[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82461-82510]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de00-29]
[[Page 82461]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information;
Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN: 0991-AB08
Standards for Privacy of Individually Identifiable Health
Information
AGENCY: Office of the Assistant Secretary for Planning and Evaluation,
DHHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This rule includes standards to protect the privacy of
individually identifiable health information. The rules below, which
apply to health plans, health care clearinghouses, and certain health
care providers, present standards with respect to the rights of
individuals who are the subjects of this information, procedures for
the exercise of those rights, and the authorized and required uses and
disclosures of this information.
    The use of these standards will improve the efficiency and
effectiveness of public and private health programs and health care
services by providing enhanced protections for individually
identifiable health information. These protections will begin to
address growing public concerns that advances in electronic technology
and evolution in the health care industry are resulting, or may result,
in a substantial erosion of the privacy surrounding individually
identifiable health information maintained by health care providers,
health plans and their administrative contractors. This rule implements
the privacy requirements of the Administrative Simplification subtitle
of the Health Insurance Portability and Accountability Act of 1996.
DATES: The final rule is effective on February 26, 2001.
FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV
(1-866-627-7748) or TTY 1-866-788-4989.
SUPPLEMENTARY INFORMATION: Availability of copies, and electronic
access.
    Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 or by fax to (202) 512-2250.
The cost for each copy is $8.00. As an alternative, you can view and
photocopy the Federal Register document at most libraries designated as
Federal Depository Libraries and at many other public and academic
libraries throughout the country that receive the Federal Register.
    Electronic Access: This document is available electronically at
http://aspe.hhs.gov/admnsimp/ as well as at the web site of the
Government Printing Office at
http://www.access.gpo.gov/su_docs/aces/aces140.html.
I. Background
Table of Contents
Sec.
160.101   Statutory basis and purpose.
160.102   Applicability.
160.103   Definitions.
160.104   Modifications.
160.201   Applicability.
160.202   Definitions.
160.203   General rule and exceptions.
160.204   Process for requesting exception determinations.
160.205   Duration of effectiveness of exception determinations.
160.300   Applicability.
160.302   Definitions.
160.304   Principles for achieving compliance.
   (a) Cooperation.
   (b) Assistance.
160.306   Complaints to the Secretary.
   (a) Right to file a complaint.
   (b) Requirements for filing complaints.
   (c) Investigation.
160.308   Compliance reviews.
160.310   Responsibilities of covered entities.
   (a) Provide records and compliance reports.
   (b) Cooperate with complaint investigations and compliance
reviews.
   (c) Permit access to information.
160.312   Secretarial action regarding complaints and compliance
reviews.
   (a) Resolution where noncompliance is indicated.
   (b) Resolution when no violation is found.
164.102   Statutory basis.
164.104   Applicability.
164.106   Relationship to other parts.
164.500   Applicability.
164.501   Definitions.
164.502   Uses and disclosures of protected health information:
general rules.
   (a) Standard.
   (b) Standard: minimum necessary.
   (c) Standard: uses and disclosures of protected health
information subject to an agreed upon restriction.
   (d) Standard: uses and disclosures of de-identified protected
health information.
   (e) Standard: disclosures to business associates.
   (f) Standard: deceased individuals.
   (g) Standard: personal representatives.
   (h) Standard: confidential communications.
   (i) Standard: uses and disclosures consistent with notice.
   (j) Standard: disclosures by whistleblowers and workforce member
crime victims.
164.504   Uses and disclosures: organizational requirements.
   (a) Definitions.
   (b) Standard: health care component.
   (c) Implementation specification: application of other
provisions.
   (d) Standard: affiliated covered entities.
   (e) Standard: business associate contracts.
   (f) Standard: requirements for group health plans.
   (g) Standard: requirements for a covered entity with multiple
covered functions.
164.506  Consent for uses or disclosures to carry out treatment,
payment, or health care operations.
   (a) Standard: consent requirement.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: content requirements.
   (d) Implementation specifications: defective consents.
   (e) Standard: resolving conflicting consents and authorizations.
   (f) Standard: joint consents.
164.508  Uses and disclosures for which an authorization is
required.
   (a) Standard: authorizations for uses and disclosures.
   (b) Implementation specifications: general requirements.
   (c) Implementation specifications: core elements and
requirements.
   (d) Implementation specifications: authorizations requested by a
covered entity for its own uses and disclosures.
   (e) Implementation specifications: authorizations requested by a
covered entity for disclosures by others.
   (f) Implementation specifications: authorizations for uses and
disclosures of protected health information created for research
that includes treatment of the individual.
164.510  Uses and disclosures requiring an opportunity for the
individual to agree or to object.
   (a) Standard: use and disclosure for facility directories.
   (b) Standard: uses and disclosures for involvement in the
individual's care and notification purposes.
164.512  Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.
   (a) Standard: uses and disclosures required by law.
   (b) Standard: uses and disclosures for public health activities.
   (c) Standard: disclosures about victims of abuse, neglect or
domestic violence.
   (d) Standard: uses and disclosures for health oversight
activities.
   (e) Standard: disclosures for judicial and administrative
proceedings.
   (f) Standard: disclosures for law enforcement purposes.
   (g) Standard: uses and disclosures about decedents.
   (h) Standard: uses and disclosures for cadaveric organ, eye or
tissue donation purposes.
   (i) Standard: uses and disclosures for research purposes.
   (j) Standard: uses and disclosures to avert a serious threat to
health or safety.
   (k) Standard: uses and disclosures for specialized government
functions.
   (l) Standard: disclosures for workers' compensation.
164.514  Other requirements relating to uses and disclosures of
protected health information.
   (a) Standard: de-identification of protected health information.
   (b) Implementation specifications: requirements for de-
identification of protected health information.
   (c) Implementation specifications: re-identification.
   (d) Standard: minimum necessary requirements.
   (e) Standard: uses and disclosures of protected health
information for marketing.
   (f) Standard: uses and disclosures for fundraising.
   (g) Standard: uses and disclosures for underwriting and related
purposes.
   (h) Standard: verification requirements.
164.520  Notice of privacy practices for protected health
information.
   (a) Standard: notice of privacy practices.
   (b) Implementation specifications: content of notice.
   (c) Implementation specifications: provision of notice.
   (d) Implementation specifications: joint notice by separate
covered entities.
   (e) Implementation specifications: documentation.
164.522  Rights to request privacy protection for protected health
information.
   (a) Standard: right of an individual to request restriction of
uses and disclosures.
   (b) Standard: confidential communications requirements.
164.524  Access of individuals to protected health information.
   (a) Standard: access to protected health information.
   (b) Implementation specifications: requests for access and timely
action.
   (c) Implementation specifications: provision of access.
   (d) Implementation specifications: denial of access.
   (e) Implementation specification: documentation.
164.526  Amendment of protected health information.
   (a) Standard: right to amend.
   (b) Implementation specifications: requests for amendment and
timely action.
   (c) Implementation specifications: accepting the amendment.
   (d) Implementation specifications: denying the amendment.
   (e) Implementation specification: actions on notices of
amendment.
   (f) Implementation specification: documentation.
164.528  Accounting of disclosures of protected health information.
   (a) Standard: right to an accounting of disclosures of protected
health information.
   (b) Implementation specifications: content of the accounting.
   (c) Implementation specifications: provision of the accounting.
   (d) Implementation specification: documentation.
164.530  Administrative requirements.
   (a) Standard: personnel designations.
   (b) Standard: training.
   (c) Standard: safeguards.
   (d) Standard: complaints to the covered entity.
   (e) Standard: sanctions.
   (f) Standard: mitigation.
   (g) Standard: refraining from intimidating or retaliatory acts.
   (h) Standard: waiver of rights.
   (i) Standard: policies and procedures.
   (j) Standard: documentation.
   (k) Standard: group health plans.
164.532  Transition provisions.
   (a) Standard: effect of prior consents and authorizations.
   (b) Implementation specification: requirements for retaining
effectiveness of prior consents and authorizations.
164.534  Compliance dates for initial implementation of the privacy
standards.
   (a) Health care providers.
   (b) Health plans.
   (c) Health care clearinghouses.
Purpose of the Administrative Simplification Regulations
    This regulation has three major purposes: (1) To protect and
enhance the rights of consumers by providing them access to their
health information and controlling the inappropriate use of that
information; (2) to improve the quality of health care in the U.S. by
restoring trust in the health care system among consumers, health care
professionals, and the multitude of organizations and individuals
committed to the delivery of care; and (3) to improve the efficiency
and effectiveness of health care delivery by creating a national
framework for health privacy protection that builds on efforts by
states, health systems, and individual organizations and individuals.
    This regulation is the second final regulation to be issued in the
package of rules mandated under title II, subtitle F, sections 261-264 of
the Health Insurance Portability and Accountability Act of 1996
(HIPAA), Public Law 104-191, titled ``Administrative Simplification.''
Congress called for steps to improve ``the efficiency and effectiveness
of the health care system by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information.'' To achieve that end, Congress required the Department to
promulgate a set of interlocking regulations establishing standards and
protections for health information systems. The first regulation in
this set, Standards for Electronic Transactions 65 FR 50312, was
published on August 17, 2000 (the ``Transactions Rule''). This
regulation establishing Standards for Privacy of Individually
Identifiable Health Information is the second final rule in the
package. A rule establishing a unique identifier for employers to use
in electronic health care transactions, a rule establishing a unique
identifier for providers for such transactions, and a rule establishing
standards for the security of electronic information systems have been
proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June
16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are
rules establishing a unique identifier for health plans for electronic
transactions, standards for claims attachments, and standards for
transferring among health plans appropriate standard data elements
needed for coordination of benefits. (See section C, below, for a more
detailed explanation of the statutory mandate for these regulations.)
    In enacting HIPAA, Congress recognized the fact that administrative
simplification cannot succeed if we do not also protect the privacy and
confidentiality of personal health information. The provision of high-
quality health care requires the exchange of personal, often-sensitive
information between an individual and a skilled practitioner. Vital to
that interaction is the patient's ability to trust that the information
shared will be protected and kept confidential. Yet many patients are
concerned that their information is not protected. Among the factors
adding to this concern are the growth of the number of organizations
involved in the provision of care and the processing of claims, the
growing use of electronic information technology, increased efforts to
market health care and other products to consumers, and the increasing
ability to collect highly sensitive information about a person's
current and future health status as a result of advances in scientific
research.
    Rules requiring the protection of health privacy in the United
States have been enacted primarily by the states. While virtually every
state has enacted one or more laws to safeguard privacy, these laws
vary significantly from state to state and typically apply to only part
of the health care system. Many states have adopted laws that protect
the health information relating to certain health conditions such as
mental illness, communicable diseases, cancer, HIV/AIDS, and other
stigmatized conditions. An examination of state health privacy laws and
regulations,
however, found that ``state laws, with a few notable exceptions, do not
extend comprehensive protections to people's medical records.'' Many
state rules fail to provide such basic protections as ensuring a
patient's legal right to see a copy of his or her medical record. See
Health Privacy Project, ``The State of Health Privacy: An Uneven
Terrain,'' Institute for Health Care Research and Policy, Georgetown
University (July 1999) (http://www.healthprivacy.org) (the ``Georgetown
Study'').
    Until now, virtually no federal rules existed to protect the
privacy of health information and guarantee patient access to such
information. This final rule establishes, for the first time, a set of
basic national privacy standards and fair information practices that
provides all Americans with a basic level of protection and peace of
mind that is essential to their full participation in their care. The
rule sets a floor of ground rules for health care providers, health
plans, and health care clearinghouses to follow, in order to protect
patients and encourage them to seek needed care. The rule seeks to
balance the needs of the individual with the needs of the society. It
creates a framework of protection that can be strengthened by both the
federal government and by states as health information systems continue
to evolve.
