, we provided that the provisions of this part are adopted pursuant to the Secretary's authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104-191. The final rule adopts this language.

Section 164.104—Applicability

In the NPRM, we provided that except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act. The final rule adopts this language.

Section 164.106—Relationship to Other Parts

The final rule adds a new provision stating that in complying with the requirements of this part, covered entities are required to comply with the applicable provisions of parts 160 and 162 of this subchapter. This language references Subchapter C in this regulation, Administrative Data Standards and Related Requirements; Part 160, General Administrative Requirements; and Part 162, Administrative Requirements. Part 160 includes requirements such as keeping records and submitting compliance reports to the Secretary and cooperating with the Secretary's complaint investigations and compliance reviews. Part 162 includes requirements such as requiring a covered entity that conducts an electronic transaction, adopted under this part, with another covered entity to conduct the transaction as a standard transaction as adopted by the Secretary.

Part 164—Subparts B-D—Reserved

Part 164—Subpart E—Privacy

Section 164.500—Applicability

The discussion below describes the entities and the information that are subject to the final regulation.

Many of the provisions of the regulation are presented as “standards.” Generally, the standards indicate what must be accomplished under the regulation and implementation specifications describe how the standards must be achieved.

Covered Entities

We proposed in the NPRM to apply the standards in the regulation to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The proposal referred to these entities as “covered entities.”

We have revised § 164.500 to clarify the applicability of the rule to health care clearinghouses. As we stated in the preamble to the NPRM, we believe that in most instances health care clearinghouses will receive protected health information as a business associate to another covered entity. This understanding was confirmed by the comments and by our fact finding. Clearinghouses rarely have direct contact with individuals, and usually will not be in a position to create protected health information or to receive it directly from them. Unlike health plans and providers, clearinghouses usually convey and repackage information and do not add materially to the substance of protected health information of an individual.

The revised language provides that clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. As revised, a clearinghouse acting as a business associate is subject only to the provisions of this section, to the definitions, to the general rules for uses and disclosures of protected health information (subject to limitations), to the provision relating to health care components, to the provisions relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required (subject to limitations), to the transition requirements and to the compliance date. With respect to the uses and disclosures authorized under § 164.502 or § 164.512, a clearinghouse acting as a business associate is not authorized by the rule to make any use or disclosure not permitted by its business associate contract. Clearinghouses acting as business associates are not subject to the other requirements of this rule, which include the provisions relating to procedural requirements, requirements for obtaining consent, individual authorization or agreement, provision of a notice, individual rights to request privacy protection, access and amend information and receive an accounting of disclosures and the administrative requirements.

We note that, even as business associates, clearinghouses remain covered entities. Clearinghouses, like other covered entities, are responsible under this regulation for abiding by the terms of business associate contracts. For example, while the provisions regarding individuals' access to and right to request corrections to protected health information about them apply only to health plans and covered health care providers, clearinghouses may have some responsibility for providing such access under their business associate contracts. A clearinghouse (or any other covered entity) that violates the terms of a business associate contract also is in direct violation of this rule and, as a covered entity, is subject to compliance and enforcement action.

We clarify that a covered entity is only subject to these rules to the extent that it possesses protected health information. Moreover, these rules only apply with regard to protected health information. For example, if a covered entity does not disclose to or receive from its business associate any protected health information, and no protected health information is created or received by its business associate on behalf of the covered entity, then the business associate requirements of this rule do not apply.

We clarify that the Department of Defense or any other federal agency, and any non-governmental organization acting on its behalf, is not subject to this rule when it provides health care in another country to foreign national beneficiaries. The Secretary believes that this exemption is warranted because application of the rule could have the unintended effect of impeding or frustrating the conduct of such activities, such as interfering with the ability of military command authorities to obtain protected health information on prisoners of war, refugees, or detainees for whom they are responsible under international law. See the preamble to the definition of “individual” for further discussion.

Covered Information

We proposed in the NPRM to apply the requirements of the rule to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity. The provisions would have applied to the information itself, referred to as protected health information in the rule, and not to the particular records in which the information is contained. We proposed that once information was maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists while held by a covered entity. The proposal would not have applied to information that was never electronically maintained or transmitted by a covered entity.

In the final rule, we extend the scope of protections to all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See § 164.501, definition of “protected health information,” for further discussion.)

Section 164.501—Definitions

Correctional Institution

The proposed rule did not define the term correctional institution. The final rule defines correctional institution as any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. This language was necessary to explain the privacy rights and protections of inmates in this regulation.

Covered Functions

We add a new term, “covered functions,” as a shorthand way of expressing and referring to the functions that the entities covered by section 1172(a) of the Act perform. Section 1171 defines the terms “health plan”, “health care provider”, and “health care clearinghouse” in functional terms. Thus, a “health plan” is an individual or group plan “that provides, or pays the cost of, medical care * * *”, a “health care provider” “furnish[es] health care services or supplies,” and a “health care clearinghouse” is an entity “that processes or facilitates the processing of * * * data elements of health information * * *”. Covered functions, therefore, are the activities that any such entity engages in that are directly related to operating as a health plan, health care provider, or health care clearinghouse; that is, they are the functions that make it a health plan, health care provider, or health care clearinghouse.

The term “covered functions” is not intended to include various support functions, such as computer support, payroll and other office support, and similar support functions, although we recognize that these support functions must occur in order for the entity to carry out its health care functions. Because such support functions are often also performed for parts of an organization that are not doing functions directly related to the health care functions and may involve access to and/or use of protected health information, the rules below describe requirements for ensuring that workforce members who perform these support functions do not impermissibly use or disclose protected health information. See § 164.504.

Data Aggregation

The NPRM did not include a definition of data aggregation. In the final rule, data aggregation is defined, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, as the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. The definition is included in the final rule to help describe how business associates can assist covered entities to perform health care operations that involve comparative analysis of protected health information from otherwise unaffiliated covered entities. Data aggregation is a service that gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate.

Designated Record Set

In the proposed rule, we defined designated record set as “a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual.” We defined a “record” as “any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.”

In the final rule, we modify the definition of designated record set to specify certain records maintained by or for a covered entity that are always part of a covered entity's designated record sets and to include other records that are used to make decisions about individuals. We do not use the means of retrieval of a record as a defining criterion.

For health plans, designated record sets include, at a minimum, the enrollment, payment, claims adjudication, and case or medical management record systems of the plan. For covered health care providers, designated record sets include, at a minimum, the medical record and billing record about individuals maintained by or for the provider. In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. We note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity's designated record sets. Although we do not specify particular types of records that are always included in the designated record sets of clearinghouses when they are not acting as business associates, this definition includes a group of records that such a clearinghouse uses, in whole or in part, to make decisions about individuals.

For the most part we retain, with slight modifications, the definition of “record,” defining it as any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated.

Direct Treatment Relationship

This term was not included in the proposed rule. Direct treatment relationship means a relationship between a health care provider and an individual that is not an indirect treatment relationship (see definition of indirect treatment relationship, below). For example, outpatient pharmacists and Web-based providers generally have direct treatment relationships with patients. Outpatient pharmacists fill prescriptions written by other providers, but they furnish the prescription and advice about the prescription directly to the patient, not through another treating provider. Web-based providers generally deliver health care independently, without the orders of another provider.

A provider may have direct treatment relationships with some patients and indirect treatment relationships with others. In some provisions of the final rule, providers with indirect treatment relationships are excepted from requirements that apply to other providers. See § 164.506 regarding consent for uses and disclosures of protected health information for treatment, payment, and health care operations, and § 164.520 regarding notice of information practices. These exceptions apply only with respect to the individuals with whom the provider has an indirect treatment relationship.

Disclosure

We proposed to define “disclosure” to mean the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. The final rule is unchanged. We note that the transfer of protected health information from a covered entity to a business associate is a disclosure for purposes of this regulation.

Health Care Operations

The preamble to the proposed rule explained that in order for treatment and payment to occur, protected health information must be used within entities and shared with business partners. In the proposed rule we provided a definition for “health care operations” to clarify the activities we considered to be “compatible with and directly related to” treatment and payment and for which protected health information could be used or disclosed without individual authorization. These activities included conducting quality assessment and improvement activities, reviewing the competence or qualifications and accrediting/licensing of health care professionals and plans, evaluating health care professional and health plan performance, training future health care professionals, insurance activities relating to the renewal of a contract for insurance, conducting or arranging for medical review and auditing services, and compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding. Recognizing the dynamic nature of the health care industry, we acknowledged that the specified categories may need to be modified as the industry evolves.

The preamble discussion of the proposed general rules listed certain activities that would not be considered health care operations because they were sufficiently unrelated to treatment and payment to warrant requiring an individual to authorize such use or disclosure. Those activities included: marketing of health and non-health items and services; disclosure of protected health information for sale, rent or barter; use of protected health information by a non-health related division of an entity; disclosure of protected health information for eligibility, enrollment, underwriting, or risk rating determinations prior to an individual's enrollment in a health plan; disclosure to an employer for employment determinations; and fundraising.

In the final rule, we do not change the general approach of defining health care operations: health care operations are the listed activities undertaken by the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the operations of a second covered entity); a covered entity may use any protected health information it maintains for its operations (e.g., a plan may use protected health information about former enrollees as well as current enrollees); we expand the proposed list to reflect many changes requested by commenters.

We modify the proposal that health care operations represent activities “in support of” treatment and payment functions. Instead, in the final rule, health care operations are the enumerated activities to the extent that the activities are related to the covered entity's functions as a health care provider, health plan or health care clearinghouse, i.e., the entity's “covered functions.” We make this change to clarify that health care operations includes general administrative and business functions necessary for the covered entity to remain a viable business. While it is possible to draw a connection between all the enumerated activities and “treatment and payment,” for some general business activities (e.g., audits for financial disclosure statements) that connection may be tenuous. The proposed concept also did not include the operations of those health care clearinghouses that may be covered by this rule outside their status as business associate to a covered entity. We expand the definition to include disclosures for the enumerated activities of organized health care arrangements in which the covered entity participates. See also the definition of organized health care arrangements, below.

In addition, we make the following changes and additions to the enumerated subparagraphs:

(1) We add language to clarify that the primary purpose of the studies encompassed by “quality assessment and improvement activities” must not be to obtain generalizable knowledge. A study with such a purpose would meet the rule's definition of research, and use or disclosure of protected health information would have to meet the requirements of §§ 164.508 or 164.512(i). Thus, studies may be conducted as a health care operation if development of generalizable knowledge is not the primary goal. However, if the study changes and the covered entity intends the results to be generalizable, the change should be documented by the covered entity as proof that, when initiated, the primary purpose was health care operations.

We add population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not entail direct patient care. Many commenters recommended adding the term “disease management” to health care operations. We were unable, however, to find a generally accepted definition of the term. Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment. This topic is discussed further in the comment responses below.

(2) We have deleted “undergraduate and graduate” as a qualifier for “students,” to make the term more general and inclusive. We add the term “practitioners.” We expand the purposes encompassed to include situations in which health care providers are working to improve their skills. The rule also adds the training of non-health care professionals.

(3) The rule expands the range of insurance related activities to include those related to the creation, renewal or replacement of a contract for health insurance or health benefits, as well as ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss and excess of loss insurance). For these activities, we also eliminate the proposed requirement that these uses and disclosures apply only to protected health information about individuals already enrolled in a health plan. Under this provision, a group health plan that wants to replace its insurance carrier may disclose certain protected health information to insurance issuers in order to obtain bids on new coverage, and an insurance carrier interested in bidding on new business may use protected health information obtained from the potential new client to develop the product and pricing it will offer. For circumstances in which no new contract is issued, we add a provision in § 164.514(g) restricting the recipient health plan from using or disclosing protected health information obtained for this purpose, other than as required by law. Uses and disclosures in these cases come within the definition of “health care operations,” provided that the requirements of § 164.514(g) are met, if applicable. See § 164.504(f) for requirements for such disclosures by group health plans, as well as specific restrictions on the information that may be disclosed to plan sponsors for such purposes. We note that a covered health care provider must obtain an authorization under § 164.508 in order to disclose protected health information about an individual for purposes of pre-enrollment underwriting; the underwriting is not an “operation” of the provider and that disclosure is not otherwise permitted by a provision of this rule.

(4) We delete reference to the “compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding” and replace it with a broader reference to conducting or arranging for “legal services.”

We add two new categories of activities:

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.

(6) Business management activities and general administrative functions, such as management activities relating to implementation of and compliance with the requirements of this subchapter, fundraising for the benefit of the covered entity to the extent permitted without authorization under § 164.514(f), and marketing of certain services to individuals served by the covered entity, to the extent permitted without authorization under § 164.514(e) (see discussion in the preamble to that section, below). For example, under this category we permit uses or disclosures of protected health information to determine from whom an authorization should be obtained, for example to generate a mailing list of individuals who would receive an authorization request.

We add to the definition of health care operations disclosure of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the transfer or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508, or if the disclosure is otherwise permitted under this rule.

We also add to health care operations disclosure of protected health information for resolution of internal grievances. These uses and disclosures include disclosure to an employee and/or employee representative, for example when the employee needs protected health information to demonstrate that the employer's allegations of improper conduct are untrue. We note that such employees and employee representatives are not providing services to or for the covered entity, and, therefore, no business associate contract is required. Also included are resolution of disputes from patients or enrollees regarding the quality of care and similar matters.

We also add use for customer service, including the provision of data and statistical analyses for policyholders, plan sponsors, or other customers, as long as the protected health information is not disclosed to such persons. We recognize that part of the general management of a covered entity is customer service. We clarify that customer service may include the use of protected health information to provide data and statistical analyses. For example, a plan sponsor may want to understand why its costs are rising faster than average, or why utilization in one plant location is different than in another location. An association that sponsors an insurance plan for its members may want information on the relative costs of its plan in different areas. Some plan sponsors may want more detailed analyses that attempt to identify health problems in a work site. We note that when a plan sponsor has several different group health plans, or when such plans provide insurance or coverage through more than one health insurance issuer or HMO, the covered entities may jointly engage in this type of analysis as a health care operation of the organized health care arrangement.

This activity qualifies as a health care operation only if it does not result in the disclosure of protected health information to the customer. The results of the analyses must be presented in a way that does not disclose protected health information. A disclosure of protected health information to the customer as a health care operation under this provision violates this rule. This provision is not intended to permit covered entities to circumvent other provisions in this rule, including requirements relating to disclosures of protected health information to plan sponsors or the requirements relating to research. See § 164.504(f) and § 164.512(i).

We use the term customer to provide flexibility to covered entities. We do not intend the term to apply to persons with whom the covered entity has no other business; this provision is intended to permit covered entities to provide service to their existing customer base.

We note that this definition, either alone or in conjunction with the definition of “organized health care arrangement,” allows an entity such as an integrated staff model HMO, whether legally integrated or a group of associated entities that hold themselves out as an organized arrangement, to share protected health information under § 164.506. In these cases, the sharing of protected health information will be either for the operations of the disclosing entity or for the organized health care arrangement in which the entity is participating.

Whether a disclosure is allowable for health care operations under this provision is determined separately from whether a business associate contract is required. These provisions of the rule operate independently. Disclosures for health care operations may be made to an entity that is neither a covered entity nor a business associate of the covered entity. For example, a covered academic medical center may disclose certain protected health information to community health care providers who participate in one of its continuing medical education programs, whether or not such providers are covered health care providers under this rule. A provider attending a continuing education program is not thereby performing services for the covered entity sponsoring the program and, thus, is not a business associate for that purpose. Similarly, health plans may disclose for due diligence purposes to another entity that may or may not be a covered entity or a business associate.

Health Oversight Agency

The proposed rule would have defined “health oversight agency” as “an agency, person, or entity, including the employees or agents thereof, (1) That is: (i) A public agency; or (ii) A person or entity acting under grant of authority from or contract with a public agency; and (2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for determining compliance with program standards.” The proposed rule also described the functions of health oversight agencies in the proposed health oversight section (§ 164.510(c)) by repeating much of this definition.

In the final rule, we modify the definition of health oversight agency by eliminating from the definition the language in proposed § 164.510(c) (now § 164.512(d)). In addition, the final rule clarifies this definition by specifying that a “health oversight agency” is an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or grantees, that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

The preamble to the proposed rule listed the following as examples of health oversight agencies that conduct oversight activities relating to the health care system: state insurance commissions, state health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, state Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. The proposed rule listed the Social Security Administration and the Department of Education as examples of health oversight agencies that conduct oversight of government benefit programs for which health information is relevant to beneficiary eligibility. The proposed rule listed the Occupational Health and Safety Administration and the Environmental Protection Agency as examples of oversight agencies that conduct oversight of government regulatory programs for which health information is necessary for determining compliance with program standards.

In the final rule, we include the following as additional examples of health oversight activities: (1) The U.S. Department of Justice's civil rights enforcement activities, and in particular, enforcement of the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), as well as the EEOC's civil rights enforcement activities under titles I and V of the ADA; (2) the FDA's oversight of food, drugs, biologics, devices, and other products pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act (42 U.S.C. 201 et seq.); and (3) data analysis—performed by a public agency or by a person or entity acting under grant of authority from or under contract with a public agency—to detect health care fraud.

“Overseeing the health care system,” which is included in the definition of health oversight, encompasses activities such as: oversight of health care plans; oversight of health benefit plans; oversight of health care providers; oversight of health care and health care delivery; oversight activities that involve resolution of consumer complaints; oversight of pharmaceuticals, medical products and devices, and dietary supplements; and a health oversight agency's analysis of trends in health care costs, quality, health care delivery, access to care, and health insurance coverage for health oversight purposes.

We recognize that health oversight agencies, such as the U.S. Department of Labor's Pension and Welfare Benefits Administration, may perform more than one type of health oversight. For example, agencies may sometimes perform audits and investigations and at other times conduct general oversight of health benefit plans. Such entities are considered health oversight agencies under the rule for any and all of the health oversight functions that they perform.

The definition of health oversight agency does not include private organizations, such as private-sector accrediting groups. Accreditation organizations are performing health care operations functions on behalf of health plans and covered health care providers. Accordingly, in order to obtain protected health information without individuals' authorizations, accrediting groups must enter into business associate agreements with health plans and covered health care providers for these purposes. Similarly, private entities, such as coding committees, that help government agencies that are health plans make coding and payment decisions are performing health care payment functions on behalf of the government agencies and, therefore, must enter into business associate agreements in order to receive protected health information from the covered entity (absent individuals' authorization for such disclosure).

Indirect Treatment Relationship

This term was not included in the proposed rule. An “indirect treatment relationship” is a relationship between a health care provider and an individual in which the provider delivers health care to the individual based on the orders of another health care provider and the health care services, products, diagnoses, or results are typically furnished to the patient through another provider, rather than directly. For example, radiologists and pathologists generally have indirect treatment relationships with patients because they deliver diagnostic services based on the orders of other providers and the results of those services are furnished to the patient through the direct treating provider. This definition is necessary to clarify the relationships between providers and individuals in the regulation. For example, see the consent discussion at § 164.506.

Individual

We proposed to define “individual” to mean the person who is the subject of the protected health information. We proposed that the term include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), the following types of legal representatives:

(1) With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person's rights in such contexts.

(2) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual with respect to the protected health information relating to such care.

(3) With respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent's estate.

In addition, we proposed to exclude from the definition:

(1) Foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the Department of Defense or other federal agency or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute.

(2) Overseas foreign national beneficiaries of health care provided by the Department of Defense or other federal agency or by a non-governmental organization acting on its behalf.

In the final rule, we eliminate from the definition of “individual” the provisions designating a legal representative as the “individual” for purposes of exercising certain rights with regard to protected health information. Instead, we include in the final rule a separate standard for “personal representatives.” A covered entity must treat a personal representative of an individual as the individual except under specified circumstances. See discussion in § 164.502(g) regarding personal representatives.

In addition, we eliminate from the definition of “individual” the above exclusions for foreign military and diplomatic personnel and overseas foreign national beneficiaries. We address the special circumstances for use and disclosure of protected health information about individuals who are foreign military personnel in § 164.512(k). We address overseas foreign national beneficiaries in § 164.500, “Applicability.” The protected health information of individuals who are foreign diplomatic personnel and their dependents is not subject to special treatment under the final rule.

Individually identifiable health information about one individual may exist in the health records of another individual; health information about one individual may include health information about a second person. For example, a patient's medical record may contain information about the medical conditions of the patient's parents, children, and spouse, as well as their names and contact information. For the purpose of this rule, if information about a second person is included within the protected health information of an individual, the second person is not the person who is the subject of the protected health information. The second person is not the “individual” with regard to that protected health information, and under this rule thus does not have the individual's rights (e.g., access and amendment) with regard to that information.

Individually Identifiable Health Information

We proposed to define “individually identifiable health information” to mean information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

In the final rule, we change “created by or received from a health care provider * * *” to “created or received by a health care provider * * *” in order to conform to the statute. We otherwise retain the definition of “individually identifiable health information” without change in the final rule.

Inmate

The proposed rule did not define the term inmate. In the final rule, it is defined as a person incarcerated in or otherwise confined to a correctional institution. The addition of this definition is necessary to explain the privacy rights and protections of inmates in this regulation.

Law Enforcement Official

The proposed rule would have defined a “law enforcement official” as “an official of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to conduct: (1) An investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or (2) a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.”

The final rule modifies this definition slightly. The definition in the final rule recognizes that law enforcement officials are empowered to prosecute cases as well as to conduct investigations and civil, criminal, or administrative proceedings. In addition, the definition in the final rule reflects the fact that when investigations begin, often it is not clear that law has been violated. Thus, the final rule describes law enforcement investigations and official proceedings as inquiring into a potential violation of law. In addition, it describes law enforcement-related civil, criminal, or administrative proceedings as arising from alleged violation of law.

Marketing

The proposed rule did not include a definition of “marketing.” The proposed rule generally required that a covered entity would need an authorization from an individual to use or disclose protected health information for marketing.

In the final rule we define marketing as a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service. The definition does not limit the type or means of communication that are considered marketing.

The definition of marketing contains three exceptions. If a covered entity receives direct or indirect remuneration from a third party for making a written communication otherwise described in an exception, then the communication is not excluded from the definition of marketing. The activities we except from the definition of marketing are encompassed by the definitions of treatment, payment, and health care operations. Covered entities may therefore use and disclose protected health information for these excepted activities without authorization under § 164.508 and pursuant to any applicable consent obtained under § 164.506.

The first exception applies to communications made by a covered entity for the purpose of describing the entities participating in a provider network or health plan network. It also applies to communications made by a covered entity for the purpose of describing if and the extent to which a product or service, or payment for a product or service, is provided by the covered entity or included in a benefit plan. This exception permits covered entities to use or disclose protected health information when discussing topics such as the benefits and services available under a health plan, the payment that may be made for a product or service, which providers offer a particular product or service, and whether a provider is part of a network or whether (and what amount of) payment will be provided with respect to the services of particular providers. This exception expresses our intent not to interfere with communications made to individuals about their health benefits.

The second exception applies to communications tailored to the circumstances of a particular individual, made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual. This exception leaves health care providers free to use or disclose protected health information as part of a discussion of its products and services, or the products and services of others, and to prescribe, recommend, or sell such products or services, as part of the treatment of an individual. This exception includes activities such as referrals, prescriptions, recommendations, and other communications that address how a product or service may relate to the individual's health. This exception expresses our intent not to interfere with communications made to individuals about their treatment.

The third exception applies to communications tailored to the circumstances of a particular individual and made by a health care provider or health plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, providers, or settings of care. As with the previous exception, this exception permits covered entities to discuss freely their products and services and the products and services of third parties, in the course of managing an individual's care or providing or discussing treatment alternatives with an individual, even when such activities involve the use or disclosure of protected health information.

Section 164.514 contains provisions governing use or disclosure of protected health information in marketing communications, including a description of certain marketing communications that may use or include protected health information but that may be made by a covered entity without individual authorization. The definition of health care operations includes those marketing communications that may be made without an authorization pursuant to § 164.514. Covered entities may therefore use and disclose protected health information for these activities pursuant to any applicable consent obtained under § 164.506, or, if they are not required to obtain a consent under § 164.506, without one.

Organized Health Care Arrangement

This term was not used in the proposed rule. We define the term in order to describe certain arrangements in which participants need to share protected health information about their patients to manage and benefit the common enterprise. To allow uses and disclosures of protected health information for these arrangements, we also add language to the definition of “health care operations.” See discussion of that term above.

We include five arrangements within the definition of organized health care arrangement. The arrangements involve clinical or operational integration among legally separate covered entities in which it is often necessary to share protected health information for the joint management and operations of the arrangement. They may range in legal structure, but a key component of these arrangements is that individuals who obtain services from them have an expectation that these arrangements are integrated and that they jointly manage their operations. We include within the definition a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. Perhaps the most common example of this type of organized health care arrangement is the hospital setting, where a hospital and a physician with staff privileges at the hospital together provide treatment to the individual. Participants in such clinically integrated settings need to be able to share health information freely not only for treatment purposes, but also to improve their joint operations. For example, any physician with staff privileges at a hospital must be able to participate in the hospital's morbidity and mortality reviews, even when the particular physician's patients are not being discussed. Nurses and other hospital personnel must also be able to participate. These activities benefit the common enterprise, even when the benefits to a particular participant are not evident. While protected health information may be freely shared among providers for treatment purposes under other provisions of this rule, some of these joint activities also support the health care operations of one or more participants in the joint arrangement. Thus, special rules are needed to ensure that this rule does not interfere with legitimate information sharing among the participants in these arrangements.

We also include within the definition an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and in which the joint activities of the participating covered entities include at least one of the following: utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf; quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or payment activities, if the financial risk for delivering health care is shared in whole or in part by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk. A common example of this type of organized health care arrangement is an independent practice association formed by a large number of physicians. They may advertise themselves as a common enterprise (e.g., Acme IPA), whether or not they are under common ownership or control, whether or not they practice together in an integrated clinical setting, and whether or not they share financial risk.

If such a group engages jointly in one or more of the listed activities, the participating covered entities will need to share protected health information to undertake such activities and to improve their joint operations. In this example, the physician participants in the IPA may share financial risk through common withhold pools with health plans or similar arrangements. The IPA participants who manage the financial arrangements need protected health information about all the participants' patients in order to manage the arrangement. (The participants may also hire a third party to manage their financial arrangements.) If the participants in the IPA engage in joint quality assurance or utilization review activities, they will need to share protected health information about their patients much as participants in an integrated clinical setting would. Many joint activities that require the sharing of protected health information benefit the common enterprise, even when the benefits to a particular participant are not evident.

We include three relationships related to group health plans as organized health care arrangements. First, we include a group health plan and an issuer or HMO with respect to the group health plan within the definition, but only with respect to the protected health information of the issuer or HMO that relates to individuals who are or have been participants or beneficiaries in the group health plan. We recognize that many group health plans are funded partially or fully through insurance, and that in some cases the group health plan and issuer or HMO need to coordinate operations to properly serve the enrollees. Second, we include a group health plan and one or more other group health plans, each of which is maintained by the same plan sponsor. We recognize that in some instances plan sponsors provide health benefits through a combination of group health plans, and that they may need to coordinate the operations of such plans to better serve the participants and beneficiaries of the plans. Third, we include a combination of group health plans maintained by the same plan sponsor and the health insurance issuers and HMOs with respect to such plans, but again only with respect to the protected health information of such issuers and HMOs that relates to individuals who are or have been enrolled in such group health plans. We recognize that in some instances a plan sponsor may provide benefits through more than one group health plan, and that such plans may fund the benefits through one or more issuers or HMOs. Again, coordinating health care operations among these entities may be necessary to serve the participants and beneficiaries in the group health plans. We note that the necessary coordination may involve the business associates of the covered entities and may involve the participation of the plan sponsor to the extent that it is providing plan administration functions and subject to the limits in § 164.504.

Payment

We proposed the term payment to mean:

(1) The activities undertaken by or on behalf of a covered entity that is:

(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or

(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.

(2) Activities that constitute payment include:

(i) Determinations of coverage, adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, and medical data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(v) Utilization review activities, including precertification and preauthorization of services.

In the final rule, we maintain the general approach of defining payment: payment activities are described generally in the first clause of the definition, and specific examples are given in the second clause. Payment activities relate to the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the payment activities of a second covered entity). A covered entity may use or disclose only the protected health information about the individual to whom care was rendered for its payment activities (e.g., a provider may disclose protected health information only about the patient to whom care was rendered in order to obtain payment for that care, or only the protected health information about persons enrolled in the particular health plan that seeks to audit the provider's records). We expand the proposed list to reflect many changes requested by commenters.

We add eligibility determinations as an activity included in the definition of payment. We expand coverage determinations to include the coordination of benefits and the determination of a specific individual's cost sharing amounts. The rule deletes activities related to the improvement of methods of paying or coverage policies from this definition and instead includes them in the definition of health care operations. We add to the definition “collection activities.” We replace “medical data processing” activities with health care data processing related to billing, claims management, and collection activities. We add activities for the purpose of obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance). Utilization review activities now include concurrent and retrospective review of services.

In addition, we modify this definition to clarify that the activities described in section 1179 of the Act are included in the definition of “payment.” We add new subclause (vi) allowing covered entities to disclose to consumer reporting agencies an individual's name, address, date of birth, social security number and payment history, account number, as well as the name and address of the individual's health care provider and/or health plan, as appropriate. Covered entities may make disclosure of this protected health information to consumer reporting agencies for purposes related to collection of premiums or reimbursement. This allows reporting not just of missed payments and overdue debt but also of subsequent positive payment experience (e.g., to expunge the debt). We consider such positive payment experience to be “related to” collection of premiums or reimbursement.

The remaining activities described in section 1179 are included in other language in this definition. For example, “authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care” are covered by paragraph (2)(iii) of the definition, which allows use and disclosure of protected health information for “billing, claims management, collection activities and related health care data processing.” “Claims management” also includes auditing payments, investigating and resolving payment disputes, and responding to customer inquiries regarding payments. Disclosure of protected health information for compliance with civil or criminal subpoenas, or with other applicable laws, is covered under § 164.512 of this regulation. (See discussion above regarding the interaction between section 1179 and this regulation.)

We modify the proposed regulation text to clarify that payment includes activities undertaken to reimburse health care providers for treatment provided to individuals.

Covered entities may disclose protected health information for payment purposes to any other entity, regardless of whether it is a covered entity. For example, a health care provider may disclose protected health information to a financial institution in order to cash a check or to a health care clearinghouse to initiate electronic transactions. However, if a covered entity engages another entity, such as a billing service or a financial institution, to conduct payment activities on its behalf, the other entity may meet the definition of “business associate” under this rule. For example, an entity is acting as a business associate when it is operating the accounts receivable system on behalf of a health care provider.

Similarly, payment includes disclosure of protected health information by a health care provider to an insurer that is not a “health plan” as defined in this rule, to obtain payment. For example, protected health information may be disclosed to obtain reimbursement from a disability insurance carrier. We do not interpret the definition of “payment” to include activities that involve the disclosure of protected health information by a covered entity, including a covered health care provider, to a plan sponsor for the purpose of obtaining payment under a group health plan maintained by such plan sponsor, or for the purpose of obtaining payment from a health insurance issuer or HMO with respect to a group health plan maintained by such plan sponsor, unless the plan sponsor is performing plan administration pursuant to § 164.504(f).

The Transactions Rule adopts standards for electronic health care transactions, including two for processing payments. We adopted the ASC X12N 835 transaction standard for “Health Care Payment and Remittance Advice” transactions between health plans and health care providers, and the ASC X12N 820 standard for “Health Plan Premium Payments” transactions between entities that arrange for the provision of health care or provide health care coverage payments and health plans. Under these two transactions, information to effect funds transfer is transmitted in a part of the transaction separable from the part containing any individually identifiable health information.

We note that a covered entity may conduct the electronic funds transfer portion of the two payment standard transactions with a financial institution without restriction, because it contains no protected health information. The protected health information contained in the electronic remittance advice or the premium payment enrollee data portions of the transactions is not necessary either to conduct the funds transfer or to forward the transactions. Therefore, a covered entity may not disclose the protected health information to a financial institution for these purposes. A covered entity may transmit the portions of the transactions containing protected health information through a financial institution if the protected health information is encrypted so it can be read only by the intended recipient. In such cases no protected health information is disclosed and the financial institution is acting solely as a conduit for the individually identifiable data.

Plan Sponsor

In the final rule we add a definition of “plan sponsor.” We define plan sponsor by referencing the definition of the term provided in section 3(16)(B) of the Employee Retirement Income Security Act (ERISA). The plan sponsor is the employer or employee organization, or both, that establishes and maintains an employee benefit plan. In the case of a plan established by two or more employers, it is the association, committee, joint board of trustees, or other similar group or representative of the parties that establish and maintain the employee benefit plan. This term includes church health plans and government health plans. Group health plans may disclose protected health information to plan sponsors who conduct payment and health care operations activities on behalf of the group health plan if the requirements for group health plans in § 164.504 are met.

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.

Protected Health Information

We proposed to define “protected health information” to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For purposes of this definition, we proposed to define “electronically transmitted” as including information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and “faxback” systems. We proposed that this definition not include “paper-to-paper” faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail.

Further, “electronically maintained” was proposed to mean information stored by a computer or on any electronic medium from which the information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

The proposal's definition explicitly excluded:

(1) Individually identifiable health information that is part of an “education record” governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g.

(2) Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

In this final rule we expand the definition of protected health information to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. Specifically, we delete the conditions for individually identifiable health information to be “electronically maintained” or “electronically transmitted” and the corresponding definitions of those terms. Instead, the final rule defines protected health information to be individually identifiable health information that is:

(1) Transmitted by electronic media;

(2) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

(3) Transmitted or maintained in any other form or medium.

We refer to electronic media, as defined in § 162.103, which means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

The definition of protected health information is set out in this form to emphasize the severability of this provision. As discussed below, we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. We have structured the definition this way so that, if a court were to disagree with our view of our authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information.

Other provisions of the rules below may also be severable, depending on their scope and operation. For example, if the rule itself provides a fallback, as it does with respect to the various discretionary uses and disclosures permitted under § 164.512, the provisions would be severable under case law.

The definition in the final rule retains the exception relating to individually identifiable health information in “education records” governed by FERPA. We also exclude the records described in 20 U.S.C. 1232g(a)(4)(B)(iv). These are records of students held by post-secondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student's request. (See discussion of FERPA above.)

We have removed the exception for individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. Individually identifiable health information about inmates is protected health information under the final rule, and special rules for use and disclosure of the protected health information about inmates and their ability to exercise the rights granted in this rule are described below.

Psychotherapy Notes

Section 164.508(a)(3)(iv)(A) of the proposed rule defined psychotherapy notes as notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. The proposed definition excluded medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis and progress. Furthermore, we stated in the preamble of the proposed rule that psychotherapy notes would have to be maintained separately from the medical record.

In this final rule, we retain the definition of psychotherapy notes that we had proposed, but add to the regulation text the requirement that, to meet the definition of psychotherapy notes, the information must be separated from the rest of the individual's medical record.

Public Health Authority

The proposed rule would have defined “public health authority” as “an agency or authority of the United States, a state, a territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.”

The final rule changes this definition slightly to clarify that a “public health authority” also includes a person or entity acting under a grant of authority from or contract with a public health agency. Therefore, the final rule defines this term as an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Required By Law

In the preamble to the NPRM, we did not include a definition of “required by law.” We discussed what it meant for an action to be considered to be “required” or “mandated” by law and included several examples of activities that would be considered required by law for the purposes of the proposed rule; for instance, a disclosure made in response to a valid Inspector General subpoena, grand jury subpoena, or civil investigative demand, or pursuant to a statute or regulation requiring production of information justifying a claim, would constitute a disclosure required by law.

In the final rule we include a new definition, move the preamble clarifications to the regulatory text, and add several items to the illustrative list. For purposes of this regulation, “required by law” means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Among the examples listed in the definition are Medicare conditions of participation with respect to health care providers participating in that program, court-ordered warrants, and subpoenas issued by a court. We note that disclosures “required by law” include disclosures of protected health information required by this regulation in § 164.502(a)(2). The definition does not include contracts between private parties or similar voluntary arrangements. This list is illustrative only and is not intended in any way to limit the scope of this paragraph or other paragraphs in § 164.512 that permit uses or disclosures to the extent required by other laws. We note that nothing in this rule compels a covered entity to make a use or disclosure required by the legal demands or prescriptions listed in this clarification or by any other law or legal process, and a covered entity remains free to challenge the validity of such laws and processes.

Research

We proposed to define “research” as it is defined in the Federal Policy for the Protection of Human Subjects, at 45 CFR part 46, subpart A (referred to elsewhere in this rule as the “Common Rule”), and in addition, elaborated on the meaning of the term “generalizable knowledge.” In § 164.504 of the proposed rule we defined research as “* * * a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. ‘Generalizable knowledge’ is knowledge related to health that can be applied to populations outside of the population served by the covered entity.”

The final rule eliminates the further elaboration of “generalizable knowledge.” Therefore, the rule defines “research” as the term is defined in the Common Rule: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

Research Information Unrelated to Treatment

We delete this definition and the associated requirements from the final rule. Refer to § 164.508(f) for new requirements regarding authorizations for research that includes treatment of the individual.

Treatment

The proposed rule defined “treatment” as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. The preamble noted that the definition was intended to relate only to services provided to an individual and not to an entire enrolled population.

In the final rule, we do not change the general approach to defining treatment: treatment means the listed activities undertaken by any health care provider, not just a covered health care provider. A plan can disclose protected health information to any health care provider to assist the provider's treatment activities; and a health care provider may use protected health information about an individual to treat another individual. A health care provider may use any protected health information it maintains for treatment purposes (e.g., a provider may use protected health information about former patients as well as current patients). We modify the proposed list of treatment activities to reflect changes requested by commenters.

Specifically, we modify the proposed definition of “treatment” to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. “Treatment” includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider.

Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan.

We delete specific reference to risk assessment, case management, and disease management. Activities often referred to as risk assessment, disease management, and case management are treatment activities only to the extent that they are services provided to a particular patient by a health care provider; population-based analyses or records review for the purposes of treatment protocol development or modification are health care operations, not treatment activities. If a covered entity is licensed as both a health plan and a health care provider, a single activity could be considered to be both treatment and health care operations; for compliance purposes we would consider the purpose of the activity. Given the integration of the health care system, we believe that further classification of activities into either treatment or health care operations would not be helpful. See the definition of health care operations for additional discussion.

Use

We proposed to define “use” to mean the employment, application, utilization, examination, or analysis of information within an entity that holds the information. In the final rule, we clarify that use refers to the use of individually identifiable health information. We replace the term “holds” with the term “maintains.” These changes are for clarity only, and are not intended to effect any substantive change.

Section 164.502—General Rules for Uses and Disclosures of Protected Health Information

Section 164.502(a)—Use and Disclosure for Treatment, Payment and Health Care Operations

As a general rule, we proposed in the NPRM to prohibit covered entities from using or disclosing protected health information except as authorized by the individual who is the subject of such information or as explicitly permitted by the rule. The proposed rule explicitly would have permitted covered entities to use or disclose an individual's protected health information without authorization for treatment, payment, and health care operations. The proposal would not have restricted to whom disclosures could be made for the purposes of treatment, payment, or operations. The proposal would have allowed disclosure of the protected health information of one individual for the treatment or payment of another, as appropriate. We also proposed to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment, and health care operations unless required by state or other applicable law.

We proposed two exceptions to this general rule which prohibited covered entities from using or disclosing research information unrelated to treatment or psychotherapy notes for treatment, payment, or health care operations purposes unless a specific authorization was obtained from the subject of the information. In addition, we proposed that a covered entity be prohibited from conditioning treatment, enrollment in a health plan or payment decisions on a requirement that the individual provide a specific authorization for the disclosure of these two types of information (see proposed § 164.508(a)(3)(iii)).

We also proposed to permit covered entities to use or disclose an individual's protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. In addition, the proposal would have permitted covered entities to use and disclose protected health information when required to do so by other law or pursuant to an authorization from the individual allowing them to use or disclose the information for purposes other than treatment, payment or health care operations.

We proposed to require covered entities to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about themselves and for enforcement of the rule.

We proposed not to require covered entities to vary the level of protection accorded to protected health information based on the sensitivity of such information. In addition, we proposed to require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements.

In the final rule, the general standard remains that covered entities may use or disclose protected health information only as permitted or required by this rule. However, we make significant changes to the conditions under which uses and disclosures are permitted.

We revise the application of the general standard to require covered health care providers who have a direct treatment relationship with an individual to obtain a general “consent” from the individual in order to use or disclose protected health information about the individual for treatment, payment and health care operations (for details on who must obtain such consents and the requirements they must meet, see § 164.506). These consents are intended to accommodate both the covered provider's need to use or disclose protected health information for treatment, payment, and health care operations, and also the individual's interest in understanding and acquiescing to such uses and disclosures. In general, other covered entities are permitted to use and disclose protected health information to carry out treatment, payment, or health care operations (as defined in this rule) without obtaining such consent, as in the proposed rule. Covered entities must, as under the proposed rule, obtain the individual's “authorization” in order to use or disclose psychotherapy notes for most purposes: see § 164.508(a)(2) for exceptions to this rule. We delete the proposed special treatment of “research information unrelated to treatment.”

We revise the application of the general standard to require all covered entities to obtain the individual's verbal “agreement” before using or disclosing protected health information for facility directories, to persons assisting in the individual's care, and for other purposes described in § 164.510. Unlike “consent” and “authorization,” verbal agreement may be informal and implied from the circumstances (for details on who must obtain such agreements and the requirements they must meet, see § 164.510). Verbal agreements are intended to accommodate situations where it is neither appropriate to remove from the individual the ability to control the protected health information nor appropriate to require formal, written permission to share such information. For the most part, these provisions reflect current practices.

As under the proposed rule, we permit covered entities to use or disclose protected health information without the individual's consent, authorization or agreement for specified public policy purposes, in compliance with the requirements in § 164.512.

We permit covered entities to disclose protected health information to the individual who is the subject of that information without any condition. We note that this may include disclosures to “personal representatives” of individuals as provided by § 164.502(g).

We permit a covered entity to use or disclose protected health information for other lawful purposes if the entity obtains a written “authorization” from the individual, consistent with the provisions of § 164.508. Unlike “consents,” these “authorizations” are specific and detailed. (For details on who must obtain such authorizations and the requirements they must meet, see § 164.508.) They are intended to provide the individuals with concrete information about, and control over, the uses and disclosures of protected health information about themselves.

The final rule retains the provision that requires a covered entity to disclose protected health information only in two instances: When individuals request access to information about themselves, and when disclosures are compelled by the Secretary for compliance and enforcement purposes.

Finally, § 164.502(a)(1) also requires covered entities to use or disclose protected health information in compliance with the other provisions of § 164.502, for example, consistent with the minimum necessary standard, to create de-identified information, or to a personal representative of an individual. These provisions are described below.

We note that a covered entity may use or disclose protected health information as permitted by and in accordance with a provision of this rule, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under another provision of this rule.

Section 164.502(b)—Minimum Necessary Uses and Disclosures

The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)). This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. In the final rule, § 164.502(b) contains the basic standard and § 164.514 describes the requirements for implementing the standard. Therefore we discuss all aspects of the minimum necessary standard and specific requirements below in the discussion of § 164.514(d).

Section 164.502(c)—Uses and Disclosures Under a Restriction Agreement

The proposed rule would have required that covered health care providers permit individuals to request restrictions of uses and disclosures of protected health information and would have prohibited covered providers from using or disclosing protected health information in violation of any agreed-to restriction.

The final rule retains an individual's right to request restrictions on uses or disclosures for treatment, payment or health care operations and prohibits a covered entity from using or disclosing protected health information in a way that is inconsistent with an agreed upon restriction between the covered entity and the individual, but makes some changes to this right. Most significantly, under the final rule individuals have the right to request restrictions of all covered entities. This standard is set forth in § 164.522. Details about the changes to the standard are explained in the preamble discussion to § 164.522.

Section 164.502(d)—Creation of De-identified Information

In proposed § 164.506(d) of the NPRM, we proposed to permit use of protected health information for the purpose of creating de-identified information and we provided detailed mechanisms for doing so.

In § 164.502(d) of the final rule, we permit a covered entity to use protected health information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. We clarify that de-identified information created in accordance with our procedures (which have been moved to § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of protected health information. See the preamble to § 164.514(a) for further discussion.

Section 164.502(e)—Business Associates

In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We proposed to define the term “business partner” to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.

In the final rule, we change the term “business partner” to “business associate” and in the definition clarify the full range of circumstances in which a person is acting as a business associate of a covered entity. (See definition of “business associate” in § 160.103.) These changes mean that § 164.502(e) requires a business associate contract (or other arrangement, as applicable) not only when the covered entity discloses protected health information to a business associate, but also when the business associate creates or receives protected health information on behalf of the covered entity.

In the final rule, we modify the proposed standard and implementation specifications for business associates in a number of significant ways. These modifications are explained in the preamble discussion of § 164.504(e).

Section 164.502(f)—Deceased Individuals

We proposed to extend privacy protections to the protected health information of a deceased individual for two years following the date of death. During the two-year time frame, we proposed in the definition of “individual” that the right to control the deceased individual's protected health information would be held by an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent's estate. The only proposed exception to this standard allowed for uses and disclosures of a decedent's protected health information for research purposes without the authorization of a legal representative and without the Institutional Review Board (IRB) or privacy board approval required (in proposed § 164.510(j)) for most other uses and disclosures for research.

In the final rule (§ 164.502(f)), we modify the standard to extend protection of protected health information about deceased individuals for as long as the covered entity maintains the information. We retain the exception for uses and disclosures for research purposes, now part of § 164.512(i), but also require that the covered entity take certain verification measures prior to release of the decedent's protected health information for such purposes (see §§ 164.514(h) and 164.512(i)(1)(iii)).

We remove from the definition of “individual” the provision related to deceased persons. Instead, we create a standard for “personal representatives” (§ 164.502(g), see discussion below) that requires a covered entity to treat a personal representative of an individual as the individual in certain circumstances, i.e., allows the representative to exercise the rights of the individual. With respect to deceased individuals, the final rule describes when a covered entity must allow a person who otherwise is permitted under applicable law to act with respect to the interest of the decedent or on behalf of the decedent's estate, to make decisions regarding the decedent's protected health information.

The final rule also adds a provision to § 164.512(g) that permits covered entities to disclose protected health information to a funeral director, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are permitted both after death and in reasonable anticipation of death.

Section 164.502(g)—Personal Representatives

In the proposed rule we defined “individual” to include certain persons who were authorized to act on behalf of the person who is the subject of the protected health information. For adults and emancipated minors, the NPRM provided that “individual” includes a legal representative to the extent to which applicable law permits such legal representative to exercise the individual's rights in such contexts. With respect to unemancipated minors, we proposed that the definition of “individual” include a parent, guardian, or person acting in loco parentis (hereinafter referred to as “parent”), except when an unemancipated minor obtained health care services without the consent of, or notification to, a parent. Under the proposed rule, if a minor obtained health care services under these conditions, the minor would have had the exclusive rights of an individual with respect to the protected health information related to such health care services.

In the final rule, the definition of “individual” is limited to the subject of the protected health information, which includes unemancipated minors and other individuals who may lack capacity to act on their own behalf. We remove from the definition of “individual” the provisions regarding legal representatives. The circumstances in which a representative must be treated as an individual for purposes of this rule are addressed in a separate standard titled “personal representatives.” (§ 164.502(g)). The standard regarding personal representatives incorporates some changes to the proposed provisions regarding legal representatives. In general, under the final regulation, the “personal representatives” provisions are directed at the more formal representatives, while § 164.510(b) addresses situations in which persons are informally acting on behalf of an individual.

With respect to adults or emancipated minors, we clarify that a covered entity must treat a person as a personal representative of an individual if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian and a person with a power of attorney, as set forth in the NPRM, but may also include other persons. The authority of a personal representative under this rule is limited: the representative must be treated as the individual only to the extent that protected health information is relevant to the matters on which the personal representative is authorized to represent the individual. For example, if a person's authority to make health care decisions for an individual is limited to decisions regarding treatment for cancer, such person is a personal representative and must be treated as the individual with respect to protected health information related to the cancer treatment of the individual. Such a person is not the personal representative of the individual with respect to all protected health information about the individual, and therefore, a covered entity may not disclose protected health information that is not relevant to the cancer treatment to the person, unless otherwise permitted under the rule. We intend this provision to apply to persons empowered under state or other law to make health related decisions for an individual, whether or not the instrument or law granting such authority specifically addresses health information.

In addition, we clarify that with respect to an unemancipated minor, if under applicable law a parent may act on behalf of an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this rule with respect to protected health information relevant to such personal representation, with three exceptions. Under the general rule, in most circumstances the minor would not have the capacity to act as the individual, and the parent would be able to exercise rights and authorities on behalf of the minor. Under the exceptions to the rule on personal representatives of unemancipated minors, the minor, and not the parent, would be treated as the individual and able to exercise the rights and authorities of an individual under the rule. These exceptions occur if: (1) The minor consents to a health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative; (2) the minor may lawfully obtain such health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such health care service; or (3) a parent assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. We note that the definition of health care includes services, but we use “health care service” in this provision to clarify that the scope of the rights of minors under this rule is limited to the protected health information related to a particular service.

Under this provision, we do not provide a minor with the authority to act under the rule unless the state has given them the ability to obtain health care without consent of a parent, or the parent has assented. In addition, we defer to state law where the state authorizes or prohibits disclosure of protected health information to a parent. See part 160, subpart B, Preemption of State Law. This rule does not affect parental notification laws that permit or require disclosure of protected health information to a parent. However, the rights of a minor under this rule are not otherwise affected by such notification.

In the final rule, the provision regarding personal representatives of deceased individuals has been changed to clarify the provision. The policy has not changed substantively from the NPRM.

Finally, we added a provision in the final rule to permit covered entities to elect not to treat a person as a personal representative in abusive situations. Under this provision, a covered entity need not treat a person as a personal representative of an individual if the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative and the covered entity has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual.

Section 164.502(g) requires a covered entity to treat a person that meets the requirements of a personal representative as the individual (with the exceptions described above). We note that disclosure of protected health information to a personal representative is mandatory under this rule only if disclosure to the individual is mandatory. Disclosure to the individual is mandatory only under §§ 164.524 and 164.528. Further, as noted above, the personal representative's rights are limited by the scope of its authority under other law. Thus, this provision does not constitute a general grant of authority to personal representatives.

We make disclosure to personal representatives mandatory to ensure that an individual's rights under §§ 164.524 and 164.528 are preserved even when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other individuals. If the covered entity were to have the discretion to recognize a personal representative as the individual, there could be situations in which no one could invoke an individual's rights under these sections.

We continue to allow covered entities to use their discretion to disclose certain protected health information to family members, relatives, close friends, and other persons assisting in the care of an individual, in accordance with § 164.510(b). We recognize that many health care decisions take place on an informal basis, and we permit disclosures in certain circumstances to permit this practice to continue. Health care providers may continue to use their discretion to address these informal situations.

Section 164.502(h)—Confidential Communications

In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. The NPRM did provide individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but providers were not required to agree to such a restriction.

In the final rule, we require covered providers to accommodate reasonable requests by patients about how the covered provider communicates with the individual. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual at his or her place of employment, or to send communications to a designated address. Covered providers must accommodate the request unless it is unreasonable. Similarly, the final rule permits individuals to request that health plans communicate with them by alternative means, and the health plan must accommodate such a request if it is reasonable and the individual states that disclosure of the information could endanger the individual. The specific provisions relating to confidential communications are in § 164.522.

Section 164.502(i)—Uses and Disclosures Consistent with Notice

We proposed to prohibit covered entities from using or disclosing protected health information in a manner inconsistent with their notice of information practices. We retain this provision in the final rule. See § 164.520 regarding notice content and distribution requirements.

Section 164.502(j)—Disclosures by Whistleblowers and Workforce Member Crime Victims

Disclosures by Whistleblowers

In § 164.518(c)(4) of the NPRM we addressed the issue of whistleblowers by proposing that a covered entity not be held in violation of this rule because a member of its workforce or a person associated with a business associate of the covered entity used or disclosed protected health information that such person believed was evidence of a civil or criminal violation, and any disclosure was: (1) Made to relevant oversight agencies or law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law had occurred or to assess the remedies or actions at law that may be available to the person disclosing the information.

We included an extensive discussion on how whistleblower actions can further the public interest, including reference to the need in some circumstances to utilize protected health information for this purpose as well as reference to the qui tam provisions of the Federal False Claims Act.

In the final rule we retitle the provision and include it in § 164.502 to reflect the fact that these disclosures are not made by the covered entity and therefore this material does not belong in the section on safeguarding information against disclosure.

We retain the basic concept in the NPRM of providing protection to a covered entity for the good faith whistleblower action of a member of its workforce or a business associate. We clarify that a whistleblower disclosure by an employee, subcontractor, or other person associated with a business associate is considered a whistleblower disclosure of the business associate under this provision. However, in the final rule, we modify the scope of circumstances under which a covered entity is protected in whistleblower situations. A covered entity is not in violation of the requirements of this rule when a member of its workforce or a business associate of the covered entity discloses protected health information to: (i) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity; (ii) an appropriate health care accreditation organization; or (iii) an attorney, for the purpose of determining his or her legal options with respect to whistleblowing. We delete disclosures to a law enforcement official.

We expand the scope of this section to cover disclosures of protected health information to an oversight or accreditation organization for the purpose of reporting breaches of professional standards or problems with quality of care. The covered entity will not be in violation of this rule, provided that the disclosing individual believes in good faith that the covered entity has engaged in conduct which is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by the covered entity potentially endanger one or more patients, workers or the public. Since these provisions only relate to whistleblower actions in relation to the covered entity, disclosure of protected health information to expose malfeasant conduct by another person, such as knowledge gained during the course of treatment about an individual's illicit drug use, would not be protected activity.

We clarify that this section only applies to protection of a covered entity, based on the whistleblower action of a member of its workforce or business associates. Since the HIPAA legislation only applies to covered entities, not their workforces, it is beyond the scope of this rule to directly regulate the whistleblower actions of members of a covered entity's workforce.

In the NPRM, we had proposed to require covered entities to apply sanctions to members of their workforce who improperly disclose protected health information. In this final rule, we retain this requirement in § 164.530(e)(1) but modify the proposed provision on sanctions to clarify that the sanctions required under this rule do not apply to workforce members of a covered entity for whistleblower disclosures.

Disclosures by Workforce Members Who Are Crime Victims

The proposed rule did not address disclosures by workforce members who are victims of a crime. In the final rule, we clarify that a covered entity is not in violation of the rule when a workforce member of a covered entity who is the victim of a crime discloses protected health information to law enforcement officials about the suspected perpetrator of the crime. We limit the amount of protected health information that may be disclosed to the limited information for identification and location described in § 164.512(f)(2).

We note that this provision is similar to the provision in § 164.512(f)(5), which permits a covered entity to disclose protected health information to law enforcement that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. This provision differs in that it permits the disclosure even if the crime occurred somewhere other than on the premises of the covered entity. For example, if a hospital employee is the victim of an attack outside of the hospital, but spots the perpetrator sometime later when the perpetrator seeks medical care at the hospital, the workforce member who was attacked may notify law enforcement of the perpetrator's location and other identifying information. We do not permit, however, the disclosure of protected health information other than that described in § 164.512(f)(2).

Section 164.504—Uses and Disclosures—Organizational Requirements—Component Entities, Affiliated Entities, Business Associates and Group Health Plans

Section 164.504(a)-(c)—Health Care Component (Component Entities)

In the preamble to the proposed rule we introduced the concept of a “component entity” to differentiate the health care unit of a larger organization from the larger organization. In the proposal we noted that some organizations that are primarily involved in non-health care activities do provide health care services or operate health plans or health care clearinghouses. Examples included a school with an on-site health clinic and an employer that self administers a sponsored health plan. In such cases, the proposal said that the health care component of the entity would be considered the covered entity, and any release of information from that component to another office or person in the organization would be a regulated disclosure. We would have required such entities to create barriers to prevent protected health information from being used or disclosed for activities not authorized or permitted under the proposal.

We discuss group health plans and their relationships with plan sponsors below under “Requirements for Group Health Plans.”

In the final rule we address the issue of differentiating health plan, covered health care provider and health care clearinghouse activities from other functions carried out by a single legal entity in paragraphs (a)-(c) of § 164.504. We have created a new term, “hybrid entity”, to describe the situation where a health plan, health care provider, or health care clearinghouse is part of a larger legal entity; under the definition, a “hybrid entity” is “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” The term “covered functions” is discussed above under § 164.501. By “single legal entity” we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.

The health care component rules are designed for the situation in which the health care functions of the legal entity are not its dominant mission. Because some part of the legal entity meets the definition of a health plan or other covered entity, the legal entity as a whole could be required to comply with the rules below. However, in such a situation, it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities may have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions. On the other hand, where most of what the covered entity does consists of covered functions, it makes sense to require the entity as a whole to comply with the rules. The provisions at §§ 164.504(a)-(c) provide that for a hybrid entity, the rules apply only to the part of the entity that is the health care component. At the same time, the lack of corporate boundaries increases the risk that protected health information will be used in a manner that would not otherwise be permitted by these rules. Thus, we require that the covered entity erect firewalls to protect against the improper use or disclosure within or by the organization. See § 164.504(c)(2).

The term “primary functions” in the definition of “hybrid entity” is not meant to operate with mathematical precision. Rather, we intend that a more common sense evaluation take place: Is most of what the covered entity does related to its health care functions? If so, then the whole entity should be covered. Entities with different insurance lines, if not separately incorporated, present a particular issue with respect to this analysis. Because the definition of “health plan” excludes many types of insurance products (in the exclusion under paragraph (2)(i) of the definition), we would consider an entity that has one or more of these lines of insurance in addition to its health insurance lines to come within the definition of “hybrid entity,” because the other lines of business constitute substantial parts of the total business operation and are required to be separate from the health plan(s) part of the business.

An issue that arises in the hybrid entity situation is what records are covered in the case of an office of the hybrid entity that performs support functions for both the health care component of the entity and for the rest of the entity. For example, this situation could arise in the context of a company with an onsite clinic (which we will assume is a covered health care provider), where the company's business office maintains both clinic records and the company's personnel records. Under the definition of the term “health care component,” the business office is part of the health care component (in this hypothetical, the clinic) “to the extent that” it is performing covered functions on behalf of the clinic involving the use or disclosure of protected health information that it receives from, creates or maintains for the clinic. Part of the business office, therefore, is part of the health care component, and part of the business office is outside the health care component. This means that the non-health care component part of the business office is not covered by the rules below. Under our hypothetical, then, the business office would not be required to handle its personnel records in accordance with the rules below. The hybrid entity would be required to establish firewalls with respect to these record systems, to ensure that the clinic records were handled in accordance with the rules.

With respect to excepted benefits, the rules below operate as follows. (Excepted benefits include accident, disability income, liability, workers' compensation and automobile medical payment insurance.) Excepted benefit programs are excluded from the health care component (or components) through the definition of “health plan.” If a particular organizational unit performs both excepted benefits functions and covered functions, the activities associated with the excepted benefits program may not be part of the health care component. For example, an accountant who works for a covered entity with both a health plan and a life insurer would have his or her accounting functions performed for the health plan as part of the component, but not the life insurance accounting function. See § 164.504(c)(2)(iii). We require this segregation of excepted benefits because HIPAA does not cover such programs, policies and plans, and we do not permit any use or disclosure of protected health information for the purposes of operating or performing the functions of the excepted benefits without authorization from the individual, except as otherwise permitted in this rule.

In § 164.504(c)(2) we require covered entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by its other organizational units that would not be otherwise permitted by this rule. We note that section 1173(d)(1)(B) of HIPAA requires policies and procedures to isolate the activities of a health care clearinghouse from a “larger organization” to prevent unauthorized access by the larger organization. This safeguard provision is consistent with the statutory requirement and extends to any covered entity that performs “non-covered entity functions” or operates or conducts functions of more than one type of covered entity.

Because, as noted, the covered entity in the hybrid entity situation is the legal entity itself, we state explicitly what is implicitly the case, that the covered entity (legal entity) remains responsible for compliance vis-a-vis subpart C of part 160. See § 164.504(c)(3)(i). We do this simply to make these responsibilities clear and to avoid confusion on this point. Also, in the hybrid entity situation the covered entity/legal entity has control over the entire workforce, not just the workforce of the health care component. Thus, the covered entity is in a position to implement policies and procedures to ensure that the part of its workforce that is doing mixed or non-covered functions does not impermissibly use or disclose protected health information. Its responsibility to do so is clarified in § 164.504(c)(3)(ii).

Section 164.504(d)—Affiliated Entities

Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.

Section 164.504(e)—Business Associates

In the NPRM, we proposed to require a contract between a covered entity and a business associate, except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for the purposes of consultation or referral. A covered entity would have been in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business associate and it failed to take reasonable steps to cure the breach or terminate the contract. We proposed in the preamble that when a covered entity acted as a business associate to another covered entity, the covered entity that was acting as business associate also would have been responsible for any violations of the regulation.

We also proposed that covered health care providers receiving protected health information for consultation or referral purposes would still have been subject to this rule, and could not have used or disclosed such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we noted that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider had agreed to impose (e.g., the disclosing provider had provided notice to its patients that it would not make disclosures for research).

We proposed that business associates would not have been permitted to use or disclose protected health information in ways that would not have been permitted of the covered entity itself under these rules, and covered entities would have been required to take reasonable steps to ensure that protected health information disclosed to a business associate remained protected.

In the NPRM (proposed § 164.506(e)(2)) we would have required that the contractual agreement between a covered entity and a business associate be in writing and contain provisions that would:

  • Prohibit the business associate from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract.
  • Prohibit the business associate from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity.
  • Require the business associate to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract.
  • Require the business associate to report to the covered entity any use or disclosure of the protected health information of which the business associate becomes aware that is not provided for in the contract.
  • Require the business associate to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  • Require the business associate to provide access to non-duplicative protected health information to the subject of that information, in accordance with proposed § 164.514(a).
  • Require the business associate to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to the Secretary for the purposes of enforcing the provisions of this rule.
  • Require the business associate, at termination of the contract, to return or destroy all protected health information received from the covered entity that the business associate still maintains in any form to the covered entity and prohibit the business associate from retaining such protected health information in any form.
  • Require the business associate to incorporate any amendments or corrections to protected health information when notified by the covered entity that the information is inaccurate or incomplete.
  • State that individuals who are the subject of the protected health information disclosed are intended to be third party beneficiaries of the contract.
  • Authorize the covered entity to terminate the contract, if the covered entity determines that the business associate has violated a material term of the contract.

We also stated in the preamble to the NPRM that the contract could have included any additional arrangements that did not violate the provisions of this regulation.

We explained in the preamble to the NPRM that a business associate (including business associates that are covered entities) that had contracts with more than one covered entity would have had no authority to combine, aggregate or otherwise use for a single purpose protected health information obtained from more than one covered entity unless doing so would have been a lawful use or disclosure for each of the covered entities that supplied the protected health information that is being combined, aggregated or used. In addition, the business associate would have had to have been authorized through the contract or arrangement with each covered entity that supplied the protected health information to combine or aggregate the information. A covered entity would not have been permitted to obtain protected health information through a business associate that it could not otherwise obtain itself.

In the final rule we retain the overall approach proposed: covered entities may disclose protected health information to persons that meet the rule's definition of business associate, or hire such persons to obtain or create protected health information for them, only if covered entities obtain specified satisfactory assurances from the business associate that it will appropriately handle the information; the regulation specifies the elements of such satisfactory assurances; covered entities have responsibilities when such specified satisfactory assurances are violated by the business associate. We retain the requirement that specified satisfactory assurances must be obtained if a covered entity's business associate is also a covered entity. We note that a master business associate contract or MOU that otherwise meets the requirements regarding specified satisfactory assurances meets the requirements with respect to all the signatories.

A covered entity may disclose protected health information to a business associate, consistent with the other requirements of the final rule, as necessary to permit the business associate to perform functions and activities for or on behalf of the covered entity, or to provide the services specified in the business associate definition to or for the covered entity. As discussed below, a business associate may only use the protected health information it receives in its capacity as a business associate to a covered entity as permitted by its contract or agreement with the covered entity.

We do not attempt to directly regulate business associates, but pursuant to our authority to regulate covered entities we place restrictions on the flow of information from covered entities to non-covered entities. We add a provision to clarify that a violation of a business associate agreement by a covered entity that is a business associate of another covered entity constitutes a violation of this rule.

In the final rule, we make significant changes to the requirements regarding business associates. As explained below in more detail: we make significant changes to the content of the required contractual satisfactory assurances; we include exceptions for arrangements that would otherwise meet the definition of business associate; we make special provisions for government agencies that by law cannot enter into contracts with one another or that operate under other legal requirements incompatible with some aspects of the required contractual satisfactory assurances; we provide a new mechanism for covered entities to hire a third party to aggregate data.

The final rule provides several exceptions to the business associate requirements, where a business associate relationship would otherwise exist. We substantially expand the exception for disclosure of protected health information for treatment. Rather than allowing disclosures without business associate assurances only for the purpose of consultation or referral, in the final rule we allow covered entities to make any disclosure of protected health information for treatment purposes to a health care provider without a business associate arrangement. This provision includes all activities that fall under the definition of treatment.

We do not require a business associate contract for a group health plan to make disclosures to the plan sponsor, to the extent that the health plan meets the applicable requirements of § 164.504(f).

We also include an exception for certain jointly administered government programs providing public benefits. Where a health plan that is a government program provides public benefits, such as SCHIP and Medicaid, and where eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or where the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and the joint activities are authorized by law, no business associate contract is required with respect to the collection and sharing of individually identifiable health information for the performance of the authorized functions by the health plan and the agency other than the agency administering the health plan. We note that the phrase “government programs providing public benefits” refers to programs offering benefits to specified members of the public and not to programs that offer benefits only to employees or retirees of government agencies.

We note that we do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases, the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.

In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate's material violation of the contract, in the following ways. We delete the proposed language requiring covered entities to “take reasonable steps to ensure” that each business associate complies with the rule's requirements. Additionally, we now require covered entities to take reasonable steps to cure a breach or terminate the contract for business associate behaviors only if they know of a material violation by a business associate. In implementing this standard, we will view a covered entity that has substantial and credible evidence of a violation as knowing of such violation. While this standard relieves the covered entity of the need to actively monitor its business associates, a covered entity nonetheless is expected to investigate when it receives complaints or other information that contain substantial and credible evidence of violations by a business associate, and it must act upon any knowledge of such violation that it possesses. We note that a whistleblowing disclosure by a business associate of a covered entity that meets the requirements of § 164.502(j)(1) does not put the covered entity in violation of this rule, and the covered entity has no duty to correct or cure, or to terminate the relationship.

We also qualify the requirement for terminating contracts with non-compliant business associates. The final rule still requires that the business associate contract authorize the covered entity to terminate the contract, if the covered entity determines that the business associate has violated a material term of the contract, and it requires the covered entity to terminate the contract if steps to cure such a material breach fail. The rule now stipulates, however, that if the covered entity is unable to cure a material breach of the business associate's obligation under the contract, it is expected to terminate the contract, when feasible. This qualification has been added to accommodate circumstances where terminating the contract would be unreasonably burdensome on the covered entity, such as when there are no viable alternatives to continuing a contract with that particular business associate. It does not mean, for instance, that the covered entity can choose to continue the contract with a non-compliant business associate merely because it is more convenient or less costly than contracts with other potential business associates. We also require that if a covered entity determines that it is not feasible to terminate a non-compliant business associate, the covered entity must notify the Secretary.

We retain all of the requirements for a business associate contract that were listed in proposed § 164.506(e)(2), with some modifications. See § 164.504(e)(2).

We retain the requirement that the business associate contract must provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law. We do not mean by this requirement that the business associate contract must specify each and every use and disclosure of protected health information permitted to the business associate. Rather, the contract must state the purposes for which the business associate may use and disclose protected health information, and must indicate generally the reasons and types of persons to whom the business associate may make further disclosures. For example, attorneys often need to provide information to potential witnesses, opposing counsel, and others in the course of their representation of a client. The business associate contract pursuant to which protected health information is provided to its attorney may include a general statement permitting the attorney to disclose protected health information to these types of people, within the scope of its representation of the covered entity.

We retain the requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity, but we add two exceptions. First, we permit a covered entity to authorize a business associate to use and disclose protected health information it receives in its capacity as a business associate for its proper management and administration and to carry out its legal responsibilities. The contract must limit further disclosures of the protected health information for these purposes to those that are required by law and to those for which the business associate obtains reasonable assurances that the protected health information will be held confidentially and that it will be notified by the person to whom it discloses the protected health information of any breaches of confidentiality.

Second, we permit a covered entity to authorize the business associate to provide data aggregation services to the covered entity. As discussed above in § 164.501, data aggregation, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, is the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. We added this service to the business associate definition to clarify the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. We except data aggregation from the general requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity in order to permit the combining or aggregation of protected health information received in its capacity as a business associate of different covered entities when it is performing this service. In many cases, the combining of this information for the respective health care operations of the covered entities is not something that the covered entities could do—a covered entity cannot generally disclose protected health information to another covered entity for the disclosing covered entity's health care operations. However, we permit covered entities that enter into business associate contracts with a business associate for data aggregation to permit the business associate to combine or aggregate the protected health information they disclose to the business associate for their respective health care operations.

We note that there may be other instances in which a business associate may combine or aggregate protected health information received in its capacity as a business associate of different covered entities, such as when it is performing health care operations on behalf of covered entities that participate in an organized health care arrangement. A business associate that is performing payment functions on behalf of different covered entities also may combine protected health information when it is necessary, such as when the covered entities share financial risk or otherwise jointly bill for services.

In the final rule we clarify that the business associate contract must require the business associate to make available protected health information for amendment and to incorporate such amendments. The business associate contract must also require the business associate to make available the information required to provide an accounting of disclosures. We provide more flexibility to the requirement that all protected health information be returned by the business associate upon termination of the contract. The rule now stipulates that if feasible, the protected health information should be destroyed or returned at the end of a contract. Accordingly, a contract with a business associate must state that if there are reasons that the return or destruction of the information is not feasible and the information must be retained for specific reasons and uses, such as for future audits, privacy protections must continue after the contract ends, for as long as the business associate retains the information. The contract also must state that the uses of information after termination of the contract must be limited to the specific set of uses or disclosures that make it necessary for the business associate to retain the information.

We also remove the requirement that business associate contracts contain a provision stating that individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract. Third party beneficiary or similar responsibilities may arise under these business associate arrangements by operation of state law; we do not intend in this rule to affect the operation of such state laws.

We modify the requirement that a business associate contract require the business associate to ensure that agents abide by the provisions of the business associate contract. We clarify that agents include subcontractors, and we note that a business associate contract must make the business associate responsible for ensuring that any person to whom it delegates a function, activity or service which is within its business associate contract with the covered entity agrees to abide by the restrictions and conditions that apply to the business associate under the contract. We note that a business associate will need to consider the purpose for which protected health information is being disclosed in determining whether the recipient must be bound to the restrictions and conditions of the business associate contract. When the disclosure is a delegation of a function, activity or service that the business associate has agreed to perform for a covered entity, the recipient who undertakes such a function steps into the shoes of the business associate and must be bound to the restrictions and conditions. When the disclosure is to a third party who is not performing business associate functions, activities or services for or on behalf of the covered entity, but is the type of disclosure that the covered entity itself could make without giving rise to a business associate relationship, the business associate is not required to ensure that the restrictions or conditions of the business associate contract are maintained.

For example, if a business associate acts as the billing agent of a health care provider, and discloses protected health information on behalf of the hospital to health plans, the business associate has no responsibility with respect to further uses or disclosures by the health plan. In the example above, where a covered entity has a business associate contract with a lawyer, and the lawyer discloses protected health information to an expert witness in preparation for litigation, the lawyer again would have no responsibility under this subpart with respect to uses or disclosures by the expert witness, because such witness is not undertaking the functions, activities or services that the business associate lawyer has agreed to perform. However, if a covered entity contracts with a third party administrator to provide claims management, and the administrator delegates management of the pharmacy benefits to a third party, the business associate third party administrator must ensure that the pharmacy manager abides by the restrictions and conditions in the business associate contract between the covered entity and the third party administrator.

We provide in § 164.504(c)(3) several methods other than a business associate contract that will satisfy the requirement for satisfactory assurances under this section. First, when a government agency is a business associate of another government agency that is a covered entity, we permit a memorandum of understanding between the agencies to constitute satisfactory assurance for the purposes of this rule, if the memorandum accomplishes each of the objectives of the business associate contract. We recognize that the relationships of government agencies are often organized as a matter of law, and that it is not always feasible for one agency to contract with another for all of the purposes provided for in this section. We also recognize that it may be incorrect to view one government agency as “acting on behalf of” the other government agency; under law, each agency may be acting to fulfill a statutory mission. We note that in some instances, it may not be possible for the agencies to include the right to terminate the arrangement because the relationship may be established under law. In such instances, the covered entity government agency would need to fulfill the requirement to report known violations of the memorandum to the Secretary.

Where the covered entity is a government agency, we consider the satisfactory assurances requirement to be satisfied if other law contains requirements applicable to the business associate that accomplish each of the objectives of the business associate contract. We recognize that in some cases, covered entities that are government agencies may be able to impose the requirements of this section directly on the persons acting as their business associates. We also recognize that often one government agency is acting as a business associate of another government agency, and either party may have the legal authority to establish the requirements of this section by regulation. We believe that imposing these requirements directly on business associates provides greater protection than we can otherwise provide under this section, and so we recognize such other laws as sufficient to substitute for a business associate contract.

We also recognize that there may be some circumstances where the relationship between covered entities and business associates is otherwise mandated by law. In the final rule, we provide that where a business associate is required by law to act as a business associate to a covered entity, the covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirement to have a business associate contract (or, in the case of government agencies, a memorandum of understanding or law pertaining to the business associate) if it makes a good faith attempt to obtain the satisfactory assurances required by this section and, if unable to do so, documents the attempt and the reasons that such assurances cannot be obtained. This provision addresses situations where law requires one party to act as the business associate of another party. The fact that the parties have contractual obligations that may be enforceable is not sufficient to meet the required by law test in this provision.

This provision recognizes that in some instances the law requires that a government agency act as a business associate of a covered entity. For example, the United States Department of Justice is required by law to defend tort suits brought against certain covered entities; in such circumstances, however, the United States, and not the individual covered entity, is the client and is potentially liable. In such situations, covered entities must be able to disclose protected health information needed to carry out the representation, but the particular requirements that would otherwise apply to a business associate relationship may not be possible to obtain. Subsection (iii) makes clear that, where the relationship is required by law, the covered entity complies with the rule if it attempts, in good faith, to obtain satisfactory assurances as are required by this paragraph and, if such attempt fails, documents the attempts and the reasons that such assurances cannot be obtained.

The operation of the final rule maintains the construction discussed in the preamble to the NPRM that a business associate (including a business associate that is a covered entity) that has business associate contracts with more than one covered entity generally may not use or disclose the protected health information that it creates or receives in its capacity as a business associate of one covered entity for the purposes of carrying out its responsibilities as a business associate of another covered entity, unless doing so would be a lawful use or disclosure for each of the covered entities and the business associate's contract with each of the covered entities permits the business associate to undertake the activity. For example, a business associate performing a function under health care operations on behalf of an organized health care arrangement would be permitted to combine or aggregate the protected health information obtained from covered entities participating in the arrangement to the extent necessary to carry out the authorized activity and in conformance with its business associate contracts. As described above, a business associate providing data aggregation services to different covered entities also could combine and use the protected health information of the covered entities to assist with their respective health care operations. A covered entity that is undertaking payment activities on behalf of different covered entities also may use or disclose protected health information obtained as a business associate of one covered entity when undertaking such activities as a business associate of another covered entity where the covered entities have authorized the activities and where they are necessary to secure payment for the entities. For example, when a group of providers share financial risk and contract with a business associate to conduct payment activities on their behalf, the business associate may use the protected health information received from the covered entities to assist them in managing their shared risk arrangement.

Finally, we note that the requirements imposed by this provision are intended to extend privacy protection to situations in which a covered entity discloses substantial amounts of protected health information to other persons so that those persons can perform functions or activities on its behalf or deliver specified services to it. A business associate contract basically requires the business associate to maintain the confidentiality of the protected health information that it receives and generally to use and disclose such information for the purposes for which it was provided. This requirement does not interfere with the relationship between a covered entity and business associate, or require the business associate to subordinate its professional judgment to that of a covered entity. Covered entities may rely on the professional judgment of their business associates as to the type and amount of protected health information that is necessary to carry out a permitted activity. The requirements of this provision are aimed at securing the continued confidentiality of protected health information disclosed to third parties that are serving the covered entity's interests.

Section 164.504(f)—Group Health Plans

Covered entities under HIPAA include health care clearinghouses, health care providers and health plans. Specifically included in the definition of “health plan” are group health plans (as defined in section 2791(a) of the Public Health Service Act) with 50 or more participants or those of any size that are administered by an entity other than the employer who established and maintains the plan. These group health plans may be fully insured or self-insured. Neither employers nor other group health plan sponsors are defined as covered entities. However, employers and other plan sponsors—particularly those sponsors with self-insured group health plans—may perform certain functions that are integrally related to or similar to the functions of group health plans and, in carrying out these functions, often require access to individual health information held by the group health plan.

Most group health plans are also regulated under the Employee Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group health plan must be a separate legal entity from its plan sponsor. ERISA-covered group health plans usually do not have a corporate presence; in other words, they may not have their own employees and sometimes do not have their own assets (i.e., they may be fully insured or the benefits may be funded through the general assets of the plan sponsor, rather than through a trust). Often, the only tangible evidence of the existence of a group health plan is the contractual agreement that describes the rights and responsibilities of covered participants, including the benefits that are offered and the eligible recipients.

ERISA requires the group health plan to identify a “named fiduciary,” a person responsible for ensuring that the plan is operated and administered properly and with ultimate legal responsibility for the plan. If the plan documents under which the group health plan was established and is maintained permit, the named fiduciary may delegate certain responsibilities to trustees and may hire advisors to assist it in carrying out its functions. While generally the named fiduciary is an individual, it may be another entity. The plan sponsor or employees of the plan sponsor are often the named fiduciaries. These structural and operational relationships present a problem in our ability to protect health information from being used inappropriately in employment-related decisions. On the one hand, the group health plan, and any health insurance issuer or HMO providing health insurance or health coverage to the group health plan, are covered entities under the regulation and may only disclose protected health information as authorized under the regulation or with individual consent. On the other hand, plan sponsors may need access to protected health information to carry out administration functions on behalf of the plan, but under circumstances in which securing individual consent is impractical. We note that we sometimes refer in the rule and preamble to health insurance issuers and HMOs that provide health insurance or health coverage to a group health plan as health insurance issuers or HMOs with respect to a group health plan.

The proposed rule used the health care component approach for employers and other plan sponsors. Under this approach, only the component of an employer or other plan sponsor would be treated as a covered entity. The component of the plan sponsor would have been able to use protected health information for treatment, payment, and health care operations, but not for other purposes, such as discipline, hiring and firing, placement and promotions. We have modified the final rule in a number of ways.

In the final rule, we recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate employers or other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities.

The final rule permits group health plans, and allows them to authorize health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to plan sponsors if the plan sponsors voluntarily agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan which are specified in plan documents. The group health plan is not required to have a business associate contract with the plan sponsor to disclose the protected health information or allow the plan sponsor to create protected health information on its behalf, if the conditions of § 164.504(e) are met.

In order for the group health plan to disclose protected health information to a plan sponsor, the plan documents under which the plan was established and is maintained must be amended to: (1) Describe the permitted uses and disclosures of protected health information; (2) specify that disclosure is permitted only upon receipt of a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use and disclosure of protected health information; and (3) provide adequate firewalls to: identify the employees or classes of employees who will have access to protected health information; restrict access solely to the employees identified and only for the functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance.

Any employee of the plan sponsor who receives protected health information for payment, health care operations or other matters related to the group health plan must be identified in the plan documents either by name or function. We assume that since individuals employed by the plan sponsor may change frequently, the group health plan would likely describe such individuals in a general manner. Any disclosure to employees or classes of employees not identified in the plan documents is not a permissible disclosure. To the extent a group health plan does have its own employees separate from the plan sponsor's employees, they, as the workforce of a covered entity (i.e., the group health plan), also are bound by the permitted uses and disclosures of this rule.

The certification that must be given to the group health plan must state that the plan sponsor agrees to: (1) Not use or further disclose protected health information other than as permitted or required by the plan documents or as required by law; (2) ensure that any subcontractors or agents to whom the plan sponsor provides protected health information agree to the same restrictions; (3) not use or disclose the protected health information for employment-related actions; (4) report to the group health plan any use or disclosure that is inconsistent with the plan documents or this regulation; (5) make the protected health information accessible to individuals; (6) allow individuals to amend their information; (7) provide an accounting of its disclosures; (8) make its practices available to the Secretary for determining compliance; (9) return and destroy all protected health information when no longer needed, if feasible; and (10) ensure that the firewalls have been established.

We have included this certification requirement, in part, as a way to reduce the burden on health insurance issuers and HMOs. Without a certification, health insurance issuers and HMOs would need to review the plan documents in order to ensure that the amendments have been made before they could disclose protected health information to plan sponsors. The certification, however, is a simple statement that the amendments have been made and that the plan sponsor has agreed to certain restrictions on the use and disclosure of protected health information. The receipt of the certification, therefore, is a sufficient basis for the health insurance issuer or HMO to disclose protected health information to the plan sponsor.

Many activities included in the definitions of health care operations and payment are commonly referred to as plan administration functions in the ERISA group health plan context. For purposes of this rule, plan administration activities are limited to activities that would meet the definition of payment or health care operations, but do not include functions to modify, amend, or terminate the plan or solicit bids from prospective issuers. Plan administration functions include quality assurance, claims processing, auditing, monitoring, and management of carve-out plans—such as vision and dental. Under the final rule, “plan administration” does not include any employment-related functions or functions in connection with any other benefits or benefit plans, and group health plans may not disclose information for such purposes absent an authorization from the individual. For purposes of this rule, enrollment functions performed by the plan sponsor on behalf of its employees are not considered plan administration functions.

Plan sponsors have access to protected health information only to the extent group health plans have access to protected health information and plan sponsors are permitted to use or disclose protected health information only as would be permitted by group health plans. That is, a group health plan may permit a plan sponsor to have access to or to use protected health information only for purposes allowed by the regulation.

As explained above, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance or coverage by the health insurance issuer or HMO to the group health plan does not make the health insurance issuer or HMO a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services. In addition, group health plans that provide health benefits only through an insurance contract and do not create, maintain, or receive protected health information (except for summary information described below or information that merely states whether an individual is enrolled in or has been disenrolled from the plan) do not have to meet the notice requirements of § 164.520 or the administrative requirements of § 164.530, except for the documentation requirement in § 164.530(j), because these requirements are satisfied by the issuer or HMO that is providing benefits under the group health plan. A group health plan, however, may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor unless the notice required in § 164.520 indicates that such disclosure may occur.

The final rule also permits a health plan that is providing insurance to a group health plan to provide summary information to the plan sponsor to permit the plan sponsor to solicit premium bids from other health plans or for the purpose of modifying, amending, or terminating the plan. The rule provides that summary information is information that summarizes claims history, claims expenses, or types of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan, provided that specified identifiers are not included. Summary information may be disclosed under this provision even if it does not meet the definition of de-identified information. As part of the notice requirements in § 164.520, health plans must inform individuals that they may disclose protected health information to plan sponsors. The provision to allow summaries of claims experience to be disclosed to plan sponsors that purchase insurance will allow them to shop for replacement coverage, and get meaningful bids from prospective issuers. It also permits a plan sponsor to get summary information as part of its consideration of whether or not to change the benefits that are offered to employees or whether or not to terminate a group health plan.

We note that a plan sponsor may perform enrollment functions on behalf of its employees without meeting the conditions above and without using the standard transactions described in the Transactions Rule.

Section 164.504(g)—Multiple Covered Function Entities

Although not addressed in the proposed rule, this final rule also recognizes that a covered entity may as a single legal entity, affiliated entity, or other arrangement combine the functions or operations of health care providers, health plans and health care clearinghouses (for example, integrated health plans and health care delivery systems may function as both health plans and health care providers). The rule permits such covered entities to use or disclose the protected health information of its patients or members for all covered entity functions, consistent with the other requirements of this rule. The health care component must meet the requirements of this rule that apply to a particular type of covered entity when it is functioning as that entity; e.g., when a health care component is operating as a health care provider it must meet the requirements of this rule applicable to a health care provider. However, such covered entities may not use or disclose the protected health information of an individual who is not involved in a particular covered entity function for that function, and such information must be segregated from any joint information systems. For example, an HMO may integrate data about health plan members and clinic services to members, but a health care system may not share information about a patient in its hospital with its health plan if the patient is not a member of the health plan.

Section 164.506—Uses and Disclosures for Treatment, Payment, and Health Care Operations

Introduction: “Consent” versus “Authorization”

In the proposed rule, we used the term “authorization” to describe the individual's written permission for a covered entity to use and disclose protected health information, regardless of the purpose of the use or disclosure. Authorization would have been required for all uses and disclosures that were not otherwise permitted or required under the NPRM.

We proposed to permit covered entities, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment, to use and disclose protected health information to carry out treatment, payment, and health care operations without authorization. See proposed § 164.506(a)(1).

We also proposed to prohibit covered entities from requiring individuals to sign authorizations for uses and disclosures of protected health information for treatment, payment, and health care operations, unless required by other applicable law. See proposed § 164.508(a)(iv). We instead proposed requiring covered entities to produce a notice describing their information practices, including practices with respect to uses and disclosures to carry out treatment, payment, and health care operations.

In the final rule, we retain the requirement for covered entities to obtain the individual's written permission (an “authorization”) for uses and disclosures of protected health information that are not otherwise permitted or required under the rule. However, under the final rule, we add a second type of written permission for use or disclosure of protected health information: a “consent” for uses and disclosures to carry out treatment, payment, and health care operations. In the final rule, we permit, and in some cases require, covered entities to obtain the individual's written permission for the covered entity to use or disclose protected health information other than psychotherapy notes to carry out treatment, payment, and health care operations. We refer to this written permission as a “consent.”

The “consent” and the “authorization” do not overlap. The requirement to obtain a “consent” applies in different circumstances than the requirement to obtain an authorization. In content, a consent and an authorization differ substantially from one another.

As described in detail below, a “consent” allows use and disclosure of protected health information only for treatment, payment, and health care operations. It is written in general terms and refers the individual to the covered entity's notice for further information about the covered entity's privacy practices. It allows use and disclosure of protected health information by the covered entity seeking the consent, not by other persons. Most persons who obtain a consent will be health care providers; health plans and health care clearinghouses may also seek a consent. The consent requirements appear in § 164.506 and are described in this section of the preamble.

With a few exceptions, an “authorization” allows use and disclosure of protected health information for purposes other than treatment, payment, and health care operations. In order to make uses and disclosures that are not covered by the consent requirements and not otherwise permitted or required under the final rule, covered entities must obtain the individual's “authorization.” An “authorization” must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. In some instances, a covered entity may not refuse to treat or cover individuals based on the fact that they refuse to sign an authorization. See § 164.508 and the corresponding preamble discussion regarding authorization requirements.

Section 164.506(a)—Consent Requirements

We make significant changes in the final rule with respect to uses and disclosures of protected health information to carry out treatment, payment, and health care operations. We do not prohibit covered entities from seeking an individual's written permission for use or disclosure of protected health information to carry out treatment, payment, or health care operations.

Except as described below, we instead require covered health care providers to obtain the individual's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. If the covered provider does not obtain the individual's consent, the provider is prohibited from using or disclosing protected health information about the individual for purposes of treating the individual, obtaining payment for health care delivered to the individual, or for the provider's health care operations. See § 164.506(a)(1).

We except two types of health care providers from this consent requirement. First, covered health care providers that have an indirect treatment relationship with an individual are not required to obtain the individual's consent prior to using or disclosing protected health information about the individual to carry out treatment, payment, and health care operations. An “indirect treatment relationship” is defined in § 164.501 and described in the corresponding preamble. These providers may use and disclose protected health information as otherwise permitted under the rule and consistent with their notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice). For example, a covered provider that provides consultation services to another provider without seeing the patient would have an indirect treatment relationship with that patient and would not be required to obtain the patient's consent to use protected health information about the patient for the consultation. These covered providers are, however, permitted to obtain consent, as described below.

Second, covered health care providers that create or receive protected health information in the course of providing health care to inmates of a correctional institution are not required to obtain the inmate's consent prior to using or disclosing protected health information about the inmate to carry out treatment, payment, and health care operations. See § 164.501 and the corresponding preamble discussion regarding the definitions of “correctional institution” and “inmate.” These providers may use and disclose protected health information as otherwise permitted under the rule. These providers are permitted, however, to obtain consent, as described below.

In addition, we permit covered health care providers to use and disclose protected health information, without consent, to carry out treatment, payment, and health care operations, if the protected health information was created or received in certain treatment situations. In the treatment situations described in § 164.506(a)(3) and immediately below, the covered health care provider must attempt to obtain the individual's consent. If the covered provider is unable to obtain consent, but documents the attempt and the reason consent was not obtained, the covered provider may, without consent, use and disclose the protected health information resulting from the treatment as otherwise permitted under the rule. All other protected health information about that individual that the covered health care provider creates or receives, however, is subject to the consent requirements.

This exception to the consent requirement applies to protected health information created or received in any of three treatment situations. First, the exception applies to protected health information created or received in emergency treatment situations. In these situations, covered providers must attempt to obtain the consent as soon as reasonably practicable after the delivery of the emergency treatment. Second, the exception applies to protected health information created or received in situations where the covered health care provider is required by law to treat the individual (for example, certain publicly funded providers) and the covered health care provider attempts to obtain such consent. Third, the exception applies to protected health information created or received in treatment situations where there are substantial barriers to communicating with the individual and, in the exercise of professional judgment, the covered provider clearly infers from the circumstances the individual's consent to receive treatment. For example, there may be situations in which a mentally incapacitated individual seeks treatment from a health care provider but is unable to provide informed consent to undergo such treatment and does not have a personal representative available to provide such consent on the individual's behalf. If the covered provider, in her professional judgment, believes she can legally provide treatment to that individual, we also permit the provider to use and disclose protected health information resulting from the treatment without the individual's consent. We intend covered health care providers that legally provide treatment without the individual's consent to that treatment to be able to use and disclose protected health information resulting from that treatment to carry out treatment, payment, or health care operations without obtaining the individual's consent for such use or disclosure. We do not intend to impose unreasonable barriers to individuals' ability to receive, and health care providers' ability to provide, health care.

Under § 164.506(a)(4), covered health care providers that have an indirect treatment relationship with an individual, as well as health plans and health care clearinghouses, may elect to seek consent for their own uses and disclosures to carry out treatment, payment, and health care operations. If such a covered entity seeks consent for these purposes, the consent must meet the minimum requirements described below.

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does not seek consent, the covered entity may use or disclose protected health information to carry out treatment, payment, and health care operations as otherwise permitted under the rule and consistent with its notice of privacy practices (see § 164.520 regarding notice requirements and § 164.502(i) regarding requirements to adhere to the notice).

If a covered health care provider with an indirect treatment relationship, a health plan, or a health care clearinghouse does ask an individual to sign a consent, and the individual does not do so, the covered entity is prohibited under § 164.502(a)(1) from using or disclosing protected health information for the purpose(s) included in the consent. A covered entity that seeks a consent must adhere to the individual's decision.

In § 164.506(a)(5), we specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information, unless the consent is a joint consent. See § 164.506(f) and the corresponding preamble discussion below regarding joint consents. A consent provides the individual's permission only for the covered entity that obtains the consent to use or disclose protected health information for treatment, payment, and health care operations. A consent under this section does not operate to authorize another covered entity to use or disclose protected health information, except where the other covered entity is operating as a business associate. We note that, where a covered entity is acting as a business associate of another covered entity, the business associate covered entity is acting for or on behalf of the principal covered entity, and its actions for or on behalf of the principal covered entity are authorized by the consent obtained by the principal covered entity. Thus, under this section, a health plan can obtain a consent that permits the health plan and its business associates to use and disclose protected health information that the health plan and its business associates create or receive. That consent cannot, however, permit another covered entity (that is not a business associate) to disclose protected health information to the health plan or to any other person.

If a covered entity wants to obtain the individual's permission for another covered entity to disclose protected health information to it for treatment, payment, or health care operations purposes, it must seek an authorization in accordance with § 164.508(e). For example, when a covered provider asks the individual for written permission to obtain the individual's medical record from another provider for treatment purposes, it must do so with an authorization, not a consent. Since the permission is for disclosure of protected health information by another person, a consent may not be used.

Section 164.506(b)—Consent General Requirements

In the final rule, we permit a covered health care provider to condition the provision of treatment on the receipt of the individual's consent for the covered provider to use and disclose protected health information to carry out treatment, payment, and health care operations. Covered providers may refuse to treat individuals who do not consent to uses and disclosures for these purposes. See § 164.506(b)(1). We note that there are exceptions to the consent requirements for covered health care providers that are required by law to treat individuals. See § 164.506(a)(3), described above.

Similarly, in the final rule, we permit health plans to condition an individual's enrollment in the health plan on the receipt of the individual's consent for the health plan to use and disclose protected health information to carry out treatment, payment, and health care operations, if the consent is sought in conjunction with the enrollment process. If the health plan seeks the individual's consent outside of the enrollment process, the health plan may not condition any services on obtaining such consent.

Under § 164.520, covered entities must produce a notice of privacy practices. A consent may not be combined in a single document with the notice of privacy practices. See § 164.506(b)(3).

Under § 164.506(b)(4), consents for uses and disclosures of protected health information to carry out treatment, payment, and health care operations may be combined in a single document covering all three types of activities and may be combined with other types of legal permission from the individual. For example, a consent to use or disclose protected health information under this rule may be combined with an informed consent to receive treatment, a consent to assign payment of benefits to a provider, or narrowly tailored consents required under state law for the use or disclosure of specific types of protected health information (e.g., state laws requiring specific consent for any sharing of information related to HIV/AIDS).

Within a single consent document, the consent for use and disclosure of protected health information required or permitted under this rule must be visually and organizationally separate from the other consents or authorizations and must be separately signed by the individual and dated.

Where research includes treatment of the individual, a consent under this rule may be combined with the authorization for the use or disclosure of protected health information created for the research, in accordance with § 164.508(f). (This is the only case in which an authorization under § 164.508 of this rule may be combined with a consent under § 164.506 of this rule. See § 164.508(b)(3).) The covered entity that is creating protected health information for the research may elect to combine the consent required under this section with the research-related authorization required under § 164.508(f). For example, a covered health care provider that provides health care to an individual for research purposes and for non-research purposes must obtain a consent under this section for all of the protected health information it maintains. In addition, it must obtain an authorization in accordance with § 164.508(f) which describes how it will use and disclose the protected health information it creates for the research for purposes of treatment, payment, and health care operations. Section 164.506(b)(4) permits the covered entity to satisfy these two requirements with a single document. See § 164.508(f) and the corresponding preamble discussion for a more detailed description of research authorization requirements.

Under § 164.506(b)(5), individuals may revoke a consent in writing at any time, except to the extent that the covered entity has taken action in reliance on the consent. Upon receipt of the written revocation, the covered entity must stop processing the information for use or disclosure, except to the extent that it has taken action in reliance on the consent. A covered health care provider may refuse, under this rule, to continue to treat an individual that revokes his or her consent. A health plan may disenroll an individual that revokes a consent that was sought in conjunction with the individual's enrollment in the health plan.

Covered entities must document and retain any signed consent as required by § 164.530(j).

Section 164.506(c)—Consent Content Requirements

Under § 164.506(c), the consent must be written in plain language. See the preamble discussion regarding notice of privacy practices for a description of plain language requirements. We do not provide a model consent in this rule. We will provide further guidance on drafting consent documents prior to the compliance date.

Under § 164.506(c)(1), the consent must inform the individual that protected health information may be used and disclosed by the covered entity to carry out treatment, payment, or health care operations. The covered entity must determine which of these elements (use and/or disclosure; treatment, payment, and/or health care operations) to include in the consent document, as appropriate for the covered entity's practices.

For covered health care providers that are required to obtain consent, the requirement applies only to the extent the covered provider uses or discloses protected health information. For example, if all of a covered provider's health care operations are conducted by members of the covered provider's own workforce, the covered provider may choose to obtain consent only for uses, not disclosures, of protected health information to carry out health care operations. If an individual pays out of pocket for all services received from the covered provider and the provider will not disclose any information about the patient to a third party payor, the provider may choose not to obtain the individual's consent to disclose information for payment purposes. In order for a covered provider to be able to use and disclose information for all three purposes, however, all three purposes must be included in the consent.

Under §§ 164.506(c)(2) and (3), the consent must refer the individual to the covered entity's notice for additional information about the uses and disclosures of information described in the consent. The consent must also indicate that the individual has the right to review the notice prior to signing the consent. If the covered entity has reserved the right to change its privacy practices in accordance with § 164.520(b)(1)(v)(C), the consent must indicate that the terms of the notice may change and must describe how the individual may obtain a revised notice. See § 164.520 and the corresponding preamble discussion regarding notice requirements.

Under § 164.506(c)(4), the consent must inform individuals that they have the right to request restrictions on uses and disclosures of protected health information for treatment, payment, and health care operations purposes. It must also state that the covered entity is not required to agree to an individual's request, but that if the covered entity does agree to the request, the restriction is binding on the covered entity. See § 164.522(a) regarding the right to request restrictions.

Under § 164.506(c)(5), the consent must indicate that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.

Under § 164.506(c)(6), the consent must include the individual's signature and the date of signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require any verification of the individual's identity or authentication of the individual's signature. We expect covered health care providers that are required to obtain consent to employ the same level of scrutiny to these signatures as they do to the signature obtained on a document regarding the individual's consent to undergo treatment by the provider.

Section 164.506(d)—Defective Consents

Under § 164.506(d), there is no “consent” within the meaning of the rule if the completed document lacks a required element or if the individual has revoked the consent in accordance with § 164.506(b)(5).

Section 164.506(e)—Resolving Conflicting Consents and Authorizations

Situations may arise where a covered entity that has obtained the individual's consent for the covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations is asked to disclose protected health information pursuant to another written legal permission from the individual, such as an authorization, that was obtained by another person. Under § 164.506(e), when the terms of a covered entity's consent conflict with the terms of another written legal permission from the individual to use or disclose protected health information (such as a consent obtained under state law by another covered entity or an authorization), the covered entity must adhere to the more restrictive document. By conflict, we mean that the consent and authorization contain inconsistencies. In implementing this section, we note that the consent under this section references the notice provided to the individual and the individual's right to request restrictions. In determining whether the covered entity's consent conflicts with another written legal permission provided by the individual, the covered entity must consider any limitations on its uses or disclosures resulting from the notice provided to the individual or from restrictions to which it has agreed. For example, a covered nursing home may elect to ask the patient to sign an authorization for the patient's covered primary care physician to forward the patient's medical records to the nursing home. The physician may have previously obtained the individual's consent for disclosure for treatment purposes. If the authorization obtained by the nursing home grants permission for the physician to disclose particular types of information, such as genetic information, but the consent obtained by the physician excludes such information or the physician has agreed to a restriction on that type of information, the physician may not disclose that information. The physician must adhere to the more restrictive written legal permission from the individual.

When a conflict between a consent and another written legal permission from the individual exists, as described above, the covered entity may attempt to resolve the conflict with the individual by either obtaining a new consent from the individual or by having a discussion or otherwise communicating with the individual to determine the individual's preference regarding the use or disclosure. If the individual's preference is communicated orally, the covered entity must document the individual's preference and act in accordance with that preference. In the example described above, the primary care physician could ask the patient to sign a new consent that would permit the disclosure of the genetic information. Alternatively, the physician could ask the patient whether the patient intended for the genetic information to be disclosed to the nursing home. If the patient confirms that he or she intended for the genetic information to be shared, the physician can document that fact (e.g., by making a notation in the medical record) and disclose the information to the nursing home.

We believe covered entities will rarely be faced with conflicts between consents and other written legal permission from the individual for uses and disclosures to carry out treatment, payment, and health care operations. Under § 164.506(a)(5), we specify that a consent only permits the covered entity that obtains the consent to use or disclose protected health information. A consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. Conflicting consents obtained by covered entities, therefore, are not possible. We expect authorizations that permit another covered entity to use and disclose protected health information for treatment, payment, and health care operations purposes will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. Nevertheless, covered entities are permitted under § 164.508(e) to obtain authorization for another covered entity to use or disclose protected health information to carry out treatment, payment, and health care operations. We recognize these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information. For example, these authorizations may be useful in situations where a health plan wants to obtain information from one provider in order to determine payment of a claim for services provided by a different provider (e.g., information from a primary care physician that is necessary to determine payment of services provided by a specialist) or where an individual's new physician wants to obtain the individual's medical records from prior physicians. Other persons not covered by this rule may also seek authorizations, and state law may require written permission for specific types of information, such as information related to HIV/AIDS or to mental health. Because an individual may sign conflicting documents over time, we clarify that the covered entity maintaining the protected health information to be used or disclosed must adhere to the more restrictive permission the individual has granted, unless the covered entity resolves the conflict with the individual.

Section 164.506(f)—Joint Consents

Covered entities that participate in an organized health care arrangement and that develop a joint notice under § 164.520(d) may develop a joint consent in which the individual consents to the uses and disclosures of protected health information by each of the covered entities in the arrangement to carry out treatment, payment, and/or health care operations. The joint consent must identify with reasonable specificity the covered entities, or class of covered entities, to which the joint consent applies and must otherwise meet the consent requirements. If an individual revokes a joint consent, the covered entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

If any one of the covered entities included in the joint consent obtains the individual's consent, as required above, the consent requirement is met for all of the other covered entities to which the consent applies. For example, a covered hospital and the clinical laboratory and emergency departments with which it participates in an organized health care arrangement may produce a joint notice and obtain a joint consent. If the covered hospital obtains the individual's joint consent upon admission, and some time later the individual is readmitted through the associated emergency department, the emergency department's consent requirement will already have been met. These joint consents are the only type of consent by which one covered entity can obtain the individual's permission for another covered entity to use or disclose protected health information to carry out treatment, payment, or health care operations.

Effect of Consent

These consents, as well as the authorizations described in § 164.508, should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local law or procedure. Consents obtained under this regulation are not appropriate for the disposition of more technical and legal proceedings and may not comport with procedures and standards of federal, state, or local judicial practice. For example, state courts and other decision-making bodies may choose to examine more closely the circumstances and propriety of such consent and may adopt more protective standards for application in their proceedings. In the judicial setting, as in the legislative and executive settings, states may provide for greater protection of privacy. Additionally, both the Congress and the Secretary have established a general approach to protecting from explicit preemption state laws that are more protective of privacy than the protections set forth in this regulation.

Section 164.508—Uses and Disclosures for Which an Authorization Is Required

Section 164.508(a)—Standard

We proposed to require covered entities to obtain the individual's authorization for all uses and disclosures of protected health information not otherwise permitted or required under the proposed rule. Uses and disclosures that would have been permitted without individual authorization included uses and disclosures for national priority purposes such as public health, law enforcement, and research (see proposed § 164.510) and uses and disclosures of protected health information, other than psychotherapy notes and research information unrelated to treatment, for purposes of treatment, payment, and health care operations (see proposed § 164.506). We also proposed to require covered entities to disclose protected health information to the individual for inspection and copying (see proposed § 164.514) and to the Secretary as required for enforcement of the rule (see proposed § 164.522). Individual authorization would not have been required for these uses and disclosures.

We proposed to require covered entities to obtain the individual's authorization for all other uses and disclosures of protected health information. Under proposed § 164.508(a), uses and disclosures that would have required individual authorization included, but were not limited to, the following:

  • Use for marketing of health and non-health items and services by the covered entity;
  • Disclosure by sale, rental, or barter;
  • Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;
  • Disclosure, prior to an individual's enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;
  • Disclosure to an employer for use in employment determinations; and
  • Use or disclosure for fundraising.

In the preamble to the proposed rule, we stated that covered entities would be bound by the terms of authorizations. Uses or disclosures by the covered entity for purposes inconsistent with the statements made in the authorization would have constituted a violation of the rule.

In the final rule, under § 164.508(a), as in the proposed rule, covered entities must have authorization from individuals before using or disclosing protected health information for any purpose not otherwise permitted or required by this rule. Specifically, except for psychotherapy notes (see below), covered entities are not required to obtain the individual's authorization to use or disclose protected health information to carry out treatment, payment, and health care operations. (Covered entities may, however, be required to obtain the individual's consent for these uses and disclosures. See the preamble regarding § 164.506 for a discussion of “consent” versus “authorization”.) We also do not require covered entities to obtain the individual's authorization for uses and disclosures of protected health information permitted under §§ 164.510 or 164.512, for disclosures to the individual, or for required disclosures to the Secretary under subpart C of part 160 of this subchapter for enforcement of this rule.

In the final rule, we clarify that covered entities are bound by the statements provided on the authorization; use or disclosure by the covered entity for purposes inconsistent with the statements made in the authorization constitutes a violation of this rule.

Unlike the proposed rule, we do not include in the regulation examples of the types of uses and disclosures that require individual authorization. We eliminated two examples from the proposed list due to potential confusion as to our intent: disclosure by sale, rental, or barter and use and disclosure to non-health related divisions of the covered entity. We recognize that covered entities sometimes make these types of uses and disclosures for purposes that are permitted under the rule without authorization. For example, a covered health care provider may sell its accounts receivable to a collection agency for payment purposes and a health plan may disclose protected health information to its life insurance component for payment purposes. We do not intend to require authorization for uses and disclosures made by sale, rental, or barter or for disclosures made to non-health related divisions of the covered entity, if those uses or disclosures could otherwise be made without authorization under this rule. As with any other use or disclosure, however, uses and disclosures of protected health information for these purposes do require authorization if they are not otherwise permitted under the rule.

We also eliminated the remaining proposed examples from the final rule due to concern that these examples might be misinterpreted as an exhaustive list of all of the uses and disclosures that require individual authorization. We discuss the examples here, however, to clarify the interaction of the authorization requirements and the provisions of the rule that permit uses and disclosures without authorization and/or with consent. Uses and disclosures for which covered entities must have the individual's authorization include, but are not limited to, the following activities.

Marketing

As in the proposed rule, covered entities must obtain the individual's authorization before using or disclosing protected health information for marketing purposes. In the final rule, we add a new definition of marketing (see § 164.501). For more detail on what activities constitute marketing, see § 164.501, definition of “marketing,” and § 164.514(e).

Pre-Enrollment Underwriting

As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for the purpose of making eligibility or enrollment determinations relating to an individual or for underwriting or risk rating determinations, prior to the individual's enrollment in a health plan (that is, for purposes of pre-enrollment underwriting). For example, if an individual applies for new coverage with a health plan in the non-group market and the health plan wants to review protected health information from the individual's covered health care providers before extending an offer of coverage, the individual first must authorize the covered providers to share the information with the health plan. If the individual applies for renewal of existing coverage, however, the health plan would not need to obtain an authorization to review its existing claims records about that individual, because this activity would come within the definition of health care operations and be permissible. We also note that under § 164.504(f), a group health plan and a health insurance issuer that provides benefits with respect to a group health plan are permitted in certain circumstances to disclose summary health information to the plan sponsor for the purpose of obtaining premium bids. Because these disclosures fall within the definition of health care operations, they do not require authorization.

Employment Determinations

As in the proposed rule, covered entities must obtain the individual's authorization to use or disclose protected health information for employment determinations. For example, a covered health care provider must obtain the individual's authorization to disclose the results of a pre-employment physical to the individual's employer. The final rule provides that a covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the information to the third party.

Fundraising

Under the proposed regulation, we would have required authorization before a covered entity could have used or disclosed protected health information for fundraising. In the final rule, we narrow the circumstances under which covered entities must obtain the individual's authorization to use or disclose protected health information for fundraising purposes. As provided in § 164.514(f) and described in detail in the corresponding preamble, authorization is not required when a covered entity uses or discloses demographic information and information about the dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity.

Any use or disclosure for fundraising purposes that does not meet the requirements of § 164.514(f) and does not fall within the definition of health care operations (see § 164.501), requires authorization. Specifically, covered entities must obtain the individual's authorization to use or disclose protected health information to raise funds for any entity other than the covered entity. For example, a covered entity must have the individual's authorization to use protected health information about the individual to solicit funds for a non-profit organization that engages in research, education, and awareness efforts about a particular disease.

Psychotherapy Notes

In the NPRM, we proposed different rules with respect to psychotherapy notes than we proposed with respect to all other protected health information. The proposed rule would have required covered entities to obtain an authorization for any use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations, unless the use was by the person who created the psychotherapy notes. With respect to all other protected health information, we proposed to prohibit covered entities from requiring authorization for uses and disclosures for these purposes.

We significantly revise our approach to psychotherapy notes in the final rule. With a few exceptions, covered entities must obtain the individual's authorization to use or disclose psychotherapy notes to carry out treatment, payment, or health care operations. A covered entity must obtain the individual's consent, but not an authorization, for the person who created the psychotherapy notes to use the notes to carry out treatment and for the covered entity to use or disclose psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling. A covered entity may also use psychotherapy notes to defend a legal action or other proceeding brought by the individual pursuant to a consent, without a specific authorization. We note that, while this provision allows disclosure of these records to the covered entity's attorney to defend against the action or proceeding, disclosure to others in the course of a judicial or administrative proceeding is governed by § 164.512(e). This special provision is necessary because disclosure of protected health information for purposes of legal representation may be made under the general consent as part of “health care operations.” Because we require an authorization for disclosure of psychotherapy notes for “health care operations,” an exception is needed to allow covered entities to use protected health information about an individual to defend themselves against an action threatened or brought by that individual without asking that individual for authorization to do so. Otherwise, a consent under § 164.506 is not sufficient for the use or disclosure of psychotherapy notes to carry out treatment, payment, or health care operations. Authorization is required. We anticipate these authorizations will rarely be necessary, since psychotherapy notes do not include information that covered entities typically need for treatment, payment, or other types of health care operations.

In the NPRM, we proposed to permit covered entities to use and disclose psychotherapy notes for all other purposes permitted or required under the rule without authorization. In the final rule, we specify a more limited set of uses and disclosures of psychotherapy notes that covered entities are permitted to make without authorization. An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement purposes, in accordance with subpart C of part 160 of this subchapter; when mandated by law, in accordance with § 164.512(a); when needed for oversight of the health care provider who created the psychotherapy notes, in accordance with § 164.512(d); when needed by a coroner or medical examiner, in accordance with § 164.512(g)(1); or when needed to avert a serious and imminent threat to health or safety, in accordance with § 164.512(j)(1)(i). We also provide transition provisions in § 164.532 regarding the effect of express legal permission obtained from an individual prior to the compliance date of this rule.

Section 164.508(b)—Implementation Specifications for Authorizations

Valid and Defective Authorizations

We proposed to require a minimum set of elements for authorizations requested by the individual and an additional set of elements for authorizations requested by a covered entity. We would have permitted covered entities to use and disclose protected health information pursuant to authorizations containing the applicable required elements. We would have prohibited covered entities from acting on an authorization if the submitted document had any of the following defects:

  • The expiration date had passed;
  • The form had not been filled out completely;
  • The covered entity knew the authorization had been revoked;
  • The completed form lacked a required element; or
  • The covered entity knew the information on the form was false.

In § 164.508(b)(1) of the final rule, we specify that an authorization containing the applicable required elements (as described below) is a valid authorization. We clarify that a valid authorization may contain additional, non-required elements, provided that these elements are not inconsistent with the required elements. Covered entities are not required to use or disclose protected health information pursuant to a valid authorization. Our intent is to clarify that a covered entity that uses or discloses protected health information pursuant to an authorization meeting the applicable requirements will be in compliance with this rule.

We retain the provision prohibiting covered entities from acting on an authorization if the submitted document had any of the listed defects, with a few changes. First, in § 164.508(c)(1)(iv) we specify that an authorization may expire upon a certain event or on a specific date. For example, a valid authorization may state that it expires upon acceptance or rejection of an application for insurance or upon the termination of employment (for example, in an authorization for disclosure of protected health information for fitness-for-duty purposes) or similar event. The expiration event must, however, be related to the individual or the purpose of the use or disclosure. An authorization that purported to expire on the date when the stock market reached a specified level would not be valid. Under § 164.508(b)(2)(i), if the expiration event is known by the covered entity to have occurred, the authorization is defective. Second, we clarify that certain compound authorizations, as described below, are defective. We also clarify that authorizations that are not completely filled out with respect to the required elements are defective. Finally, we clarify that an authorization with information that the covered entity knows to be false is defective only if the information is material.

As under the proposed regulation, an authorization that the covered entity knows has been revoked is not a valid authorization. We note that, although an authorization must be revoked in writing, the covered entity may not always “know” that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the “knowledge” required for a covered entity to consider an authorization defective. Conversely, a copy of the written revocation is not required before a provider “knows” that an authorization has been revoked.

Many authorizations will be obtained by persons other than the covered entity. If the individual revokes an authorization by writing to that other person, and neither the individual nor the other person informs the covered entity of the revocation, the covered entity will not “know” that the authorization has been revoked. For example, a government agency may obtain an individual's authorization for “all providers who have seen the individual in the past year” to disclose protected health information to the agency for purposes of determining eligibility for benefits. The individual may revoke the authorization by writing to the government agency requesting such revocation. We cannot require the agency to inform all covered entities to whom it has presented the authorization that the authorization has been revoked. If a covered entity does not know of the revocation, the covered entity will not violate this rule by acting pursuant to the authorization. At the same time, if the individual does inform the covered entity of the revocation, even orally, the covered entity “knows” that the authorization has been revoked and can no longer treat the authorization as valid under this rule. Thus, in this example, if the individual tells a covered entity that the individual has revoked the authorization, the covered entity “knows” of the revocation and must consider the authorization defective under § 164.508(b)(2).

Compound Authorizations

Except for authorizations requested in connection with a clinical trial, we proposed to prohibit covered entities from combining an authorization for use or disclosure of protected health information for purposes other than treatment, payment, or health care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or payment (e.g., an assignment of benefits).

We clarify the prohibition on compound authorizations in the final rule. Other than as described below, § 164.508(b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual. For example, an authorization under this rule may not be combined with a consent for use or disclosure of protected health information under § 164.506, with the notice of privacy practices under § 164.520, with any other form of written legal permission for the use or disclosure of protected health information, with an informed consent to participate in research, or with any other form of consent or authorization for treatment or payment.

There are three exceptions to this prohibition. First, under § 164.508(f) (described in more detail, below), an authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined with a consent for the use or disclosure of that protected health information to carry out treatment, payment, or health care operations under § 164.506 and with other documents as provided in § 164.508(f). Second, authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for the use or disclosure of other protected health information. Third, authorizations for the use or disclosure of protected health information other than psychotherapy notes may be combined, provided that the covered entity has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the authorization. If a covered entity conditions any of these services on obtaining an authorization from the individual, as permitted in § 164.508(b)(4) and described below, the covered entity must not combine the authorization with any other document.

The following are examples of valid compound authorizations: an authorization for the disclosure of information created for clinical research combined with a consent for the use or disclosure of other protected health information to carry out treatment, payment, and health care operations, and the informed consent to participate in the clinical research; an authorization for disclosure of psychotherapy notes for both treatment and research purposes; and an authorization for the disclosure of the individual's demographic information for both marketing and fundraising purposes. Examples of invalid compound authorizations include: an authorization for the disclosure of protected health information for treatment, for research, and for determining payment of a claim for benefits, when the covered entity will refuse to pay the claim if the individual does not sign the authorization; or an authorization for the disclosure of psychotherapy notes combined with an authorization to disclose any other protected health information.

Prohibition on Conditioning Treatment, Payment, Eligibility, or Enrollment

We proposed to prohibit covered entities from conditioning treatment or payment on the provision by the individual of an authorization, except when the authorization was requested in connection with a clinical trial. In the case of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment, we proposed to prohibit covered entities from conditioning treatment, payment, or enrollment in a health plan on obtaining such an authorization.

We retain this basic approach but refine its application in the final rule. In addition to the general prohibition on conditioning treatment and payment, covered entities are also prohibited (with certain exceptions described below) from conditioning eligibility for benefits or enrollment in a health plan on obtaining an authorization. This prohibition extends to all authorizations, not just authorizations for use or disclosure of psychotherapy notes. This prohibition is intended to prevent covered entities from coercing individuals into signing an authorization for a use or disclosure that is not necessary to carry out the primary services that the covered entity provides to the individual. For example, a health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.

We clarify the proposed research exception to this prohibition. Covered entities seeking authorization in accordance with § 164.508(f) to use or disclose protected health information created for the purpose of research that includes treatment of the individual, including clinical trials, may condition the research-related treatment on the individual's authorization. Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition research-related treatment on the individual's willingness to authorize the use or disclosure of his or her protected health information for research associated with the trial.

In addition, we permit health plans to condition eligibility for benefits and enrollment in the health plan on the individual's authorization for the use or disclosure of protected health information for purposes of eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations. We also permit health plans to condition payment of a claim for specified benefits on the individual's authorization for the disclosure of information maintained by another covered entity to the health plan, if the disclosure is necessary to determine payment of the claim. These exceptions do not apply, however, to authorization for the use or disclosure of psychotherapy notes. Health plans may not condition payment, eligibility, or enrollment on the receipt of an authorization for the use or disclosure of psychotherapy notes, even if the health plan intends to use the information for underwriting or payment purposes.

Finally, when a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or disclose protected health information related to that treatment. For example, a covered health care provider may have a contract with an employer to provide fitness-for-duty exams to the employer's employees. The provider may refuse to conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the employer. Similarly, a covered health care provider may have a contract with a life insurer to provide pre-enrollment physicals to applicants for life insurance coverage. The provider may refuse to conduct the physical if an individual refuses to authorize the provider to disclose the results of the physical to the life insurer.

Revocation of Authorizations

We proposed to allow individuals to revoke an authorization at any time, except to the extent that the covered entity had taken action in reliance on the authorization.

We retain this provision, but specify that the individual must revoke the authorization in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization. (See above for discussion of how written revocation of an authorization and knowledge of that revocation may differ.)

We also include an additional exception. Under § 164.508(b)(5), individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of obtaining insurance coverage and other applicable law provides the insurer that obtained the authorization with the right to contest a claim under the policy. We intend this exception to permit insurers to obtain necessary protected health information during contestability periods under state law. For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual's policy is still subject to the contestability period.

Documentation

In the final rule, we clarify that a covered entity must document and retain any signed authorization as required by § 164.530(j) (see below).

Section 164.508(c)—Core Elements and Requirements

We proposed to require authorizations requested by individuals to contain a minimum set of elements: a description of the information to be used or disclosed; the name of the covered entity, or class of entities or persons, authorized to make the use or disclosure; the name or types of recipient(s) of the information; an expiration date; the individual's signature and date of signature; if signed by a representative, a description of the representative's authority or relationship to the individual; a statement regarding the individual's right to revoke the authorization; and a statement that the information may no longer be protected by the federal privacy law. We proposed a model authorization form that entities could have used to satisfy the authorization requirements. If the model form was not used, we proposed to require covered entities to use authorization forms written in plain language.

We modify the proposed approach by eliminating the distinction between authorizations requested by the individuals and authorizations requested by others. Instead, we prescribe a minimum set of elements for authorizations and certain additional elements when the authorization is requested by a covered entity for its own use or disclosure of protected health information it maintains or for receipt of protected health information from another covered entity to carry out treatment, payment, or health care operations.

The core elements are required for all authorizations, not just authorizations requested by individuals. Individuals seek disclosure of protected health information about them to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments when health status is relevant. Another common instance is tort litigation, when an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney. In each of these situations, the individual may go directly to the covered entity and ask it to send the relevant information to the intended recipient. Alternatively, the intended recipient may ask the individual to complete a form, which the recipient will submit to the covered entity on the individual's behalf, that authorizes the covered entity to disclose the information. Whether the authorization is submitted to the covered entity by the individual or by another person on the individual's behalf, the covered entity maintaining protected health information may not use or disclose it pursuant to an authorization unless the authorization meets the following requirements.

First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references. For example, the authorization may include a description of “laboratory results from July 1998” or “all laboratory results” or “results of MRI performed in July 1998.” The covered entity can then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure is not permitted unless the covered entity clarifies the request.

There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify “all health information” or the equivalent.

In some instances, a covered entity may be reluctant to undertake the effort to review the record and select portions relevant to the request (or redact portions not relevant). In such circumstances, covered entities may provide the entire record to the individual, who may then redact and release the more limited information to the requestor. This rule does not require a covered entity to disclose information pursuant to an individual's authorization.

Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for “all physicians” to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization.

Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure. The authorization must identify these persons with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient of the protected health information. Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information.

Fourth, the authorization must state an expiration date or event. This expiration date or event must either be a specific date (e.g., January 1, 2001), a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual's enrollment with the health plan that is authorized to make the use or disclosure). We note that the expiration date or event is subject to otherwise applicable and more stringent law. For example, the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act, adopted in at least fifteen states, specifies that authorizations signed for the purpose of collecting information in connection with an application for a life, health, or disability insurance policy are permitted to remain valid for no longer than thirty months. In those states, the longest such an authorization may remain in effect is therefore thirty months, regardless of the expiration date or event indicated on the form.

Fifth, the authorization must state that the individual has the right to revoke an authorization in writing, except to the extent that action has been taken in reliance on the authorization or, if applicable, during a contestability period. The authorization must include instructions on how the individual may revoke the authorization. For example, the person obtaining the authorization from the individual can include an address where the individual can send a written request for revocation.

Sixth, the authorization must inform the individual that, when the information is used or disclosed pursuant to the authorization, it may be subject to re-disclosure by the recipient and may no longer be protected by this rule.

Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.

Finally, if the authorization is signed by a personal representative of the individual, the representative must indicate his or her authority to act for the individual.

As in the proposed rule, the authorization must be written in plain language. See the preamble discussion regarding notice of privacy practices (§ 164.520) for a discussion of the plain language requirement. We do not provide a model authorization in this rule. We will provide further guidance on this issue prior to the compliance date.

Section 164.508(d)—Authorizations Requested by a Covered Entity for Its Own Uses and Disclosures

We proposed to require covered entities to include additional elements in authorizations initiated by the covered entity. Before a covered entity could use or disclose protected health information of an individual pursuant to a request the covered entity made, we proposed to require the entity to obtain an authorization containing the minimum elements described above and the following additional elements: except for authorizations requested for clinical trials, a statement that the entity will not condition treatment or payment on the individual's authorization; a description of the purpose of the requested use or disclosure; a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and, if the use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.

We additionally proposed to require covered entities, when requesting an individual's authorization, to request only the minimum amount of information necessary to accomplish the purpose for which the request was made. We also proposed to require covered entities to provide the individual with a copy of the executed authorization.

We retain the proposed approach, but apply these additional requirements when the covered entity requests the individual's authorization for the entity's own use or disclosure of protected health information maintained by the covered entity itself. For example, a health plan may ask individuals to authorize the plan to disclose protected health information to a subsidiary to market life insurance to the individual. A pharmaceutical company may also ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity. When covered entities initiate the authorization by asking individuals to authorize the entity to use or disclose protected health information that the entity maintains, the authorization must include all of the elements required above as well as several additional elements.

Authorizations requested by covered entities for the covered entity's own use or disclosure of protected health information must state, as applicable under § 164.508(b)(4), that the covered entity will not condition treatment, payment, enrollment, or eligibility on the individual's authorization for the use or disclosure. For example, if a health plan asks an individual to sign an authorization for the health plan to disclose protected health information to a non-profit advocacy group for the advocacy group's fundraising purposes, the authorization must contain a statement that the health plan will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual providing the authorization.

Authorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes. Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.

Authorizations requested by covered entities for their own uses and disclosures must also advise individuals of certain rights available to them under this rule. The authorization must state that the individual may inspect or copy the information to be used or disclosed as provided in § 164.524 regarding access for inspection and copying and that the individual may refuse to sign the authorization.

We alter the proposed requirements with respect to authorizations for which the covered entity will receive financial gain. When the covered entity initiates the authorization and the covered entity will receive direct or indirect remuneration from a third party (rather than financial gain, as proposed) in exchange for using or disclosing the protected health information, the authorization must include a statement that such remuneration will result. For example, a health plan may wish to sell or rent its enrollee mailing list or a pharmaceutical company may offer a covered provider a discount on its products if the provider obtains authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. In each case, the covered entity must obtain the individual's authorization, and the authorization must include a statement that the covered entity will receive remuneration.

In § 164.508(d)(2), we continue to require a covered entity that requests an authorization for its own use or disclosure of protected health information to provide the individual with a copy of the signed authorization. While we eliminate from this section the provision requiring covered entities to obtain authorization for use or disclosure of the minimum necessary protected health information, § 164.514(d)(4) requires covered entities to request only the minimum necessary protected health information to accomplish the purpose for which the request is made. This requirement applies to these authorizations, as well as other requests.

Section 164.508(e)—Authorizations Requested by a Covered Entity for Disclosures by Others

In the proposed rule, we would have prohibited all covered entities from requiring the individual's written legal permission (as proposed, an “authorization”) for the use or disclosure of protected health information to carry out treatment, payment, or health care operations. We generally eliminate this prohibition in the final rule, except to specify that a consent obtained by one covered entity is not effective to permit another covered entity to use or disclose protected health information. See § 164.506(a)(5) and the corresponding preamble discussion.

In the final rule, if a covered entity seeks the individual's written legal permission to obtain protected health information about the individual from another covered entity for any purpose, it must obtain the individual's authorization for the covered entity that maintains the protected health information to make the disclosure. If the authorization is for the purpose of obtaining protected health information for purposes other than treatment, payment, or health care operations, the authorization need only contain the core elements required by § 164.508(c) and described above.

If the authorization, however, is for the purpose of obtaining protected health information to carry out treatment, payment, or health care operations, the authorization must meet the requirements of § 164.508(e). We expect such authorizations will rarely be necessary, because we expect covered entities that maintain protected health information to obtain consents that permit them to make anticipated uses and disclosures for these purposes. An authorization obtained by another covered entity that authorizes the covered entity maintaining the protected health information to make a disclosure for the same purpose, therefore, would be unnecessary.

We recognize, however, that these authorizations may be useful to demonstrate an individual's intent and relationship to the intended recipient of the information when the intent or relationship is not already clear. For example, a long term care insurer may need information from an individual's health care providers about the individual's ability to perform activities of daily living in order to determine payment of a long term care claim. The providers that hold the information may not be providing the long term care and may not, therefore, be aware of the individual's coverage under the policy or that the individual is receiving long term care services. An authorization obtained by the long term care insurer will help to demonstrate these facts to the providers holding the information, which will make them more confident that the individual intends for the information to be shared. Similarly, an insurer with subrogation obligations may need health information from the enrollee's providers to assess or prosecute the claim. A patient's new physician may also need medical records from the patient's prior providers in order to treat the patient. Without an authorization that demonstrates the patient's intent for the information to be shared, the covered entity that maintains the protected health information may be reluctant to provide the information, even if that covered entity's consent permits such disclosure to occur.

These authorizations may also be useful to accomplish clinical coordination and integration among covered entities that do not meet the definitions of affiliated covered entities or organized health care arrangements. For example, safety-net providers that participate in the Community Access Program (CAP) may not qualify as organized health care arrangements but may want to share protected health information with each other in order to develop and expand integrated systems of care for uninsured people. An authorization under this section would permit such providers to receive protected health information from other CAP participants to engage in such activities.

Because of such concerns, we permit a covered entity to request the individual's authorization to obtain protected health information from another covered entity to carry out treatment, payment, and health care operations. In these situations, the authorization must contain the core elements described above and must also describe each purpose of the requested disclosure.

With one exception, the authorization must also indicate that the authorization is voluntary. It must state that the individual may refuse to sign the authorization and that the covered entity requesting the authorization will not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on obtaining the individual's authorization. If the authorization is for a disclosure of information that is necessary to determine payment of a claim for specified benefits, however, the health plan requesting the authorization may condition the payment of the claim on obtaining the authorization from the individual. See § 164.508(b)(4)(iii). In this case, the authorization does not have to state that the health plan will not condition payment on obtaining the authorization.

The covered entity requesting the authorization must provide the individual with a copy of the signed authorization. We note that the covered entity requesting the authorization is also subject to the requirements in § 164.514 to request only the minimum necessary information needed for the purpose of the authorization.

We additionally note that, when the covered entity that maintains the protected health information has already obtained a consent for disclosure of protected health information to carry out treatment, payment, and/or health care operations under § 164.506, and that consent conflicts with an authorization obtained by another covered entity under § 164.508(e), the covered entity maintaining the protected health information is bound by the more restrictive document. See § 164.506(e) and the corresponding preamble discussion for further explanation.

Section 164.508(f)—Authorizations for Uses and Disclosures of Protected Health Information Created for Research that Includes Treatment of Individuals

In the proposed rule, we would have required individual authorization for any use or disclosure of research information unrelated to treatment. In the final rule, we eliminate the special rules for this category of information and, instead, require covered entities to obtain an authorization for the use or disclosure of protected health information the covered entity creates for the purpose of research that includes treatment of individuals, except as otherwise permitted by § 164.512(i).

The intent of this provision is to permit covered entities that conduct research involving treatment to bind themselves to a more limited scope of uses and disclosures of research information than they would otherwise be permitted to make with non-research information. Rather than creating a single definition of “research information,” we allow covered entities the flexibility to define that subset of protected health information they create during clinical research that is not necessary for treatment, payment, or health care operations and that the covered entity will use or disclose under more limited circumstances than it uses or discloses other protected health information. In designing their authorizations, we expect covered entities to be mindful of the often highly sensitive nature of research information and the impact of individuals' privacy concerns on their willingness to participate in research.

Covered entities seeking authorization to use or disclose protected health information they create for the purpose of research that includes treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable elements required above) a description of the extent to which some or all of the protected health information created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations. For example, if the covered entity intends to seek reimbursement from the individual's health plan for the routine costs of care associated with the research protocol, it must explain in the authorization the types of information that it will provide to the health plan for this purpose. This information, and the circumstances under which disclosures will be made for treatment, payment, and health care operations, may be more limited than the information and circumstances described in the covered entity's general consent and notice of privacy practices. To the extent the covered entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the covered entity's consent and notice, the covered entity is bound by the statements made in the research-related authorization. In these circumstances, the authorization must indicate that the authorization, not the general consent and notice, controls.

If the covered entity's primary interaction with the individual is through the research, the covered entity may combine the general consent for treatment, payment, and health care operations required under § 164.506 with this research authorization and need not obtain an additional consent under § 164.506. If the entity has already obtained, or intends to obtain, a separate consent as required under § 164.506, the research authorization must refer to that consent and state that the practices described in the research-related authorization are binding on the covered entity as to the information covered by the research-related authorization. The research-related authorization may also be combined in the same document as the informed consent for participation in the research. This is an exception to the general rule in § 164.508(b)(3) that an authorization under this section may not be combined with any other document (see above).

The covered entity must also include in the authorization a description of the extent to which it will not use or disclose the protected health information it obtains in connection with the research protocol for purposes that are permitted without individual authorization under this rule (under §§ 164.510 and 164.512). To the extent that the entity limits itself to a subset of uses or disclosures that are otherwise permissible under the rule and the entity's notice, the entity is bound by the statements made in the research authorization. In these circumstances, the authorization must indicate that the authorization, not the notice, controls. The covered entity may not, however, purport to preclude itself from making uses or disclosures that are required by law or that are necessary to avert a serious and imminent threat to health or safety.

In some instances, the covered entity may wish to make a use or disclosure of the research information that it did not include in its general consent or notice or for which authorization is required under this rule. To the extent the entity includes uses or disclosures in the research authorization that are otherwise not permissible under the rule and the entity's consent and notice of information practices, the entity must include all of the elements required by §§ 164.508(c) and (d) in the research-related authorization. The covered entity is bound by these statements.

Research that involves the delivery of treatment to participants sometimes relies on existing health information, such as to determine eligibility for the trial. We note that under § 164.508(b)(3)(iii), the covered entity may combine the research-related authorization required under § 164.508(f) with any other authorization for the use or disclosure of protected health information (other than psychotherapy notes), provided that the covered entity does not condition the provision of treatment on the individual signing the authorization. For example, a covered health care provider that had a treatment relationship with an individual prior to the individual's enrollment in a clinical trial, but that is now providing research-related treatment to the individual, may elect to request a compound authorization from the individual: an authorization under § 164.508(d) for the provider to use the protected health information it created prior to the initiation of the research that involves treatment, combined with an authorization under § 164.508(f) regarding use and disclosure of protected health information the covered provider will create for the purpose of the clinical trial. This compound authorization would be valid, provided the covered provider did not condition the research-related treatment on obtaining the authorization required under § 164.508(f), as permitted in § 164.508(b)(4)(i).

However, we anticipate that covered entities will almost always, if not always, condition the provision of research-related treatment on the individual signing the authorization under § 164.508(f) for the covered entity's use or disclosure of protected health information created for the research. Therefore, we expect that the vast majority of covered providers who wish to use or disclose protected health information about an individual that will be created for research that includes treatment and wish to use existing protected health information about that individual for the research that includes treatment, will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure of protected health information to be created for the research that involves treatment of the individual (as required under § 164.508(f)), and (2) an authorization for the use of existing protected health information for the research that includes treatment of the individual (as required under § 164.508(d)).

Effect of Authorization

As noted in the discussion about consents in the preamble to § 164.506, authorizations under this rule should not be construed to waive, directly or indirectly, any privilege granted under federal, state, or local laws or procedures.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Introduction

Section 164.510 of the NPRM proposed the uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, or health care operations and for which an individual authorization would not have been required. These allowable uses and disclosures were designed to permit and promote key national health care priorities, and to promote the smooth operation of the health care system. In each of these areas, the proposal permitted, but would not have required, covered entities to use or disclose protected health information.

We proposed to require covered entities to obtain the individual's oral agreement before making a disclosure to a health care facility's directory or to the individual's next-of-kin or to another person involved in the individual's health care. Because there is an expectation in these two areas that individuals will have some input into a covered entity's decision to use or disclose protected health information, we decided to place disclosures to health facility directories and to persons involved in an individual's care in a separate section. In the final rule, requirements regarding disclosure of protected health information for facility directories and to others involved in an individual's care are included in § 164.510(a) and § 164.510(b), respectively. In the final rule, we include in § 164.510(b) provisions to address a type of disclosure not addressed in the NPRM: disclosures to entities providing relief and assistance in disasters such as floods, fires, and terrorist attacks. Requirements for most of the remaining categories of disclosures addressed in proposed § 164.510 of the NPRM are included in a new § 164.512 of the final rule, as discussed below.

Section 164.510 of the final rule addresses situations in which the interaction between the covered entity and the individual is relatively informal and agreements are made orally, without written authorizations for use or disclosure. In general, under the final rule, to disclose or use protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In exceptional circumstances, where even this informal discussion cannot practicably take place, covered entities are permitted to make decisions regarding disclosure or use based on the exercise of professional judgment of what is in the individual's best interest.

Section 164.510(a)—Use and Disclosure for Facility Directories

The NPRM proposed to allow covered health care providers to disclose through an inpatient facility's directory a patient's name, location in the facility, and general health condition, provided that the individual had agreed to the disclosure. The NPRM would have allowed this agreement to be oral. Pursuant to the NPRM, when making decisions about incapacitated individuals, a covered health care provider could have disclosed such information at the entity's discretion and consistent with good medical practice and any prior expressions of patient preference of which the covered entity was aware.

The preamble to the NPRM listed several factors that we encouraged covered entities to take into account when making decisions about whether to include an incapacitated patient's information in the directory. These factors included: (1) Whether disclosing that an individual is in the facility could reasonably cause harm or danger to the individual (e.g., if it appeared that an unconscious patient had been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse); (2) whether disclosing a patient's location within a facility implicitly would give information about the patient's condition (e.g., whether a patient's room number revealed that he or she was in a psychiatric ward); (3) whether it was necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and (4) whether an individual had, prior to becoming incapacitated, expressed a preference not to be included in the directory. The preamble stated that if a covered entity learned of such a preference, it would be required to act in accordance with the preference.

The preamble to the NPRM said that when individuals entered a facility in an incapacitated state and subsequently gained the ability to make their own decisions, health facilities should ask them within a reasonable time period for permission to include their information in the facility's directory.

In the final rule, we change the NPRM's opt-in authorization requirement to an opt-out approach for inclusion of patient information in a health care facility's directory. The final rule allows covered health care providers—which in this case are health care facilities—to include patient information in their directory only if: (1) They inform incoming patients of their policies regarding the directory; (2) they give patients a meaningful opportunity to opt out of the directory listing or to restrict some or all of the uses and disclosures that can be included in the directory; and (3) the patient does not object to being included in the directory. A patient must be allowed, for example, to have his or her name and condition included in the directory while not having his or her religious affiliation included. The facility's notice and the individual's opt-out or restriction may be oral.

Under the final rule, subject to the individual's right to object, or known prior expressed preferences, a covered health care provider may disclose the following information to persons who inquire about the individual by name: (1) The individual's general condition in terms that do not communicate specific medical information about the individual (e.g., fair, critical, stable, etc.); and (2) location in the facility. This approach represents a slight change to the NPRM, which did not require members of the general public to ask for a patient by name in order to obtain directory information and which, in fact, would have allowed covered entities to disclose the individual's name as part of directory information.

Under the final rule, we also establish provisions for disclosure of directory information to clergy that are slightly different from those which apply for disclosure to the general public. Subject to the individual's right to object or restrict the disclosure, the final rule permits a covered entity to disclose to a member of the clergy: (1) The individual's name; (2) the individual's general condition in terms that do not communicate specific medical information about the individual; (3) the individual's location in the facility; and (4) the individual's religious affiliation. A disclosure of directory information may be made to members of the clergy even if they do not inquire about an individual by name. We note that the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories.

We believe that allowing clergy to access patient information pursuant to this section does not violate the Establishment Clause of the First Amendment, which prohibits laws “respecting an establishment of religion.” Courts traditionally turn to the Lemon test when evaluating laws that might raise Establishment Clause concerns. A law does not violate the Clause if it has a secular purpose, is not primarily to advance religion, and does not cause excessive government entanglement with religion. The privacy regulation passes this test because its purpose is to protect the privacy of individuals—regardless of their religious affiliation—and it does not cause excessive government entanglement.

More specifically, although this section provides a special rule for members of the clergy, it does so as an accommodation to patients who seek to engage in religious conduct. For example, restricting the disclosure of an individual's religious affiliation, room number, and health status to a priest could cause significant delay that would inhibit the ability of a Catholic patient to obtain sacraments provided during the last rites. We believe this accommodation does not violate the Establishment Clause, because it avoids a government-imposed restriction on the disclosure of information that could disproportionately affect the practice of religion. In that way, it is no different from accommodations upheld by the U.S. Supreme Court, such as exceptions to laws banning the use of alcohol in religious ceremonies.

The final rule expands the circumstances under which health care facilities can disclose specified health information to the patient directory without the patient's agreement. Besides allowing such disclosures when patients are incapacitated, as the NPRM would have allowed, the final rule allows such disclosures in emergency treatment circumstances. For example, when a patient is conscious and capable of making a decision, but is so seriously injured that asking permission to include his or her information in the directory would delay treatment such that the patient's health would be jeopardized, health facilities can make decisions about including the patient's information in the directory according to the same rules that apply when the patient is incapacitated. The final rule modifies the NPRM requirements for cases in which an incapacitated patient is admitted to a health care facility. Whereas the NPRM would have allowed health care providers to disclose an incapacitated patient's information to the facility's directory “at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity [was] aware,” the final rule states that in these situations (and in other emergency treatment circumstances), covered health care providers must make the decision on whether to include the patient's information in the facility's directory in accordance with professional judgment as to the patient's best interest. In addition, when making decisions involving incapacitated patients and patients in emergency situations, covered health care providers may decide to include some portions of the patient's information (such as name) but not other information (such as location in the facility) in order to protect patient interests.

As in the preamble to the NPRM, we encourage covered health care providers to take into account the four factors listed above when making decisions about whether to include patient information in a health care facility's directory when patients are incapacitated or are in an emergency treatment circumstance. In addition, we retain the requirement stated in the preamble of the NPRM that if a covered health care provider learns of an incapacitated patient's prior expression of preference not to be included in a facility's directory, the facility must not include the patient's information in the directory. For cases involving patients admitted to a health care facility in an incapacitated or emergency treatment circumstance who during the course of their stay become capable of decisionmaking, the final rule takes an approach similar to that described in the NPRM. The final rule states that when an individual was incapacitated or in an emergency treatment circumstance upon admission to an inpatient facility and his or her condition stabilizes such that he or she is capable of decisionmaking, a covered health care provider must, when it becomes practicable, inform the individual about its policies regarding the facility's directory and provide the opportunity to object to the use or disclosure of protected health information about him or her for the directory.

Section 164.510(b)—Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes

In cases involving an individual with the capacity to make health care decisions, the NPRM would have allowed covered entities to disclose protected health information about the individual to a next-of-kin, to other family members, or to close personal friends of the individual if the individual had agreed orally to such disclosure. If such agreement could not practicably or reasonably be obtained (e.g., when the individual was incapacitated), the NPRM would have allowed disclosure of protected health information that was directly relevant to the person's involvement in the individual's health care, consistent with good health professional practices and ethics. The NPRM defined next-of-kin as defined under state law.

Under the final rule, we specify that covered entities may disclose to a person involved in the current health care of the individual (such as a family member, other relative, close personal friend, or any other person identified by the individual) protected health information directly related to the person's involvement in the current health care of an individual or payment related to the individual's health care. Such persons involved in care and other contact persons might include, for example: blood relatives; spouses; roommates; boyfriends and girlfriends; domestic partners; neighbors; and colleagues. Inclusion of this list is intended to be illustrative only, and it is not intended to change current practices with respect to: (1) Involvement of other persons in individuals' treatment decisions; (2) informal information-sharing among individuals involved in a person's care; or (3) sharing of protected health information to contact persons during a disaster. The final rule also includes new language stating that covered entities may use or disclose protected health information to notify or assist in notification of family members, personal representatives, or other persons responsible for an individual's care with respect to an individual's location, condition, or death. These provisions allow, for example, covered entities to notify a patient's adult child that his father has suffered a stroke and to tell the person that the father is in the hospital's intensive care unit.

The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual's agreement to disclose to the third parties involved in their care; (2) provides the individual with an opportunity to object to such disclosure and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. Situations in which covered providers may infer an individual's agreement to disclose protected health information pursuant to option (3) include, for example, when a patient brings a spouse into the doctor's office when treatment is being discussed, and when a colleague or friend has brought the individual to the emergency room for treatment.

We proposed that when a covered entity could not practicably obtain oral agreement to disclose protected health information to next-of-kin, relatives, or those with a close personal relationship to the individual, the covered entity could make such disclosures consistent with good health professional practice and ethics. In such instances, we proposed that covered entities could disclose only the minimum information necessary for the friend or relative to provide the assistance he or she was providing. For example, health care providers could not disclose to a friend or relative simply driving a patient home from the hospital extensive information about the patient's surgery or past medical history when the friend or relative had no need for this information.

The final rule takes a similar approach. Under the final rule, when an individual is not present (for example, when a friend of a patient seeks to pick up the patient's prescription at a pharmacy) or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual's incapacity or an emergency circumstance, covered entities may, in the exercise of professional judgment, determine whether the disclosure is in the individual's best interests and if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. For example, this provision allows covered entities to inform relatives or others involved in a patient's care, such as the person who accompanied the individual to the emergency room, that a patient has suffered a heart attack and to provide updates on the patient's progress and prognosis when the patient is incapacitated and unable to make decisions about such disclosures. In addition, this section allows covered entities to disclose functional information to individuals assisting in a patient's care; for example, it allows hospital staff to give information about a person's mobility limitations to a friend driving the patient home from the hospital. It also allows covered entities to use professional judgment and experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on an individual's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Thus, under this provision, pharmacists may release a prescription to a patient's friend who is picking up the prescription for him or her. Section 164.510(b) is not intended to disrupt most covered entities' current practices or state law with respect to these types of disclosures.

This provision is intended to allow disclosures directly related to a patient's current condition and should not be construed to allow, for example, disclosure of extensive information about the patient's medical history that is not relevant to the patient's current condition and that could prove embarrassing to the patient. In addition, if a covered entity suspects that an incapacitated patient is a victim of domestic violence and that a person seeking information about the patient may have abused the patient, covered entities should not disclose information to the suspected abuser if there is reason to believe that such a disclosure could cause the patient serious harm. In all of these situations regarding possible disclosures of protected health information about a patient who is not present or is unable to agree to such disclosures due to incapacity or other emergency circumstance, disclosures should be in accordance with the exercise of professional judgment as to the patient's best interest.

This section is not intended to provide a loophole for avoiding the rule's other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity's health status. Rather, it should be construed narrowly, to allow disclosures to those with the closest relationships with the patient, such as family members, in circumstances when a patient is unable to agree to disclosure of his or her protected health information. Furthermore, when a covered entity cannot practicably obtain an individual's agreement before disclosing protected health information to a relative or to a person involved in the individual's care and is making decisions about such disclosures consistent with the exercise of professional judgment regarding the individual's best interest, covered entities must take into account whether such a disclosure is likely to put the individual at risk of serious harm.

Like the NPRM, the final rule does not require covered entities to verify the identity of relatives or other individuals involved in the individual's care. Rather, the individual's act of involving the other persons in his or her care suffices as verification of their identity. For example, the fact that a person brings a family member into the doctor's office when treatment information will be discussed constitutes verification of the involved person's identity for purposes of this rule. Likewise, the fact that a friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that the friend is involved in the individual's care, and the rule allows the pharmacist to give the filled prescription to the friend.

We also clarify that the final rule does not allow covered entities to assume that an individual's agreement at one point in time to disclose protected health information to a relative or to another person assisting in the individual's care implies agreement to disclose protected health information indefinitely in the future. We encourage the exercise of professional judgment in determining the scope of the person's involvement in the individual's care and the time period for which the individual is agreeing to the other person's involvement. For example, if a friend simply picks up a patient from the hospital but has played no other role in the individual's care, hospital staff should not call the friend to disclose lab test results a month after the initial encounter with the friend. However, if a patient routinely brings a spouse into the doctor's office when treatment is discussed, a physician can infer that the spouse is playing a long-term role in the patient's care, and the rule allows disclosure of protected health information to the spouse consistent with his or her role in the patient's care, for example, discussion of treatment options.

The NPRM did not specifically address situations in which disaster relief organizations may seek to obtain protected health information from covered entities to help coordinate the individual's care, or to notify family or friends of an individual's location or general condition in a disaster situation. In the final rule, we account for disaster situations in this paragraph. Specifically, we allow covered entities to use or disclose protected health information without individual agreement to federal, state, or local government agencies engaged in disaster relief activities, as well as to private disaster relief or disaster assistance organizations (such as the Red Cross) authorized by law or by their charters to assist in disaster relief efforts, to allow these organizations to carry out their responsibilities in a specific disaster situation. Covered entities may make these disclosures to disaster relief organizations, for example, so that these organizations can help family members, friends, or others involved in the individual's care to locate individuals affected by a disaster and to inform them of the individual's general health condition. This provision also allows disclosure of information to disaster relief or disaster assistance organizations so that these organizations can help individuals obtain needed medical care for injuries or other health conditions caused by a disaster.

We encourage disaster relief organizations to protect the privacy of individual health information to the extent practicable in a disaster situation. However, we recognize that the nature of disaster situations often makes it impossible or impracticable for disaster relief organizations and covered entities to seek individual agreement or authorization before disclosing protected health information necessary for providing disaster relief. Thus, we note that we do not intend to impede disaster relief organizations in their critical mission to save lives and reunite loved ones and friends in disaster situations.

Section 164.512—Uses and Disclosures for Which Consent, an Authorization, or Opportunity To Agree or Object Is Not Required

Introduction

The final rule's requirements regarding disclosures for directory information and to family members or others involved in an individual's care are in a section separate from that covering disclosures allowed for other national priority purposes. In the final rule, we place most of the other disclosures for national priority purposes in a new § 164.512.

As in the NPRM, in § 164.512 of the final rule, we allow covered entities to make these national priority uses and disclosures without individual authorization. As in the NPRM, these uses and disclosures are discretionary. Covered entities are free to decide whether or not to use or disclose protected health information for any or all of the permitted categories. However, as in the NPRM, nothing in the final rule provides authority for a covered entity to restrict or refuse to make a use or disclosure mandated by other law.

The new § 164.512 includes paragraphs on: Uses and disclosures required by law; uses and disclosures for public health activities; disclosures about victims of abuse, neglect, or domestic violence; uses and disclosures for health oversight activities; disclosures for judicial and administrative proceedings; disclosures for law enforcement purposes; uses and disclosures about decedents; uses and disclosures for cadaveric donation of organs, eyes, or tissues; uses and disclosures for research purposes; uses and disclosures to avert a serious threat to health or safety (which we had called “emergency circumstances” in the NPRM); uses and disclosures for specialized government functions (referred to as “specialized classes” in the NPRM); and disclosures to comply with workers' compensation laws.

Section 164.512(c) in the final rule, which addresses uses and disclosures regarding adult victims of abuse, neglect and domestic violence, is new, although it incorporates some provisions from proposed § 164.510 of the NPRM. In the final rule we also eliminate proposed § 164.510(g) on government health data systems and proposed § 164.510(i) on banking and payment processes. These changes are discussed below.

Approach to Use of Protected Health Information

Proposed § 164.510 of the NPRM included specific subparagraphs addressing uses of protected health information by covered entities that were also public health agencies, health oversight agencies, government entities conducting judicial or administrative proceedings, or government health data systems. Such covered entities could use protected health information in all instances for which they could disclose the information for these purposes. In the final rule, as discussed below, we retain this language in the paragraphs on public health activities and health oversight. However, we eliminate this clause with respect to uses of protected health information for judicial and administrative proceedings, because we no longer believe that there would be any situations in which a covered entity would also be a judicial or administrative tribunal. Proposed § 164.510(e) of the NPRM, regarding disclosure of protected health information to coroners, did not include such a provision. In the final rule we have added it because we believe there are situations in which a covered entity, for example, a public hospital conducting post-mortem investigations, may need to use protected health information for the same purposes for which it would have disclosed the information to a coroner.

While the right to request restrictions under § 164.522 and the consents required under § 164.506 do not apply to the use and disclosure of protected health information under § 164.512, we do not intend to preempt any state or other restrictions, or any right to enforce such agreements or consents under other law.

We note that a covered entity may use or disclose protected health information as permitted by and in accordance with one of the paragraphs of § 164.512, regardless of whether that use or disclosure fails to meet the requirements for use or disclosure under a different paragraph in § 164.512 or elsewhere in the rule.

Verification for Disclosures Under § 164.512

In § 164.510(a) of the NPRM, we proposed that covered entities verify the identity and authority of persons to whom they made disclosure under the section. In the final rule, we generally have retained the proposed requirements. Verification requirements are discussed in § 164.514 of the final rule.

Section 164.512(a)—Uses and Disclosures Required by Law

In the NPRM we would have allowed covered entities to use or disclose protected health information without individual authorization where such use or disclosure was required by other law, as long as the use or disclosure met all relevant requirements of such law. However, a legally mandated use or disclosure which fell into one or more of the national priority purposes expressly identified in proposed § 164.510 of the NPRM would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. Thus, a disclosure required by law would have been allowed only to the extent it was not otherwise prohibited or restricted by another provision in proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM, on uses and disclosures for law enforcement purposes. As explained in the NPRM, this provision was not intended to obstruct access to information deemed important enough by federal, state or other government authorities to require it by law.

In § 164.512(a) of the final rule, we retain the proposed approach, and we permit covered entities to comply with laws requiring the use or disclosure of protected health information, provided the use or disclosure meets and is limited to the relevant requirements of such other laws. To more clearly address where the substantive and procedural requirements of other provisions in this section apply, we have deleted the general sentence from the NPRM which stated that the provision “does not apply to uses or disclosures that are covered by paragraphs (b) through (m)” of proposed § 164.510. Instead, in § 164.512(a)(2) we list the specific paragraphs that have additional requirements with which covered entities must comply. They are disclosures about victims of abuse, neglect or domestic violence (§ 164.512(c)), for judicial and administrative proceedings (§ 164.512(e)), and for law enforcement purposes (§ 164.512(f)). We include a new definition of “required by law.” See § 164.501. We clarify that the requirements provided for in § 164.514(h) relating to verification apply to disclosures under this paragraph. Those provisions require covered entities to verify the identity and authority of persons to whom they make disclosures. We note that the minimum necessary requirements of § 164.514(d) do not apply to disclosures made under this paragraph.

We note that this rule does not affect what is required by other law, nor does it compel a covered entity to make a use or disclosure of protected health information required by the legal demands or reporting requirements listed in the definition of “required by law.” Covered entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements. However, nothing in this rule affects, either by expanding or contracting, a covered entity's right to challenge such process or reporting requirements under other laws. The only disclosures of protected health information compelled by this rule are disclosures to an individual (or the personal representative of an individual) or to the Secretary for the purposes of enforcing this rule.

Uses and disclosures permitted under this paragraph must be limited to the protected health information necessary to meet the requirements of the law that compels the use or disclosure. For example, disclosures pursuant to an administrative subpoena are limited to the protected health information authorized to be disclosed on the face of the subpoena.

Section 164.512(b)—Uses and Disclosures for Public Health Activities

The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) A public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.

In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above. We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease.

We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA's jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.

The terms included in § 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For example, “post-marketing surveillance” is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, “post-marketing surveillance” can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term “track” includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food.

In § 164.512(b)(iii), the term “required” refers to requirements in statute, regulation, order, or other legally binding authority exercised by the FDA. The term “directed,” as used in this section, includes other official agency communications such as guidance documents.

We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private database or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, or for post-marketing surveillance to comply with FDA requirements or direction).

To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of § 164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as § 164.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company's registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule.

The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM.

The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM's provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation.

In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority—for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department—may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above.

The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority.

As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information. For example, OSHA regulations in 29 CFR part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees' exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing.

OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under similar state laws, to keep records on or act on such information.

We require health care providers who make disclosures to employers under this provision to provide notice to individuals that they disclose protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries. The notice required under this provision is separate from the notice required under § 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time the provider provides the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided.

This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to individuals or to their relationship with health care providers that they select.

Section 164.512(c)—Disclosures About Victims of Abuse, Neglect or Domestic Violence

The NPRM included two provisions related to disclosures about persons who are victims of abuse. In the NPRM, we would have allowed covered entities to report child abuse to a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect. In addition, under proposed § 164.510(f)(3) of the NPRM, we would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official under certain circumstances. The NPRM recognized that most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities. Moreover, HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference. The NPRM further acknowledged that most, but not all, states had laws mandating the reporting of abuse, neglect or exploitation of the elderly or other vulnerable adults. We did not intend to impede reporting in compliance with these laws.

The final rule includes a new paragraph, § 164.512(c), which allows covered entities to report protected health information to specified authorities in abuse situations other than those involving child abuse and neglect. In the final rule, disclosures of protected health information related to child abuse continue to be addressed in the paragraph allowing disclosure for public health activities (§ 164.512(b)), as described above. Because HIPAA addresses child abuse specifically in connection with a state's public health activities, we believe it would not be appropriate to include child abuse-related disclosures in this separate paragraph on abuse. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity's ability to comply with these laws.

In the final rule, we address disclosures about other victims of abuse, neglect and domestic violence in § 164.512(c) rather than in the law enforcement paragraph. Section 164.512(c) establishes conditions for disclosure of protected health information in cases involving domestic violence other than child abuse (e.g., spousal abuse), as well as those involving abuse or neglect (e.g., abuse of nursing home residents or residents of facilities for the mentally retarded). This paragraph addresses reports to law enforcement as well as to other authorized public officials. The provisions of this paragraph supersede the provisions of § 164.512(a) and § 164.512(f)(1)(i) to the extent that those provisions address the subject matter of this paragraph.

Under the circumstances described below, the final rule allows covered entities to disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. In this paragraph, references to “individual” should be construed to mean the individual believed to be the victim. The rule allows such disclosure to any governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence. These entities may include, for example, adult protective or social services agencies, state survey and certification agencies, ombudsmen for the aging or those in long-term care facilities, and law enforcement or oversight.

The final rule specifies three circumstances in which disclosures of protected health information are allowed in order to report abuse, neglect or domestic violence. First, this paragraph allows disclosure of protected health information related to abuse if required by law and the disclosure complies with and is limited to the relevant requirements of such law. As discussed below, the final rule requires covered entities that make such disclosures pursuant to a state's mandatory reporting law to inform the individual of the report.

Second, this paragraph allows covered entities to disclose protected health information related to abuse if the individual has agreed to such disclosure. When considering the possibility of disclosing protected health information in an abuse situation pursuant to this section, we encourage covered entities to seek the individual's agreement whenever possible.

Third, this paragraph allows covered entities to disclose protected health information about an individual without the individual's agreement if the disclosure is expressly authorized by statute or regulation and either: (1) The covered entity, in the exercise of its professional judgment, believes that the disclosure is necessary to prevent serious harm to the individual or to other potential victims; or (2) if the individual is unable to agree due to incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual, and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

We emphasize that disclosure under this third part of the paragraph also may be made only if it is expressly authorized by statute or regulation. We use this formulation, rather than the broader “required by law,” because of the heightened privacy and safety concerns in these situations. We believe it appropriate to defer to other public determinations regarding reporting of this information only where a legislative or executive body has determined the reporting to be of sufficient importance to warrant enactment of a law or promulgation of a regulation. Law and regulations reflect a clear decision to authorize the particular disclosure of protected health information, and reflect greater public accountability (e.g., through the required public comment process or because enacted by elected representatives).

For example, a Wisconsin law (Wis. Stat. § 46.90(4)) states that any person may report to a county agency or state official that he or she believes that abuse or neglect has occurred. Pursuant to § 164.512(c)(1)(iii), a covered entity may make a report only if the specific type or subject matter of the report (e.g., abuse or neglect of the elderly) is included in the law authorizing the report, and such a disclosure may only be made to a public authority specifically identified in the law authorizing the report. Furthermore, we note that disclosures under this part of the paragraph are further limited to two circumstances. In the first case, a covered entity, in the exercise of professional judgment, must believe that the disclosure is necessary to prevent serious harm to the individual or to other potential victims. The second case addresses situations in which an individual who is a victim of abuse, neglect or domestic violence is unable to agree due to incapacity and a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. We note that, in this second case, a covered entity may exercise discretion, consistent with professional judgment as to the patient's best interest, in deciding whether to make the requested disclosure.

The rules governing disclosure in this third set of circumstances are different from those governing disclosures pursuant to § 164.512(f)(3) regarding disclosure to law enforcement about victims of crime and other harm. We believe that in abuse situations—to a greater extent than in situations involving crime victims in general—there is clear potential for abusers to cause further serious harm to the victim or to others, such as other family members in a household or other residents of a nursing home. The provisions allowing reporting of abuse when authorized by state law, as described above, are consistent with principles articulated by the AMA's Council on Ethical and Judicial Affairs, which state that when reporting abuse is voluntary under state law, it is justified when necessary to prevent serious harm to a patient. Through the provisions of § 164.512(c), we recognize the unique circumstances surrounding abuse and domestic violence, and we seek to provide an appropriate balance between individual privacy interests and important societal interests such as preventing serious harm to other individuals. We note that here we are relying on covered entities, in the exercise of professional judgment, to determine what is in the best interests of the patient.

Finally, we require covered entities to inform the individual in all of the situations described above that the covered entity has disclosed protected health information to report abuse, neglect, or domestic violence. We allow covered entities to provide this information orally. We do not require written notification, nor do we encourage it, due to the sensitivity of abuse situations and the potential for the abuser to cause further harm to the individual if, for example, a covered entity sends written notification to the home of the individual and the abuser. Whenever possible, covered entities should inform the individual at the same time that they determine abuse has occurred and decide that the abuse should be reported. In cases involving patient incapacity, we encourage covered entities to inform the individual of such disclosures as soon as it is practicable to do so.

The rule provides two exceptions to the requirement to inform the victim about a report to a government authority, one based on concern for future harm and one based on past harm. First, a covered entity need not inform the victim if the covered entity, in the exercise of professional judgment, believes that informing the individual would place the individual at risk of serious harm. We believe that this exception is necessary to address the potential for future harm, either physical or emotional, that the individual may face from knowing that the report has been made. Second, a covered entity may choose not to meet the requirement for informing the victim, if the covered entity actually would be informing a personal representative (such as a parent of a minor) and the covered entity reasonably believes that such person is responsible for the abuse, neglect, or other injury that has already occurred and that informing that person would not be in the individual's best interests.

Section 164.512(d)—Uses and Disclosures for Health Oversight Activities

Under § 164.510(c) of the NPRM, we proposed to permit covered entities to disclose protected health information to health oversight agencies for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of: (i) the health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; or (iii) government regulatory programs for which health information is necessary for determining compliance with program standards.

In § 164.512(d) of the final rule, we modify the proposed language to include civil and criminal investigations. In describing “other activities necessary for oversight” of particular entities, we add the phrase “entities subject to civil rights laws for which health information is necessary for determining compliance.” In addition, in the final rule, we add “licensure or disciplinary actions” to the list of oversight activities authorized by law for which covered entities may disclose protected health information to health oversight agencies. The NPRM's definition of “health oversight agency” (in proposed § 164.504) included this phrase, but it was inadvertently excluded from the regulation text at proposed § 164.510(c). We make this change in the regulation text of the final rule to conform to the NPRM's definition of health oversight agency and to reflect the full range of activities for which we intend to allow covered entities to disclose protected health information to health oversight agencies.

The NPRM would have allowed, but would not have required, covered entities to disclose protected health information to public oversight agencies and to private entities acting under grant of authority from or under contract with oversight agencies for oversight purposes without individual authorization for health oversight activities authorized by law. When a covered entity was also an oversight agency, it also would have been permitted to use protected health information in all cases in which it would have been allowed to disclose such information for health oversight purposes. The NPRM would not have established any new administrative or judicial process prior to disclosure for health oversight, nor would it have permitted disclosures forbidden by other law. The proposed rule also would not have created any new right of access to health records by oversight agencies, and it could not have been used as authority to obtain records not otherwise legally available to the oversight agency.

The final rule retains this approach to health oversight. As in the NPRM, the final rule provides that when a covered entity is also an oversight agency, it is allowed to use protected health information in all cases in which it is allowed to disclose such information for health oversight purposes. For example, if a state insurance department is acting as a health plan in operating the state's Medicaid managed care program, the final rule allows the insurance department to use protected health information in all cases for which the plan can disclose the protected health information for health oversight purposes. For example, the state insurance department in its capacity as the state Medicaid managed care plan can use protected health information in the process of investigating and disciplining a state Medicaid provider for attempting to defraud the Medicaid system. As in the NPRM, the final rule does not establish any new administrative or judicial process prior to disclosure for health oversight, nor does it prohibit covered entities from making any disclosures for health oversight that are otherwise required by law. Like the NPRM, it does not create any new right of access to health records by oversight agencies and it cannot be used as authority to obtain records not otherwise legally available to the oversight agency.

Overlap Between Law Enforcement and Oversight

Under the NPRM, the proposed definitions of law enforcement and oversight, and the rules governing disclosures for these purposes overlapped. Specifically, this overlap occurred because: (1) The NPRM preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities; and (2) the NPRM addressed some disclosures for investigations of health care fraud in the law enforcement paragraph (proposed § 164.510(f)(5)(i)), while health care fraud investigations are central to the purpose of health care oversight agencies (covered under proposed § 164.510(c)). In the final rule, we make substantial changes to these provisions, in an attempt to prevent confusion.

In § 164.512(d)(2), we include explicit decision rules indicating when an investigation is considered law enforcement and when an investigation is considered oversight under this regulation. An investigation or activity is not considered health oversight for purposes of this rule if: (1) The individual is the subject of the investigation or activity; and (2) The investigation or activity does not arise out of and is not directly related to: (a) The receipt of health care; (b) a claim for public benefits related to health; or (c) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply. For the purposes of this rule, we intend for investigations regarding issues (a) through (c) above to mean investigations of health care fraud.

Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to the subject matter in (a) through (c) of the preceding sentence, a covered entity may make a disclosure pursuant to § 164.512(d)(1). For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the plan, the health plan may disclose protected health information to the PWBA under the health oversight rules. These rules and distinctions are discussed in greater detail in our responses to comments.

To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health care fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).

In the final rule, we add new language (§ 164.512(d)(3)) to address situations in which health oversight activities are conducted in conjunction with an investigation regarding a claim for public benefits not related to health (e.g., claims for Food Stamps). In such situations, for example, when a state Medicaid agency is working with the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps, covered entities may disclose protected health information to the entities conducting the joint investigation under the health oversight provisions of the rule.

In the proposed rule, the definitions of “law enforcement proceeding” and “oversight activity” both included the phrase “criminal, civil, or administrative proceeding.” For reasons explained below, the final rule retains this phrase in both definitions. The final rule does not attempt to distinguish between these activities based on the agency undertaking them or the applicable enforcement procedures. Rather, as described above, the final rule carves out certain activities which must always be considered law enforcement for purposes of disclosure of protected health information under this rule.

Additional Considerations

We note that covered entities are permitted to initiate disclosures that are permitted under this paragraph. For example, a covered entity could disclose protected health information in the course of reporting suspected health care fraud to a health oversight agency.

We delete language in the NPRM that would have allowed disclosure under this section only to law enforcement officials conducting or supervising an investigation, official inquiry, or a criminal, civil or administrative proceeding authorized by law. In some instances, a disclosure by a covered entity under this section will initiate such an investigation or proceeding, but it will not already be ongoing at the time the disclosure is made.

Section 164.512(e)—Disclosures and Uses for Judicial and Administrative Proceedings

Section 164.512(e) addresses when a covered entity is permitted to disclose protected health information in response to requests for protected health information that are made in the course of judicial and administrative proceedings—for example, when a non-party health care provider receives a subpoena (under Federal Rule of Civil Procedure 45 or a similar provision) for medical records from a party to a lawsuit. In the NPRM we would have allowed covered entities to disclose protected health information in the course of any judicial or administrative proceeding: (1) In response to an order of a court or administrative tribunal; or (2) where an individual was a party to the proceeding and his or her medical condition or history was at issue and the disclosure was pursuant to lawful process or otherwise authorized by law. Under the NPRM, if the request for disclosure of protected health information was accompanied by a court order, a covered entity could have disclosed that protected health information which the court order authorized to be disclosed. If the request for disclosure of protected health information were not accompanied by a court order, covered entities could not have disclosed the information requested unless a request authorized by law had been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerned a litigant to the proceeding and that the health condition of the litigant was at issue at the proceeding.

In § 164.512(e) of the final rule, we permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order from a court or administrative tribunal or in response to a subpoena or discovery request from, or other lawful process by a party to the proceeding. When a request is made pursuant to an order from a court or administrative tribunal, a covered entity may disclose the information requested without additional process. For example, a subpoena issued by a court constitutes a disclosure which is required by law as defined in this rule, and nothing in this rule is intended to interfere with the ability of the covered entity to comply with such subpoena.

However, absent an order of, or a subpoena issued by, a court or administrative tribunal, a covered entity may respond to a subpoena or discovery request from, or other lawful process by, a party to the proceeding only if the covered entity obtains either: (1) Satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a protective order that will guard the confidentiality of the information. In meeting the first test, a covered entity is considered to have received satisfactory assurances from the party seeking the information if that party demonstrates that it has made a good faith effort (such as by sending a notice to the individual's last known address) to provide written notice to the individual whose information is the subject of the request, that the written notice included sufficient information about the proceeding to permit the individual to raise an objection, and that the time for the individual to raise objections to the court or administrative tribunal has elapsed and no objections were filed or any objections filed by the individual have been resolved.

Unless required to do so by other law, the covered entity is not required to explain the procedures (if any) available for the individual to object to the disclosure. Under the rule, the individual exercises the right to object before the court or other body having jurisdiction over the proceeding, and not to the covered entity. The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.

As described above, in this paragraph we also permit a covered entity to disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives satisfactory assurances that the party seeking the information has made reasonable efforts to seek a qualified protective order that would protect the privacy of the information. A “qualified protective order” means an order of a court or of an administrative tribunal or a stipulation that: (1) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the records are requested; and (2) requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. Satisfactory assurances of reasonable efforts to secure a qualified protective order are a statement and documentation that the parties to the dispute have agreed to a protective order and that it has been submitted to the court or administrative tribunal with jurisdiction, or that the party seeking the protected health information has requested a qualified protective order from such court or tribunal. We encourage the development of “model” protective orders that will facilitate adherence with this subpart.

In the final rule we also permit the covered entity itself to satisfy the requirement to make reasonable efforts to notify the individual whose information has been requested or to seek a qualified protective order. We intend this to be a permissible activity for covered entities: we do not require covered entities to undertake these efforts in response to a subpoena, discovery request, or similar process (other than an order from a court or administrative tribunal). If a covered entity receives such a request without receiving the satisfactory assurances described above from the party requesting the information, the covered entity is free to object to the disclosure and is not required to undertake the reasonable efforts itself.

We clarify that the provisions of this paragraph do not supersede or otherwise invalidate other provisions of this rule that permit uses and disclosures of protected health information. For example, the fact that protected health information is the subject of a matter before a court or tribunal does not prevent its disclosure under another provision of the rule, such as §§ 164.512(b), 164.512(d), or 164.512(f), even if a public agency's method of requesting the information is pursuant to an administrative proceeding. For example, where a public agency commences a disciplinary action against a health professional, and requests protected health information as part of its investigation, the disclosure may be made to the agency under paragraph (d) of this section (relating to health oversight) even if the method of making the request is through the proceeding. As with any request for disclosure under this section, the covered entity will need to verify the authority under which the request is being made, and we expect that public agencies will identify their authority when making such requests. We note that covered entities may reasonably rely on assertions of authority made by government agencies.

Additional Considerations

Where a disclosure made pursuant to this paragraph is required by law, such as in the case of an order from a court or administrative tribunal, the minimum necessary requirements in § 164.514(d) do not apply to disclosures made under this paragraph. A covered entity making a disclosure under this paragraph, however, may of course disclose only that protected health information that is within the scope of the permitted disclosure. For instance, in response to an order of a court or administrative tribunal, the covered entity may disclose only the protected health information that is expressly authorized by such an order. Where a disclosure is not considered under this rule to be required by law, the minimum necessary requirements apply, and the covered entity must make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request. A covered entity is not required to second-guess the scope or purpose of the request, or to take action to resist the request because it believes that the request is overbroad. In complying with the request, however, the covered entity must make reasonable efforts not to disclose more information than is requested. For example, a covered entity may not provide a party free access to its medical records under the theory that the party can identify the information necessary for the request. In some instances, it may be appropriate for a covered entity, presented with a relatively broad discovery request, to permit access to a relatively large amount of information in order for a party to identify the relevant information. This is permissible as long as the covered entity makes reasonable efforts to circumscribe the access as appropriate.

The NPRM indicated that when a covered entity was itself a government agency, the covered entity could use protected health information in all cases in which it would have been allowed to disclose such information in the course of any judicial or administrative proceeding. As explained above, the final rule does not include this provision.

Section 164.512(f)—Disclosure for Law Enforcement Purposes

Disclosures Pursuant to Process and as Otherwise Required by Law

In the NPRM we would have allowed covered entities to disclose protected health information without individual authorization as required by other law. However, as explained above, if a legally mandated use or disclosure fell into one or more of the national priority purposes expressly identified in other paragraphs of proposed § 164.510, the disclosure would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM. Proposed § 164.510(f) did not explicitly recognize disclosures required by other laws, and it would not have permitted covered entities to comply with some state and other mandatory reporting laws that require covered entities to disclose protected health information to law enforcement officials, such as the reporting of gunshot wounds, stab wounds, and/or burn injuries.

We did not intend generally to preempt state and other mandatory reporting laws, and in § 164.512(f)(1)(i) of the final rule, we explicitly permit covered entities to disclose protected health information for law enforcement purposes as required by other law. This provision permits covered entities to comply with these state and other laws. Under this provision, to the extent that a mandatory reporting law falls under the provisions of § 164.512(c)(1)(i) regarding reporting of abuse, neglect, or domestic violence, the requirements of those provisions supersede.

In the final rule, we specify that covered entities may disclose protected health information pursuant to this provision in compliance with and as limited by the relevant requirements of legal process or other law. In the NPRM, for the purposes of this portion of the law enforcement paragraph, we proposed to define “law enforcement inquiry or proceeding” as an investigation or official proceeding inquiring into a violation of or failure to comply with law; or a criminal, civil or administrative proceeding arising from a violation of or failure to comply with law. In the final rule, we do not include this definition in § 164.512(f), because it is redundant with the definition of “law enforcement official” in § 164.501.

Proposed § 164.510(f)(1) of the NPRM would have authorized disclosure of protected health information to a law enforcement official conducting or supervising a law enforcement inquiry or proceeding authorized by law pursuant to process, under three circumstances.

First, we proposed to permit such disclosures pursuant to a warrant, subpoena, or other order issued by a judicial officer that documented a finding by the officer. The NPRM did not specify requirements for the nature of the finding. In the final rule, we eliminate the requirement for a “finding,” and we make changes to the list of orders in response to which covered entities may disclose under this provision. Under the final rule, covered entities may disclose protected health information in compliance with and as limited by relevant requirements of: a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer. We made this change to the list to conform to the definition of “required by law” in § 164.501.

Second, we proposed to permit such disclosures pursuant to a state or federal grand jury subpoena. In the final rule, we leave this provision of the NPRM unchanged.

Third, we proposed to permit such disclosures pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process, under somewhat stricter standards than exist today for such disclosures. We proposed to permit a covered entity to disclose protected health information pursuant to an administrative request only if the request met three conditions, as follows: (i) The information sought was relevant and material to a legitimate law enforcement inquiry; (ii) the request was as specific and narrowly drawn as reasonably practicable; and (iii) de-identified information could not reasonably have been used to meet the purpose of the request.

The final rule generally adopts this provision of the NPRM. In the final rule, we modify the list of orders in response to which covered entities may disclose protected health information, to include administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law. We made this change to the list to conform with the definition of “required by law” in § 164.501. In addition, we slightly modify the second of the three conditions under which covered entities may respond to such requests, to allow disclosure if the request is specific and is limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

Limited Information for Identification and Location Purposes

The NPRM would have allowed covered entities to disclose “limited identifying information” for purposes of identifying a suspect, fugitive, material witness, or missing person, in response to a law enforcement request. We proposed to define “limited identifying information” as (i) name; (ii) address; (iii) Social Security number; (iv) date of birth; (v) place of birth; (vi) type of injury or other distinguishing characteristic; and (vii) date and time of treatment.

The final rule generally adopts this provision of the NPRM with a few modifications. In the final rule, we expand the circumstances under which limited information about suspects, fugitives, material witnesses, and missing persons may be disclosed, to include not only cases in which law enforcement officials are seeking to identify such individuals, but also cases in which law enforcement officials are seeking to locate such individuals. In addition, the final rule modifies the list of data elements that may be disclosed under this provision, in several ways. We expand the list of elements that may be disclosed under these circumstances, to include ABO blood type and Rh factor, as well as date and time of death, if applicable. We remove “other distinguishing characteristic” from the list of items that may be disclosed for the location and identification purposes described in this paragraph, and instead allow covered entities to disclose only a description of distinguishing physical characteristics, such as scars and tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. In addition, in the final rule, protected health information associated with the following cannot be disclosed pursuant to § 164.512(f)(2): DNA data and analyses; dental records; or typing, samples or analyses of tissues or bodily fluids other than blood (e.g., saliva). If a covered entity discloses additional information under this provision, the covered entity will be out of compliance and subject to sanction.

We clarify our intent not to allow covered entities to initiate disclosures of limited identifying information to law enforcement in the absence of a law enforcement request; a covered entity may disclose protected health information under this provision only in response to a request from law enforcement. We allow a “law enforcement official's request” to be made orally or in writing, and we intend for it to include requests by a person acting on behalf of law enforcement, for example, requests by a media organization making a television or radio announcement seeking the public's assistance in identifying a suspect. Such a request also may include a “Wanted” poster and similar postings.

Disclosure About a Victim of Crime

The NPRM would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official, if the law enforcement official represented that: (i) The information was needed to determine whether a violation of law by a person other than the victim had occurred; and (ii) immediate law enforcement activity that depended on obtaining the information may have been necessary.

The final rule modifies the conditions under which covered entities can disclose protected health information about victims. As discussed above, the final rule includes a new § 164.512(c), which establishes conditions for disclosure of protected health information about victims of abuse, neglect or domestic violence. Also as discussed above, we have added § 164.512(f)(1)(i) to this paragraph to explicitly recognize that in some cases, covered entities' disclosure of protected health information is mandated by state or other law. The rule's requirements for disclosure in situations not covered under mandatory reporting laws are different from the rule's provisions regarding disclosure pursuant to a mandatory reporting law.

The final rule requires covered entities to obtain individual agreement as a condition of disclosing the protected health information about victims to law enforcement, unless the disclosure is permitted under § 164.512(b) or (c) or § 164.512(f)(1) above. The required agreement may be obtained orally, and does not need to meet the requirements of § 164.508 of this rule (regarding authorizations). The rule waives the requirement for individual agreement if the victim is unable to agree due to incapacity or other emergency circumstance and: (1) The law enforcement official represents that the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on such disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the individual's best interests. We intend that assessing the individual's best interests includes taking into account any further risk of harm to the individual. This provision does not allow covered entities to initiate disclosures of protected health information to law enforcement; the disclosure must be in response to a request from law enforcement.

We do not intend to create a new legal duty on the part of covered entities with respect to the safety of their patients. Rather, we intend to ensure that covered entities can continue to exercise their professional judgment in these circumstances, on a case-by-case basis, as they do today.

In some cases, a victim may also be a fugitive or suspect. For example, an individual may receive a gunshot wound during a robbery and seek treatment in a hospital emergency room. In such cases, when law enforcement officials are requesting protected health information because the individual is a suspect (and thus the information may be used against the individual), covered entities may disclose the protected health information pursuant to § 164.512(f)(2) regarding suspects and not pursuant to § 164.512(f)(3) regarding victims. Thus, in these situations, covered entities may disclose only the limited identifying information listed in § 164.512(f)(2)—not all of the protected health information that may be disclosed under § 164.512(f)(3).

The proposed rule did not address whether a covered entity could disclose protected health information to a law enforcement official to alert the official of the individual's death.

Disclosures About Decedents

In the final rule, we add a new provision, § 164.512(f)(4), in which we permit covered entities to disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. In such circumstances, consent of the individual is not available and it may be difficult to determine the identity of a personal representative and gain consent for disclosure of protected health information. Permitting disclosures in this circumstance will permit law enforcement officials to begin their investigation into the death more rapidly, increasing the likelihood of success.

Intelligence and National Security Activities

Section 164.510(f)(4) of the NPRM would have allowed covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. In the final rule, we move provisions regarding disclosures of protected health information for intelligence and protective services activities to § 164.512(k) regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

The NPRM would have allowed covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believed in good faith constituted evidence of criminal conduct that arose out of and was directly related to: (A) The receipt of health care or payment for health care, including a fraudulent claim for health care; (B) qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual; that occurred on the covered entity's premises or was witnessed by a member of the covered entity's workforce.

In the final rule, we modify this provision substantially, by eliminating language allowing disclosures already permitted in other sections of the regulation. The proposed provision overlapped with other sections of the NPRM, in particular proposed § 164.510(c) regarding disclosure for health oversight activities. In the final regulation, we clarify that this provision applies only to disclosures to law enforcement officials of protected health information that the covered entity believes in good faith constitutes evidence of a crime committed on the premises. We eliminate proposed § 164.510(f)(5)(i) regarding health care fraud from the law enforcement section, because all disclosures that would have been allowed under that provision are allowed under § 164.512(d) of the final rule (health oversight). Similarly, in the final rule, we eliminate proposed § 164.510(f)(5)(iii) on disclosure of protected health information to law enforcement officials regarding criminal activity witnessed by a member of a health plan workforce. All disclosures that would have been permitted by that provision are included in § 164.512(f)(5), which allows disclosure of information to report a crime committed on the covered entity's premises, and by § 164.502, which provides that a covered entity is not in violation of the rule when a member of its workforce or person working for a business associate uses or discloses protected health information while acting as a “whistle blower.” Thus, § 164.512(f)(5) allows covered entities to disclose health information only on the good faith belief that it constitutes evidence of a crime on their premises. The preamble to the NPRM said that if the covered entity disclosed protected health information in good faith but was wrong in its belief that the information was evidence of a violation of law, the covered entity would not be subject to sanction under this regulation. The final rule retains this approach.

Reporting Crime in Emergencies

The proposed rule did not address disclosures by emergency medical personnel to a law enforcement official intended to alert law enforcement about the commission of a crime. Because the provisions of the proposed rule were limited to individually identifiable health information that was reduced to electronic form, many communications that occur between emergency medical personnel and law enforcement officials at the scene of a crime would not have been covered by the proposed provisions.

In the final rule we include a new provision, § 164.512(f)(6), that addresses “911” calls for emergency medical technicians as well as other emergency health care in response to a medical emergency. The final rule permits a covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, to disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to (1) the commission and nature of a crime, (2) the location of such crime or of the victim(s) of such crime, and (3) the identity, description, and location of the perpetrator of such crime. A disclosure is not permitted under this section if the health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care. In such cases, disclosures to law enforcement would be governed by paragraph (c) of this section.

This added provision recognizes the special role of emergency medical technicians and other providers who respond to medical emergencies. In emergencies, emergency medical personnel often arrive on the scene before or at the same time as police officers, firefighters, and other emergency response personnel. In these cases, providers may be in the best position, and sometimes the only ones in a position, to alert law enforcement about criminal activity. For instance, providers may be the first persons aware that an individual has been the victim of a battery or an attempted murder. They may also be in a position to report in real time, through use of radio or other mechanism, information that may immediately contribute to the apprehension of a perpetrator of a crime.

We note that disclosure under this provision is at the discretion of the health care provider. Disclosures in some instances may be governed more strictly, such as by applicable ethical standards and state and local laws.

Finally, the NPRM also included a proposed § 164.510(f)(5), which duplicated proposed § 164.510(f)(3). The final rule does not include this duplicate provision.

Additional Considerations

As stated in the NPRM, this paragraph is not intended to limit or preclude a covered entity from asserting any lawful defense or otherwise contesting the nature or scope of the process when the procedural rules governing the proceeding so allow. At the same time, it is not intended to create a basis for appealing to federal court concerning a request by state law enforcement officials. Each covered entity will continue to have available legal procedures applicable in the appropriate jurisdiction to contest such requests where warranted.

As was the case with the NPRM, this rule does not create any new affirmative requirement for disclosure of protected health information. Similarly, this section is not intended to limit a covered entity from disclosing protected health information to law enforcement officials where other sections of the rule permit such disclosure, e.g., as permitted by § 164.512(j) to avert an imminent threat to health or safety, for health oversight activities, to coroners or medical examiners, and in other circumstances permitted by the rule. For additional provisions permitting covered entities to disclose protected health information to law enforcement officials, see § 164.512(j)(1)(i) and (ii).

Under the NPRM and under the final rule, to obtain protected health information, law enforcement officials must comply with whatever other law is applicable. In certain circumstances, while this provision could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes or rules that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See §§ 160.201 through 160.205. For example, if state law permits disclosure only after compulsory process with court review, a provider or payor is not allowed to disclose information to state law enforcement officials unless the officials have complied with that requirement. Similarly, disclosure of substance abuse patient records subject to 42 U.S.C. 290dd-2 and the implementing regulations, 42 CFR part 2, continues to be governed by those provisions.

In some instances, disclosure of protected health information to law enforcement officials will be compelled by other law, for example, by compulsory judicial process or compulsory reporting laws (such as laws requiring reporting of wounds from violent crimes, suspected child abuse, or suspected theft of controlled substances). As discussed above, disclosure of protected health information under such other mandatory law is permitted under § 164.512(a).

In the responses to comments we clarify that items such as cells and tissues are not protected health information, but that analyses of them are. The same treatment would be given other physical items, such as clothing, weapons, or a bloody knife. We note, however, that while these items are not protected health information and may be disclosed, some communications that could accompany the disclosure will be protected health information under the rule. For example, if a person provides cells to a researcher, and tells the researcher that these are an identified individual's cancer cells, that accompanying statement is protected health information about that individual. Similarly, if a person provides a bullet to law enforcement, and tells law enforcement that the bullet was extracted from an identified individual, the person has disclosed the fact that the individual was treated for a wound, and the additional statement is a disclosure of protected health information.

To be able to make the additional statement accompanying the provision of the bullet, a covered entity must look to the rule to find a provision under which a disclosure may be made to law enforcement. Section 164.512(f) of the rule addresses disclosures for law enforcement purposes. Under § 164.512(f)(1), the additional statement may be disclosed to a law enforcement official if required by law or with appropriate process. Under § 164.512(f)(2), we permit covered entities to disclose limited identifying information without legal process in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Thus, in the case of the bullet described above, the covered entity may, in response to a law enforcement request, provide the extracted bullet and such additional limited identifying information as is permitted under § 164.512(f)(2).

Section 164.512(g)—Uses and Disclosures About Decedents

In the NPRM we proposed to allow covered entities to disclose protected health information without individual authorization to coroners and medical examiners, consistent with applicable law, for identification of a deceased person or to determine cause of death.

In § 164.512(g) of the final rule, we permit covered entities to disclose protected health information to coroners, medical examiners, and funeral directors as part of a new paragraph on disclosures related to death. The final rule retains the NPRM approach regarding disclosure of protected health information to coroners and medical examiners, and it allows the information disclosed to coroners and medical examiners to include identifying information about other persons that may be included in the individual's medical record. Redaction of such names is not required prior to disclosing the individual's record to coroners or medical examiners. Since covered entities may also perform duties of a coroner or medical examiner, where a covered entity is itself a coroner or medical examiner, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information for its duties as a coroner or medical examiner.

Section 164.512(g) allows covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. For example, the rule allows hospitals to disclose to funeral directors the fact that an individual has donated an organ or tissue, because this information has implications for funeral home staff duties associated with embalming. When necessary for funeral directors to carry out their duties, covered entities may disclose protected health information prior to and in reasonable anticipation of the individual's death.

Whereas the NPRM did not address the issue of disclosure of psychotherapy notes without individual authorization to coroners and medical examiners, the final rule allows such disclosures.

The NPRM did not include in proposed § 164.510(e) language stating that where a covered entity was itself a coroner or medical examiner, it could use protected health information for the purposes of engaging in a coroner's or a medical examiner's activities. The final rule includes such language to address situations such as where a public hospital performs medical examiner functions. In such cases, the hospital's on-staff coroners can use protected health information while conducting post-mortem investigations, and other hospital staff can analyze any information associated with these investigations, for example, as part of the process of determining the cause of the individual's death.

Section 164.512(h)—Uses and Disclosures for Cadaveric Donation of Organs, Eyes, or Tissues

In the NPRM we proposed to include the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients in the definition of “health care” (described in proposed § 160.103). The NPRM's proposed approach did not differentiate between situations in which the donor was competent to consent to the donation—for example, when an individual is donating blood, sperm, a kidney, or a liver or lung lobe—and situations in which the donor was deceased, for example, when cadaveric organs and tissues were being donated. We also proposed to allow use and disclosure of protected health information for treatment without consent.

In the final rule, we take a different approach. In § 164.512(h), we permit covered entities to disclose protected health information without individual authorization to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for donation and transplantation. This provision is intended to address situations in which an individual has not previously indicated whether he or she seeks to donate organs, eyes, or tissues (and therefore authorized release of protected health information for this purpose). In such situations, this provision is intended to allow covered entities to initiate contact with organ and tissue donation and transplantation organizations to facilitate transplantation of cadaveric organs, eyes, and tissues.

Disclosures and Uses for Government Health Data Systems

In the NPRM we proposed to permit covered entities to disclose protected health information to a government agency, or to a private entity acting on behalf of a government agency, for inclusion in a government health data system collecting health data for analysis in support of policy, planning, regulatory, or management functions authorized by law. The NPRM stated that when a covered entity was itself a government agency collecting health data for these functions, it could use protected health information in all cases for which it was permitted to disclose such information to government health data systems.

In the final rule, we eliminate the provision that would have allowed covered entities to disclose protected health information to government health data systems without authorization. Thus, under the final rule, covered entities cannot disclose protected health information without authorization to government health data systems—or to private health data systems—unless the disclosure is permissible under another provision of the rule.

Disclosures for Payment Processes

In the NPRM we proposed to permit covered entities to disclose, in connection with routine banking activities or payment by debit, credit, or other payment card, or other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to financial institutions or to entities acting on behalf of financial institutions to authorize, process, clear, settle, bill, transfer, reconcile, or collect payments for financial institutions.

The preamble to the NPRM clarified the proposed rule's intent regarding disclosure of diagnostic and treatment information along with payment information to financial institutions. The preamble to the proposed rule said that diagnostic and treatment information never was necessary to process a payment transaction. The preamble said we believed that in most cases, the permitted disclosure would include only: (1) The name and address of the account holder; (2) the name and address of the payor or provider; (3) the amount of the charge for health services; (4) the date on which health services were rendered; (5) the expiration date for the payment mechanism, if applicable; and (6) the individual's signature. The preamble noted that the proposed regulation text did not include an exclusive list of information that could lawfully be disclosed to process payments, and it solicited comments on whether more elements would be needed for banking and payment transactions and on whether including a specific list of protected health information that could be disclosed was an appropriate approach.

The preamble also noted that under section 1179 of HIPAA, certain activities of financial institutions were exempt from this rule, to the extent that these activities constituted authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.

In the final rule, we eliminate the NPRM's provision on “banking and payment processes.” All disclosures that would have been allowed pursuant to proposed § 164.510(i) are allowed under § 164.502(a) of the final rule, regarding disclosure for payment purposes.

Section 164.512(i)—Uses and Disclosures for Research Purposes

The NPRM would have permitted covered entities to use and disclose protected health information for research—regardless of funding source—without individual authorization, provided that the covered entity obtained documentation of the following:

(1) A waiver, in whole or in part, of authorization for the use or disclosure of protected health information was approved by an Institutional Review Board (IRB) or a privacy board that was composed as stipulated in the proposed rule;

(2) The date of approval of the waiver, in whole or in part, of authorization by an IRB or privacy board;

(3) The IRB or privacy board had determined that the waiver, in whole or in part satisfied the following criteria:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers; and

(4) The written documentation was signed by the chair of, as applicable, the IRB or the privacy board.

The NPRM also proposed that IRBs and privacy boards be permitted to adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule § __.110) for records research that involved no more than minimal risk. However, this provision for expedited review was not included in the proposed regulation text.

The board that would determine whether the research protocol met the eight specified criteria for waiving the patient authorization requirements (described above), could have been an IRB constituted as required by the Common Rule, or a privacy board, whose proposed composition is described below. The NPRM proposed no requirements for the location or sponsorship of the IRB or privacy board. Under the NPRM, the covered entity could have created such a board and could have relied on it to review research proposals for uses and disclosures of protected health information for research. A covered entity also could have relied on the necessary documentation from an outside researcher's own university IRB or privacy board. In addition, a covered entity could have engaged the services of an outside IRB or privacy board to obtain the necessary documentation.

Absent documentation that the requirements described above had been met, the NPRM would have required individuals' authorization for the use or disclosure of protected health information for research, pursuant to the authorization requirements in proposed § 164.508. For research conducted with patient authorization, documentation of IRB or privacy board approval would not have been required.

The final rule retains the NPRM's proposed framework for permitting uses and disclosures of protected health information for research purposes, although we are making several important changes for the final rule. These changes are discussed below:

Documentation Requirements of IRB or Privacy Board Approval of Waiver

The final rule retains these documentation requirements, but modifies some of them and includes two additional documentation requirements. The final rule's modifications to the NPRM's proposed documentation requirements are described first, followed by a description of the three documentation requirements added in the final rule.

The final rule makes the following modifications to the NPRM's proposed documentation requirements for the waiver of individual authorization:

1. IRB and privacy board membership. The NPRM stipulated that to meet the requirements of proposed § 164.510(j), the documentation would need to indicate that the IRB had been composed as required by the Common Rule (§ __.107), and the privacy board had been composed as follows: “(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol; (B) Includes at least one member who is not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity; and (C) Does not have any member participating in a review of any project in which the member has a conflict of interest” (§ 164.510(j)(1)(ii)).

The final rule modifies the first of the requirements for the composition of a privacy board to focus on the effect of the research protocol on the individual's privacy rights and related interests. Therefore, under the final rule, the required documentation must indicate that the privacy board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests.

In addition, the final rule further restricts the NPRM's proposed requirement that the privacy board include at least one member who was not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity. Under the final rule, the board must include at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with such entities.

The other documentation requirements for the composition of an IRB and privacy board remain the same.

2. Waiver of authorization criteria. The NPRM proposed to prohibit the use or disclosure of protected health information for research without individual authorization as stipulated in proposed § 164.508 unless the covered entity had documentation indicating that an IRB or privacy board had determined that the following waiver criteria had been met:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers.

The final rule continues to permit the documentation of IRB or privacy board approval of a waiver of an authorization as required by § 164.508, to indicate that only some or all of the § 164.508 authorization requirements have been waived. In addition, the final rule clarifies that the documentation of IRB or privacy board approval may indicate that the authorization requirements have been altered. Also, for all of the proposed waiver of authorization criteria that used the term “subject,” we replace this term with the term “individual” in the final rule.

In addition, the final rule (1) eliminates proposed waiver criterion iv, (2) modifies proposed waiver criteria ii, iii, vi, and viii, and (3) adds a waiver criterion.

Proposed waiver criterion ii (waiver criterion § 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to focus more narrowly on the privacy interests of individuals, and to clarify that it also pertains to alterations of individual authorization: “the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals.” Under criterion § 164.512(i)(2)(ii)(B), the question is whether the alteration or waiver of individual authorization would adversely affect the privacy rights and the welfare of individuals, not whether the research project itself would adversely affect the privacy rights or the welfare of individuals.

Proposed waiver criterion iii (waiver criterion § 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to clarify that it also pertains to alterations of individual authorization: “the research could not practicably be conducted without the alteration or waiver.”

Proposed waiver criterion vi (waiver criterion § 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to be more consistent with one of the Common Rule's requirements for the approval of human subjects research (Common Rule, § __.111(a)(2)): “the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to anticipated benefits, if any, to individuals, and the importance of the knowledge that may reasonably be expected to result from the research.” Under criterion § 164.512(i)(2)(ii)(E), the question is whether the risks to an individual's privacy from participating in the research are reasonable in relation to the anticipated benefits from the research. This criterion is unlike waiver criterion § 164.512(i)(2)(ii)(B) in that it focuses on the privacy risks and benefits of the research project more broadly, not on the waiver of individual authorization.

Proposed waiver criterion viii (waiver criterion § 164.512(i)(2)(ii)(G) in the final rule) is revised as follows: “there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law.”

In addition, the final rule includes another waiver criterion: waiver criterion § 164.512(i)(2)(ii)(H). The NPRM proposed no restriction on a researcher's further use or disclosure of protected health information that had been received under proposed § 164.510(j). The final rule requires that the covered entity obtain written agreement from the person or entity receiving protected health information under § 164.512(i) not to re-use or disclose protected health information to any other person or entity, except: (1) As required by law, (2) for authorized oversight of the research project, or (3) for other research for which the use or disclosure of protected health information would be permitted by this subpart. For instance, in assessing whether this criterion has been met, we encourage IRBs and privacy boards to obtain adequate assurances that the protected health information will not be disclosed to an individual's employer for employment decisions without the individual's authorization.

3. Required signature. The rule broadens the types of individuals who are permitted to sign the required documentation of IRB or privacy board approval. The final rule requires the documentation of the alteration or waiver of authorization to be signed by (1) the chair of, as applicable, the IRB or the privacy board, or (2) a member of the IRB or privacy board, as applicable, who is designated by the chair to sign the documentation.

Furthermore, the final rule makes the following three additions to the proposed documentation requirements for the alteration or waiver of authorization:

1. Identification of the IRB or privacy board. The NPRM did not propose that the documentation of waiver include a statement identifying the IRB or privacy board that approved the waiver of authorization. In the final rule we require that such a statement be included in the documentation of alteration or waiver of individual authorization. By this requirement we mean that the name of the IRB or privacy board must be included in such documentation, not the names of individual members of the board.

2. Description of protected health information approved for use or disclosure. The NPRM did not propose that the documentation of waiver include a description of the protected health information that the IRB or privacy board had approved for use or disclosure without individual authorization. In considering waiver of authorization criterion § 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to consider the amount of information that is minimally needed for the study. The final rule requires that the documentation of IRB or privacy board approval of the alteration or waiver of authorization describe the protected health information for which use or access has been determined to be necessary for the research by the IRB or privacy board. For example, if the IRB or privacy board approves only the use or disclosure of certain information from patients' medical records, and not patients' entire medical record, this must be stated on the document certifying IRB or privacy board approval.

3. Review and approval procedures. The NPRM would not have required documentation of IRBs' or privacy boards' review and approval procedures. In the final rule, the documentation of the alteration or waiver of authorization must state that the alteration or waiver has been reviewed and approved by: (1) an IRB that has followed the voting requirements stipulated in the Common Rule (§ __.108(b)), or the expedited review procedures as stipulated in § __.110(b); or (2) a privacy board that has reviewed the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting, unless an expedited review procedure is used.

For documentation of IRB approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the IRB followed the expedited review requirements of the Common Rule (§ __.110). For documentation of privacy board approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the privacy board met the expedited review requirements of the privacy rule. In the final rule, a privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which disclosure is being sought. If a privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair. Use of the expedited review mechanism permits review by a single member of the IRB or privacy board, but continues to require that the covered entity obtain documentation that all of the specified waiver criteria have been met.

Reviews Preparatory to Research

Under the NPRM, if a covered entity used or disclosed protected health information for research, but the researcher did not record the protected health information in a manner by which persons could be identified, such an activity would still have constituted a research use or disclosure that would have been subject to either the individual authorization requirements of proposed § 164.508 or the documentation of the waiver of authorization requirements of proposed § 164.510(j).

The final rule permits the use and disclosure of protected health information for research without requiring authorization or documentation of the alteration or waiver of authorization, if the research is conducted in such a manner that only de-identified protected health information is recorded by the researchers and the protected health information is not removed from the premises of the covered entity. For such uses and disclosures of protected health information, the final rule requires that the covered entity obtain from the researcher representations that use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research, no protected health information is to be removed from the covered entity by the researcher in the course of the review, and the protected health information for which use or access is sought is necessary for the research purposes. The intent of this provision is to permit covered entities to use and disclose protected health information to assist in the development of a research hypothesis and aid in the recruitment of research participants. We understand that researchers sometimes require access to protected health information to develop a research protocol, and to determine whether a specific covered entity has protected health information of prospective research participants that would meet the eligibility criteria for enrollment into a research study. Therefore, this provision permits covered entities to use and disclose protected health information for these preliminary research activities without individual authorization and without documentation that an IRB or privacy board has altered or waived individual authorization.

Research on Protected Health Information of the Deceased

The NPRM would have permitted the use and disclosure of protected health information of deceased persons for research without the authorization of a legal representative, and without the requirement for written documentation of IRB or privacy board approval in proposed § 164.510(j). In the final rule, we retain the exception for uses and disclosures for research purposes but in addition require that the covered entity take certain protective measures prior to release of the decedent's protected health information for such purposes. Specifically, the final rule requires that the covered entity obtain representation that the use or disclosure is sought solely for research on the protected health information of decedents, and representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. In addition, the final rule allows covered entities to request from the researcher documentation of the death of the individuals about whom protected health information is being sought.

Good Faith Reliance

The final rule clarifies that covered entities are allowed to rely on the IRB's or privacy board's representation that the research proposal meets the documentation requirements of § 164.512(i)(1)(i) and the minimum necessary requirements of § 164.514.

In addition, when using or disclosing protected health information for reviews preparatory to research (§ 164.512(i)(1)(ii)) or for research solely on the protected health information of decedents (§ 164.512(i)(1)(iii)), the final rule clarifies that the covered entity may rely on the requesting researcher's representation that the purpose of the request is for one of these two purposes, and that the request meets the minimum necessary requirements of § 164.514. Therefore, the covered entity has not violated the rule if the requesting researcher misrepresents his or her intended use of the protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

To the extent that a researcher provided treatment to persons as part of a research study, the NPRM would have covered such researchers as health care providers for purposes of that treatment, and required that the researcher comply with all of the provisions of the rule that would be applicable to health care providers. The final rule retains this requirement.

Individual Access to Research Information

Under proposed § 164.514, the NPRM would have applied the proposed provision regarding individuals' access to records to research that includes the delivery of treatment. The NPRM proposed an exception to individuals' right to access protected health information for clinical trials, where (1) protected health information was obtained by a covered entity in the course of clinical trial, (2) the individual agreed to the denial of access when consenting to participate in the trial (if the individual's consent to participate was obtained), and (3) the trial was still in progress.

Section 164.524 of the final rule retains this exception to access for research that includes treatment. In addition, the final rule requires that participants in such research be informed that their right of access to protected health information about them will be reinstated once the research is complete.

Obtaining the Individual's Authorization for Research

The NPRM would have required covered entities obtaining individuals' authorization for the use or disclosure of information for research to comply with the requirements applicable to individual authorization for the release of protected health information (proposed § 164.508(a)(2)). If an individual had initiated the use or disclosure of his/her protected health information for research, or any other purpose, the covered entity would have been required to obtain a completed authorization for the use or disclosure of protected health information as proposed in § 164.508(c).

The final rule retains these requirements for research conducted with authorization, as required by § 164.508. In addition, for the use and disclosure of protected health information created by a covered entity for the purpose, in whole or in part, of research that includes treatment of the individual, the covered entity must meet the requirements of § 164.508(f).

Interaction with the Common Rule

The NPRM stated that the proposed rule would not override the Common Rule. Where both the NPRM and the Common Rule would have applied to research conducted by the covered entity—either with or without individuals' authorization—both sets of regulations would have needed to be followed. This statement remains true in the final rule. In addition, we clarify that FDA's human subjects regulations must also be followed if applicable.

Section 164.512(j)—Uses and Disclosures to Avert a Serious Threat to Health or Safety

In the NPRM we proposed to allow covered entities to use or disclose protected health information without individual authorization—consistent with applicable law and ethics standards—based on a reasonable belief that use or disclosure of the protected health information was necessary to prevent or lessen a serious and imminent threat to health or safety of an individual or of the public. Pursuant to the NPRM, covered entities could have used or disclosed protected health information in these emergency circumstances to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. The NPRM stated that covered entities that made disclosures in these circumstances were presumed to have acted under a reasonable belief if the disclosure was made in good faith, based on credible representation by a person with apparent knowledge or authority. The NPRM did not include verification requirements specific to this paragraph.

In § 164.512(j) of the final rule, we retain the NPRM's approach to uses and disclosures made to prevent or lessen serious and imminent threats to health or safety, as well as its language regarding the presumption of good faith. We also clarify that: (1) Rules governing these situations, which the NPRM referred to as “emergency circumstances,” are not intended to apply to emergency care treatment, such as health care delivery in a hospital emergency room; and (2) the “presumption of good faith belief” is intended to apply only to this provision and not to all disclosures permitted without individual authorization. The final rule allows covered entities to use or disclose protected health information without an authorization on their own initiative in these circumstances, when necessary to prevent or lessen a serious and imminent threat, consistent with other applicable ethical or legal standards.

The rule's approach is consistent with the “duty to warn” third persons at risk, which has been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist's patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. Many states have adopted, through either statutory or case law, versions of the Tarasoff duty to warn. The rule is not intended to create a duty to warn or disclose. Rather, it permits disclosure to avert a serious and imminent threat to health or safety consistent with other applicable legal or ethical standards. If disclosure in these circumstances is prohibited by state law, this rule would not allow the disclosure.

As indicated above, in some situations (for example, when a person is both a fugitive and a victim and thus covered entities could disclose protected health information pursuant either to § 164.512(f)(2) regarding fugitives or to § 164.512(f)(3) establishing conditions for disclosure about victims), more than one section of this rule potentially could apply with respect to a covered entity's potential disclosure of protected health information. Similarly, in situations involving a serious and imminent threat to public health or safety, law enforcement officials may be seeking protected health information from covered entities to locate a fugitive. In the final rule, we clarify that if a situation fits one section of the rule (for example, § 164.512(j) on serious and imminent threats to health or safety), covered entities may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., § 164.512(f), regarding disclosure to law enforcement officials).

The proposed rule did not address situations in which covered entities could make disclosures to law enforcement officials about oral statements admitting participation in violent conduct or about escapees.

In the final rule we permit, but do not require, covered entities to use or disclose protected health information, consistent with applicable law and standards of ethical conduct, in specific situations in which the covered entity, in good faith, believes the use or disclosure is necessary to permit law enforcement authorities to identify or apprehend an individual. Under paragraph (j)(1)(ii)(A) of this section, a covered entity may take such action because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim. The protected health information that is disclosed in this case is limited to the statement and to the protected health information included under the limited identifying and location information in § 164.512(f)(2), such as name, address, and type of injury. Under paragraph (j)(1)(ii)(B) of this section, a covered entity may take such action where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

A disclosure may not be made under paragraph (j)(1)(ii)(A) for a statement admitting participation in a violent crime if the covered entity learns the information in the course of counseling or therapy. Similarly, such a disclosure is not permitted if the covered entity learns the information in the course of treatment to affect the propensity to commit the violent crimes that are described in the individual's statements. We do not intend to discourage individuals from speaking accurately in the course of counseling or therapy sessions, or to discourage other treatment that specifically seeks to reduce the likelihood that someone who has acted violently in the past will do so again in the future. This prohibition on disclosure is triggered once an individual has made a request to initiate or be referred to such treatment, therapy, or counseling.

The provision permitting use and disclosure has been added in light of the broadened definition in the final rule of protected health information. Under the NPRM, protected health information meant individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity. Under the final rule, protected health information includes information transmitted by electronic media as well as such information transmitted or maintained in any other form or medium. The new definition includes oral statements to covered entities as well as individually identifiable health information transmitted “in any other form.”

The definition of protected health information, for instance, would now apply to a statement by a patient that is overheard by a hospital security guard in a waiting room. Such a statement would have been outside the scope of the proposed rule (unless it was memorialized in an electronic record), but is within the scope of the final rule. For the example with the hospital guard, the new provision permitting disclosure of a statement by an individual admitting participation in a violent crime would have the same effect as the proposed rule—the statement could be disclosed to law enforcement, so long as the other aspects of the regulation are followed. Similarly, where it appears from all the circumstances that the individual has escaped from prison, the expanded definition of protected health information should not prevent the covered entity from deciding to report this information to law enforcement.

The disclosures that covered entities may elect to make under this paragraph are entirely at their discretion. These disclosures to law enforcement are in addition to other disclosure provisions in the rule. For example, under paragraph § 164.512(f)(2) of this section, a covered entity may disclose limited categories of protected health information in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Paragraph § 164.512(f)(1) of this section permits a covered entity to make disclosures that are required by other laws, such as state mandatory reporting laws, or are required by legal process such as court orders or grand jury subpoena.

Section 164.512(k)—Uses and Disclosures for Specialized Government Functions

Application to Military Services

In the NPRM we would have permitted a covered entity providing health care to Armed Forces personnel to use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority had published by notice in the Federal Register. (In the NPRM, we proposed that the Department of Defense would publish this Federal Register notice in the future.) The final rule takes a similar approach while making some modifications to the NPRM. One modification concerns the information that will be required in the Federal Register notice. The NPRM would have required a listing of (i) appropriate military command authorities; (ii) the circumstances for which use or disclosure without individual authorization would be required; and (iii) activities for which such use or disclosure would occur in order to assure proper execution of the military mission. In the final rule, we eliminate the third category and also slightly modify language in the second category to read: “the purposes for which the protected health information may be used or disclosed.”

An additional modification concerns the rule's application to foreign military and diplomatic personnel. The NPRM would have excluded foreign diplomatic and military personnel, as well as their dependents, from the proposed definition of “individual,” thereby excluding any protected health information created about these personnel from the NPRM's privacy protections. Foreign military and diplomatic personnel affected by this provision include, for example, allied military personnel who are in the United States for training. The final rule applies a more limited exemption to foreign military personnel only (Foreign diplomatic personnel will have the same protections granted to all other individuals under the rule). Under the final rule, foreign military personnel are not excluded from the definition of “individual.” Covered entities will be able to use and disclose protected health information of foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for U.S. Armed Forces personnel under the notice to be published in the Federal Register. Foreign military personnel do have the same rights of access, notice, right to request privacy protection, copying, amendment, and accounting as do other individuals pursuant to §§ 164.520-164.526 (sections on access, notice, right to request privacy protection for protected health information, amendment, inspection, copying) of the rule.

The NPRM likewise would have exempted overseas foreign national beneficiaries from the proposed rule's requirements by excluding them from the definition of “individual.” Under the final rule, these beneficiaries no longer are exempt from the definition of “individual.” However, the rule's provisions do not apply to the individually identifiable health information of overseas foreign nationals who receive care provided by the Department of Defense, other federal agencies, or by non-governmental organizations incident to U.S. sponsored missions or operations.

The final rule includes a new provision to address separation or discharge from military service. The preamble to the NPRM noted that upon completion of individuals' military service, DOD and the Department of Transportation routinely transfer entire military service records, including protected health information to the Department of Veterans Affairs so that the file can be retrieved quickly if the individuals or their dependents apply for veterans benefits. The NPRM would have required consent for such transfers. The final rule no longer requires consent in such situations. Thus, under the final rule, a covered entity that is a component of DOD or the Department of Transportation may disclose to DVA the protected health information of an Armed Forces member upon separation or discharge from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.

Department of Veterans Affairs

Under the NPRM, a covered entity that is a component of the Department of Veterans Affairs could have used and disclosed protected health information to other components of the Department that determine eligibility for, or entitlement to, or that provide benefits under the laws administered by the Secretary of Veterans Affairs. In the final rule, we retain this approach.

Application to Intelligence Community

The NPRM would have provided an exemption from its proposed requirements to the intelligence community. As defined in section 4 of the National Security Act, 50 U.S.C. 401a, the intelligence community includes: the Office of the Director of Central Intelligence Agency; the Office of the Deputy Director of Central Intelligence; the National Intelligence Council and other such offices as the Director may designate; the Central Intelligence Agency; the National Security Agency; the Defense Intelligence Agency; the National Imagery and Mapping Agency; the National Reconnaissance Office; other offices within the DOD for the collection of specialized national intelligence through reconnaissance programs; the intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, and the Department of Energy; the Bureau of Intelligence and Research of the Department of State; and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community. It would have allowed a covered entity to use without individual authorization protected health information of employees of the intelligence community, and of their dependents, if such dependents were being considered for posting abroad. The final rule does not include such an exemption. Rather, the final rule does not except intelligence community employees and their dependents from the general rule requiring an authorization in order for protected health information to be used and disclosed.

National Security and Intelligence Activities

The NPRM included a provision, in § 164.510(f)—Disclosure for Law Enforcement Purposes—that would allow covered entities to disclose protected health information without consent for the conduct of lawful intelligence activities under the National Security Act, and in connection with providing protective services to the President or to foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 2709(a)(3) respectively. The final rule preserves these exemptions, with slight modifications, but moves them from proposed § 164.510(f) to § 164.512(k). It also divides this area into two paragraphs—one called “National Security and Intelligence Activities” and the second called “Protective services for the President and Others.”

The final rule, with modifications, allows a covered entity to disclose protected health information to an authorized federal official for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority (e.g., Executive Order 12333). The references to “counter-intelligence and other national security activities” are new to the final rule. The reference to “implementing authority (e.g. Executive Order 12333)” is also new. The final rule also adds specificity to the provision on protective services. It states that a covered entity may disclose protected health information to authorized federal officials for the provision of protective services to the President or other persons as authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons as authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

Application to the State Department

The final rule creates a narrower exemption for the Department of State for uses and disclosures of protected health information (1) for purposes of a required security clearance conducted pursuant to Executive Orders 10450 and 12698; (2) as necessary to meet the requirements of determining worldwide availability or availability for mandatory service abroad under Sections 101(a)(4) and 504 of the Foreign Service Act; and (3) for a family member to accompany a Foreign Service Officer abroad, consistent with Sections 101(b)(5) and 904 of the Foreign Service Act.

Regarding security clearances, nothing prevents any employer from requiring that individuals provide authorization for the purpose of obtaining a security clearance. For the Department of State, however, the final rule provides a limited exemption that allows a component of the Department of State, without an authorization, to (1) use protected health information to make medical suitability determinations and (2) disclose whether or not the individual was determined to be medically suitable to authorized officials in the Department of State for the purpose of a security clearance investigation conducted pursuant to Executive Orders 10450 and 12698.

Sections 101(a)(4) and 504 of the Foreign Service Act require that Foreign Service members be available to serve in assignments throughout the world. The final rule permits disclosures to officials who need protected health information to determine availability for duty worldwide.

Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information for a family member to accompany a Foreign Service member abroad.

This exemption does not permit the disclosure of specific medical conditions, diagnoses, or other specific medical information. It permits only the disclosure of the limited information needed to determine whether the individual should be granted a security clearance or whether the Foreign Service member or his or her family members should be posted to a certain overseas assignment.

Application to Correctional Facilities

The NPRM would have excluded the individually identifiable health information of correctional facility inmates and detention facility detainees from the definition of protected health information. Thus, none of the NPRM's proposed privacy protections would have applied to correctional facility inmates or to detention facility detainees while they were in these facilities or after they had been released.

The final rule takes a different approach. First, to clarify that we are referring to individuals who are incarcerated in correctional facilities that are part of the criminal justice system or in the lawful custody of a law enforcement official—and not to individuals who are “detained” for non-criminal reasons, for example, in psychiatric institutions—§ 164.512(k) covers disclosure of protected health information to correctional institutions or law enforcement officials having such lawful custody. In addition, where a covered health care provider is also a health care component of a correctional institution, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information.

We define correctional institution as defined pursuant to 42 U.S.C. 13725(b)(1), as a “prison, jail, reformatory, work farm, detention center, or halfway house, or any other similar institution designed for the confinement or rehabilitation of criminal offenders.” The rules regarding disclosure and use of protected health information specified in § 164.512(k) cover individuals who are in transitional homes, and other facilities in which they are required by law to remain for correctional reasons and from which they are not allowed to leave. This section also covers individuals who are confined to psychiatric institutions for correctional reasons and who are not allowed to leave; however, it does not apply to disclosure of information about individuals in psychiatric institutions for treatment purposes only, who are not there due to a crime or under a mandate from the criminal justice system. The disclosure rules described in this section do not cover release of protected health information about individuals in pretrial release, on probation, or on parole, because such persons are not considered to be incarcerated in a correctional facility.

As described in § 164.512(k), correctional facility inmates' individually identifiable health information is not excluded from the definition of protected health information. When individuals are released from correctional facilities, they will have the same privacy rights that apply to all other individuals under this rule.

Section 164.512(k) of the final rule states that while individuals are in a correctional facility or in the lawful custody of a law enforcement official, covered entities (for example, the prison's clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) The provision of health care to such individuals; (2) the health and safety of such individual or other inmates; (3) the health and safety of the officers or employees of or others at the correctional institution; (4) the health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution or facility to another; (5) law enforcement on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution. This section is intended to allow, for example, a prison's doctor to disclose to a van driver transporting a criminal that the individual is a diabetic and frequently has seizures, as well as information about the appropriate action to take if the individual has a seizure while he or she is being transported.

We permit covered entities to disclose protected health information about these individuals if the correctional institution or law enforcement official represents that the protected health information is necessary for these purposes. Under § 164.514(h), a covered entity may reasonably rely on the representation of such public officials.

Application to Public Benefits Programs Required to Share Eligibility Information

We create a new provision for covered entities that are a government program providing public benefits. This provision allows the following disclosures of protected health information.

First, where other law requires or expressly authorizes information relating to the eligibility for, or enrollment in more than one public program to be shared among such public programs and/or maintained in a single or combined data system, a public agency that is administering a health plan may maintain such a data base and may disclose information relating to such eligibility or enrollment in the health plan to the extent authorized by such other law.

Where another public entity has determined that the appropriate balance between the need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. For example, section 1137 of the Social Security Act requires a variety of public programs, including the Social Security program, state medicaid programs, the food stamp program, certain unemployment compensation programs, and others, to participate in a joint income and eligibility verification system. Similarly, section 222 of the Social Security Act requires the Social Security Administration to provide information to certain state vocational rehabilitation programs for eligibility purposes. In some instances, it is a covered entity that first collects or creates the information that is then disclosed for these systems. We do not prohibit those disclosures.

This does not authorize these entities to share information for claims determinations or ongoing administration of these public programs. This provision is limited to the agencies and activities described above.

Second, § 164.512(k)(6) permits a covered entity that is a government agency administering a government program providing public benefits to disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs.

The second provision permits covered entities that are government programs providing public benefits that serve the same or similar populations to share protected health information for the purposes of coordinating covered functions of the programs and for general management and administration relating to the covered functions of the programs. Often, similar government health programs are administered by different government agencies. For example, in some states, the Medicaid program and the State Children's Health Insurance Program are administered by different agencies, although they serve similar populations. Many states coordinate eligibility for these two programs, and sometimes offer services through the same delivery systems and contracts. This provision would permit the covered entities administering these programs to share protected health information of program participants to coordinate enrollment and services and to generally improve the health care operations of the programs. We note that this provision does not authorize the agencies to use or disclose the protected health information that is shared for purposes other than as provided for in this paragraph.

Section 164.512(l)—Disclosures For Workers' Compensation

The NPRM did not contain special provisions permitting covered entities to disclose protected health information for the purpose of complying with workers' compensation and similar laws. Under HIPAA, workers' compensation and certain other forms of insurance (such as automobile or disability insurance) are “excepted benefits.” Insurance carriers that provide this coverage are not covered entities even though they provide coverage for health care services. To carry out their insurance functions, these non-covered insurers typically seek individually identifiable health information from covered health care providers and group health plans. In drafting the proposed rule, the Secretary was faced with the challenge of trying to carry out the statutory mandate of safeguarding the privacy of individually identifiable health information by regulating the flow of such information from covered entities while at the same time respecting the Congressional intent to shield workers' compensation carriers and other excepted benefit plans from regulation as covered entities.

In the proposed rule we allowed covered entities to disclose protected health information without individual consent for purposes of treatment, payment or health care operations—even when the disclosure was to a non-covered entity such as a workers' compensation carrier. In addition, we allowed protected health information to be disclosed if required by state law for purposes of determining eligibility for coverage or fitness for duty. The proposed rule also required that whenever a covered entity disclosed protected health information to a non-covered entity, even though authorized under the rule, the individual who was the subject of the information must be informed that the protected health information was no longer subject to privacy protections.

Like other disclosures under the proposed rule, the information provided to workers' compensation carriers for treatment, payment or health care operations was subject to the minimum necessary standard. However, to the extent that protected health information was disclosed to the carrier because it was required by law, it was not subject to the minimum necessary standard. In addition, individuals were entitled to an accounting when protected health information was disclosed for purposes other than treatment, payment or health care operations.

In the final rule, we include a new provision in this section that clarifies the ability of covered entities to disclose protected health information without authorization to comply with workers' compensation and similar programs established by law that provide benefits for work-related illnesses or injuries without regard to fault. Although most disclosures for workers' compensation would be permissible under other provisions of this rule, particularly the provisions that permit disclosures for payment and as required by law, we are aware of the significant variability among workers' compensation and similar laws, and include this provision to ensure that existing workers' compensation systems are not disrupted by this rule. We note that the minimum necessary standard applies to disclosures under this paragraph.

Under this provision, a covered entity may disclose protected health information regarding an individual to a party responsible for payment of workers' compensation benefits to the individual, and to an agency responsible for administering and/or adjudicating the individual's claim for workers' compensation benefits. For purposes of this paragraph, workers' compensation benefits include benefits under programs such as the Black Lung Benefits Act, the Federal Employees' Compensation Act, the Longshore and Harbor Workers' Compensation Act, and the Energy Employees' Occupational Illness Compensation Program Act.

Additional Considerations

We have included a general authorization for disclosures under workers' compensation systems to be consistent with the intent of Congress, which defined workers' compensation carriers as excepted benefits under HIPAA. We recognize that there are significant privacy issues raised by how individually identifiable health information is used and disclosed in workers' compensation systems, and believe that states or the federal government should enact standards that address those concerns.

Section 164.514—Other Procedural Requirements Relating To Uses and Disclosures of Protected Health Information

Section 164.514(a)-(c)—De-identification

In § 164.506(d) of the NPRM, we proposed that the privacy standards would apply to “individually identifiable health information,” and not to information that does not identify the subject individual. The statute defines individually identifiable health information as certain health information:

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

As we pointed out in the NPRM, difficulties arise because, even after removing obvious identifiers (e.g., name, social security number, address), there is always some probability or risk that any information about an individual can be attributed to that individual.

The NPRM proposed two alternative methods for determining when sufficient identifying information has been removed from a record to render the information de-identified and thus not subject to the rule. First, the NPRM proposed the establishment of a “safe harbor”: if all of a list of 19 specified items of information had been removed, and the covered entity had no reason to believe that the remaining information could be used to identify the subject of the information (alone or in combination with other information), the covered entity would have been presumed to have created de-identified information. Second, the NPRM proposed an alternative method so that covered entities with sufficient statistical experience and expertise could remove or encrypt a combination of information different from the enumerated list, using commonly accepted scientific and statistical standards for disclosure avoidance. Such covered entities would have been able to include information from the enumerated list of 19 items if they (1) believed that the probability of re-identification was very low, and (2) removed additional information if they had a reasonable basis to believe that the resulting information could be used to re-identify someone.

We proposed that covered entities and their business partners be permitted to use protected health information to create de-identified health information using either of these two methods. Covered entities would have been permitted to further use and disclose such de-identified information in any way, provided that they did not disclose the key or other mechanism that would have enabled the information to be re-identified, and provided that they reasonably believed that such use or disclosure of de-identified information would not have resulted in the use or disclosure of protected health information.

A number of examples were provided of how valuable such de-identified information would be for various purposes. We expressed the hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the purpose, and that such practice would reduce the burden and the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes.

In §§ 164.514(a)-(c) of this final rule, we make several modifications to the provisions for de-identification. First, we explicitly adopt the statutory standard as the basic regulatory standard for whether health information is individually identifiable health information under this rule. Information is not individually identifiable under this rule if it does not identify the individual, or if the covered entity has no reasonable basis to believe it can be used to identify the individual. Second, in the implementation specifications we reformulate the two ways in which a covered entity can demonstrate that it has met the standard.

One way a covered entity may demonstrate that it has met the standard is if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. The covered entity must also document the analysis and results that justify the determination. We provide guidance regarding this standard in our responses to the comments we received on this provision.

We also include an alternate, safe harbor, method by which covered entities can demonstrate compliance with the standard. Under the safe harbor, a covered entity is considered to have met the standard if it has removed all of a list of enumerated identifiers, and if the covered entity has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. We note that in the NPRM, we had proposed that to meet the safe harbor, a covered entity must have “no reason to believe” that the information remained identifiable after the enumerated identifiers were removed. In the final rule, we have changed the standard to one of actual knowledge in order to provide greater certainty to covered entities using the safe harbor approach.

In the safe harbor, we explicitly allow age and some geographic location information to be included in the de-identified information, but all dates directly related to the subject of the information must be removed or limited to the year, and zip codes must be removed or aggregated (in most cases to the 3-digit zip code) so that each geographic unit includes at least 20,000 people. Extreme ages of 90 and over must be aggregated to a category of 90+ to avoid identification of very old individuals. Other demographic information, such as gender, race, ethnicity, and marital status, is not included in the list of identifiers that must be removed.

The intent of the safe harbor is to provide a means to produce some de-identified information that could be used for many purposes with a very small risk of privacy violation. The safe harbor is intended to involve a minimum of burden and convey a maximum of certainty that the rules have been met by interpreting the statutory “reasonable basis to believe that the information can be used to identify the individual” to produce an easily followed, cookbook approach.

Covered entities may use codes and similar means of marking records so that they may be linked or later re-identified, if the code does not contain information about the subject of the information (for example, the code may not be a derivative of the individual's social security number), and if the covered entity does not use or disclose the code for any other purpose. The covered entity is also prohibited from disclosing the mechanism for re-identification, such as tables, algorithms, or other tools that could be used to link the code with the subject of the information.
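The following is an added illustration of the safe harbor rules described above (dates limited to the year, zip codes aggregated to a 3-digit prefix covering at least 20,000 people, ages of 90 and over collapsed to "90+", obvious identifiers removed, demographic fields retained) together with the re-identification code requirement: the code is random rather than derived from the individual's social security number, and the table linking codes to identities is kept apart from the de-identified data. It is not code from the rule or from any covered entity. The field names, the sample record, and the population figures per 3-digit zip prefix are all constructed for this example; the list of direct identifiers shown is only the three the text names as examples (name, social security number, address), not the rule's full enumerated list.

```python
import secrets
from datetime import date
from typing import Any, Dict, Optional, Tuple

MIN_ZIP_POPULATION = 20_000   # threshold stated in the safe harbor text
AGE_CAP = 90                  # ages of 90 and over collapse to the category "90+"

# Constructed population figures per 3-digit zip prefix (assumption: a real
# implementation would load these from census data, not hard-code them).
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}

# Direct identifiers named as examples in the text; the rule's enumerated list is
# longer and must be taken from the regulation itself (assumption for this demo).
DIRECT_IDENTIFIERS = ("name", "ssn", "address")

# Constructed sample record (all values fictitious).
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Example Patient",
    "ssn": "000-00-0000",
    "address": "1 Example Street",
    "zip": "02139",
    "age": 93,
    "gender": "F",
    "marital_status": "widowed",
    "date_of_birth": date(1907, 5, 14),
    "admission_date": date(2000, 12, 3),
    "diagnosis_code": "EXAMPLE-DX",
}


def generalize_zip(zip5: str, populations: Dict[str, int] = ZIP3_POPULATION) -> Optional[str]:
    """Keep the 3-digit prefix only if it covers at least 20,000 people; otherwise drop it."""
    zip3 = zip5[:3]
    return zip3 if populations.get(zip3, 0) >= MIN_ZIP_POPULATION else None


def generalize_age(age: int) -> str:
    """Exact age below 90; the aggregate category '90+' at 90 and over."""
    return "90+" if age >= AGE_CAP else str(age)


def generalize_date(d: date) -> int:
    """Any date directly related to the individual is limited to its year."""
    return d.year


def new_reidentification_code() -> str:
    """A random code carries no information about the subject, unlike a hash of the SSN."""
    return secrets.token_hex(16)


def deidentify(record: Dict[str, Any]) -> Tuple[Dict[str, Any], str]:
    """Apply the safe harbor generalizations and attach a random linkage code."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                    # removed outright
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3                      # suppressed if the area is too small
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, date):
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value                            # gender, marital status, clinical codes
    code = new_reidentification_code()
    out["record_code"] = code
    return out, code


class ReidentificationTable:
    """Code-to-identity mapping held only by the covered entity; never disclosed with the data."""

    def __init__(self) -> None:
        self._identities: Dict[str, Dict[str, Any]] = {}

    def register(self, code: str, record: Dict[str, Any]) -> None:
        self._identities[code] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}

    def lookup(self, code: str) -> Dict[str, Any]:
        return self._identities[code]


if __name__ == "__main__":
    table = ReidentificationTable()
    released, code = deidentify(SAMPLE_RECORD)
    table.register(code, SAMPLE_RECORD)     # stays with the covered entity
    print(released)                         # what may leave the entity
```

The separation matters for the second half of the passage: the released record contains only the random code, while `ReidentificationTable` is the "mechanism for re-identification" that the covered entity may not disclose and may not use for any other purpose.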

Language to clarify that covered entities may contract with business associates to perform the de-identification has been added to the section on business associates.

Section 164.514(d)—Minimum Necessary

The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)).

The proposed minimum necessary standard did not apply to uses or disclosures that were made by covered entities at the request of the individual, either to allow the individual access to protected health information about him or her or pursuant to an authorization initiated by the individual. The requirement also did not apply to uses and disclosures made: pursuant to the compliance and enforcement provisions of the rule; as required by law and permitted by the regulation without individual authorization; by a covered health care provider to a health plan, when the information was requested for audit and related purposes. Finally, the standard did not apply to the HIPAA administrative simplification transactions.

The proposed implementation specifications would have required a covered entity to have procedures to: (i) Identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard; (ii) ensure that those persons make the minimum necessary determinations, when required; and (iii) within the limits of the entity's technological capabilities, provide for the making of such determinations individually. The proposal allowed a covered entity, when making disclosures to public officials that were permitted without individual authorization but not required by other law, to reasonably rely on the representations of such officials that the information requested was the minimum necessary for the stated purpose(s).

The preamble provided further guidance. The preamble explained that covered entities could not have general policies of approving all requests (or all requests of a particular type) without carefully considering certain criteria (see “Criteria,” below) as well as other information specific to the request. The minimum necessary determination would have needed to be consistent with and directly related to the purpose of the use or disclosure. Where there was ambiguity regarding the information to be used or disclosed, the preamble directed covered entities to interpret the “minimum necessary” standard to “require” the covered entity to make some effort to limit the amount of protected health information used/disclosed.

The proposal would have required the minimum necessary determination to take into consideration the ability of a covered entity to delimit the amount of information used or disclosed. The preamble noted that these determinations would have to be made under a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use or disclosure. The “reasonableness” of limiting particular uses or disclosures was to be determined based on the following factors (which were not included in the regulatory text):

a. The extent to which the use or disclosure would extend the number of persons with access to the protected health information.

b. The likelihood that further uses or disclosures of the protected health information could occur.

c. The amount of protected health information that would be used or disclosed.

d. The importance of the use or disclosure.

e. The potential to achieve substantially the same purpose with de-identified information. For disclosures, each covered entity would have been required to have policies for determining when protected health information must be stripped of identifiers.

f. The technology available to limit the amount of protected health information used/disclosed.

g. The cost of limiting the use/disclosure.

h. Any other factors that the covered entity believed were relevant to the determination.

The proposal shifted the “minimum necessary” burden off of covered providers when they were being audited by a health plan. The preamble explained that the duty would have been shifted to the payor to request the minimum necessary information for the audit purpose, although the regulatory text did not include such a requirement. Outside of the audit context, the preamble stated that a health plan would be required, when requesting a disclosure, to limit its requests to the information required to achieve the purpose of the request; the regulation text did not include this requirement.

The preamble stated that disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the minimum necessary standard.

This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. For all uses and many disclosures and requests for disclosures from other covered entities, we require covered entities to implement policies and procedures for “minimum necessary” uses and disclosures. Implementation of such policies and procedures is required in lieu of making the “minimum necessary” determination for each separate use or disclosure as discussed in the proposal. Disclosures to or requests by a health care provider for treatment purposes are not subject to the standard (see § 164.502).

Specifically (and as further described below), the proposed requirement for individual review of all uses of protected health information is replaced with a requirement for covered entities to implement policies and procedures that restrict access and uses based on the specific roles of members of the covered entity's workforce. Routine disclosures also are not subject to individual review; instead, covered entities must implement policies and procedures to limit the protected health information in routine disclosures to the minimum necessary to achieve the purpose of that type of disclosure. The proposed exclusion of disclosures to health plans for audit purposes is deleted and replaced with a general requirement that covered entities must limit requests to other covered entities for individually identifiable health information to what is reasonably necessary for the use or disclosure intended. The other exclusions from the standard are unchanged from the proposed rule (e.g., for individuals' access to information about themselves, pursuant to an authorization initiated by the individual, for enforcement of this rule, as required by law).

The language of the basic “standard” itself is largely unchanged; covered entities must make reasonable efforts to use or disclose or to request from another covered entity, only the minimum amount of protected health information required to achieve the purpose of a particular use or disclosure. We delete the word “all” from the “reasonable efforts” that covered entities must take in making a “minimum necessary” determination. The implementation specifications are significantly modified, and differ based on whether the activity is a use or disclosure.

Similarly, a “minimum necessary” disclosure for oversight purposes in accordance with § 164.512(d) could include large numbers of records to allow oversight agencies to perform statistical analyses to identify deviations in payment or billing patterns, and other data analyses.

Uses of Protected Health Information

A covered entity must implement policies and procedures to identify the persons or classes of persons in the entity's workforce who need access to protected health information to carry out their duties, the category or categories of protected health information to which such persons or classes need access, and the conditions, as appropriate, that would apply to such access. Covered entities must also implement policies and procedures to limit access to only the identified persons, and only to the identified protected health information. The policies and procedures must be based on reasonable determinations regarding the persons or classes of persons who require protected health information, and the nature of the health information they require, consistent with their job responsibilities.

For example, a hospital could implement a policy that permitted nurses access to all protected health information of patients in their ward while they are on duty. A health plan could permit its underwriting analysts unrestricted access to aggregate claims information for rate setting purposes, but require documented approval from its department manager to obtain specific identifiable claims records of a member for the purpose of determining the cause of unexpected claims that could influence renewal premium rate setting.

The “minimum necessary” standard is intended to reflect and be consistent with, not override, professional judgment and standards. For example, we expect that covered entities will implement policies that allow persons involved in treatment to have access to the entire record, as needed.

Disclosures of Protected Health Information

For any type of disclosure that is made on a routine, recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that permit only the disclosure of the minimum protected health information reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. Instead, under § 164.514(d)(3), these policies and procedures must identify the types of protected health information to be disclosed, the types of persons who would receive the protected health information, and the conditions that would apply for such access. We recognize that specific disclosures within a type may vary, and require that the policies address what is the norm for the type of disclosure involved. For example, a covered entity may decide to participate in research studies and therefore establish a protocol to minimize the information released for such purposes, e.g., by requiring researchers requesting disclosure of data contained in paper-based records to review the paper records on-site and to abstract only the information relevant to the research. Covered entities must develop policies and procedures (which may be standard protocols) to apply to disclosures to routinely hired types of business associates. For instance, a standard protocol could describe the subset of information that may be disclosed to medical transcription services.

For non-routine disclosures, a covered entity must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure. They also must establish and implement procedures for reviewing such requests for disclosures on an individual basis in accordance with these criteria.

Disclosures to health care providers for treatment purposes are not subject to these requirements.

Covered entities' policies and procedures must provide that disclosure of an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, disclosure of all protected health information to an accreditation group would not necessarily violate the regulation, because the entire record may be the “minimum necessary” for its purpose; covered entities may establish policies allowing for and justifying such a disclosure. Disclosure of the entire medical record absent such documented justification is a presumptive violation of this rule.

Requests for Protected Health Information

For requests for protected health information from other covered entities made on a routine, recurring basis, the requesting covered entities' policies and procedures may establish standard protocols describing what information is reasonably necessary for the purposes and limiting their requests to only that information, in lieu of making this determination individually for each request. For all other requests, the policies and procedures must provide for review of the requests on an individualized basis. A request by a covered entity may be made in order to obtain information that will subsequently be disclosed to a third party, for example, to obtain information that will then be disclosed to a business associate for quality assessment purposes; such requests are subject to this requirement.

Covered entities' policies and procedures must provide that requests for an entire medical record will not be made except pursuant to policies which specifically justify why the entire medical record is needed. For instance, a health plan's request for all protected health information from an applicant for insurance would not necessarily violate the regulation, because the entire record may be the “minimum necessary” for its purpose. Covered entities may establish policies allowing for and justifying such a request. A request for the entire medical record absent such documented justification is a presumptive violation of this rule.

Reasonable Reliance

A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose. A covered entity may also rely on the assertions of a professional (such as an attorney or accountant) who is a member of its workforce or its business associate regarding what protected health information he or she needs in order to provide professional services to the covered entity when such person represents that the information requested is the minimum necessary. As we proposed in the NPRM, covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representation of a public official that the information requested is the minimum necessary.

Uses and Disclosures for Research

In making a minimum necessary determination regarding the use or disclosure of protected health information for research purposes, a covered entity may reasonably rely on documentation from an IRB or privacy board describing the protected health information needed for research and consistent with the requirements of § 164.512(i), “Uses and Disclosures for Research Purposes.” A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents. The covered entity must ensure that the representation or documentation of IRB or privacy board approval it obtains from a researcher describes with sufficient specificity the protected health information necessary for the research. Covered entities must use or disclose such protected health information in a manner that minimizes the scope of the use or disclosure.

Standards for Electronic Transactions

We clarify that under § 164.502(b)(2)(v), covered entities are not required to apply the minimum necessary standard to the required or situational data elements specified in the implementation guides for HIPAA administrative simplification standard transactions in the Transactions Rule. The standard does apply for uses or disclosures in standard transactions that are made at the option of the covered entity.

Section 164.514(e)—Marketing

In the proposed rule, we would have required covered entities to obtain the individual's authorization in order to use or disclose protected health information to market health and non-health items and services.

We have made a number of changes in the final rule that relate to marketing. In the final rule, we retain the general rule that covered entities must obtain the individual's authorization before making uses or disclosures of protected health information for marketing. However, we add a new definition of “marketing” that clarifies that certain activities, such as communications made by a covered entity for the purpose of describing the products and services it provides, are not marketing. See § 164.501 and the associated preamble regarding the definition of marketing. In the final rule we also permit covered entities to use and disclose protected health information for certain marketing activities without individual authorization, subject to conditions enumerated at § 164.514(e).

First, § 164.514(e) permits a covered entity to use or disclose protected health information without individual authorization to make a marketing communication if the communication occurs in a face-to-face encounter with the individual. This provision would permit a covered entity to discuss any services and products, including those of a third-party, without restriction during a face-to-face communication. A covered entity also could give the individual sample products or other information in this setting.

Second, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications involving products or services of only nominal value. This provision ensures that covered entities do not violate the rule when they distribute calendars, pens and other merchandise that generally promotes the covered entity.

Third, we permit a covered entity to use or disclose protected health information without individual authorization to make marketing communications about the health-related products or services of the covered entity or of a third party if the communication: (1) Identifies the covered entity as the party making the communication; (2) to the extent that the covered entity receives direct or indirect remuneration from a third-party for making the communication, prominently states that fact; (3) except in the case of a general communication (such as a newsletter), contains instructions describing how the individual may opt-out of receiving future communications about health-related products and services; and (4) where protected health information is used to target the communication about a product or service to individuals based on their health status or health condition, explains why the individual has been targeted and how the product or service relates to the health of the individual. The final rule also requires a covered entity to make a determination, prior to using or disclosing protected health information to target a communication to individuals based on their health status or condition, that the product or service may be beneficial to the health of the type or class of individual targeted to receive the communication.

This third provision accommodates the needs of health care entities to be able to discuss their own health-related products and services, or those of third parties, as part of their everyday business and as part of promoting the health of their patients and enrollees. The provision is restricted to uses by covered entities or disclosures to their business associates pursuant to a contract that requires confidentiality, ensuring that protected health information is not distributed to third parties. To provide individuals with a better understanding of how their protected health information is being used for marketing, the provision requires that the communication identify that the covered entity is the source of the communication; a covered entity may not send out information about the product of a third party without disclosing to the individual where the communication originated. We also require covered entities to disclose any direct or indirect remuneration from third parties. This requirement permits individuals to better understand why they are receiving a communication, and to weigh the extent to which their information is being used to promote their health or to enrich the covered entity. Covered entities also are required to include in their communication (unless it is a general newsletter or similar device) how the individual may prevent further communications about health-related products and services. This provision enhances individuals' control over how their information is being used. Finally, where a covered entity targets communications to individuals on the basis of their health status or condition, we require that the entity make a determination that the product or service being communicated may be beneficial to the health of the type of individuals targeted, and that the communication to the targeted individuals explain why they have been targeted and how the product or service relates to their health. This final provision balances the advantages that accrue from health care entities informing their patients and enrollees of new or valuable health products with individuals' expectations that their protected health information will be used to promote their health.

Section 164.514(f)—Fundraising

We proposed in the NPRM to require covered entities to obtain authorization from an individual in order to use the individual's protected health information for fundraising activities.

As noted in § 164.501, in the final rule we define fundraising on behalf of a covered entity to be a health care operation. In § 164.514, we permit a covered entity to use protected health information without individual authorization for fundraising on behalf of itself, provided that it limits the information that it uses to demographic information about the individual and the dates that it has provided service to the individual (see the § 164.501 discussion of “health care operations”). In addition, we require fundraising materials to explain how the individual may opt out of any further fundraising communications, and covered entities are required to honor such requests. We permit a covered entity to disclose the limited protected health information to a business associate for fundraising on its own behalf. We also permit a covered entity to disclose the information to an institutionally related foundation.

By “institutionally related foundation,” we mean a foundation that qualifies as a nonprofit charitable foundation under section 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An institutionally related foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community. For example, a covered hospital may disclose for fundraising on its own behalf the specified protected health information to a nonprofit foundation established for the specific purpose of raising funds for the hospital or to a foundation that has as its mission the support of the members of a particular hospital chain that includes the covered hospital. The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases, that may give money to a covered entity, because its charitable purpose is not specific to the covered entity.

Section 164.514(g)—Underwriting

As described under the definition of “health care operations” (§ 164.501), protected health information may be used or disclosed for underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. This final rule includes a requirement, not included in the NPRM, that health plans receiving such information for these purposes may not use or disclose it for any other purpose, except as may be required by law, if the insurance or benefits contract is not placed with the health plan.

Section 164.514(h)—Verification of Identity and Authority of Persons Requesting Protected Health Information

Disclosure of Protected Health Information

We reorganize the provision regarding verification of identity of individuals requesting protected health information to improve clarity, but we retain the substance of requirements proposed in the NPRM in § 164.518(c), as follows.

The covered entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identity and authority of the requestor where the covered entity does not know the person requesting the protected health information. The knowledge of the person may take the form of a known place of business, address, phone or fax number, as well as a known human being. Where documentation, statements or representations, whether oral or written, from the person requesting the protected health information are a condition of disclosure under this rule or other law, this verification must involve obtaining such documentation, statement, or representation. In such a case, additional verification is only required where this regulation (or other law) requires additional proof of authority and identity.

The NPRM proposed that covered entities would be permitted to rely on the required documentation of IRB or privacy board approval to constitute sufficient verification that the person making the request was a researcher and that the research is authorized. The final rule retains this provision.

For most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation. Additional proof is required by other provisions of this regulation where the request is made pursuant to § 164.512 for national priority purposes. Where the person requesting the protected health information is a public official, covered entities must verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities are required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Where § 164.512 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official's proof of identity and the official's oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of legal authority; under these provisions, only the required written evidence will suffice.

In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor's identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency's authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.

In some circumstances, identity or authority will be verified as part of meeting the underlying requirements for disclosure. For example, a disclosure under § 164.512(j)(1)(i) to avert an imminent threat to safety is lawful only if made in the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations is appropriate in such situations.

Similarly, disclosures permitted under § 164.510(a) for facility directories may be made to the general public; the covered entity's policies and procedures do not need to address verifying the identity and authority for these disclosures. In § 164.510(b) we do not require verification of identity for persons assisting in an individual's care or for notification purposes. For disclosures when the individual is not present, such as when a friend is picking up a prescription, we allow the covered entity to use professional judgment and experience with common practice to make reasonable inferences.

Under § 164.524, a covered entity is required to give individuals access to protected health information about them (under most circumstances). Under the general verification requirements of § 164.514(h), the covered entity is required to take reasonable steps to verify the identity of the individual making the request. We do not mandate particular identification requirements (e.g., driver's license, photo ID), but rather leave this to the discretion of the covered entity. The covered entity must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. For example, a health care provider can require a copy of a power of attorney, or can ask questions to determine that an adult acting for a young child has the requisite relationship to the child.

In Subpart C of Part 160, we require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity must verify the same information that it is required to verify for any other law enforcement or oversight request for disclosure.

Use of Protected Health Information

The proposed rule's verification requirements applied to any person requesting protected health information, whether for a use or a disclosure. In the final regulation, the verification provisions apply only to disclosures of protected health information. The requirements in § 164.514(d), for implementation of policies and procedures for “minimum necessary” uses of protected health information, are sufficient to ensure that only appropriate persons within a covered entity will have access to protected health information.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Section 164.520(a)—Right to Notice

We proposed to establish a right for individuals to receive adequate notice of how covered health care providers and health plans use and disclose protected health information, and of the individual's rights with respect to that information.

In the final regulation, we retain the general right for individuals to receive and the requirement for covered entities to produce a notice of privacy practices, with significant modifications to the content and distribution requirements.

We also modify the requirements with respect to certain covered entities. First, in § 164.500(b)(2), we clarify that a health care clearinghouse that creates or receives protected health information other than as a business associate of a covered entity must produce a notice. If a health care clearinghouse creates or receives protected health information only as a business associate of other covered entities, it is not required to produce a notice.

Second, in § 164.520(a)(2), we clarify the notice requirements with respect to group health plans. Individuals who receive health benefits under a group health plan other than through insurance are entitled to a notice from the group health plan; self-insured group health plans must maintain a notice that meets the requirements of this section and must provide the notice in accordance with the requirements of § 164.520(c). At a minimum, the self-insured group health plan's notice must describe the group health plan's privacy practices with respect to the protected health information it creates or receives through its self-insured arrangements. For example, if a group health plan maintains both fully-insured and self-insured arrangements, the group health plan must, at a minimum, maintain and provide a notice that describes its privacy practices with respect to protected health information it creates or receives through the self-insured arrangements. This notice would be distributed to all participants in the self-insured arrangements (in accordance with § 164.520(c)(1)) and would also be available on request to other persons, including participants in the fully-insured arrangements.

Individuals who receive health benefits under a group health plan through an insurance contract (i.e., a fully-insured group health plan) are entitled to a notice from the issuer or HMO through which they receive their health benefits. The health insurance issuer or HMO must maintain and provide the notice in accordance with § 164.520(c)(1). In addition, some fully-insured group health plans are required to maintain and provide a notice of the group health plan's privacy practices. If a group health plan provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the group health plan creates or receives protected health information in addition to summary information (as defined in § 164.504(a)) and information about individuals' enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan must maintain a notice that meets the requirements of this section and must provide the notice upon request of any person. The group health plan is not required to meet the other distribution requirements of § 164.520(c)(1). Individuals enrolled in such group health plans have the right to notice of the health insurance issuer or HMO's privacy practices and, on request, to notice of the group health plan's privacy practices. If the group health plan, however, provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and the only protected health information the group health plan creates or receives is summary information (as defined in § 164.504(a)) and information about individuals' enrollment in or disenrollment from a health insurance issuer or HMO offered by the group health plan, the group health plan is not required to maintain or provide a notice under this section. In this case, the individuals enrolled in the group health plan would receive notice of the health insurance issuer or HMO's privacy practices, but would not be entitled to notice of the group health plan's privacy practices.

Third, in § 164.520(a)(3), we clarify that inmates do not have a right to notice under this section and a correctional institution that is a covered entity is not required to produce a notice. No person, including a current or former inmate, has the right to notice of such a covered entity's privacy practices.

Section 164.520(b)—Content of Notice

We proposed to require the notice to be written in plain language and contain each of the following elements: a description of the uses and disclosures expected to be made without individual authorization; statements that other uses and disclosures would be made only with the individual's authorization and that the individual could revoke such authorization; descriptions of the rights to request restrictions, inspect and copy protected health information, amend or correct protected health information, and receive an accounting of disclosures of protected health information; statements about the entity's legal requirements to protect privacy, provide notice, and adhere to the notice; a statement about how individuals would be informed of changes to the entity's policies and procedures; instructions on how to make complaints with the entity or Secretary; the name and telephone number of a contact person or office; and the date the notice was produced. We provided a model notice of information policies and procedures for covered health care providers.

In § 164.520(b), and immediately below in this preamble, we describe the notice content requirements for the final rule. As described in detail below, we make substantial changes to the uses and disclosures of protected health information that must be described in the notice. Unlike the proposed rule, we do not include a model notice. We intend to develop further guidance on notice requirements prior to the compliance date of this rule. In this section of the final rule, we also refer to the covered entity's privacy “practices,” rather than its “policies and procedures.” The purpose of this change in vocabulary is to clarify that a covered entity's “policies and procedures” are a detailed documentation of all of the entity's privacy practices as required under this rule, not just those described in the notice. For example, we require covered entities to have policies and procedures implementing the requirements for “minimum necessary” uses and disclosures of protected health information, but these policies and procedures need not be reflected in the entity's notice. Similarly, we require covered entities to have policies and procedures for assuring individuals access to protected health information about them. While such policies and procedures will need to include documentation of the designated record sets subject to access, who is authorized to determine when information will be withheld from an individual, and similar details, the notice need only explain generally that individuals have the right to inspect and copy information about them, and tell individuals how to exercise that right.

A covered entity that adopts and follows the notice content and distribution requirements described below will have provided adequate notice. However, the requirements for the content of the notice are not intended to be exclusive. As with the rest of the rule, we specify minimum requirements, not best practices. Covered entities may want to include more detail. We note that all federal agencies must still comply with the Privacy Act of 1974. This means that federal agencies that are covered entities or have covered health care components must comply with the notice requirements of the Privacy Act as well as those included in this rule.

In addition, covered entities may want or be required to produce more than one notice in order to satisfy the notice content requirements under this rule. For example, a covered entity that conducts business in multiple states with different laws regarding the uses and disclosures that the covered entity is permitted to make without authorization may be required to produce a different notice for each state. A covered entity that conducts business both as part of an organized health care arrangement or affiliated covered entity and as an independent enterprise (e.g., a physician who sees patients through an on-call arrangement with a hospital and through an independent private practice) may want to adopt different privacy practices with respect to each line of business; such a covered entity would be required to produce a different notice describing the practices for each line of business. Covered entities must produce notices that accurately describe the privacy practices that are relevant to the individuals receiving the notice.

Required Elements

Plain Language

As in the proposed rule, we require the notice to be written in plain language. A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using “you” and other pronouns; use common, everyday words in sentences; and divide material into short sections.

We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), typeface, and font size. However, the purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed. Recipients who cannot understand the covered entity's notice will miss important information about their rights under this rule and about how the covered entity is protecting health information about them. One of the goals of this rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered entities have an incentive to make their notice statements clear and concise. We believe that the more understandable the notice is, the more confidence the public will have in the covered entity's commitment to protecting the privacy of health information.

It is important that the content of the notice be communicated to all recipients and therefore we encourage the covered entity to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas. Specifically, this Title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program needs service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in languages appropriate to such persons. For covered entities not subject to Title VI, the Title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.

We also encourage covered entities to be attentive to the needs of individuals who cannot read. For example, an employee of the covered entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.

Header

Unlike the proposed rule, covered entities must include prominent and specific language in the notice that indicates the importance of the notice. This is the only specific language we require covered entities to include in the notice. The header must read, “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Uses and Disclosures

We proposed to require covered entities to describe in plain language the uses and disclosures of protected health information, and the covered entity's policies and procedures with respect to such uses and disclosures, that the health plan or covered provider expected to make without individual authorization. The covered provider or health plan would have had to distinguish between those uses and disclosures required by law and those permitted but not required by law.

We also proposed to require covered health care providers and health plans to state in the notice that all other uses and disclosures would be made only with the individual's authorization and that such authorization could be revoked. The notice would also have been required to state that the individual could request restrictions on certain uses and disclosures and that the covered entity would not be required to agree to such a request.

We significantly modify these requirements in the final rule. Covered entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506. If other applicable law prohibits or materially limits the covered entity's ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.

Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.

Unlike the proposed rule, we additionally require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services that may be of interest to the individual, or soliciting funds to benefit the covered entity. If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization. See § 164.502(i).

In addition, if a group health plan, or a health insurance issuer or HMO with respect to a group health plan, wants the option to disclose protected health information to a group health plan sponsor without authorization as permitted under § 164.504(f), the group health plan, health insurance issuer or HMO must describe that practice in its notice.

As in the proposed rule, the notice must state that all other uses and disclosures will be made only with the individual's authorization and that the individual has the right to revoke such authorization.

We anticipate this requirement will lead to significant standardization of the notice. This language could be the same for every covered entity of a particular type within a state, territory, or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered entities in preparing their notices.

Individual Rights

As in the proposed rule, covered entities must describe individuals' rights under the rule and how individuals may exercise those rights with respect to the covered entity. Covered entities must describe each of the following rights, as provided under the rule: the right to request restrictions on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a)); the right to receive confidential communications of protected health information (§ 164.522(b)); the right to inspect and copy protected health information (§ 164.524); the right to amend protected health information (§ 164.526); and the right to an accounting of disclosures of protected health information (§ 164.528). We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.

Covered Entity's Duties

As in the proposed rule, covered entities must state in the notice that they are required by law to maintain the privacy of protected health information, to provide a notice of their legal duties and privacy practices, and to abide by the terms of the notice currently in effect. In the final rule, we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)

Complaints

As in the proposed rule, a covered entity's notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated. See § 164.530(d) and the corresponding preamble discussion for the requirements on covered entities for receiving complaints. The notice must also state that individuals may file complaints with the Secretary. In the final rule, we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.

Contact

As in the proposed rule, the notice must identify a point of contact where the individual can obtain additional information about any of the matters identified in the notice.

Effective Date

The notice must include the date the notice went into effect, rather than the proposed requirement to include the date the notice was produced. The effective date cannot be earlier than the date on which the notice was first printed or otherwise published. Covered entities may wish to highlight or otherwise emphasize any material modifications that they have made, in order to help the individual recognize such changes.

Optional Elements

As described above, we proposed to require covered entities to describe the uses and disclosures of protected health information that the covered entity in fact expected to make without the individual's authorization. We did not specify any optional elements.

While the final rule requires covered entities to describe all of the types of uses and disclosures permitted or required by law (not just those that the covered entity intends to make), we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization. We anticipate that some covered entities will want to distinguish themselves on the basis of their more stringent privacy practices. For example, covered health care providers who routinely treat patients with particularly sensitive conditions may wish to assure their patients that, even though the law permits them to disclose information for a wide array of purposes, the covered health care provider will only disclose information in very specific circumstances, as required by law, and to avert a serious and imminent threat to health or safety. A covered entity may not include statements in the notice that purport to limit the entity's ability to make uses or disclosures that are required by law or necessary to avert a serious and imminent threat to health or safety.

As described above, if the covered entity wishes to reserve the right to change its privacy practices with respect to the more limited uses and disclosures and apply the revised practices to protected health information previously created or received, it must make a statement to that effect and describe how it will provide individuals with a revised notice. (See below for a more detailed discussion of a covered entity's responsibilities when it changes its privacy practices.)

Revisions to the Notice

We proposed to require a covered entity to adhere to the terms of its notice, and would have permitted it to change its information policies and procedures at any time. We would have required covered health care providers and health plans to update the notice to reflect material changes to the information policies and procedures described in the notice. Changes to the notice would have applied to all protected health information held by the covered entity, including information collected under prior notices. That is, we would not have required covered entities to segregate their records according to the notice in effect at the time the record was created. We proposed to prohibit covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take other action that the notice would not have permitted. In these situations, we proposed to require covered entities to document the compelling reason and, within 30 days of the use, disclosure, or other action, change its notice to permit the action.

As in the proposed rule, covered entities are required to adhere to the terms of the notice currently in effect. See § 164.502(i). When a covered entity materially changes any of the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices described in its notice, it must promptly revise its notice accordingly. See § 164.520(b)(3). (Pursuant to § 164.530(i), it must also revise its policies and procedures.) Except when required by law, a material change to any term in the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. In the final rule, however, we revise the circumstances under and extent to which the covered entity may revise the practices stated in the notice and apply the new practices to protected health information it created or received under prior notice.

Under § 164.530(i), a covered entity that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice. For example, a covered hospital that states in its notice that it will only make public health disclosures required by law, and that does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice.

If a second covered hospital states in its notice that it will only make public health disclosures required by law, but does reserve the right to change its practices, it is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If this hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, but need not segregate its records. As of the effective date of the revised notice, it may disclose any protected health information, including information created or received under the prior notice, for discretionary public health purposes.

Section 164.530(i) and the corresponding discussion in this preamble describe requirements for revision of a covered entity's privacy policies and procedures, including the privacy practices reflected in its notice.

Section 164.520(c)—Provision of Notice

As in the proposed rule, all covered entities that are required to produce a notice must provide the notice upon request of any person. The requestor does not have to be a current patient or enrollee. We intend the notice to be a public document that people can use in choosing between covered entities.

For health plans, we proposed to require health plans to distribute the notice to individuals covered by the health plan as of the compliance date; after the compliance date, at enrollment in the health plan; after enrollment, within 60 days of a material revision to the content of the notice; and no less frequently than once every three years.

As in the proposed rule, under the final rule health plans must provide the notice to all health plan enrollees as of the compliance date. After the compliance date, health plans must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision to the notice. Of course, the term “enrollees” includes participants and beneficiaries in group health plans.

Unlike the proposed rule, we do not require health plans to distribute the notice every three years. Instead, health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.

We also clarify that, in each of these circumstances, if a named insured and one or more dependents are covered by the same policy, the health plan can satisfy the distribution requirement with respect to the dependents by sending a single copy of the notice to the named insured. For example, if an employee of a firm and her three dependents are all covered under a single health plan policy, that health plan can satisfy the initial distribution requirement by sending a single copy of the notice to the employee rather than sending four copies, each addressed to a different member of the family.

We further clarify that if a health plan has more than one notice, it satisfies its distribution requirement by providing the notice that is relevant to the individual or other person requesting the notice. For example, a health insurance issuer may have contracts with two different group health plans. One contract specifies that the issuer may use and disclose protected health information about the participants in the group health plan for research purposes without authorization (subject to the requirements of this rule) and one contract specifies that the issuer must always obtain authorizations for these uses and disclosures. The issuer accordingly develops two notices reflecting these different practices and satisfies its distribution requirements by providing the relevant notice to the relevant group health plan participants.

We proposed to require covered health care providers with face-to-face contact with individuals to provide the notice to all such individuals at the first service delivery to the individual during the one year period after the compliance date. After this one year period, covered providers with face-to-face contact with individuals would have been required to distribute the notice to all new patients at the first service delivery. Covered providers without face-to-face contact with individuals would have been required to provide the notice in a reasonable period of time following first service delivery.

We proposed to require all covered providers to post the notice in a clear and prominent location where it would be reasonable to expect individuals seeking services from the covered provider to be able to read the notice. We would have required revisions to be posted promptly.

In the final rule, we vary the distribution requirements according to whether the covered health care provider has a direct treatment relationship with an individual, rather than whether the covered health care provider has face-to-face contact with an individual. See § 164.501 and the corresponding discussion in this preamble regarding the definition of indirect treatment relationship.

Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date. This requirement applies whether the first service is delivered electronically or in person. Covered providers may satisfy this requirement by sending the notice to all of their patients at once, by giving the notice to each patient as he or she comes into the provider's office or facility or contacts the provider electronically, or by some combination of these approaches. Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. The notice must also be available on site for individuals to take on request. In the event of a revision to the notice, the covered provider must promptly post the revision and make it available on site.

Covered health care providers that have indirect treatment relationships with individuals are only required to produce the notice upon request, as described above.

The proposed rule was silent regarding electronic distribution of the notice. Under the final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site.

A covered entity may satisfy the applicable distribution requirements described above by providing the notice to the individual electronically, if the individual agrees to receiving materials from the covered entity electronically and the individual has not withdrawn his or her agreement. If the covered entity knows that the electronic transmission has failed, the covered entity must provide a paper copy of the notice to the individual.

If an individual's first service delivery from a covered provider occurs electronically, the covered provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. For example, the first time an individual requests to fill a prescription through a covered internet pharmacy, the pharmacy must automatically and contemporaneously provide the individual with the pharmacy's notice of privacy practices. An individual that receives a covered entity's notice electronically retains the right to request a paper copy of the notice as described above. This right must be described in the notice.

We note that the Electronic Signatures in Global and National Commerce Act (Pub. L. 106-229) may apply to documents required under this rule to be provided in writing. We do not intend to affect the application of that law to documents required under this rule.

Section 164.520(d)—Joint Notice by Separate Covered Entities

The proposed rule was silent regarding the ability of legally separate covered entities to produce a single notice.

In the final rule, we allow covered entities that participate in an organized health care arrangement to comply with this section by producing a single notice that describes their combined privacy practices. See § 164.501 and the corresponding preamble discussion regarding the definition of organized health care arrangement. (We note that, under § 164.504(d), covered entities that are under common ownership or control may designate themselves as a single affiliated covered entity. Joint notice requirements do not apply to such entities. Single affiliated covered entities must produce a single notice, consistent with the requirements described above for any other covered entity. Covered entities under common ownership or control that elect not to designate themselves as a single affiliated covered entity, however, may elect to produce a joint notice if they meet the definition of an organized health care arrangement.)

The joint notice must meet all of the requirements described above. The covered entities must agree to abide by the terms of the notice with respect to protected health information created or received by the covered entities as part of their participation in the organized health care arrangement. In addition, the joint notice must reasonably identify the covered entities, or class of covered entities, to which the joint notice applies and the service delivery sites, or classes of service delivery sites, to which the joint notice applies. If the covered entities participating in the organized health care arrangement will share protected health information with each other as necessary to carry out treatment, payment, or health care operations relating to the arrangement, that fact must be stated in the notice.

Typical examples where this policy may be useful are health care facilities where physicians and other providers who have offices elsewhere also provide services at the facility (e.g. hospital staff privileges, physicians visiting their patients at a residential facility). In these cases, a single notice may cover both the physician and the facility, if the above conditions are met. The physician is required to have a separate notice covering the privacy practices at the physician's office if those practices are different than the practices described in the joint notice.

If any one of the covered entities included in the joint notice distributes the notice to an individual, as required above, the distribution requirement is met for all of the covered entities included in the joint notice.

Section 164.520(e)—Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In the final rule, we specify that covered entities must retain copies of the notice(s) they issue in accordance with § 164.530(j). See § 164.530(j) and the corresponding preamble discussion for further description of the documentation requirements.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Section 164.522(a)—Right of An Individual To Request Restriction of Uses and Disclosures

We proposed that individuals have the right to request that a covered health care provider restrict the use or disclosure of protected health information for treatment, payment, or health care operations. Providers would not have been required to agree to requested restrictions. However, a covered provider that agreed to a restriction could not use or disclose protected health information inconsistent with the restriction. The requirement would not have applied to permissible uses or disclosures under proposed § 164.510, including uses and disclosures in emergency circumstances under proposed § 164.510(k); when the health care services provided were emergency services; or to required disclosures to the Secretary under proposed § 164.522. We would have required covered providers to have procedures for individuals to request restrictions, for agreed-upon restrictions to be documented, for the provider to honor such restrictions, and for notification of the existence of a restriction to others to whom such protected health information is disclosed.

In the final rule, we retain the general right of an individual to request that uses and disclosures of protected health information be restricted and the requirement for covered entities to adhere to restrictions to which they have agreed. However, we include some significant changes and clarifications.

Under the final rule, we extend the right to request restrictions to health plans and to health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity. All covered entities must permit individuals to request that uses and disclosures of protected health information to carry out treatment, payment, and health care operations be restricted and must adhere to restrictions to which they have agreed. A covered entity is not required to agree to a restriction. We note that restrictions between an individual and a covered entity for these or other purposes may be otherwise enforceable under other law.

Under § 164.522(a)(1)(i)(B), the right to request restrictions applies to disclosures to persons assisting in the individual's care under § 164.510(b). An individual may request that a covered entity agree not to disclose protected health information to persons assisting with the individual's care, even if such disclosure is permissible in accordance with § 164.510(b). For example, if an individual requests that a covered entity never disclose protected health information to a particular family member, and the covered entity agrees to that restriction, the covered entity is prohibited from disclosing protected health information to that family member, even if the disclosure would otherwise be permissible under § 164.510(b). We note that individuals additionally have the opportunity to agree or object to disclosures to persons assisting in the individual's care under § 164.510(b)(2). The individual retains the right to agree or object to such disclosures under § 164.510(b)(2), in accordance with the standards of that provision, regardless of whether the individual has requested a restriction under § 164.522(a). See § 164.510(b) and the corresponding preamble discussion regarding the individual's right to agree or object to disclosures to persons assisting in the individual's care.

In §§ 164.522(a)(1)(iii) and (iv) we clarify the requirements with respect to emergency treatment situations. In emergency treatment situations, a covered entity that has agreed to a restriction may use, or disclose to a health care provider, restricted protected health information that is necessary to provide the emergency treatment. If the covered entity discloses restricted protected health information to a health care provider for emergency treatment purposes, it must request that the provider not further use or disclose the information. We expect covered entities to consider the need for access to protected health information for treatment purposes when considering a request for a restriction, to discuss this need with the individual making the request for restriction, and to agree to restrictions that will not foreseeably impede the individual's treatment. Therefore, we expect covered entities will rarely need to use or disclose restricted protected health information in emergency treatment situations. We do not intend, however, to adversely impact the delivery of health care. We therefore provide a means for the use and disclosure of restricted protected health information in emergency treatment situations, where an unexpected need for the information could arise and there is insufficient time to secure the individual's permission to use or disclose the restricted information.

In § 164.522(a)(1)(v) we clarify that restrictions are not effective under this rule to prevent uses and disclosures required by § 164.502(a)(2)(ii) or permitted under § 164.510(a) (regarding facility directories) or § 164.512 (regarding uses and disclosures for which consent, individual authorization, or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under § 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of this rule even if the disclosure is contrary to a restriction agreed to under this paragraph.

In § 164.522(a)(2) we clarify a covered entity's ability to terminate a restriction to which it has agreed. A covered entity may terminate a restriction with the individual's written or oral agreement. If the individual's agreement is obtained orally, the covered entity must document that agreement. A note in the medical record or similar notation is sufficient documentation. If the individual agrees to terminate the restriction, the covered entity may use and disclose protected health information as otherwise permitted under the rule. If the covered entity wants to terminate the restriction without the individual's agreement, it may only terminate the restriction with respect to protected health information it creates or receives after it informs the individual of the termination. The restriction continues to apply to protected health information created or received prior to informing the individual of the termination. That is, any protected health information that had been collected before the termination may not be used or disclosed in a way that is inconsistent with the restriction, but any information that is collected after informing the individual of the termination of the restriction may be used or disclosed as otherwise permitted under the rule.

In § 164.522(a)(3), we clarify that a covered entity must document a restriction to which it has agreed. We do not require a specific form of documentation; a note in the medical record or similar notation is sufficient. The documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, in accordance with § 164.530(j).

We eliminate the requirement from the NPRM for covered entities to inform persons to whom they disclose protected health information of the existence of any restriction on that information. A restriction is only binding on the covered entity that agreed to the restriction. We encourage covered entities to inform others of the existence of a restriction when it is appropriate to do so. We note, however, that disclosure of the existence of a restriction often amounts to a de facto disclosure of the restricted information itself. If a restriction does not permit a covered entity to disclose protected health information to a particular person, the covered entity must carefully consider whether disclosing the existence of the restriction to that person would also violate the restriction.

Section 164.522(b)—Confidential Communications Requirements

In the NPRM, we did not directly address the issue of whether an individual could request that a covered entity restrict the manner in which it communicated with the individual. As described above, the NPRM would have provided individuals with the right to request that health care providers restrict uses and disclosures of protected health information for treatment, payment and health care operations, but would not have required providers to agree to such a restriction.

In the final rule, we require covered entities to permit individuals to request that the covered entity provide confidential communications of protected health information about the individual. The requirement applies to communications from the covered entity to the individual, and also communications from the covered entity that would otherwise be sent to the named insured of an insurance policy that covers the individual as a dependent of the named insured. Individuals may request that the covered entity send such communications by alternative means or at alternative locations. For example, an individual who does not want his or her family members to know about a certain treatment may request that the provider communicate with the individual about that treatment at the individual's place of employment, by mail to a designated address, or by phone to a designated phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card, as an “alternative means.” Covered health care providers must accommodate all reasonable requests. Health plans must accommodate all reasonable requests, if the individual clearly states that the disclosure of all or part of the protected health information could endanger the individual. For example, if an individual requests that a health plan send explanations of benefits about particular services to the individual's work rather than home address because the individual is concerned that a member of the individual's household (e.g., the named insured) might read the explanation of benefits and become abusive towards the individual, the health plan must accommodate the request.

The reasonableness of a request made under this paragraph must be determined by a covered entity solely on the basis of the administrative difficulty of complying with the request and as otherwise provided in this section. A covered health care provider or health plan cannot refuse to accommodate a request based on its perception of the merits of the individual's reason for making the request. A covered health care provider may not require the individual to provide a reason for the request as a condition of accommodating the request. As discussed above, a health plan is not required to accommodate a request unless the individual indicates that the disclosure could endanger the individual. If the individual indicates such endangerment, however, the covered entity cannot further consider the individual's reason for making the request in determining whether it must accommodate the request.

A covered health care provider or health plan may refuse to accommodate a request, however, if the individual has not provided information as to how payment, if applicable, will be handled, or if the individual has not specified an alternative address or method of contact.

Section 164.524—Access of Individuals to Protected Health Information

Section 164.524(a)—Right of Access

In the NPRM, we proposed to establish a right for individuals to access (i.e., inspect and obtain a copy of) protected health information about them maintained by a covered provider or health plan, or its business partners, in a designated record set.

As in the proposed rule, in the final rule we provide that individuals have a right of access to protected health information that is maintained in a designated record set. This right applies to health plans, covered health care providers, and health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity (see § 164.500(b)). In the final rule, however, we modify the definition of designated record set. For a discussion of the significant changes made to the definition of designated record set, see § 164.501 and the corresponding preamble.

Under the revised definition, individuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid. Covered entities often incorporate the same protected health information into a variety of different data systems, not all of which will be utilized to make decisions about individuals. For example, information systems that are used for quality control or peer review analyses may not be used to make decisions about individuals. In that case, the information systems would not fall within the definition of designated record set. We do not require entities to grant an individual access to protected health information maintained in these types of information systems.

Duration of the Right of Access

As in the proposed rule, covered entities must provide access to individuals for as long as the protected health information is maintained in a designated record set.

Exceptions to the Right of Access

In the NPRM, we proposed to establish a right for individuals to access any protected health information maintained in a designated record set. Though we proposed to permit covered entities to deny access in certain situations relating to the particular individual requesting access, we did not specifically exclude any protected health information from the right of access.

In the final rule, we specify three types of information to which individuals do not have a right of access, even if the information is maintained in a designated record set. They are psychotherapy notes, information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and certain protected health information maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 (CLIA). Covered entities may, but are not required to, provide access to this information.

First, unlike the proposed rule, we specify that individuals do not have a right of access to psychotherapy notes.

Second, individuals do not have a right of access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. In the NPRM, we would have permitted covered entities to deny a request for access to protected health information compiled in reasonable anticipation of, or for use in, a legal proceeding. We change the language in the final rule to clarify that a legal proceeding includes civil, criminal, and administrative actions and proceedings. In the final rule, we clarify that an individual does not have a right to this information by including it in the list of exceptions rather than stating that a covered entity may deny access to this information. Under this exception, the covered entity may deny access to any information that relates specifically to legal preparations but may not deny access to the individual's underlying health information. We do not intend to require covered entities to provide access to documents protected by attorney work-product privilege nor do we intend to alter rules of discovery.

Third, unlike the proposed rule, individuals do not have a right of access to protected health information held by clinical laboratories if CLIA prohibits such access. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to “authorized persons,” as defined primarily by state law. The individual who is the subject of the information is not always included in this set of authorized persons. When an individual is not an authorized person, this restriction effectively prohibits the clinical laboratory from providing an individual access to this information. We do not intend to preempt CLIA and, therefore, do not require covered clinical laboratories to provide an individual access to this information if CLIA prohibits them from doing so. We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.

Finally, unlike the proposed rule, individuals do not have access to protected health information held by certain research laboratories that are exempt from the CLIA regulations. The CLIA regulations specifically exempt the components or functions of “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients.” 42 CFR 493.3(a)(2). If subject to the access requirements, these laboratories, or the applicable components of them, would be forced to comply with the CLIA regulations once they provided an individual with the access under this privacy rule. Therefore, to alleviate this additional regulatory burden, we have exempted these laboratories, or the relevant components of them, from the access requirements of this regulation.

Grounds for Denial of Access

In the NPRM we proposed to permit covered health care providers and health plans to deny an individual access to inspect and copy protected health information about them for five reasons: (1) a licensed health care professional determined the inspection and copying was reasonably likely to endanger the life or physical safety of the individual or another person; (2) the information was about another person (other than a health care provider) and a licensed health care professional determined the inspection and copying was reasonably likely to cause substantial harm to that other person; (3) the information was obtained under a promise of confidentiality from someone other than a health care provider and the inspection and copying was likely to reveal the source of the information; (4) the information was obtained by a covered provider in the course of a clinical trial, the individual agreed to the denial of access in consenting to participate in the trial, and the trial was in progress; and (5) the information was compiled in reasonable anticipation of, or for use in, a legal proceeding. In the NPRM, covered entities would not have been permitted to use these grounds to deny individuals access to protected health information that was also subject to the Privacy Act.

In the final rule, we retain all of these grounds for denial, with some modifications. One of the proposed grounds for denial (regarding legal proceedings) is retained as an exception to the right of access. (See discussion above.) We also include additional grounds for denial and create a right for individuals to request review of certain denials.

There are five types of denials covered entities may make without providing the individual with a right to have the denial reviewed.

First, a covered entity may deny an individual access to any information that is excepted from the right of access under § 164.524(a)(1). (See discussion above.)

Second, we add a new provision that permits a covered entity that is a correctional institution, or a covered health care provider acting under the direction of a correctional institution, to deny an inmate's request to obtain a copy of protected health information if obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates, or the safety of any officer, employee or other person at the correctional institution or responsible for the transporting of the inmate. This ground for denial is restricted to an inmate's request to obtain a copy of protected health information. If an inmate requests inspection of protected health information, the request must be granted unless one of the other grounds for denial applies. The purpose of this exception, and the reason it is limited to denying an inmate a copy rather than the right to inspect, is to give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.

Third, as in the proposed rule, a covered entity may deny an individual access to protected health information obtained by a covered provider in the course of research that includes treatment of the research participants, while such research is in progress. For this exception to apply, the individual must have agreed to the denial of access in conjunction with the individual's consent to participate in the research and the covered provider must have informed the individual that the right of access will be reinstated upon completion of the research. If either of these conditions is not met, the individual has the right to inspect and copy the information (subject to the other exceptions we provide here). In all cases, the individual has the right to inspect and copy the information after the research is complete.

As with all the grounds for denial, covered entities are not required to deny access under the research exception. We expect all researchers to maintain a high level of ethical consideration for the welfare of research participants and provide access in appropriate circumstances. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the research may be necessary to give the participant adequate information for proper treatment decisions.

Fourth, we clarify the ability of a covered entity to deny individuals access to protected health information that is also subject to the Privacy Act. In the final rule, we specify that a covered entity may deny an individual access to protected health information that is contained in records that are subject to the Privacy Act if such denial is permitted under the Privacy Act. This ground for denial exists in addition to the other grounds for denial available under this rule. If an individual requests access to protected health information that is also subject to the Privacy Act, a covered entity may deny access to that information for any of the reasons permitted under the Privacy Act and for any of the reasons permitted under this rule.

Fifth, as in the proposed rule, a covered entity may deny an individual access to protected health information if the covered entity obtained the requested information from someone other than a health care provider under a promise of confidentiality and such access would be reasonably likely to reveal the source of the information. This provision is intended to preserve a covered entity's ability to maintain an implicit or explicit promise of confidentiality. A covered entity may not, however, deny access to protected health information when the information has been obtained from a health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we provide here). Confidentiality promises to health care providers should not interfere with that access.

As in the proposed rule, a covered entity may deny access to protected health information under certain circumstances in which the access may harm the individual or others. In the final rule, we specify that a covered entity may only deny access for these reasons if the covered entity provides the individual with a right to have the denial reviewed. (See below for a discussion of the right to review.)

There are three types of denials for which covered entities must provide the individual with a right to review. A denial under these provisions requires a determination by a licensed health care professional (such as a physician, physician's assistant, or nurse) based on an assessment of the particular circumstances and current professional medical standards of harm. Therefore, when the request is made to a health plan or clearinghouse, the covered entity will need to consult with a licensed health care professional before denying access under this provision.

First, as in the proposed rule, covered entities may deny individuals access to protected health information about them if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a licensed health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of the individual's protected health information is reasonably likely to result in the individual committing suicide, murder, or other physical violence, then the health care professional may deny the individual access to that information. Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Second, as in the proposed rule, covered entities may deny an individual access to protected health information if the information requested makes reference to someone other than the individual (and other than a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to that other person. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter's record, such as information from group therapy sessions and information about illnesses with a genetic component. This provision permits a covered entity to withhold information in such cases if the release of such information is reasonably likely to cause substantial physical, emotional, or psychological harm to that other person.

Third, we add a new provision regarding denial of access requested by personal representatives. Under § 164.502(g), a person that is a personal representative of an individual may exercise the rights of the individual, including the right to inspect and copy protected health information about the individual that is relevant to such person's representation. The provision permits covered entities to refuse to treat a personal representative as the individual, generally, if the covered entity has a reasonable belief that the individual has been or will be subjected to domestic violence, abuse or neglect by the personal representative, or that treating the personal representative as the individual may endanger the individual and, in its professional judgment, the covered entity decides that it is not in the best interest of the individual to treat such person as the personal representative.

In addition to that provision, we add a new provision at § 164.524(a)(3)(iii) to clarify that a covered entity may deny a request to inspect or copy protected health information if the information is requested by a personal representative of the individual and a licensed health care professional has determined, in the exercise of professional judgment, that such access is reasonably likely to cause substantial harm to the individual who is the subject of the information or to another person. The health care professional need not have a reasonable belief that the personal representative has abused or neglected the individual, and the harm that is likely to result need not be limited to the individual who is the subject of the requested protected health information. Therefore, a covered entity can recognize a person as a personal representative but deny such person access to protected health information as a personal representative.

We do not intend these provisions to create a legal duty for the covered entity to review all of the relevant protected health information before releasing it. Rather, we are preserving the flexibility and judgment of covered entities to deny access under appropriate circumstances. Denials are not mandatory; covered entities may always elect to provide requested health information to the individual. For each request by an individual, the covered entity may provide all of the information requested or evaluate the requested information, consider the circumstances surrounding the individual's request, and make a determination as to whether that request should be granted or denied, in whole or in part, in accordance with one of the reasons for denial under this rule. We intend to create narrow exceptions to the right of access and we expect covered entities to employ these exceptions rarely, if at all. Covered entities may only deny access for the reasons specifically provided in the rule.

Review of a Denial of Access

In the NPRM, we proposed to require covered entities, when denying an individual's request for access, to inform the individual of how to make a complaint to the covered entity and the Secretary.

We retain in the final rule the proposed approach (see below). In addition, if the covered entity denies the request on the basis of one of the reviewable grounds for denial described above, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny access. The covered entity must provide access in accordance with the reviewing official's determination. (See below for further description of the covered entity's requirements under § 164.524(d)(4) if the individual requests a review of denial of access.)

Section 164.524(b)—Requests for Access and Timely Action

In the NPRM, we proposed to require covered health care providers and health plans to provide a means for individuals to request access to protected health information about them. We proposed to require covered health care providers and health plans to take action on a request for access as soon as possible, but not later than 30 days following the request.

As in the proposed rule, the final rule requires covered entities to permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. We additionally permit covered entities to require individuals to make requests for access in writing, if the individual is informed of this requirement.

In the final rule, we eliminate the requirement for the covered entity to act on a request as soon as possible. We recognize that circumstances may arise in which an individual will request access on an expedited basis. We encourage covered entities to have procedures in place for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation.

In the final rule, covered entities must act on a request for access within 30 days of receiving the request if the information is maintained or accessible on-site. Covered entities must act on a request for access within 60 days of receiving the request if the information is not maintained or accessible on-site. If the covered entity is unable to act on a request within the applicable deadline, it may extend the deadline by no more than 30 days by providing the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request. This written statement describing the extension must be provided within the standard deadline. A covered entity may only extend the deadline once per request for access. This provision permits a covered entity to take a total of up to 60 days to act on a request for access to information maintained on-site and up to 90 days to act on a request for access to information maintained off-site.

The requirements for a covered entity to comply with or deny a request for access, in whole or in part, are described below.

Section 164.524(c)—Provision of Access

In the NPRM, we proposed to require covered health care providers and health plans, upon accepting a request for access, to notify the individual of the decision and of any steps necessary to fulfill the request; to provide the information requested in the form or format requested, if readily producible in such form or format; and to facilitate the process of inspection and copying.

We generally retain the proposed approach in the final rule. If a covered entity accepts a request, in whole or in part, it must notify the individual of the decision and provide the access requested. Individuals have the right both to inspect and to copy protected health information in a designated record set. The individual may choose whether to inspect the information, to copy the information, or to do both.

In the final rule, we clarify that if the same protected health information is maintained in more than one designated record set or at more than one location, the covered entity is required to produce the information only once per request for access. We intend this provision to reduce covered entities' burden in complying with requests without reducing individuals' access to protected health information. We note that summary information and reports are not the same as the underlying information on which the summary or report was based. Individuals have the right to obtain access both to summaries and to the underlying information. An individual retains the right of access to the underlying information even if the individual requests access to, or production of, a summary. (See below regarding requests for summaries.)

The covered entity must provide the information requested in the form or format requested if it is readily producible in such form or format. For example, if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate such request, if possible. Additionally, we specify that if the information is not available in the form or format requested, the covered entity must produce a readily readable hard copy of the information or another form or format to which the individual and covered entity can agree. If the individual agrees, including agreeing to any associated fees (see below), the covered entity may provide access to a summary of information rather than all protected health information in designated record sets. Similarly, a covered entity may provide an explanation in addition to the protected health information, if the individual agrees in advance to the explanation and any associated fees.

The covered entity must provide the access requested in a timely manner, as described above, and arrange for a mutually convenient time and place for the individual to inspect the protected health information or obtain a copy. If the individual requests that the covered entity mail a copy of the information, the covered entity must do so, and may charge certain fees for copying and mailing. For requests to inspect information that is maintained electronically, the covered entity may print a copy of the information and allow the individual to view the print-out on-site. Covered entities may discuss the request with the individual as necessary to facilitate the timely provision of access. For example, if the individual requested a copy of the information by mail, but the covered entity is able to provide the information faster by providing it electronically, the covered entity may discuss this option with the individual.

We proposed in the NPRM to permit the covered entity to charge a reasonable, cost-based fee for copying the information.

We clarify this provision in the final rule. If the individual requests a copy of protected health information, a covered entity may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying. If hard copies are made, this would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of the computer disk. Covered entities may not charge any fees for retrieving or handling the information or for processing the request. If the individual requests the information to be mailed, the fee may include the cost of postage. Fees for copying and postage set under state law are presumed reasonable, but fees for other costs excluded under this rule are not. If such a state per-page fee includes the cost of retrieving or handling the information, those costs are not acceptable under this rule.

If the individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, the covered entity may charge for preparing the explanation or summary as well.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

Section 164.524(d)—Denial of Access

We proposed in the NPRM to require a covered health care provider or health plan that elects to deny a request for inspection or copying to make any other protected health information requested available to the individual to the extent possible, consistent with the denial.

In the final rule, we clarify the proposed approach. A covered entity that denies access, in whole or in part, must, to the extent possible, give the individual access to any other protected health information requested after excluding the protected health information to which the covered entity has a ground to deny access. We intend covered entities to redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and to permit inspection and copying of all remaining information, to the extent it is possible to do so.

We also proposed to require covered providers and health plans, upon denying a request for access in whole or in part, to provide the individual with a written statement in plain language of the basis for the denial and how the individual could make a complaint to the covered entity or the Secretary.

We retain the proposed approach. A covered entity that denies access, in whole or in part, must provide the individual with a written denial in plain language that explains the basis for the denial. The written denial could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone does not sufficiently explain the reason for the denial. The written denial must also describe how the individual can complain to the covered entity and the Secretary and must include the name or title and the telephone number of the covered entity's contact person or office that is responsible for receiving complaints.

In the final rule, we impose two additional requirements when the covered entity denies access, in whole or in part. First, if a covered entity denies a request on the basis of one of the reviewable grounds for denial, the written denial must describe the individual's right to a review of the denial and how the individual may exercise this right. Second, if the covered entity denies the request because it does not maintain the requested information, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.

Finally, we specify a covered entity's responsibilities when an individual requests a review of a denial. If the individual requests a review of a denial made under § 164.524(a)(3), the covered entity must designate a licensed health care professional to act as the reviewing official. This reviewing official must not have been involved in the original decision to deny access. The covered entity must promptly refer a request for review to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in § 164.524(a)(3). The covered entity must promptly provide the individual with written notice of the reviewing official's decision and otherwise carry out the decision in accordance with the requirements of this section.

Section 164.524(e)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities that are subject to this provision. In accordance with § 164.530(j), the covered entity must retain documentation of the designated record sets that are subject to access by individuals and the titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Section 164.526—Amendment of Protected Health Information

Section 164.526(a)—Right to Amend

In proposed § 164.516, we proposed to establish the individual's right to request a covered health care provider or health plan to amend or correct protected health information about the individual for as long as the covered entity maintains the information.

In § 164.526 of the final rule, we retain the general proposed approach, but establish an individual's right to have the covered entity amend, rather than amend or correct, protected health information. This right applies to protected health information and records in a designated record set for as long as the information is maintained in the designated record set. In the final rule, covered health care providers, health plans, and health care clearinghouses that create or receive protected health information other than as a business associate must comply with these requirements.

Denial of Amendment

We proposed to permit a covered health care provider or health plan to deny a request for amendment if it determined that the protected health information that was the subject of the request was not created by the covered provider or health plan, would not be available for inspection and copying under proposed § 164.514, or was accurate and complete. A covered entity would have been permitted, but not required, to deny a request if any of these conditions were met.

As in the proposed rule, the final rule permits a covered entity to deny a request for amendment if the covered entity did not create the protected health information or record that is the subject of the request for amendment. We add one exception to this provision: if the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment, the covered entity must address the request for amendment as though the covered entity had created the information.

As in the proposed rule, a covered entity also may deny a request for amendment if the protected health information that is the subject of the request for amendment is not part of a designated record set or would not otherwise be available for inspection under § 164.524. We eliminate the ability to deny a request for amendment if the information or record that is the subject of the request would not be available for copying under the rule. Under § 164.524(a)(2)(ii), an inmate may be denied a copy of protected health information about the inmate. We intend to preserve an inmate's ability to request amendments to information, even if a copy of the information would not be available to the inmate, subject to the other exceptions provided in this section.

Finally, as in the proposed rule, a covered entity may deny a request for amendment if the covered entity determines that the information in dispute is accurate and complete. We draw this concept from the Privacy Act of 1974, governing records held by federal agencies, which permits an individual to request correction or amendment of a record “which the individual believes is not accurate, relevant, timely, or complete.” (5 U.S.C. 552a(d)(2)). We adopt the standards of “accuracy” and “completeness” and draw on the clarification and analysis of these terms that have emerged in administrative and judicial interpretations of the Privacy Act during the last 25 years. We note that for federal agencies that are also covered entities, this rule does not diminish their present obligations under the Privacy Act of 1974.

This right is not intended to interfere with medical practice or to modify standard business record keeping practices. Perfect records are not required. Instead, a standard of reasonable accuracy and completeness should be used. In addition, this right is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payors. It is intended only to affect the content of records, not the underlying truth or correctness of materials recounted therein. Attempts under the Privacy Act of 1974 to use this mechanism as a basis for collateral attack on agency determinations have generally been rejected by the courts. The same results are intended here.

Section 164.526(b)—Requests for Amendment and Timely Action

We proposed to require covered health care providers and health plans to provide a means for individuals to request amendment of protected health information about them. Under the NPRM, we would have required covered health care providers and health plans to take action on a request for amendment or correction within 60 days of the request.

As in the proposed rule, covered entities must permit individuals to request that the covered entity amend protected health information about them. We also permit covered entities to specify certain requirements for the form and content of the request. If a covered entity informs individuals of such requirements in advance, it may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment. If the covered entity imposes such a requirement and informs individuals of it in advance, the covered entity is not required to act on an individual's request that does not meet the requirement.

We retain the requirement for covered entities to act on a request for amendment within 60 days of receipt of the request. In the final rule, we specify the nature of the action the covered entity must take within the time frame. The covered entity must inform the individual, as described below, that the request has been either accepted or denied, in whole or in part. It must also take certain actions pursuant to its decision to accept or deny the request, as described below. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline by no more than 30 days. The covered entity must inform the individual in writing, within the initial 60-day period, of the reason for the delay and the date by which the covered entity will complete its action on the request. A covered entity may only extend the deadline one time per request for amendment.

Section 164.526(c)—Accepting the Amendment

If a covered health care provider or health plan accepted a request for amendment, in whole or in part, we proposed to require the covered entity to make the appropriate change. The covered entity would have had to identify the challenged entries as amended or corrected and indicate the location of the amended or corrected information.

We also proposed to require the covered provider or health plan to make reasonable efforts to notify certain entities of the amendment: 1) entities the individual identified as needing to be notified and 2) entities the covered provider or health plan knew had received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual.

The covered provider or health plan would also have been required to notify the individual of the decision to amend the information.

As in the proposed rule, if a covered entity accepts an individual's request for amendment or correction, it must make the appropriate amendment. In the final rule, we clarify that, at a minimum, the covered entity must identify the records in the designated record set that are affected by the amendment and must append or otherwise provide a link to the location of the amendment. We do not require covered entities to expunge any protected health information. Covered entities may expunge information if doing so is consistent with other applicable law and the covered entity's record keeping practices.

We alter some of the required procedures for informing the individual and others of the accepted amendment. As in the proposed rule, the covered entity must inform individuals about accepted amendments. In the final rule, the covered entity must obtain the individual's agreement to have the amended information shared with certain persons. If the individual agrees, the covered entity must make reasonable efforts to provide a copy of the amendment within a reasonable time to: (1) Persons the individual identifies as having received protected health information about the individual and needing the amendment; and (2) persons, including business associates, that the covered entity knows have the unamended information and who may have relied, or could foreseeably rely, on the information to the detriment of the individual. For example, a covered entity must make reasonable efforts to inform a business associate that uses protected health information to make decisions about individuals about amendments to protected health information used for such decisions.

Section 164.526(d)—Denying the Amendment

If a covered health care provider or health plan denied a request for amendment, in whole or in part, we proposed to require the covered entity to provide the individual with a written statement in plain language of the basis for the denial, a description of how the individual could submit a written statement of disagreement with the denial, and a description of how the individual could make a complaint with the covered entity and the Secretary.

We proposed to require covered health care providers and health plans to have procedures to permit the individual to file a written statement of disagreement with the denial and to include the covered entity's statement of denial and the individual's statement of disagreement with any subsequent disclosure of the disputed information. Covered entities would have been permitted to establish a limit to the length of the individual's statement of disagreement and to summarize the statement if necessary. We also proposed to permit covered entities to provide a rebuttal to the individual's statement with future disclosures.

As in the proposed rule, if a covered entity denies a request for amendment, it must provide the individual with a statement of denial written in plain language. The written denial must include the basis for the denial, how the individual may file a written statement disagreeing with the denial, and how the individual may make a complaint to the covered entity and the Secretary.

In the final rule, we additionally require the covered entity to inform individuals of their options with respect to future disclosures of the disputed information in order to ensure that an individual is aware of his or her rights. The written denial must state that if the individual chooses not to file a statement of disagreement, the individual may request that the covered entity include the individual's request for amendment and the covered entity's denial of the request with any future disclosures of the protected health information that is the subject of the requested amendment.

As in the proposed rule, the covered entity must permit the individual to submit a written statement disagreeing with the denial and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement and may prepare a written rebuttal to the individual's statement of disagreement. If the covered entity prepares a rebuttal, it must provide a copy to the individual.

The covered entity must identify the record or protected health information that is the subject of the disputed amendment and append or otherwise link the following information to the designated record set: the individual's request for amendment, the covered entity's denial of the request, the individual's statement of disagreement (if any), and the covered entity's rebuttal (if any). If the individual submits a written statement of disagreement, all of the appended or linked information, or an accurate summary of it, must be included with any subsequent disclosure of the protected health information to which the disagreement relates. If the individual does not submit a written statement of disagreement, the covered entity must include the appended or linked information only if the individual requests that the covered entity do so.

In the final rule, we clarify that when a subsequent disclosure is a standard transaction adopted under the Transactions Rule that cannot accommodate the additional materials described above, the covered entity may separately disclose the additional material to the recipient of the transaction.

Section 164.526(e)—Actions on Notices of Amendment

We proposed to require any covered entity that received a notification of amendment to have procedures in place to make the amendment in any of its designated record sets and to notify its business associates, if appropriate, of amendments.

We retain the proposed approach in the final rule. If a covered entity receives a notification of amended protected health information from another covered entity as described above, the covered entity must make the necessary amendment to protected health information in designated record sets it maintains. In addition, covered entities must require their business associates who receive such notifications to incorporate any necessary amendments to designated record sets maintained on the covered entity's behalf. (See § 164.504 regarding business associate requirements.)

Section 164.526(f)—Policies, Procedures, and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), the covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendment.

§ 164.528—Accounting of Disclosures of Protected Health Information

Right to an Accounting of Disclosures

We proposed in the NPRM to grant individuals a right to receive an accounting of all disclosures of protected health information about them by a covered entity for purposes other than treatment, payment, and health care operations. We proposed this right to exist for as long as the covered entity maintained the protected health information.

We also proposed that individuals would not have a right to an accounting of disclosures to health oversight or law enforcement agencies if the agency provided a written request for exclusion for a specified time period and the request stated that access by the individual during that time period would be reasonably likely to impede the agency's activities.

We generally retain the proposed approach in the final rule. As in the proposed rule, individuals have a right to receive an accounting of disclosures made by a covered entity, including disclosures by or to a business associate of the covered entity, for purposes other than treatment, payment, and health care operations, subject to certain exceptions as discussed below.

We revise the duration of this right under the final rule. Individuals have a right to an accounting of the applicable disclosures that have been made in the 6-year period prior to the date of a request for an accounting. We additionally clarify in § 164.528(b)(1) that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than 6 years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request.

In the final rule, we exclude several additional types of disclosures from the accounting requirement. Covered entities are not required to include in the accounting disclosures to the individual as provided in § 164.502; disclosures for facility directories, disclosures to persons involved in the individual's care, or other disclosures for notification purposes as provided in § 164.510; disclosures for national security or intelligence purposes as provided in § 164.512(k)(2); disclosures to correctional institutions or law enforcement officials as provided in § 164.512(k)(5); or any disclosures that were made by the covered entity prior to the compliance date of the rule for that covered entity.

We retain the time-limited exclusion for disclosures to health oversight and law enforcement agencies, but require rather than permit the exclusion for the specified time period. Covered entities must exclude disclosures to a health oversight agency or law enforcement official from the accounting for the time period specified by the applicable agency or official if the agency or official provides the covered entity with a statement that inclusion of the disclosure(s) in the accounting to the individual during that time period would be reasonably likely to impede the agency or official's activities. The agency or official's statement must specifically state how long the information must be excluded. At the expiration of that period, the covered entity is required to include the disclosure(s) in an accounting for the individual. If the agency or official's statement is made orally, the covered entity must document the identity of the agency or official who made the statement and must exclude the disclosure(s) for no longer than 30 days from the date of the oral statement, unless a written statement is provided during that time. If the agency or official provides a written statement, the covered entity must exclude the disclosure(s) for the time period specified in the written statement.

Content of the Accounting

We proposed in the NPRM to require the accounting to include all disclosures as described above, including disclosures authorized by the individual. The accounting would have been required to contain the date of each disclosure; the name and address of the organization or person who received the protected health information; a brief description of the information disclosed; and copies of all requests for disclosures. For disclosures other than those made at the request of the individual, the accounting would have also included the purpose for which the information was disclosed.

We generally retain the proposed approach in the final rule, but do not require covered entities to make copies of authorizations or other requests for disclosures available with the accounting. Instead, we require the accounting to contain a brief statement of the purpose of the disclosure. The statement must reasonably inform the individual of the basis for the disclosure. In lieu of the statement of purpose, a covered entity may include a copy of the individual's authorization under § 164.508 or a copy of a written request for disclosure, if any, under § 164.502(a)(2)(ii) or § 164.512. We also clarify that covered entities are only required to include the address of the recipient of the disclosed protected health information if the covered entity knows the address.

We add a provision allowing for a summary accounting of recurrent disclosures. For multiple disclosures to the same recipient pursuant to a single authorization under § 164.508 or for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the covered entity may provide a summary accounting addressing the series of disclosures rather than a detailed accounting of each disclosure in the series. In this circumstance, a covered entity may limit the accounting of the series of disclosures to the following information: the information otherwise required above for the first disclosure in the series during the accounting period; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the most recent disclosure in the series. For example, if under § 164.512(b), a covered entity discloses the same protected health information to a public health authority for the same purpose every month, it can account for those disclosures by including in the accounting the date of the first disclosure, the public health authority to whom the disclosures were made and the public health authority's address, a brief description of the information disclosed, a brief description of the purpose of the disclosures, the fact that the disclosures were made every month during the accounting period, and the date of the most recent disclosure.
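To make the accounting rules described above concrete, the following is an added Python sketch (not part of the rule text or any covered entity's system) that applies the 6-year lookback, the excluded disclosure categories, the health oversight/law enforcement exclusion with its 30-day cap for oral statements, and the summary accounting for a recurrent series of disclosures. The data model, category labels, compliance date and sample records are constructed assumptions.

```python
"""Accounting of disclosures under § 164.528 as described in the preamble.
Added illustration; data model, labels and sample data are assumptions."""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Categories the final rule excludes from the accounting (labels assumed;
# the section references are the rule's own).
EXCLUDED_CATEGORIES = frozenset({
    "treatment", "payment", "health_care_operations",
    "to_individual",             # § 164.502
    "facility_directory",        # § 164.510
    "involved_in_care",          # § 164.510
    "notification",              # § 164.510
    "national_security",         # § 164.512(k)(2)
    "correctional_institution",  # § 164.512(k)(5)
})
LOOKBACK_YEARS = 6
ORAL_STATEMENT_CAP = timedelta(days=30)


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # included only if the entity knows it
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # brief statement of purpose (or a reference
                                      # to the authorization / written request)
    category: str
    series_id: Optional[str] = None   # shared by recurrent disclosures to one
                                      # recipient under one authorization/purpose


@dataclass(frozen=True)
class SuppressionStatement:
    """Oversight agency / law enforcement statement that inclusion in the
    accounting would be reasonably likely to impede its activities."""
    recipient: str       # the agency or official the disclosures went to
    made_on: date
    exclude_until: date  # the period the statement specifies
    written: bool

    def effective_until(self) -> date:
        # An oral statement suppresses for at most 30 days unless a written
        # statement follows; a written statement controls for its stated period.
        if self.written:
            return self.exclude_until
        return min(self.exclude_until, self.made_on + ORAL_STATEMENT_CAP)


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:  # 29 February with no counterpart in the target year
        return d.replace(year=d.year - years, day=28)


def is_suppressed(disc: Disclosure, stmts: List[SuppressionStatement],
                  as_of: date) -> bool:
    return any(s.recipient == disc.recipient
               and s.made_on <= as_of <= s.effective_until() for s in stmts)


def entry(disc: Disclosure) -> Dict[str, object]:
    e = {"date": disc.disclosed_on, "recipient": disc.recipient,
         "description": disc.description, "purpose": disc.purpose}
    if disc.recipient_address:
        e["address"] = disc.recipient_address
    return e


def account_for(disclosures, stmts, request_date, compliance_date,
                period_start=None):
    """Accounting owed for a request made on request_date (list of entries)."""
    start = years_before(request_date, LOOKBACK_YEARS)
    if period_start and period_start > start:  # shorter period, if requested
        start = period_start
    start = max(start, compliance_date)        # pre-compliance never included
    eligible = sorted(
        (d for d in disclosures
         if start <= d.disclosed_on <= request_date
         and d.category not in EXCLUDED_CATEGORIES
         and not is_suppressed(d, stmts, request_date)),
        key=lambda d: d.disclosed_on)
    result, series = [], OrderedDict()
    for d in eligible:
        if d.series_id is None:
            result.append(entry(d))
        elif d.series_id not in series:  # first in series carries full detail
            series[d.series_id] = dict(entry(d), count=1, most_recent=d.disclosed_on)
        else:
            series[d.series_id]["count"] += 1
            series[d.series_id]["most_recent"] = d.disclosed_on
    return sorted(result + list(series.values()), key=lambda e: e["date"])


# Constructed sample data (the compliance date here is illustrative only).
COMPLIANCE_DATE = date(2003, 1, 1)
SAMPLE_DISCLOSURES = [
    Disclosure(date(2002, 12, 1), "Referral clinic", None, "visit summary",
               "treatment", "treatment"),
    *[Disclosure(date(2003, m, 15), "County Public Health Dept", "1 Main St",
                 "immunization record", "disease surveillance under § 164.512(b)",
                 "public_health", series_id="ph-2003") for m in range(1, 7)],
    Disclosure(date(2003, 3, 1), "State Police", None, "admission record",
               "law enforcement official's written request", "law_enforcement"),
    Disclosure(date(2003, 4, 2), "Billing Inc", None, "claim", "payment", "payment"),
]
SAMPLE_STATEMENTS = [SuppressionStatement("State Police", date(2003, 6, 1),
                                          date(2003, 9, 1), written=False)]
```

Run against the sample data, a request dated 20 June 2003 yields a single summary entry for the public health series (the law enforcement disclosure is still suppressed by the oral statement), while a request dated 5 July 2003 also lists that disclosure.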

Provision of the Accounting

We proposed in the NPRM to require covered entities to provide individuals with an accounting of disclosures as soon as possible, but not later than 30 days following receipt of the request for the accounting.

In the final rule, we eliminate the requirement for the covered entity to act as soon as possible. We recognize that circumstances may arise in which an individual will request an accounting on an expedited basis. We encourage covered entities to implement procedures for handling such requests. The time limitation is intended to be an outside deadline, rather than an expectation. We expect covered entities always to be attentive to the circumstances surrounding each request and to respond in an appropriate time frame.

In the final rule, covered entities must provide a requested accounting no later than 60 days after receipt of the request. If the covered entity is unable to meet the deadline, the covered entity may extend the deadline by no more than 30 days. The covered entity must inform the individual in writing, within the standard 60-day deadline, of the reason for the delay and the date by which the covered entity will provide the accounting. A covered entity may only extend the deadline one time per request for accounting.

The NPRM did not address whether a covered entity could charge a fee for the accounting of disclosures.

In the final rule, we provide that individuals have a right to receive one free accounting per 12 month period. For each additional request by an individual within the 12 month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

Procedures and Documentation

As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with § 164.530(j), for disclosures that are subject to the accounting requirement, the covered entity must retain documentation of the information required to be included in the accounting. The covered entity must also retain a copy of any accounting provided and must document the titles of the persons or offices responsible for receiving and processing requests for an accounting.

Section 164.530—Administrative Requirements

Designation of a Privacy Official and Contact Person

In § 164.518(a) of the NPRM, we proposed that covered entities be required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters.

The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.

These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper “Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.” This paper notes that “accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures * * * ” (p. 29)

Training

In § 164.518(b) of the NPRM we proposed to require that covered entities provide training on the entities' policies and procedures to all members of the workforce likely to have access to protected health information. Each entity would be required to provide initial training by the date on which this rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, we proposed that when a covered entity made material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change.

The NPRM would have required that, upon completion of the training, the trainee would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity's privacy policies and procedures. Entities would determine the most effective means of achieving this training requirement for their workforce. We also proposed that, at least every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity's privacy policies and procedures. The covered entity would have been required to document its policies and procedures for complying with the training requirements.

The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. We do not change the proposed time lines for training existing and new members of the workforce, or for training due to material changes in the covered entity's policies and procedures. We eliminate both the requirement for employees to sign a certification following training and the triennial re-certification requirement. Covered entities are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided.

Safeguards

In § 164.518(c) of the NPRM, we proposed to require covered entities to put in place administrative, technical, and physical safeguards to protect the privacy of protected health information. We made reference in the preamble to similar requirements proposed for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P). We stated that we were proposing parallel and consistent requirements for safeguarding the privacy of protected health information. In § 164.518(c)(3) of the NPRM, we required covered entities to have safeguards to ensure that information was not used in violation of the requirements of this subpart or by people who did not have proper authorization to access the information.

We do not change the basic proposed requirements that covered entities have administrative, technical and physical safeguards to protect the privacy of protected health information. We combine the proposed requirements into a single standard that requires covered entities to safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirements of this rule and to protect against the inadvertent disclosure of protected health information to persons other than the intended recipient. Limitations on access to protected health information by the covered entity's workforce will also be covered by the policies and procedures for “minimum necessary” use of protected health information, pursuant to § 164.514(d). We expect these provisions to work in tandem.

We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is “scalable.”) Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass-code. We intend this to be a common-sense, scalable standard. We do not require covered entities to guarantee the safety of protected health information against all assaults. Theft of protected health information may or may not signal a violation of this rule, depending on the circumstances and whether the covered entity had reasonable policies to protect against theft. Organizations such as the Association for Testing and Materials (ASTM) and the American Health Information Management Association (AHIMA) have developed a body of recommended practices for handling of protected health information that covered entities may find useful.

We note that the proposed HIPAA Security Standards would require covered entities to safeguard the privacy and integrity of health information. For electronic information, compliance with both regulations will be required.

In § 164.518(c)(2) of the NPRM we proposed requirements for verification procedures to establish identity and authority for permitted disclosures of protected health information.

In the final rule, this material has been moved to § 164.514(h).

Use or Disclosure of Protected Health Information by Whistleblowers

In § 164.518(c)(4) of the NPRM, this provision was entitled “Implementation Specification: Disclosures by whistleblowers.” It is now retitled “Disclosures by whistleblowers,” with certain changes, and moved to § 164.502(j)(1).

Complaints to the Covered Entity

In § 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan's or provider's compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame.

We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any.

In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity's privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule.

Sanctions

In § 164.518(e) of the NPRM, we proposed to require all covered entities to develop, and apply when appropriate, sanctions against members of its workforce who failed to comply with privacy policies or procedures of the covered entity or with the requirements of the rule. Covered entities would be required to develop and impose sanctions appropriate to the nature of the violation. The preamble stated that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination. The NPRM preamble language also stated that covered entities would be required to apply sanctions against business associates that violated the proposed rule.

In the final rule, we retain the requirement for sanctions against members of a covered entity's workforce. We also require a covered entity to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions. These sanctions do not apply to whistleblower activities that meet the provisions of § 164.502(j) or complaints, investigations, or opposition that meet the provisions of § 164.530(g)(2). We eliminate language regarding business associates from this section. Requirements with respect to business associates are stated in § 164.504.

Duty To Mitigate

In proposed § 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity's workforce and business associates.

With respect to business associates, the NPRM preamble, but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate's performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it.

In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered entity's policies and procedures, not just a violation of the requirements of the subpart. We resolve the ambiguities in the NPRM by imposing this duty on covered entities for harm caused by either members of their workforce or by their business associates.

We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in § 164.504.

Refraining from Intimidating or Retaliatory Acts

In § 164.522(d)(4) of the NPRM, in the Compliance and Enforcement section, we proposed that one of the responsibilities of a covered entity would be to refrain from intimidating or retaliatory acts. Specifically, the rule provided that “[a] covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.”

In the final rule, we continue to require that entities refrain from intimidating or retaliatory acts; however, the provisions have been moved to the Administrative Requirements provisions in § 164.530. This change is not just clerical; in making this change, we apply this provision to the privacy rule alone rather than to all the HIPAA administrative simplification rules. (The compliance and enforcement provisions that were in § 164 are now in Part 160, Subpart C.)

We continue to prohibit retaliation against individuals for filing a complaint with the Secretary, but also prohibit retaliation against any other person who files such a complaint. This is the case because the term “individual” is generally limited to the person who is the subject of the information. The final rule prohibits retaliation against persons, not just individuals, for testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing under Part C of Title XI. The proposed regulation referenced the “Act,” which is defined in Part 160 as the Social Security Act. Because we only intend to protect activities such as participation in investigations and hearings under the Administrative Simplification provisions of HIPAA, the final rule references Part C of Title XI of the Social Security Act.

The proposed rule would have prohibited retaliatory actions against individuals for opposing any act or practice made unlawful by this subpart. The final rule retains this provision, but applies it to any person, only if the person “has a good faith belief that the practice opposed is unlawful, the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.” The final rule provides additional protections, which had been included in the preamble to the proposed rule. Specifically, we prohibit retaliatory actions against individuals who exercise any right, or participate in any process established by the privacy rule (Part 164 Subpart E), and include as an example the filing of a complaint with the covered entity.

Waiver of Rights

In the final regulation, but not in the proposed regulation, we provide that a covered entity may not require individuals to waive their rights to file a complaint with the Secretary or their other rights under this rule as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. This provision ensures that covered entities do not take away the rights that individuals have been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and Documentation Requirements

In § 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation.

In § 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In § 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices.

We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law.

In § 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that “writing” includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office.

We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, whichever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on “last in effect” is a change from the NPRM, which was worded “unless a longer period applies under this subpart.”

This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance in their paper “Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment.” This paper notes that “MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues.” (p. 29).

Standards for Certain Group Health Plans

We add a new provision (§ 164.530(k)) to clarify the administrative responsibilities of group health plans that offer benefits through issuers and HMOs. Specifically, a group health plan that provides benefits solely through an issuer or HMO, and that does not create, receive or maintain protected health information other than summary health information or information regarding enrollment and disenrollment, is not subject to the requirements of this section regarding designation of a privacy official and contact person, workforce training, safeguards, complaints, mitigation, or policies and procedures. Such a group health plan is only subject to the requirements of this section regarding documentation with respect to its plan documents. Issuers and HMOs are covered entities under this rule, and thus have independent obligations to comply with this section with respect to the protected health information they maintain about the enrollees in such group health plans. The group health plans subject to this provision will have only limited protected health information. Therefore, imposing these requirements on the group health plan would impose burdens not outweighed by a corresponding enhancement in privacy protections.

Section 164.532—Transition Provisions

In the NPRM, we did not address the effect of the regulation on consents and authorizations covered entities obtained prior to the compliance date of the regulation.

In the final rule, we clarify that, in certain circumstances, a covered entity may continue to rely upon consents, authorizations, or other express legal permissions obtained prior to the compliance date of this regulation to use or disclose protected health information even if these consents, authorizations, or permissions do not meet the requirements set forth in §§ 164.506 or 164.508.

We realize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the compliance date of this regulation which permits the use or disclosure of individually identifiable health information for activities that come within treatment, payment, or health care operations (as defined in § 164.501), but that do not meet the requirements for consents set forth in § 164.506. In the final rule, we permit a covered entity to rely upon such consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation to carry out the treatment, payment, or health care operations as long as it meets two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain a consent that meets the requirements of § 164.506 to use or disclose this previously obtained protected health information as long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain a consent that meets the requirements of § 164.506 to the extent that it is required to obtain a consent under § 164.506 from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.

Similarly, we recognize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the applicable compliance date of this regulation that specifically permits the covered entity to use or disclose individually identifiable health information for activities other than to carry out treatment, payment, or health care operations. In the final rule, we permit a covered entity to rely upon such a consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation for the specific activities described in the consent, authorization, or permission as long as the covered entity complies with two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain an authorization that meets the requirements of § 164.508 to use or disclose this previously obtained protected health information so long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain an authorization that meets the requirements of § 164.508, to the extent that it is required to obtain an authorization under this rule, from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.

Additionally, the final rule acknowledges that covered entities may wish to rely upon consents, authorizations, or other express legal permissions obtained from an individual prior to the applicable compliance date for a specific research project that includes the treatment of individuals, such as a clinical trial. These consents, authorizations, or permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project. Alternatively, they may be general consents to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project, provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.

If, pursuant to this section, a covered entity relies upon a previously obtained consent, authorization, or other express legal permission and agrees to a request for a restriction by an individual under § 164.522(a), any subsequent use or disclosure under that consent, authorization, or permission must comply with the agreed upon restriction as well.

We believe it is necessary to grandfather in previously obtained consents, authorizations, or other express legal permissions in these circumstances to ensure that important functions of the health care system are not impeded. We link the effectiveness of such consents, authorizations, or permissions in these circumstances to the applicable compliance date to give covered entities sufficient notice of the requirements set forth in §§ 164.506 and 164.508.

The rule does not change the past effectiveness of consents, authorizations, or other express legal permissions that do not come within this section. This means that uses or disclosures of individually identifiable health information made prior to the compliance date of this regulation are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of this rule or were made without permission. This rule alters only the future effectiveness of the previously obtained consents, authorizations, or permissions. Covered entities are not required to rely upon these consents, authorizations, or permissions and may obtain new consents or authorizations that meet the applicable requirements of §§ 164.506 and 164.508.

When reaching this decision, we considered requiring all covered entities to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 before they would be able to use or disclose protected health information obtained after the compliance date of these rules. We rejected this option because we recognize that covered entities may not always be able to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 from all individuals upon whose information they rely. We also refrained from impeding the rights of covered entities to exercise their interests in the records they have created. We do not require covered entities with existing records or databases to destroy or remove the protected health information for which they do not have valid consents or authorizations that meet the requirements of §§ 164.506 and 164.508. Covered entities may rely upon the consents, authorizations, or permissions they obtained from individuals prior to the applicable compliance date of this regulation consistent with the constraints of those documents and the requirements discussed above.

We note that if a covered entity obtains before the applicable compliance date of this regulation a consent that meets the requirements of § 164.506, an authorization that meets the requirements of § 164.508, or an IRB or privacy board waiver of authorization that meets the requirements of § 164.512(i), the consent, authorization, or waiver is effective for uses or disclosures that occur after the compliance date and that are consistent with the terms of the consent, authorization, or waiver.

Section 164.534—Compliance Dates for Initial Implementation of the Privacy Standards

In the NPRM, we provided that a covered entity must be in compliance with this subpart not later than 24 months following the effective date of this rule, except that a covered entity that is a small health plan must be in compliance with this subpart not later than 36 months following the effective date of the rule.

The final rule did not make any substantive changes. The format is changed so as to more clearly present the various compliance dates. The final rule lists the types of covered entities and then the various dates that would apply to each of these entities.

III. Section-by-Section Discussion of Comments

The following describes the provisions in the final regulation, and the changes we make to the proposed provisions section-by-section. Following each section are our responses to the comments to that section. This section of the preamble is organized to follow the corresponding section of the final rule, not the NPRM.

General Comments

We received many comments on the rule overall, rather than on a particular provision. We respond to those comments here. Similar comments that were directed to a specific provision in the proposed rule are answered below in the corresponding section of this preamble.

Comments on the Need for Privacy Standards, and Effects of this Regulation on Current Protections

Comment: Many commenters expressed the opinion that federal legislation is necessary to protect the privacy of individuals' health information. One comment advocated Congressional efforts to provide a comprehensive federal health privacy law that would integrate the substance abuse regulations with the privacy regulation.

Response: We agree that comprehensive privacy legislation is urgently needed. This administration has urged the Congress to pass such legislation. While this regulation will improve the privacy of individuals' health information, only legislation can provide the full array of privacy protection that individuals need and deserve.

Comment: Many commenters noted that they do not go to a physician, or do not completely share health information with their physician, because they are concerned about who will have access to that information. Many physicians commented on their patients' reluctance to share information because of fear that their information will later be used against them.

Response: We agree that strong federal privacy protections are necessary to enhance patients' trust in the health care system.