Need for a National Health Privacy Framework
The Importance of Privacy
    Privacy is a fundamental right. As such, it must be viewed
differently than any ordinary economic good. The costs and benefits of
a regulation must, of course, be considered as a means of identifying
and weighing options. At the same time, it is important not to lose
sight of the inherent meaning of privacy: it speaks to our individual
and collective freedom.
    A right to privacy in personal information has historically found
expression in American law. All fifty states today recognize in tort
law a common law or statutory right to privacy. Many states
specifically provide a remedy for public revelation of private facts.
Some states, such as California and Tennessee, have a right to privacy
as a matter of state constitutional law. The multiple historical
sources for legal rights to privacy are traced in many places,
including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen
Alderman & Caroline Kennedy, The Right to Privacy (1995).
    Throughout our nation's history, we have placed the rights of the
individual at the forefront of our democracy. In the Declaration of
Independence, we asserted the ``unalienable right'' to ``life, liberty
and the pursuit of happiness.'' Many of the most basic protections in
the Constitution of the United States are imbued with an attempt to
protect individual privacy while balancing it against the larger social
purposes of the nation.
    To take but one example, the Fourth Amendment to the United States
Constitution guarantees that ``the right of the people to be secure in
their persons, houses, papers and effects, against unreasonable
searches and seizures, shall not be violated.'' By referring to the
need for security of ``persons'' as well as ``papers and effects'' the
Fourth Amendment suggests enduring values in American law that relate
to privacy. The need for security of ``persons'' is consistent with
obtaining patient consent before performing invasive medical
procedures. The need for security in ``papers and effects'' underscores
the importance of protecting information about the person, contained in
sources such as personal diaries, medical records, or elsewhere. As is
generally true for the right of privacy in information, the right is
not absolute. The test instead is what constitutes an ``unreasonable''
search of the papers and effects.
    The United States Supreme Court has upheld the constitutional
protection of personal health information. In Whalen v. Roe, 429 U.S.
589 (1977), the Court analyzed a New York statute that created a
database of persons who obtained drugs for which there was both a
lawful and unlawful market. The Court, in upholding the statute,
recognized at least two different kinds of interests within the
constitutionally protected ``zone of privacy.'' ``One is the individual
interest in avoiding disclosure of personal matters,'' such as this
regulation principally addresses. This interest in avoiding disclosure,
discussed in Whalen in the context of medical information, was found to
be distinct from a different line of cases concerning ``the interest in
independence in making certain kinds of important decisions.''
    Individuals' right to privacy in information about themselves is
not absolute. It does not, for instance, prevent reporting of public
health information on communicable diseases or stop law enforcement
from getting information when due process has been observed. But many
people believe that individuals should have some right to control
personal and sensitive information about themselves. Among different
sorts of personal information, health information is among the most
sensitive. Many people believe that details about their physical self
should not generally be put on display for neighbors, employers, and
government officials to see. Informed consent laws place limits on the
ability of other persons to intrude physically on a person's body.
Similar concerns apply to intrusions on information about the person.
    Moving beyond these facts of physical treatment, there is also
significant intrusion when records reveal details about a person's
mental state, such as during treatment for mental health. If, in
Justice Brandeis' words, the ``right to be let alone'' means anything,
then it likely applies to having outsiders have access to one's
intimate thoughts, words, and emotions. In the recent case of Jaffee v.
Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements
made to a therapist during a counseling session were protected against
civil discovery under the Federal Rules of Evidence. The Court noted
that all fifty states have adopted some form of the psychotherapist-
patient privilege. In upholding the federal privilege, the Supreme
Court stated that it ``serves the public interest by facilitating the
appropriate treatment for individuals suffering the effects of a mental
or emotional problem. The mental health of our citizenry, no less than
its physical health, is a public good of transcendent importance.''
    Many writers have urged a philosophical or common-sense right to
privacy in one's personal information. Examples include Alan Westin,
Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In
Defense of the Personal Life (1997). These writings emphasize the link
between privacy and freedom and privacy and the ``personal life,'' or
the ability to develop one's own personality and self-expression.
Smith, for instance, states:
    The bottom line is clear. If we continually, gratuitously,
reveal other people's privacies, we harm them and ourselves, we
undermine the richness of the personal life, and we fuel a social
atmosphere of mutual exploitation. Let me put it another way: Little
in life is as precious as the freedom to say and do things with
people you love that you would not say or do if someone else were
present. And few experiences are as fundamental to liberty and
autonomy as maintaining control over when, how, to whom, and where
you disclose personal material. Id. at 240-241.
    In 1890, Louis D. Brandeis and Samuel D. Warren defined the right
to privacy as ``the right to be let alone.'' See L. Brandeis, S.
Warren, ``The Right
To Privacy,'' 4 Harv.L.Rev. 193. More than a century later, privacy
continues to play an important role in Americans' lives. In their book,
The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman
and Caroline Kennedy describe the importance of privacy in this way:
    Privacy covers many things. It protects the solitude necessary
for creative thought. It allows us the independence that is part of
raising a family. It protects our right to be secure in our own
homes and possessions, assured that the government cannot come
barging in. Privacy also encompasses our right to self-determination
and to define who we are. Although we live in a world of noisy self-
confession, privacy allows us to keep certain facts to ourselves if
we so choose. The right to privacy, it seems, is what makes us
civilized.
Or, as Cavoukian and Tapscott observed, the right of privacy is: ``the
claim of individuals, groups, or institutions to determine for
themselves when, how, and to what extent information about them is
communicated.'' See A. Cavoukian, D. Tapscott, ``Who Knows:
Safeguarding Your Privacy in a Networked World,'' Random House (1995).
Increasing Public Concern About Loss of Privacy
    Today, it is virtually impossible for any person to be truly ``let
alone.'' The average American is inundated with requests for
information from potential employers, retail shops, telephone marketing
firms, electronic marketers, banks, insurance companies, hospitals,
physicians, health plans, and others. In a 1998 national survey, 88
percent of consumers said they were ``concerned'' by the amount of
information being requested, including 55 percent who said they were
``very concerned.'' See Privacy and American Business, 1998 Privacy
Concerns & Consumer Choice Survey (http://www.pandab.org). These
worries are not just theoretical. Consumers who use the Internet to
make purchases or request ``free'' information often are asked for
personal and financial information. Companies making such requests
routinely promise to protect the confidentiality of that information.
Yet several firms have tried to sell this information to other
companies even after promising not to do so.
    Americans' concern about the privacy of their health information is
part of a broader anxiety about their lack of privacy in an array of
areas. A series of national public opinion polls conducted by Louis
Harris & Associates documents a rising level of public concern about
privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80
percent of persons surveyed in 1999 agreed with the statement that they
had ``lost all control over their personal information.'' See Harris
Equifax, Health Information Privacy Study (1993)
(http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on
September 16, 1999 asked Americans what concerned them most in the
coming century. ``Loss of personal privacy'' was the first or second
concern of 29 percent of respondents. All other issues, such as
terrorism, world war, and global warming had scores of 23 percent or
less.
    This growing concern stems from several trends, including the
growing use of interconnected electronic media for business and
personal activities, our increasing ability to know an individual's
genetic make-up, and, in health care, the increasing complexity of the
system. Each of these trends brings the potential for tremendous
benefits to individuals and society generally. At the same time, each
also brings new potential for invasions of our privacy.
Increasing Use of Interconnected Electronic Information Systems
    Until recently, health information was recorded and maintained on
paper and stored in the offices of community-based physicians, nurses,
hospitals, and other health care professionals and institutions. In
some ways, this imperfect system of record keeping created a false
sense of privacy among patients, providers, and others. Patients'
health information has never remained completely confidential. Until
recently, however, a breach of confidentiality involved a physical
exchange of paper records or a verbal exchange of information. Today,
however, more and more health care providers, plans, and others are
utilizing electronic means of storing and transmitting health
information. In 1996, the health care industry invested an estimated
$10 billion to $15 billion on information technology. See National
Research Council, Computer Science and Telecommunications Board, ``For
the Record: Protecting Electronic Health Information,'' (1997). The
electronic information revolution is transforming the recording of
health information so that the disclosure of information may require
only a push of a button. In a matter of seconds, a person's most
profoundly private information can be shared with hundreds, thousands,
even millions of individuals and organizations at a time. While the
majority of medical records still are in paper form, information from
those records is often copied and transmitted through electronic means.
    This ease of information collection, organization, retention, and
exchange made possible by the advances in computer and other electronic
technology affords many benefits to individuals and to the health care
industry. Use of electronic information has helped to speed the
delivery of effective care and the processing of billions of dollars
worth of health care claims. Greater use of electronic data has also
increased our ability to identify and treat those who are at risk for
disease, conduct vital research, detect fraud and abuse, and measure
and improve the quality of care delivered in the U.S. The National
Research Council recently reported that ``the Internet has great
potential to improve Americans' health by enhancing communications and
improving access to information for care providers, patients, health
plan administrators, public health officials, biomedical researchers,
and other health professionals.'' See ``Networking Health:
Prescriptions for the Internet,'' National Academy of Sciences (2000).
    At the same time, these advances have reduced or eliminated many of
the financial and logistical obstacles that previously served to
protect the confidentiality of health information and the privacy
interests of individuals. And they have made our information available
to many more people. The shift from paper to electronic records, with
the accompanying greater flows of sensitive health information, thus
strengthens the arguments for giving legal protection to the right to
privacy in health information. In an earlier period where it was far
more expensive to access and use medical records, the risk of harm to
individuals was relatively low. In the potential near future, when
technology makes it almost free to send lifetime medical records over
the Internet, the risks may grow rapidly. It may become cost-effective,
for instance, for companies to offer services that allow purchasers to
obtain details of a person's physical and mental treatments. In
addition to legitimate possible uses for such services, malicious or
inquisitive persons may download medical records for purposes ranging
from identity theft to embarrassment to prurient interest in the life
of a celebrity or neighbor. The comments to the proposed privacy rule
indicate that many persons believe that they have a right to live in
society without having these details of their lives laid open to
unknown and possibly hostile eyes. These technological changes, in
short, may provide a reason for institutionalizing
privacy protections in situations where the risk of harm did not
previously justify writing such protections into law.
    The growing level of trepidation about privacy in general, noted
above, has tracked the rise in electronic information technology.
Americans have embraced the use of the Internet and other forms of
electronic information as a way to provide greater access to
information, save time, and save money. For example, 60 percent of
Americans surveyed in 1999 reported that they have a computer in their
home; 82 percent reported that they have used a computer; 64 percent
say they have used the Internet; and 58 percent have sent an e-mail.
Among those who are under the age of 60, these percentages are even
higher. See ``National Survey of Adults on Technology,'' Henry J.
Kaiser Family Foundation (February, 2000). But 59 percent of Americans
reported that they worry that an unauthorized person will gain access
to their information. A recent survey suggests that 75 percent of
consumers seeking health information on the Internet are concerned or
very concerned about the health sites they visit sharing their personal
health information with a third party without their permission. Ethics
Survey of Consumer Attitudes about Health Web Sites, California Health
Care Foundation, at 3 (January, 2000).
    Unless public fears are allayed, we will be unable to obtain the
full benefits of electronic technologies. The absence of national
standards for the confidentiality of health information has made the
health care industry and the population in general uncomfortable about
this primarily financially-driven expansion in the use of electronic
data. Many plans, providers, and clearinghouses have taken steps to
safeguard the privacy of individually identifiable health information.
Yet they must currently rely on a patchwork of State laws and
regulations that are incomplete and, at times, inconsistent. States
have, to varying degrees, attempted to enhance confidentiality by
establishing laws governing at least some aspects of medical record
privacy. This approach, though a step in the right direction, is
inadequate. These laws fail to provide a consistent or comprehensive
legal foundation of health information privacy. For example, there is
considerable variation among the states in the type of information
protected and the scope of the protections provided. See Georgetown
Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini,
Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws,
with Specific Emphasis on HIV and Immunization, Report to Centers for
Disease Control, Council of State and Territorial Epidemiologists, and
Task Force for Child Survival and Development, Carter Presidential
Center (1996) (Gostin Study).
    Moreover, electronic health data is becoming increasingly
``national''; as more information becomes available in electronic form,
it can have value far beyond the immediate community where the patient
resides. Neither private action nor state laws provide a sufficiently
comprehensive and rigorous legal structure to allay public concerns,
protect the right to privacy, and correct the market failures caused by
the absence of privacy protections (see discussion below of market
failure under section V.C). Hence, a national policy with consistent
rules is necessary to encourage the increased and proper use of
electronic information while also protecting the very real needs of
patients to safeguard their privacy.
Advances in Genetic Sciences
    Recently, scientists completed nearly a decade of work unlocking
the mysteries of the human genome, creating tremendous new
opportunities to identify and prevent many of the leading causes of
death and disability in this country and around the world. Yet the
absence of privacy protections for health information endangers these
efforts by creating a barrier of distrust and suspicion among
consumers. A 1995 national poll found that more than 85 percent of
those surveyed were either ``very concerned'' or ``somewhat concerned''
that insurers and employers might gain access to and use genetic
information. See Harris Poll, 1995 #34. Sixty-three percent of the
1,000 participants in a 1997 national survey said they would not take
genetic tests if insurers and employers could gain access to the
results. See ``Genetic Information and the Workplace,'' Department of
Labor, Department of Health and Human Services, Equal Employment
Opportunity Commission, January 20, 1998. ``In genetic testing studies
at the National Institutes of Health, thirty-two percent of eligible
people who were offered a test for breast cancer risk declined to take
it, citing concerns about loss of privacy and the potential for
discrimination in health insurance.'' Sen. Leahy's comments for March
10, 1999 Introduction of the Medical Information Privacy and Security
Act.
The Changing Health Care System
    The number of entities who are maintaining and transmitting
individually identifiable health information has increased
significantly over the last 10 years. In addition, the rapid growth of
integrated health care delivery systems requires greater use of
integrated health information systems. The health care industry has
been transformed from one that relied primarily on one-on-one
interactions between patients and clinicians to a system of integrated
health care delivery networks and managed care providers. Such a system
requires the processing and collection of information about patients
and plan enrollees (for example, in claims files or enrollment
records), resulting in the creation of databases that can be easily
transmitted. This dramatic change in the practice of medicine brings
with it important prospects for the improvement of the quality of care
and reducing the cost of that care. It also, however, means that
increasing numbers of people have access to health information. And, as
health plan functions are increasingly outsourced, a growing number of
organizations not affiliated with our physicians or health plans also
have access to health information.
    According to the American Health Information Management Association
(AHIMA), an average of 150 people ``from nursing staff to x-ray
technicians, to billing clerks'' have access to a patient's medical
records during the course of a typical hospitalization. While many of
these individuals have a legitimate need to see all or part of a
patient's records, no laws govern who those people are, what
information they are able to see, and what they are and are not allowed
to do with that information once they have access to it. According to
the National Research Council, individually identifiable health
information frequently is shared with:
    • Consulting physicians;
    • Managed care organizations;
    • Health insurance companies;
    • Life insurance companies;
    • Self-insured employers;
    • Pharmacies;
    • Pharmacy benefit managers;
    • Clinical laboratories;
    • Accrediting organizations;
    • State and Federal statistical agencies; and
    • Medical information bureaus.
Much of this sharing of information is done without the knowledge of
the patient involved. While many of these functions are important for
smooth functioning of the health care system, there are no rules
governing how that
information is used by secondary and tertiary users. For example, a
pharmacy benefit manager could receive information to determine whether
an insurance plan or HMO should cover a prescription, but then use the
information to market other products to the same patient. Similarly,
many of us obtain health insurance coverage through our employer and, in
some instances, the employer itself acts as the insurer. In these
cases, the employer will obtain identifiable health information about
its employees as part of the legitimate health insurance functions such
as claims processing, quality improvement, and fraud detection
activities. At the same time, there is no comprehensive protection
prohibiting the employer from using that information to make decisions
about promotions or job retention.
    Public concerns reflect these developments. A 1993 Lou Harris poll
found that 75 percent of those surveyed worry that medical information
from a computerized national health information system will be used for
many non-health reasons, and 38 percent are very concerned. This poll,
taken during the health reform efforts of 1993, showed that 85 percent
of respondents believed that protecting the confidentiality of medical
records is ``absolutely essential'' or ``very essential'' in health
care reform. An ACLU Poll in 1994 also found that 75 percent of those
surveyed are concerned a ``great deal'' or a ``fair amount'' about
insurance companies putting medical information about them into a
computer information bank to which others have access. Harris Equifax,
Health Information Privacy Study 2,33 (1993) http://www.epic.org/
privacy/medical/poll.html. Another survey found that 35 percent of
Fortune 500 companies look at people's medical records before making
hiring and promotion decisions. Starr, Paul. ``Health and the Right to
Privacy,'' American Journal of Law and Medicine, 1999. Vol 25, pp. 193-
201.
    Concerns about the lack of attention to information privacy in the
health care industry are not merely theoretical. In the absence of a
national legal framework of health privacy protections, consumers are
increasingly vulnerable to the exposure of their personal health
information. Disclosure of individually identifiable information can
occur deliberately or accidentally and can occur within an organization
or be the result of an external breach of security. Examples of recent
privacy breaches include:
    • A Michigan-based health system accidentally posted the
medical records of thousands of patients on the Internet (The Ann Arbor
News, February 10, 1999).
    • A Utah-based pharmaceutical benefits management firm used
patient data to solicit business for its owner, a drug store
(Kiplingers, February 2000).
    • An employee of the Tampa, Florida, health department took
a computer disk containing the names of 4,000 people who had tested
positive for HIV, the virus that causes AIDS (USA Today, October 10,
1996).
    • The health insurance claims forms of thousands of patients
blew out of a truck on its way to a recycling center in East Hartford,
Connecticut (The Hartford Courant, May 14, 1999).
    • A patient in a Boston-area hospital discovered that her
medical record had been read by more than 200 of the hospital's
employees (The Boston Globe, August 1, 2000).
    • A Nevada woman who purchased a used computer discovered
that the computer still contained the prescription records of the
customers of the pharmacy that had previously owned the computer. The
pharmacy data base included names, addresses, social security numbers,
and a list of all the medicines the customers had purchased. (The New
York Times, April 4, 1997 and April 12, 1997).
    • A speculator bid $4000 for the patient records of a family
practice in South Carolina. Among the businessman's uses of the
purchased records was selling them back to the former patients. (New
York Times, August 14, 1991).
    • In 1993, the Boston Globe reported that Johnson and
Johnson marketed a list of 5 million names and addresses of elderly
incontinent women. (ACLU Legislative Update, April 1998).
    • A few weeks after an Orlando woman had her doctor perform
some routine tests, she received a letter from a drug company promoting
a treatment for her high cholesterol. (Orlando Sentinel, November 30,
1997).
    No matter how or why a disclosure of personal information is made,
the harm to the individual is the same. In the face of industry
evolution, the potential benefits of our changing health care system,
and the real risks and occurrences of harm, protection of privacy must
be built into the routine operations of our health care system.
Privacy Is Necessary To Secure Effective, High Quality Health Care
    While privacy is one of the key values on which our society is
built, it is more than an end in itself. It is also necessary for the
effective delivery of health care, both to individuals and to
populations. The market failures caused by the lack of effective
privacy protections for health information are discussed below (see
section V.C below). Here, we discuss how privacy is a necessary
foundation for delivery of high quality health care. In short, the
entire health care system is built upon the willingness of individuals
to share the most intimate details of their lives with their health
care providers.
    The need for privacy of health information, in particular, has long
been recognized as critical to the delivery of needed medical care.
More than anything else, the relationship between a patient and a
clinician is based on trust. The clinician must trust the patient to
give full and truthful information about their health, symptoms, and
medical history. The patient must trust the clinician to use that
information to improve his or her health and to respect the need to
keep such information private. In order to receive accurate and
reliable diagnosis and treatment, patients must provide health care
professionals with accurate, detailed information about their personal
health, behavior, and other aspects of their lives. The provision of
health information assists in the diagnosis of an illness or condition,
in the development of a treatment plan, and in the evaluation of the
effectiveness of that treatment. In the absence of full and accurate
information, there is a serious risk that the treatment plan will be
inappropriate to the patient's situation.
    Patients also benefit from the disclosure of such information to
the health plans that pay for and can help them gain access to needed
care. Health plans and health care clearinghouses rely on the provision
of such information to accurately and promptly process claims for
payment and for other administrative functions that directly affect a
patient's ability to receive needed care, the quality of that care, and
the efficiency with which it is delivered.
    Accurate medical records assist communities in identifying
troubling public health trends and in evaluating the effectiveness of
various public health efforts. Accurate information helps public and
private payers make correct payments for care received and lower costs
by identifying fraud. Accurate information provides scientists with
data they need to conduct research. We cannot improve the quality of
health care without information about which treatments work, and which
do not.
    Individuals cannot be expected to share the most intimate details
of their lives unless they have confidence that such information will
not be used or
shared inappropriately. Privacy violations reduce consumers' trust in
the health care system and institutions that serve them. Such a loss of
faith can impede the quality of the health care they receive, and can
harm the financial health of health care institutions.
    Patients who are worried about the possible misuse of their
information often take steps to protect their privacy. Recent studies
show that a person who does not believe his privacy will be protected
is much less likely to participate fully in the diagnosis and treatment
of his medical condition. A national survey conducted in January 1999
found that one in five Americans believe their health information is
being used inappropriately. See California HealthCare Foundation,
``National Survey: Confidentiality of Medical Records'' (January, 1999)
(http://www.chcf.org). More troubling is the fact that one in six
Americans reported that they have taken some sort of evasive action to
avoid the inappropriate use of their information by providing
inaccurate information to a health care provider, changing physicians,
or avoiding care altogether. Similarly, in its comments on our proposed
rule, the Association of American Physicians and Surgeons reported 78
percent of its members reported withholding information from a
patient's record due to privacy concerns and another 87 percent
reported having had a patient request to withhold information from
their records. For an example of this phenomenon in a particular
demographic group, see Drs. Bearman, Ford, and Moody, ``Foregone Health
Care among Adolescents,'' JAMA, vol. 282, no. 23 (1999); Cheng, T.L., et
al., ``Confidentiality in Health Care: A Survey of Knowledge,
Perceptions, and Attitudes among High School Students,'' JAMA, vol.
269, no. 11 (1993), at 1404-1407.
    The absence of strong national standards for medical privacy has
widespread consequences. Health care professionals who lose the trust
of their patients cannot deliver high-quality care. In 1999, a
coalition of organizations representing various stakeholders including
health plans, physicians, nurses, employers, disability and mental
health advocates, accreditation organizations as well as experts in
public health, medical ethics, information systems, and health policy
adopted a set of ``best principles'' for health care privacy that are
consistent with the standards we lay out here. See the Health Privacy
Working Group, ``Best Principles for Health Privacy'' (July, 1999)
(Best Principles Study). The Best Principles Study states that--
    To protect their privacy and avoid embarrassment, stigma, and
discrimination, some people withhold information from their health
care providers, provide inaccurate information, doctor-hop to avoid
a consolidated medical record, pay out-of-pocket for care that is
covered by insurance, and--in some cases--avoid care altogether.
Best Principles Study, at 9. In their comments on our proposed rule,
numerous organizations representing health plans, health providers,
employers, and others acknowledged the value of a set of national
privacy standards to the efficient operation of their practices and
businesses.
Breaches of Health Privacy Harm More Than Our Health Status
    A breach of a person's health privacy can have significant
implications well beyond the physical health of that person, including
the loss of a job, alienation of family and friends, the loss of health
insurance, and public humiliation. For example:
    • A banker who also sat on a county health board gained
access to patients' records and identified several people with cancer
and called in their mortgages. See the National Law Journal, May 30,
1994.
    • A physician was diagnosed with AIDS at the hospital in
which he practiced medicine. His surgical privileges were suspended.
See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super.
597.
    • A candidate for Congress nearly saw her campaign derailed
when newspapers published the fact that she had sought psychiatric
treatment after a suicide attempt. See New York Times, October 10,
1992, Section 1, page 25.
    • A 30-year FBI veteran was put on administrative leave
when, without his permission, his pharmacy released information about
his treatment for depression. (Los Angeles Times, September 1, 1998).
    Consumer Reports found that 40 percent of insurers disclose personal
health information to lenders, employers, or marketers without customer
permission. ``Who's reading your Medical Records,'' Consumer Reports,
October 1994, at 628, paraphrasing Sweeney, Latanya, ``Weaving
Technology and Policy Together to Maintain Confidentiality,'' The
Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25,
Numbers 2,3.
    The answer to these concerns is not for consumers to withdraw from
society and the health care system, but for society to establish a
clear national legal framework for privacy. By spelling out what is and
what is not an allowable use of a person's identifiable health
information, such standards can help to restore and preserve trust in
the health care system and the individuals and institutions that
comprise that system. As medical historian Paul Starr wrote: ``Patients
have a strong interest in preserving the privacy of their personal
health information but they also have an interest in medical research
and other efforts by health care organizations to improve the medical
care they receive. As members of the wider community, they have an
interest in public health measures that require the collection of
personal data.'' (P. Starr, ``Health and the Right to Privacy,''
American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The
task of society and its government is to create a balance in which the
individual's needs and rights are balanced against the needs and rights
of society as a whole.
    National standards for medical privacy must recognize the sometimes
competing goals of improving individual and public health, advancing
scientific knowledge, enforcing the laws of the land, and processing
and paying claims for health care services. This need for balance has
been recognized by many of the experts in this field. Cavoukian and
Tapscott described it this way: ``An individual's right to privacy may
conflict with the collective rights of the public * * *. We do not
suggest that privacy is an absolute right that reigns supreme over all
other rights. It does not. However, the case for privacy will depend on
a number of factors that can influence the balance--the level of harm
to the individual involved versus the needs of the public.''
The Federal Response
    There have been numerous federal initiatives aimed at protecting
the privacy of especially sensitive personal information over the past
several years--and several decades. While the rules below are likely
the largest single federal initiative to protect privacy, they are by
no means alone in the field. Rather, the rules arrive in the context of
recent legislative activity to grapple with advances in technology, in
addition to an already established body of law granting federal
protections for personal privacy.
    In 1965, the House of Representatives created a Special
Subcommittee on Invasion of Privacy. In 1973, this Department's
predecessor agency, the Department of Health, Education and Welfare
issued The Code of Fair Information Practice Principles establishing an
important baseline for
information privacy in the U.S. These principles formed the basis for
the federal Privacy Act of 1974, which regulates the government's use
of personal information by limiting the disclosure of personally-
identifiable information, allows consumers access to information about
them, requires federal agencies to specify the purposes for collecting
personal information, and provides civil and criminal penalties for
misuse of information.
    In the last several years, with the rapid expansion in electronic
technology--and accompanying concerns about individual privacy--laws,
regulations, and legislative proposals have been developed in areas
ranging from financial privacy to genetic privacy to the safeguarding
of children on-line. For example, the Children's Online Privacy
Protection Act was enacted in 1998, providing protection for children
when interacting at web-sites. In February, 2000, President Clinton
signed Executive Order 13145, banning the use of genetic information in
federal hiring and promotion decisions. The landmark financial
modernization bill, signed by the President in November, 1999, likewise
contained financial privacy protections for consumers. There also has
been recent legislative activity on establishing legal safeguards for
the privacy of individuals' Social Security numbers, and calls for
regulation of on-line privacy in general.
    These most recent laws, regulations, and legislative proposals come
against the backdrop of decades of privacy-enhancing statutes passed at
the federal level to enact safeguards in fields ranging from government
data files to video rental records. In the 1970s, individual privacy
was paramount in the passage of the Fair Credit Reporting Act (1970),
the Privacy Act (1974), the Family Educational Rights and Privacy Act
(1974), and the Right to Financial Privacy Act (1978). These key laws
were followed in the next decade by another series of statutes,
including the Privacy Protection Act (1980), the Electronic
Communications Privacy Act (1986), the Video Privacy Protection Act
(1988), and the Employee Polygraph Protection Act (1988). In the last
ten years, Congress and the President have passed additional legal
privacy protection through, among others, the Telephone Consumer
Protection Act (1991), the Driver's Privacy Protection Act (1994), the
Telecommunications Act (1996), the Children's Online Privacy Protection
Act (1998), the Identity Theft and Assumption Deterrence Act (1998),
and Title V of the Gramm-Leach-Bliley Act (1999) governing financial
privacy.
    In 1997, a Presidential advisory commission, the Advisory
Commission on Consumer Protection and Quality in the Health Care
Industry, recognized the need for patient privacy protection in its
recommendations for a Consumer Bill of Rights and Responsibilities
(November 1997). In 1997, Congress enacted the Balanced Budget Act
(Public Law 105-34), which added language to the Social Security Act
(18 U.S.C. 1852) to require Medicare+Choice organizations to establish
safeguards for the privacy of individually identifiable patient
information. Similarly, the Veterans Benefits section of the U.S. Code
provides for confidentiality of medical records in cases involving drug
abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell
anemia (38 U.S.C. 7332).
    As described in more detail in the next section, Congress
recognized the importance of protecting the privacy of health
information by enacting the Health Insurance Portability and
Accountability Act of 1996. The Act called on Congress to enact a
medical privacy statute and asked the Secretary of Health and Human
Services to provide Congress with recommendations for protecting the
confidentiality of health care information. The Congress further
recognized the importance of such standards by providing the Secretary
with authority to promulgate regulations on health care privacy in the
event that lawmakers were unable to act within the allotted three
years.
    Finally, it also is important for the U.S. to join the rest of the
developed world in establishing basic medical privacy protections. In
1995, the European Union (EU) adopted a Data Privacy Directive
requiring its 15 member states to adopt consistent privacy laws by
October 1998. The EU urged all other nations to do the same or face the
potential loss of access to information from EU countries.
Statutory Background
History of the Privacy Component of the Administrative Simplification
Provisions
    The Congress addressed the opportunities and challenges presented
by the rapid evolution of health information systems in the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Public
Law 104-191, which was enacted on August 21, 1996. Sections 261 through
264 of HIPAA are known as the Administrative Simplification provisions.
The major part of these Administrative Simplification provisions are
found at section 262 of HIPAA, which enacted a new part C of title XI
of the Social Security Act (hereinafter we refer to the Social Security
Act as the ``Act'' and we refer to all other laws cited in this
document by their names).
    In section 262, Congress primarily sought to facilitate the
efficiencies and cost savings for the health care industry that the
increasing use of electronic technology affords. Thus, section 262
directs HHS to issue standards to facilitate the electronic exchange of
information with respect to financial and administrative transactions
carried out by health plans, health care clearinghouses, and health
care providers who transmit information electronically in connection
with such transactions.
    At the same time, Congress recognized the challenges to the
confidentiality of health information presented by the increasing
complexity of the health care industry, and by advances in health
information systems technology and communications. Section 262 thus
also directs HHS to develop standards to protect the security,
including the confidentiality and integrity, of health information.
    Congress has long recognized the need for protection of health
information privacy generally, as well as the privacy implications of
electronic data interchange and the increased ease of transmitting and
sharing individually identifiable health information. Congress has been
working on broad health privacy legislation for many years and, as
evidenced by the self-imposed three year deadline included in the
HIPAA, discussed below, believes it can and should enact such
legislation. A significant portion of the first Administrative
Simplification section debated on the floor of the Senate in 1994 (as
part of the Health Security Act) consisted of privacy provisions. In
the version of the HIPAA passed by the House of Representatives in
1996, the requirement for the issuance of privacy standards was located
in the same section of the bill (section 1173) as the requirements for
issuance of the other HIPAA Administrative Simplification standards. In
conference, the requirement for privacy standards was moved to a
separate section in the same part of HIPAA, section 264, so that
Congress could link the Privacy standards to Congressional action.
    Section 264(b) requires the Secretary of HHS to develop and submit
to the Congress recommendations for:
    • The rights that an individual who is a subject of
individually identifiable health information should have.
    • The procedures that should be established for the exercise
of such rights.
    • The uses and disclosures of such information that should
be authorized or required.
The Secretary's Recommendations were submitted to the Congress on
September 11, 1997. Section 264(c)(1) provides that:
    If legislation governing standards with respect to the privacy
of individually identifiable health information transmitted in
connection with the transactions described in section 1173(a) of the
Social Security Act (as added by section 262) is not enacted by
[August 21, 1999], the Secretary of Health and Human Services shall
promulgate final regulations containing such standards not later
than [February 21, 2000]. Such regulations shall address at least
the subjects described in subsection (b).
As the Congress did not enact legislation regarding the privacy of
individually identifiable health information prior to August 21, 1999,
HHS published proposed rules setting forth such standards on November
3, 1999, 64 FR 59918, and is now publishing the mandated final
regulation.
    These privacy standards have been, and continue to be, an integral
part of the suite of Administrative Simplification standards intended
to simplify and improve the efficiency of the administration of our
health care system.
The Administrative Simplification Provisions, and Regulatory Actions to
Date
    Part C of title XI consists of sections 1171 through 1179 of the
Act. These sections define various terms and impose several
requirements on HHS, health plans, health care clearinghouses, and
health care providers who conduct the identified transactions
electronically.
    The first section, section 1171 of the Act, establishes definitions
for purposes of part C of title XI for the following terms: code set,
health care clearinghouse, health care provider, health information,
health plan, individually identifiable health information, standard,
and standard setting organization.
    Section 1172 of the Act makes the standard adopted under part C
applicable to: (1) Health plans, (2) health care clearinghouses, and
(3) health care providers who transmit health information in electronic
form in connection with transactions referred to in section 1173(a)(1)
of the Act (hereinafter referred to as the ``covered entities'').
Section 1172 also contains procedural requirements concerning the
adoption of standards, including the role of standard setting
organizations and required consultations, summarized in subsection F
and section VI, below.
    Section 1173 of the Act requires the Secretary to adopt standards
for transactions, and data elements for such transactions, to enable
health information to be exchanged electronically. Section 1173(a)(1)
describes the transactions to be promulgated, which include the nine
transactions listed in section 1173(a)(2) and other transactions
determined appropriate by the Secretary. The remainder of section 1173
sets out requirements for the specific standards the Secretary is to
adopt: Unique health identifiers, code sets, security standards,
electronic signatures, and transfer of information among health plans.
Of particular relevance to this proposed rule is section 1173(d), the
security standard provision. The security standard authority applies to
both the transmission and the maintenance of health information, and
requires the entities described in section 1172(a) to maintain
reasonable and appropriate safeguards to ensure the integrity and
confidentiality of the information, protect against reasonably
anticipated threats or hazards to the security or integrity of the
information or unauthorized uses or disclosures of the information, and
to ensure compliance with part C by the entity's officers and
employees.
    In section 1174 of the Act, the Secretary is required to establish
standards for all of the above transactions, except claims attachments,
by February 21, 1998. The statutory deadline for the claims attachment
standard is February 21, 1999.
    As noted above, a proposed rule for most of the transactions was
published on May 7, 1998, and the final Transactions Rule was
promulgated on August 17, 2000. The delay was caused by the deliberate
consensus building process, working with industry, and the large number
of comments received (about 17,000). In addition, in a series of
Notices of Proposed Rulemakings, HHS published other proposed
standards, as described above. Each of these steps was taken in concert
with the affected professions and industries, to ensure rapid adoption
and compliance.
    Generally, after a standard is established, it may not be changed
during the first year after adoption except for changes that are
necessary to permit compliance with the standard. Modifications to any
of these standards may be made after the first year, but not more
frequently than once every 12 months. The Secretary also must ensure
that procedures exist for the routine maintenance, testing,
enhancement, and expansion of code sets and that there are crosswalks
from prior versions.
    Section 1175 of the Act prohibits health plans from refusing to
process, or from delaying processing of, a transaction that is
presented in standard format. It also establishes a timetable for
compliance: each person to whom a standard or implementation
specification applies is required to comply with the standard within 24
months (or 36 months for small health plans) of its adoption. A health
plan or other entity may, of course, comply voluntarily before the
effective date. The section also provides that compliance with
modifications to standards or implementation specifications must be
accomplished by a date designated by the Secretary, which date may not
be earlier than 180 days from the notice of change.
    Section 1176 of the Act establishes civil monetary penalties for
violation of the provisions in part C of title XI of the Act, subject
to several limitations. Penalties may not be more than $100 per person
per violation and not more than $25,000 per person for violations of a
single standard for a calendar year. The procedural provisions of
section 1128A of the Act apply to actions taken to obtain civil
monetary penalties under this section.
    Section 1177 establishes penalties for any person that knowingly
uses a unique health identifier, or obtains or discloses individually
identifiable health information in violation of the part. The penalties
include: (1) A fine of not more than $50,000 and/or imprisonment of not
more than 1 year; (2) if the offense is ``under false pretenses,'' a
fine of not more than $100,000 and/or imprisonment of not more than 5
years; and (3) if the offense is with intent to sell, transfer, or use
individually identifiable health information for commercial advantage,
personal gain, or malicious harm, a fine of not more than $250,000 and/
or imprisonment of not more than 10 years.
    Under section 1178 of the Act, the requirements of part C, as well
as any standards or implementation specifications adopted thereunder,
preempt contrary state law. There are three exceptions to this general
rule of preemption: State laws that the Secretary determines are
necessary for certain purposes set forth in the statute; state laws
that the Secretary determines address controlled substances; and state
laws relating to the privacy of
[[Page 82471]]
individually identifiable health information that are contrary to and
more stringent than the federal requirements. There also are certain
areas of state law (generally relating to public health and oversight
of health plans) that are explicitly carved out of the general rule of
preemption and addressed separately.
    Section 1179 of the Act makes the above provisions inapplicable to
financial institutions (as defined by section 1101 of the Right to
Financial Privacy Act of 1978) or anyone acting on behalf of a
financial institution when ``authorizing, processing, clearing,
settling, billing, transferring, reconciling, or collecting payments
for a financial institution.''
    Finally, as explained above, section 264 requires the Secretary to
issue standards with respect to the privacy of individually
identifiable health information. Section 264 also contains a preemption
provision that provides that contrary provisions of state laws that are
more stringent than the federal standards, requirements, or
implementation specifications will not be preempted.
Our Approach to This Regulation
Balance
    A number of facts informed our approach to this regulation.
Determining the best approach to protecting privacy depends on where we
start, both with respect to existing legal expectations and also with
respect to the expectations of individuals, health care providers,
payers and other stakeholders. From the comments we received on the
proposed rule, and from the extensive fact finding in which we engaged,
a confused picture developed. We learned that stakeholders in the
system have very different ideas about the extent and nature of the
privacy protections that exist today, and very different ideas about
appropriate uses of health information. This leads us to seek to
balance the views of the different stakeholders, weighing the varying
interests on each particular issue with a view to creating balance in
the regulation as a whole.
    For example, we received hundreds of comments explaining the
legitimacy of various uses and disclosure of health information. We
agree that many uses and disclosures of health information are
``legitimate,'' but that is not the end of the inquiry. Neither
privacy, nor the important social goals described by the commenters,
are absolutes. In this regulation, we are asking health providers and
institutions to add privacy into the balance, and we are asking
individuals to add social goals into the balance.
    The vast difference among regulated entities also informed our
approach in significant ways. This regulation applies to solo
practitioners and multi-national health plans. It applies to
pharmacies and information clearinghouses. These entities differ not
only in the nature and scope of their businesses, but also in the
degree of sophistication of their information systems and information
needs. We therefore designed the core requirements of this regulation
to be flexible and ``scalable.'' This is reflected throughout the rule,
particularly in the implementation specifications for making the
minimum necessary uses and disclosures, and in the administrative
policies and procedures requirements.
    We also are informed by the rapid evolution in industry
organization and practice. Our goal is to enhance privacy protections
in ways that do not impede this evolution. For example, we received
many comments asking us to assign a status under this regulation based
on a label or title; many commenters asked whether
``disease management'' is a ``health care operation,'' or whether a
``pharmacy benefits manager'' is a covered entity. From the comments
and our fact-finding, however, we learned that these terms do not have
consistent meanings today; rather, they encompass diverse activities
and information practices. Further, the statutory definitions of key
terms such as health care provider and health care clearinghouse
describe functions, not specific types of persons or entities. To
respect both the Congressional approach and industry evolution, we
design the rule to follow activities and functions, not titles and
labels.
    Similarly, many comments asked whether a particular person would be
a ``business associate'' under the rule, based on the nature of the
person's business. Whether a business associate arrangement must exist
under the rule, however, depends on the relationship between the
entities and the services being performed, not on the type of persons
or companies involved.
    Our approach is also significantly informed by the limited
jurisdiction conferred by HIPAA. In large part, we have the authority
to regulate those who create and disclose health information, but not
many key stakeholders who receive that health information from a
covered entity. Again, this led us to look to the balance between the
burden on covered entities and the need to protect privacy in determining
our approach to such disclosures. In some instances, we approach this
dilemma by requiring covered entities to obtain a representation or
documentation of purpose from the person requesting information. While
there would be advantages to legislation regulating such third persons
directly, we cannot justify abandoning any effort to enhance privacy.
    It also became clear from the comments and our fact-finding that we
have expectations as a society that conflict with individuals' views
about the privacy of health information. We expect the health care
industry to develop treatment protocols for the delivery of high
quality health care. We expect insurers and the government to reduce
fraud in the health care system. We expect to be protected from
epidemics, and we expect medical research to produce miracles. We
expect the police to apprehend suspects, and we expect to pay for our
care by credit card. All of these activities involve disclosure of
health information to someone other than our physician.
    While most commenters support the concept of health privacy in
general, many go on to describe activities that depend on the
disclosure of health information and urge us to protect those
information flows. Section III, in which we respond to the comments,
describes our approach to balancing these conflicting expectations.
    Finally, we note that many commenters were concerned that this
regulation would lessen current privacy protections. It is important to
understand this regulation as a new federal floor of privacy
protections that does not disturb more protective rules or practices.
Nor do we intend this regulation to describe a set of ``best
practices.'' Rather, this regulation describes a set of basic consumer
protections and a series of regulatory permissions for use and
disclosure of health information. The protections are a mandatory
floor, which other governments and any covered entity may exceed. The
permissions are just that, permissive--the only disclosures of health
information required under this rule are to the individual who is the
subject of the information or to the Secretary for enforcement of this
rule. We expect covered entities to rely on their professional ethics
and use their own best judgments in deciding which of these
permissions they will use.
Combining Workability With New Protections
    This rule establishes national minimum standards to protect the
privacy of individually identifiable health information in prescribed
[[Page 82472]]
settings. The standards address the many varied uses and disclosures of
individually identifiable health information by health plans, certain
health care providers and health care clearinghouses. The complexity of
the standards reflects the complexity of the health care marketplace to
which they apply and the variety of subjects that must be addressed.
The rule applies not only to the core health care functions relating to
treating patients and reimbursing health care providers, but also to
activities that range from when individually identifiable health
information should be available for research without authorization to
whether a health care provider may release protected health information
about a patient for law enforcement purposes. The number of discrete
provisions, and the number of commenters requesting that the rule
recognize particular activities, is evidence of the significant role
that individually identifiable health information plays in many vital
public and private concerns.
    At the same time, the large number of comments from individuals and
groups representing individuals demonstrates the deep public concern
about the need to protect the privacy of individually identifiable
health information. The discussion above is rich with evidence about
the importance of protecting privacy and the potential adverse
consequences to individuals and their health if such protections are
not extended.
    The need to balance these competing interests--the necessity of
protecting privacy and the public interest in using identifiable health
information for vital public and private purposes--in a way that is
also workable for the varied stakeholders causes much of the complexity
in the rule. Achieving workability without sacrificing protection means
some level of complexity, because the rule must track current practices
and current practices are complex. We believe that the complexity
entailed in reflecting those practices is better public policy than a
perhaps simpler rule that disturbed important information flows.
    Although the rule taken as a whole is complicated, we believe that
the standards are much less complex as they apply to particular actors.
What a health plan or covered health care provider must do to comply
with the rule is clear, and the two-year delayed implementation
provides a substantial period for trade and professional associations,
working with their members, to assess the effects of the standards and
develop policies and procedures to come into compliance with them. For
individuals, the system may look substantially more complicated
because, for the first time, we are ensuring that individuals will
receive detailed information about how their individually identifiable
health information may be used and disclosed. We also provide
individuals with additional tools to exercise some control over those
uses and disclosures. The additional complexity for individuals is the
price of expanding their understanding and their rights.
    The Department will work actively with members of the health care
industry, representatives of individuals and others during the
implementation of this rule. As stated elsewhere, our focus is to
develop broader understanding of how the standards work and to
facilitate compliance. We intend to provide guidance and check lists as
appropriate, particularly to small businesses affected by the rule. We
also will work with trade and professional associations to develop
guidance and provide technical assistance so that they can help their
members understand and comply with these new standards. If this effort
is to succeed, the various public and private participants inside and
outside of the health care system will need to work together to assure
that the competing interests described above remain in balance and that
an ethic that recognizes their importance is established.
Enforcement
    The Secretary has decided to delegate her responsibility under this
regulation to the Department's Office for Civil Rights (OCR). OCR will
be responsible for enforcement of this regulation. Enforcement
activities will include working with covered entities to secure
voluntary compliance through the provision of technical assistance and
other means; responding to questions regarding the regulation and
providing interpretations and guidance; responding to state requests
for exception determinations; investigating complaints and conducting
compliance reviews; and, where voluntary compliance cannot be achieved,
seeking civil monetary penalties and making referrals for criminal
prosecution.
Consent
Current Law and Practice
    The issue that drew the most comments overall is the question of
when individuals' permission should be obtained prior to use or
disclosure of their health information. We learned that individuals'
views and the legal view of ``consent'' for use and disclosure of
health information are different and in many ways incompatible.
Comments from individuals revealed a common belief that, today, people
must be asked permission for each and every release of their health
information. Many believe that they ``own'' the health records about
them. However, current law and practice do not support this view.
    Current privacy protection practices are determined in part by the
standards and practices that the professional associations have adopted
for their members. Professional codes of conduct for ethical behavior
generally can be found as opinions and guidelines developed by
organizations such as the American Medical Association, American
Nurses' Association, the American Hospital Association, the American
Psychiatric Association, and the American Dental Association. These are
generally issued through an organization's governing body. The codes do
not have the force of law, but providers often recognize them as
binding rules.
    Our review of professional codes of ethics revealed partial, but
loose, support for individuals' expectations of privacy. For example,
the American Medical Association's Code of Ethics recognizes both the
right to privacy and the need to balance it against societal needs. It
reads in part: ``conflicts between a patient's right to privacy and a
third party's need to know should be resolved in favor of the patient,
except where that would result in serious health hazard or harm to the
patient or others.'' AMA Policy No 140.989. See also, Mass. Med.
Society, Patient Privacy and Confidentiality (1996), at 14:
    Patients enter treatment with the expectation that the
information they share will be used exclusively for their clinical
care. Protection of our patients' confidences is an integral part of
our ethical training.
    These codes, however, do not apply to many who obtain information
from providers. For example, the National Association of Insurance
Commissioners model code, ``Health Information Privacy Model Act''
(1998), applies to insurers but has not been widely adopted. Codes of
ethics are also often written in general terms that do not provide
guidance to providers and plans confronted with specific questions
about protecting health information.
    State laws are a crucial means of protecting health information,
and today state laws vary dramatically. Some states defer to the
professional codes of conduct, others provide general guidelines for
privacy protection, and
[[Page 82473]]
others provide detailed requirements relating to the protection of
information relating to specific diseases or to entire classes of
information. Cf., D.C. Code Ann. Sec. 2-3305.14(16) and Haw. Rev. Stat.
323C, et seq. In general, state statutes and case law addressing
consent to use of health information do not support the public's strong
expectations regarding consent for use and disclosure of health
information. Only about half of the states have a general law that
prohibits disclosure of health information without patient
authorization and some of these are limited to hospital medical
records.
    Even when a state has a law limiting disclosure of health
information, the law typically exempts many types of disclosure from
the authorization requirement. Georgetown Study, Key Findings; Lisa
Dahm, ``50-State Survey on Patient Health Care Record
Confidentiality,'' American Health Lawyers Association (1999). One of
the most common exemptions from a consent requirement is disclosure of
health information for treatment and related purposes. See, e.g.,
Wis. Stat. Sec. 164.82; Cal. Civ. Code 56:10; National Conference of
Commissioners on Uniform State Laws, Uniform Health-Care Information
Act, Minneapolis, MN, August 9, 1985. Some states include utilization
review and similar activities in the exemption. See, e.g., Ariz. Rev.
Stat. Sec. 12-2294. Another common exemption from consent is disclosure
of health information for purposes of obtaining payment. See, e.g.,
Fla. Stat. Ann. Sec. 455.667; Tex. Rev. Civ. Stat. Art. 4495,
Sec. 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions
include disclosures for emergency care, and for disclosures to
government authorities (such as a department of public health). See
Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law
enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of
2000), coroners (Wis. Stat. Sec. 146.82), and for such purposes as
business operations, oversight, research, and for directory
information. Under these exceptions, providers can disclose health
information without any consent or authorization from the patient. When
states require specific, written authorization for disclosure of health
information, the authorizations are usually only required for certain
types of disclosures or certain types of information, and one
authorization can suffice for multiple disclosures over time.
    The states that do not have laws prohibiting disclosure of health
information impose no specific requirements for consent or
authorization prior to release of health information. There may,
however, be other controls on release of health information. For
instance, most health care professional licensure laws include general
prohibitions against ``breaches of confidentiality.'' In some states,
patients can hold providers accountable for some unauthorized
disclosures of health information about them under various tort
theories, such as invasion of privacy and breach of a confidential
relationship. While these controls may affect certain disclosure
practices, they do not amount to a requirement that a provider obtain
authorization for each and every disclosure of health information.
    Further, patients are typically not given a choice; they must sign
the ``consent'' in order to receive care. As the Georgetown Study
points out, ``In effect, the authorization may function more as a
waiver of consent--the patient may not have an opportunity to object to
any disclosures.'' Georgetown Study, Key Findings.
    In the many cases where neither state law nor professional ethical
standards exist, the only privacy protection individuals have is
limited to the policies and procedures that the health care entity
adopts. Corporate privacy policies are often proprietary. While several
professional associations attached their privacy principles to their
comments, health care entities did not. One study we found indicates
that these policies are not adequate to provide appropriate privacy
protections and alleviate public concern. The Committee on Maintaining
Privacy and Security in Health Care Applications of the National
Information Infrastructure made multiple findings highlighting the need
for heightened privacy and security, including:
    Finding 5: The greatest concerns regarding the privacy of health
information derives from widespread sharing of patient information
throughout the health care industry and the inadequate federal and
state regulatory framework for systematic protection of health
information.
    For the Record: Protecting Electronic Health Information,
National Academy Press, Washington DC, 1997.
Consent Under This Rule
    In the NPRM, we expressed concern about the coercive nature of
consents currently obtained by providers and plans relating to the use
and disclosure of health information. We also expressed concern about
the lack of information available to the patient during the process,
and the fact that patients often were not even presented with a copy of
the consent that they have signed. These and other concerns led us to
propose that covered entities be permitted to use and disclose
protected health information for treatment, payment and health care
operations without the express consent of the subject individual.
    In the final rule, we alter our proposed approach and require, in
most instances, that health care providers who have a direct treatment
relationship with their patients obtain the consent of their patients
to use and disclose protected health information for treatment, payment
and health care operations. While our concern about the coerced nature
of these consents remains, many comments that we received from
individuals, health care professionals, and organizations that
represent them indicated that both patients and practitioners believe
that patient consent is an important part of the current health care
system and should be retained.
    Providing and obtaining consent clearly has meaning for patients
and practitioners. Patient advocates argued that the act of signing
focuses the patient's attention on the substance of the transaction and
provides an opportunity for the patient to ask questions about or seek
modifications in the provider's practices. Many health care
practitioners and their representatives argued that seeking a patient's
consent to disclose confidential information is an ethical requirement
that strengthens the physician-patient relationship. Both practitioners
and patients argued that the approach proposed in the NPRM actually
reduced patient protections by eliminating the opportunity for patients
to agree to how their confidential information would be used and
disclosed.
    While we believe that the provisions in the NPRM that provided for
detailed notice to the patient and the right to request restrictions
would have provided an opportunity for patients and providers to
discuss and negotiate over information practices, it is clear from the
comments that many practitioners and patients believe the approach
proposed in the NPRM is not an acceptable replacement for the patient
providing consent.
    To encourage a more informed interaction between the patient and
the provider during the consent process, the final rule requires that
the consent form that is presented to the patient be accompanied by a
notice that contains a detailed discussion of the provider's health
information practices. The consent form must reference the notice and
also must inform the patient that he
[[Page 82474]]
or she has the right to ask the health care provider to request certain
restrictions as to how the information of the patient will be used or
disclosed. Our goal is to provide an opportunity for and to encourage
more informed discussions between patients and providers about how
protected health information will be used and disclosed within the
health care system.
    We considered and rejected other approaches to consent, including
those that involved individuals providing a global consent to uses and
disclosures when they sign up for insurance. While such approaches do
require the patient to provide consent, that consent is not really an
informed one or a voluntary one. It is also unclear how a consent obtained at
the enrollment stage would be meaningfully communicated to the many
providers who create the health information in the first instance. The
ability to negotiate restrictions or otherwise have a meaningful
discussion with the front-line provider would be independent of, and
potentially in conflict with, the consent obtained at the enrollment
stage. In addition, employers today are moving toward simplified
enrollment forms, using check-off boxes and similar devices. The
opportunity for any meaningful consideration or interaction at that
point is slight. For these and other reasons, we decided that, to the
extent a consent can accomplish the goal sought by individuals and
providers, it must be focused on the direct interaction between an
individual and provider.
    The comments and fact-finding indicate that our approach will not
significantly change the administrative aspect of consent as it exists
today. Most direct treatment providers today obtain some type of
consent for some uses and disclosures of health information. Our
regulation will ensure that those consents cover the routine uses and
disclosures of health information, and provide an opportunity for
individuals to obtain further information and have further discussion,
should they so desire.
Administrative Costs
    Section 1172(b) of the Act provides that ``[a]ny standard adopted
under this part [part C of title XI of the Act] shall be consistent
with the objective of reducing the administrative costs of providing
and paying for health care.'' The privacy and security standards are
the platform on which the remaining standards rest; indeed, the design
of part C of title XI makes clear that the various standards are
intended to function together. Thus, the costs of privacy and security
are properly attributable to the suite of administrative simplification
regulations as a whole, and the cost savings realized should likewise
be calculated on an aggregated basis, as is done below. Because the
privacy standards are an integral and necessary part of the suite of
Administrative Simplification standards, and because that suite of
standards will result in substantial administrative cost savings, the
privacy standards are ``consistent with the objective of reducing the
administrative costs of providing and paying for health care.''
    As more fully discussed in the Regulatory Impact and Regulatory
Flexibility analyses below, we recognize that these privacy standards
will entail substantial initial and ongoing administrative costs for
entities subject to the rules. It is also the case that the privacy
standards, like the security standards authorized by section 1173(d) of
the Act, are necessitated by the technological advances in information
exchange that the remaining Administrative Simplification standards
facilitate for the health care industry. The same technological
advances that make possible enormous administrative cost savings for
the industry as a whole have also made it possible to breach the
security and privacy of health information on a scale that was
previously inconceivable. The Congress recognized that adequate
protection of the security and privacy of health information is a sine
qua non of the increased efficiency of information exchange brought
about by the electronic revolution, by enacting the security and
privacy provisions of the law. Thus, as a matter of policy as well as
law, the administrative standards should be viewed as a whole in
determining whether they are ``consistent with'' the objective of
reducing administrative costs.
Consultations
    The Congress required the Secretary to consult with specified
groups in developing the standards under sections 262 and 264. Section
264(d) of HIPAA specifically requires the Secretary to consult with the
National Committee on Vital and Health Statistics (NCVHS) and the
Attorney General in carrying out her responsibilities under the
section. Section 1172(b)(3) of the Act, which was enacted by section
262, requires that, in developing a standard under section 1172 for
which no standard setting organization has already developed a
standard, the Secretary must, before adopting the standard, consult
with the National Uniform Billing Committee (NUBC), the National
Uniform Claim Committee (NUCC), the Workgroup for Electronic Data
Interchange (WEDI), and the American Dental Association (ADA). Section
1172(f) also requires the Secretary to rely on the recommendations of
the NCVHS and consult with other appropriate federal and state agencies
and private organizations.
    We engaged in the required consultations including the Attorney
General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in
developing the Recommendations, upon which this proposed rule is based.
We continued to consult with this committee by requesting the committee
to review the proposed rule and provide comments prior to its
publication, and by reviewing transcripts of its public meeting on
privacy and related topics. We consulted with representatives of the
National Congress of American Indians, the National Indian Health
Board, and the self-governance tribes. We also met with representatives
of the National Governors' Association, the National Conference of
State Legislatures, the National Association of Public Health
Statistics and Information Systems, and a number of other state
organizations to discuss the framework for the proposed rule, issues of
special interests to the states, and the process for providing comments
on the proposed rule.
    Many of these groups submitted comments to the proposed rule, and
those were taken into account in developing the final regulation.
    In addition to the required consultations, we met with numerous
individuals, entities, and agencies regarding the regulation, with the
goal of making these standards as compatible as possible with current
business practices, while still enhancing privacy protection. During
the open comment period, we met with dozens of groups.
    Relevant federal agencies participated in the interagency working
groups that developed the NPRM and the final regulation, with
additional representatives from all operating divisions and many staff
offices of HHS. The following federal agencies and offices were
represented on the interagency working groups: the Department of
Justice, the Department of Commerce, the Social Security
Administration, the Department of Defense, the Department of Veterans
Affairs, the Department of Labor, the Office of Personnel Management,
and the Office of Management and Budget.
[[Page 82475]]
II. Section-by-Section Description of Rule Provisions
Part 160--Subpart A--General Provisions
    Part 160 applies to all the administrative simplification
regulations. We include the entire regulation text in this rule, not
just those provisions relevant to this Privacy regulation. For example,
the term ``trading partner'' is defined here, for use in the Health
Insurance Reform: Standards for Electronic Transactions regulation,
published at 65 FR 50312, August 17, 2000 (the ``Transactions Rule'').
It does not appear in the remainder of this Privacy rule.
    Sections 160.101 and 160.104 of Subpart A of part 160 were
promulgated in the Transactions Rule, and we do not change them here.
We do, however, make changes and additions to Sec. 160.103, the
definitions section of Subpart A. The definitions that were promulgated
in the Transactions Rule and that remain unchanged here are: Act, ANSI,
covered entity, compliance date, group health plan, HCFA, HHS, health
care provider, health information, health insurance issuer, health
maintenance organization, modify or modification, Secretary, small
health plan, standard setting organization, and trading partner
agreement. Of these terms, we discuss further in this preamble only
covered entity and health care provider.
Section 160.102--Applicability
    The proposed rule stated that the subchapter (Parts 160, 162, and
164) applies to the entities set out at section 1172(a) of the Act:
Health plans, health care clearinghouses, and health care providers who
transmit any health information in electronic form in connection with a
transaction covered by the subchapter. The final rule adds a provision
(Sec. 160.102(b)) clarifying that to the extent required under section
201(a)(5) of HIPAA, nothing in the subchapter is to be construed to
diminish the authority of any Inspector General. This was done in
response to comment, to clarify that the administrative simplification
rules, including the rules below, do not conflict with the cited
provision of HIPAA.
Section 160.103--Definitions
Business Associate
    We proposed to define the term ``business partner'' to mean, with
respect to a covered entity, a person to whom the covered entity
discloses protected health information so that the person can carry
out, assist with the performance of, or perform on behalf of, a
function or activity for the covered entity. ``Business partner'' would
have included contractors or other persons who receive protected health
information from the covered entity (or from another business partner
of the covered entity) for the purposes described in the previous
sentence, including lawyers, auditors, consultants, third-party
administrators, health care clearinghouses, data processing firms,
billing firms, and other covered entities. ``Business partner'' would
have excluded persons who are within the covered entity's workforce, as
defined in this section.
    This rule reflects the change in the name from ``business partner''
to ``business associate,'' included in the Transactions Rule.
    In the final rule, we change the definition of ``business
associate'' to clarify the circumstances in which a person is acting as
a business associate of a covered entity. The changes clarify that the
business association occurs when the right to use or disclose the
protected health information belongs to the covered entity, and another
person is using or disclosing the protected health information (or
creating, obtaining and using the protected health information) to
perform a function or activity on behalf of the covered entity. We also
clarify that providing specified services to a covered entity creates a
business associate relationship if the provision of the service
involves the disclosure of protected health information to the service
provider. In the proposed rule, we had included a list of persons that
were considered to be business partners of the covered entity. However,
it is not always clear whether the provision of certain services to a
covered entity is ``for'' the covered entity or whether the service
provider is acting ``on behalf of'' the covered entity. For example, a
person providing management consulting services may need protected
health information to perform those services, but may not be acting
``on behalf of'' the covered entity. This, we believe, led to some
general confusion among the commenters as to whether certain
arrangements fell within the definition of a business partner under the
proposed rule. The construction of the final rule clarifies that the
provision of the specified services gives rise to a business associate
relationship if the performance of the service involves disclosure of
protected health information by the covered entity to the business
associate. The specified services are legal, actuarial, accounting,
consulting, management, administrative, accreditation, data aggregation,
and financial services. The list is intended to include the types of
services commonly provided to covered entities where the disclosure of
protected health information is routine to the performance of the
service, but when the person providing the service may not always be
acting ``on behalf of'' the covered entity.
    In the final rule, we reorganize the list of examples of the
functions or activities that may be conducted by business associates.
We place a part of the proposed list in the portion of the definition
that addresses when a person is providing functions or activities for
or on behalf of a covered entity. We place other parts of the list in
the portion of the definition that specifies the services that give
rise to a business associate relationship, as discussed above. We also
have expanded the examples to provide additional guidance and in
response to questions from commenters.
    We have added data aggregation to the list of services that give
rise to a business associate relationship. Data aggregation, as
discussed below, is where a business associate in its capacity as the
business associate of one covered entity combines the protected health
information of such covered entity with protected health information
received by the business associate in its capacity as a business
associate of another covered entity in order to permit the creation of
data for analyses that relate to the health care operations of the
respective covered entities. Adding this service to the business
associate definition clarifies the ability of covered entities to
contract with business associates to undertake quality assurance and
comparative analyses that involve the protected health information of
more than one contracting covered entity. For example, a state hospital
association could act as a business associate of its member hospitals
and could combine data provided to it to assist the hospitals in
evaluating their relative performance in areas such as quality,
efficiency and other patient care issues. As discussed below, however,
the business associate contracts of each of the hospitals would have to
permit the activity, and the protected health information of one
hospital could not be disclosed to another hospital unless the
disclosure is otherwise permitted by the rule.
    The definition also states that a business associate may be a
covered entity, and that business associate excludes a person who is
part of the covered entity's workforce.
    We also clarify in the final rule that a business association
arises with respect to a covered entity when a person performs functions or
activities on behalf of, or provides the specified services to or for,
an organized health care arrangement in which the covered
entity participates. This change recognizes that where covered entities
participate in certain joint arrangements for the financing or delivery
of health care, they often contract with persons to perform functions
or to provide services for the joint arrangement. This change is
consistent with changes made in the final rule to the definition of
health care operations, which permits covered entities to use or
disclose protected health information not only for their own health
care operations, but also for the operations of an organized health
care arrangement in which the covered entity participates. By making
these changes, we avoid the confusion that could arise in trying to
determine whether a function or activity is being provided on behalf of
(or if a specified service is being provided to or for) a covered
entity or on behalf of or for a joint enterprise involving the covered
entity. The change clarifies that in either instance the person
performing the function or activity (or providing the specified
service) is a business associate.
    We also add language to the final rule that clarifies that the mere
fact that two covered entities participate in an organized health care
arrangement does not make either of the covered entities a business
associate of the other covered entity. The fact that the entities
participate in joint health care operations or other joint activities,
or pursue common goals through a joint activity, does not mean that one
party is performing a function or activity on behalf of the other party
(or is providing a specified service to or for the other party).
    In general under this provision, actions relating to the protected
health information of an individual undertaken by a business associate
are considered, for the purposes of this rule, to be actions of the
covered entity, although the covered entity is subject to sanctions
under this rule only if it has knowledge of the wrongful activity and
fails to take the required actions to address the wrongdoing. For
example, if a business associate maintains the medical records or
manages the claims system of a covered entity, the covered entity is
considered to have protected health information and the covered entity
must ensure that individuals who are the subject of the information can
have access to it pursuant to Sec. 164.524.
    The business associate relationship does not describe all
relationships between covered entities and other persons or
organizations. While we permit uses or disclosures of protected health
information for a variety of purposes, business associate contracts or
other arrangements are only required for those cases in which the
covered entity is disclosing information to someone or some
organization that will use the information on behalf of the covered
entity, when the other person will be creating or obtaining protected
health information on behalf of the covered entity, or when the
business associate is providing the specified services to the covered
entity and the provision of those services involves the disclosure of
protected health information by the covered entity to the business
associate. For example, when a health care provider discloses protected
health information to health plans for payment purposes, no business
associate relationship is established. While the covered provider may
have an agreement to accept discounted fees as reimbursement for
services provided to health plan members, neither entity is acting on
behalf of or providing a service to the other.
    Similarly, where a physician or other provider has staff privileges
at an institution, neither party to the relationship is a business
associate based solely on the staff privileges because neither party is
providing functions or activities on behalf of the other. However, if a
party provides services to or for the other, such as where a hospital
provides billing services for physicians with staff privileges, a
business associate relationship may arise with respect to those
services. Likewise, where a group health plan purchases insurance or
coverage from a health insurance issuer or HMO, the provision of
insurance by the health insurance issuer or HMO to the group health
plan does not make the issuer a business associate. In such case, the
activities of the health insurance issuer or HMO are on their own
behalf and not on behalf of the group health plan. We note that
where a group health plan contracts with a health insurance issuer or
HMO to perform functions or activities or to provide services that are
in addition to or not directly related to the provision of insurance,
the health insurance issuer or HMO may be a business associate with
respect to those additional functions, activities or services. We also
note that covered entities are permitted to disclose protected health
information to oversight agencies that act to provide oversight of
federal programs and the health care system. These oversight agencies
are not performing services for or on behalf of the covered entities
and so are not business associates of the covered entities. Therefore
HCFA, the federal agency that administers Medicare, is not required to
enter into a business associate contract in order to disclose protected
health information to the Department's Office of Inspector General.
    We do not require a covered entity to enter into a business
associate contract with a person or organization that acts merely as a
conduit for protected health information (e.g., the US Postal Service,
certain private couriers and their electronic equivalents). A conduit
transports information but does not access it other than on a random or
infrequent basis as may be necessary for the performance of the
transportation service, or as required by law. Since no disclosure is
intended by the covered entity and the probability of exposure of any
particular protected health information to a conduit is very small, we
do not consider a conduit to be a business associate of the covered
entity.
    We do not consider a financial institution to be acting on behalf
of a covered entity, and therefore no business associate contract is
required, when it processes consumer-conducted financial transactions
by debit, credit or other payment card, clears checks, initiates or
processes electronic funds transfers, or conducts any other activity
that directly facilitates or effects the transfer of funds for
compensation for health care. A typical consumer-conducted payment
transaction is when a consumer pays for health care or health insurance
premiums using a check or credit card. In these cases the identity of
the consumer is always included and some health information (e.g.,
diagnosis or procedure) may be implied through the name of the health
care provider or health plan being paid. Covered entities that initiate
such payment activities must meet the minimum necessary disclosure
requirements described in the preamble to Sec. 164.514.
Covered Entity
    We provided this definition in the NPRM for convenience of
reference and proposed it to mean the entities to which part C of title
XI of the Act applies. These are the entities described in section
1172(a)(1): Health plans, health care clearinghouses, and health care
providers who transmit any health information in electronic form in
connection with a transaction referred to in section 1173(a)(1) of the
Act (a ``standard transaction'').
    We note that health care providers who do not submit HIPAA
transactions in standard form become covered by this rule when other
entities, such as a billing service or a hospital, transmit standard
electronic transactions on their behalf. A provider could not
circumvent these requirements by assigning the task to its business
associate since the business associate would be considered to be acting
on behalf of the provider. See the definition of ``business
associate.''
    Where a public agency is required or authorized by law to
administer a health plan jointly with another entity, we consider each
agency to be a covered entity with respect to the health plan functions
it performs. Unlike private sector health plans, public plans are often
required by or expressly authorized by law to jointly administer health
programs that meet the definition of ``health plan'' under this
regulation. In some instances the public entity is required or
authorized to administer the program with another public agency. In
other instances, the public entity is required or authorized to
administer the program with a private entity. In either circumstance,
we note that joint administration does not meet the definition of
``business associate'' in Sec. 164.501. Examples of joint
administration include state and federal administration of the Medicaid
and SCHIP program, or joint administration of a Medicare+Choice plan by
the Health Care Financing Administration and the issuer offering the
plan.
Health Care
    We proposed to define ``health care'' to mean the provision of
care, services, or supplies to a patient and to include any: (1)
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or
palliative care, counseling, service, or procedure with respect to the
physical or mental condition, or functional status, of a patient or
affecting the structure or function of the body; (2) sale or dispensing
of a drug, device, equipment, or other item pursuant to a prescription;
or (3) procurement or banking of blood, sperm, organs, or any other
tissue for administration to patients.
    The final rule revises both the NPRM definition and the definition
as provided in the Transactions Rule, to now mean ``care, services, or
supplies related to the health of an individual. Health care includes
the following:
    (1) Preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, and counseling, service, assessment,
or procedure with respect to the physical or mental condition, or
functional status, of an individual or that affects the structure or
function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other item
in accordance with a prescription.''
    We delete the term ``providing'' from the definition to delineate
more clearly the relationship between ``treatment,'' as the term is
defined in Sec. 164.501, and ``health care.'' Other key revisions
include adding the term ``assessment'' in subparagraph (1) and deleting
proposed subparagraph (3) from the rule. Therefore the procurement or
banking of organs, blood (including autologous blood), sperm, eyes or
any other tissue or human product is not considered to be health care
under this rule and the organizations that perform such activities
would not be considered health care providers when conducting these
functions. As described in Sec. 164.512(h), covered entities are
permitted to disclose protected health information without individual
authorization, consent, or agreement (see below for explanation of
authorizations, consents, and agreements) as necessary to facilitate
cadaveric donation.
Health Care Clearinghouse
    In the NPRM, we defined ``health care clearinghouse'' as a public
or private entity that processes or facilitates the processing of
nonstandard data elements of health information into standard data
elements. The entity receives health care transactions from health care
providers or other entities, translates the data from a given format
into one acceptable to the intended payor or payors, and forwards the
processed transaction to appropriate payors and clearinghouses. Billing
services, repricing companies, community health management information
systems, community health information systems, and ``value-added''
networks and switches would have been considered to be health care
clearinghouses for purposes of this part, if they perform the functions
of health care clearinghouses as described in the preceding sentences.
    In the final regulation, we modify the definition of health care
clearinghouse to reflect changes in the definition published in the
Transactions Rule. The definition in the final rule is:
    Health care clearinghouse means a public or private entity,
including billing services, repricing companies, community health
management information systems or community health information systems,
and ``value-added'' networks and switches, that does either of the
following functions:
    (1) Processes or facilitates the processing of health information
received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard
transaction.
    (2) Receives a standard transaction from another entity and
processes or facilitates the processing of health information into
nonstandard format or nonstandard data content for the receiving
entity.
    We note here that the term health care clearinghouse may have other
meanings and connotations in other contexts, but the regulation defines
it specifically, and an entity is considered a health care
clearinghouse only to the extent that it meets the criteria in this
definition. Telecommunications entities that provide connectivity or
mechanisms to convey information, such as telephone companies and
Internet Service Providers, are not health care clearinghouses as
defined in the rule unless they actually carry out the functions
outlined in our definition. Value added networks and switches are not
health care clearinghouses unless they carry out the functions outlined
in the definition. We continue to consider the examples of entities in
our proposed definition to be health care clearinghouses, as well as
any other entities that meet that definition, to the extent that they
perform the functions in the definition.
    In order to fall within this definition of clearinghouse, the
covered entity must perform the clearinghouse function on health
information received from some other entity. A department or component
of a health plan or health care provider that transforms nonstandard
information into standard data elements or standard transactions (or
vice versa) is not a clearinghouse for purposes of this rule, unless it
also performs these functions for another entity. As described in more
detail in Sec. 164.504(d), we allow affiliates to perform clearinghouse
functions for each other without triggering the definition of
``clearinghouse'' if the conditions in Sec. 164.504(d) are met.
Health Care Provider
    We proposed to define health care provider to mean a provider of
services as defined in section 1861(u) of the Act, a provider of
medical or health services as defined in section 1861(s) of the Act,
and any other person or organization who furnishes, bills, or is paid
for health care services or supplies in the normal course of business.
[[Page 82478]]
    In the final rule, we delete the term ``services and supplies,'' in
order to eliminate redundancy within the definition. The definition
also reflects the addition of the applicable U.S.C. citations (42
U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the
referenced provisions of the Act that were promulgated in the
Transactions Rule.
    To assist the reader, we also provide here excerpts from the
relevant sections of the Act. (Refer to the U.S.C. sections cited above
for complete definitions in sections 1861(u) and 1861(s).) Section
1861(u) of the Act defines a ``provider of services,'' to include, for
example,
``a hospital, critical access hospital, skilled nursing facility,
comprehensive outpatient rehabilitation facility, home health
agency, hospice program, or, for purposes of section 1814(g) (42
U.S.C. 1395f(g)) and section 1835(e) (42 U.S.C. 1395n(e)), a fund.''
Section 1861(s) of the Act defines the term, ``medical and other
health services,'' and includes a list of covered items or services,
as illustrated by the following excerpt:
    (s) Medical and other health services. The term ``medical and
other health services'' means any of the following items or
services:
    (1) Physicians' services;
    (2) (A) services and supplies * * * furnished as an incident to
a physician's professional service, or kinds which are commonly
furnished in physicians' offices and are commonly either rendered
without charge or included in the physicians' bills;
    (B) hospital services * * * incident to physicians' services
rendered to outpatients and partial hospitalization services
incident to such services;
    (C) diagnostic services which are--
    (i) furnished to an individual as an outpatient by a hospital or
by others under arrangements with them made by a hospital, and
    (ii) ordinarily furnished by such hospital (or by others under
such arrangements) to its outpatients for the purpose of diagnostic
study;
    (D) outpatient physical therapy services and outpatient
occupational therapy services;
    (E) rural health clinic services and federally qualified health
center services;
    (F) home dialysis supplies and equipment, self-care home
dialysis support services, and institutional dialysis services and
supplies;
    (G) antigens * * * prepared by a physician * * * for a
particular patient, including antigens so prepared which are
forwarded to another qualified person * * * for administration to
such patient, * * * by or under the supervision of another such
physician;
    (H)(i) services furnished pursuant to a contract under section
1876 (42 U.S.C. 1395mm) to a member of an eligible organization by a
physician assistant or by a nurse practitioner * * * and such
services and supplies furnished as an incident to his service to
such a member * * * and
    (ii) services furnished pursuant to a risk-sharing contract
under section 1876(g) (42 U.S.C. 1395mm(g)) to a member of an
eligible organization by a clinical psychologist * * * or by a
clinical social worker * * * (and) furnished as an incident to such
clinical psychologist's services or clinical social worker's
services * * *;
    (I) blood clotting factors, for hemophilia patients * * *;
    (J) prescription drugs used in immunosuppressive therapy
furnished, to an individual who receives an organ transplant for
which payment is made under this title (42 U.S.C. 1395 et seq.), but
only in the case of (certain) drugs furnished * * *
    (K)(i) services which would be physicians' services if furnished
by a physician * * * and which are performed by a physician
assistant * * *; and
    (ii) services which would be physicians' services if furnished
by a physician * * * and which are performed by a nurse * * *;
    (L) certified nurse-midwife services;
    (M) qualified psychologist services;
    (N) clinical social worker services * * *;
    (O) erythropoietin for dialysis patients * * *;
    (P) prostate cancer screening tests * * *;
    (Q) an oral drug (which is approved by the Federal Food and Drug
Administration) prescribed for use as an anti-cancer
chemotherapeutic agent for a given indication, and containing an
active ingredient (or ingredients) * * *;
    (R) colorectal cancer screening tests * * *;
    (S) diabetes outpatient self-management training services * * *;
and
    (T) an oral drug (which is approved by the federal Food and Drug
Administration) prescribed for use as an acute anti-emetic used as
part of an anti-cancer chemotherapeutic regimen * * *
    (3) diagnostic X-ray tests * * * furnished in a place of
residence used as the patient's home * * * ;
    (4) X-ray, radium, and radioactive isotope therapy, including
materials and services of technicians;
    (5) surgical dressings, and splints, casts, and other devices
used for reduction of fractures and dislocations;
    (6) durable medical equipment;
    (7) ambulance service where the use of other methods of
transportation is contraindicated by the individual's condition * * *;
    (8) prosthetic devices (other than dental) which replace all or
part of an internal body organ (including colostomy bags and
supplies directly related to colostomy care), * * * and including
one pair of conventional eyeglasses or contact lenses furnished
subsequent to each cataract surgery * * * [;]
    (9) leg, arm, back, and neck braces, and artificial legs, arms,
and eyes, including replacements if required * * * ;
    (10) (A) pneumococcal vaccine and its administration * * *; and
    (B) hepatitis B vaccine and its administration * * *, and
    (11) services of a certified registered nurse anesthetist * * *;
    (12) * * * extra-depth shoes with inserts or custom molded shoes
with inserts for an individual with diabetes, if * * *;
    (13) screening mammography * * *;
    (14) screening pap smear and screening pelvic exam; and
    (15) bone mass measurement * * *. (etc.)
Health Plan
    We proposed to define ``health plan'' essentially as section
1171(5) of the Act defines it. Section 1171 of the Act refers to
several definitions in section 2791 of the Public Health Service Act,
42 U.S.C. 300gg-91, as added by Public Law 104-191.
    As defined in section 1171(5), a ``health plan'' is an individual
plan or group health plan that provides, or pays the cost of, medical
care. We proposed that this definition include, but not be limited to
the 15 types of plans (e.g., group health plan, health insurance
issuer, health maintenance organization) listed in the statute, as well
as any combination of them. Such term would have included, when applied
to public benefit programs, the component of the government agency that
administers the program. Church plans and government plans would have
been included to the extent that they fall into one or more of the
listed categories.
    In the proposed rule, ``health plan'' included the following,
singly or in combination:
    (1) A group health plan, defined as an employee welfare benefit
plan (as currently defined in section 3(1) of the Employee Retirement
Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured
and self-insured plans, to the extent that the plan provides medical
care (as defined in section 2791(a)(2) of the Public Health Service
Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for
as medical care, to employees or their dependents directly or through
insurance or otherwise, that:
    (i) Has 50 or more participants; or
    (ii) Is administered by an entity other than the employer that
established and maintains the plan.
    (2) A health insurance issuer, defined as an insurance company,
insurance service, or insurance organization that is licensed to engage
in the business of insurance in a state and is subject to state or
other law that regulates insurance.
    (3) A health maintenance organization, defined as a federally
qualified health maintenance organization, an organization recognized
as a health maintenance organization under state law, or a similar
organization regulated for solvency under state law in the same manner
and to the same extent as such a health maintenance organization.
    (4) Part A or Part B of the Medicare program under title XVIII of
the Act.
    (5) The Medicaid program under title XIX of the Act.
[[Page 82479]]
    (6) A Medicare supplemental policy (as defined in section
1882(g)(1) of the Act, 42 U.S.C. 1395ss).
    (7) A long-term care policy, including a nursing home fixed-
indemnity policy.
    (8) An employee welfare benefit plan or any other arrangement that
is established or maintained for the purpose of offering or providing
health benefits to the employees of two or more employers.
    (9) The health care program for active military personnel under
title 10 of the United States Code.
    (10) The veterans health care program under 38 U.S.C. chapter 17.
    (11) The Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
    (12) The Indian Health Service program under the Indian Health Care
Improvement Act (25 U.S.C. 1601, et seq.).
    (13) The Federal Employees Health Benefits Program under 5 U.S.C.
chapter 89.
    (14) An approved state child health plan for child health
assistance that meets the requirements of section 2103 of the Act.
    (15) A Medicare Plus Choice organization as defined in 42 CFR
422.2, with a contract under 42 CFR part 422, subpart K.
    In addition to the 15 specific categories, we proposed that the
list include any other individual plan or group health plan, or
c