Final Privacy Rule Preamble

II. SECTION-BY-SECTION DESCRIPTION OF RULE PROVISIONS

PART 160 - SUBPART A - GENERAL PROVISIONS

Part 160 applies to all the administrative simplification regulations. We include the entire regulation text in this rule, not just those provisions relevant to this Privacy regulation. For example, the term "trading partner" is defined here, for use in the Health Insurance Reform: Standards for Electronic Transactions regulation, published at 65 FR 50312, August 17, 2000 (the "Transactions Rule"). It does not appear in the remainder of this Privacy rule.

Sections 160.101 and 160.104 of Subpart A of part 160 were promulgated in the Transactions Rule, and we do not change them here. We do, however, make changes and additions to § 160.103, the definitions section of Subpart A. The definitions that were promulgated in the Transactions Rule and that remain unchanged here are: Act, ANSI, covered entity, compliance date, group health plan, HCFA, HHS, health care provider, health information, health insurance issuer, health maintenance organization, modify or modification, Secretary, small health plan, standard setting organization, and trading partner agreement. Of these terms, we discuss further in this preamble only covered entity and health care provider.

SECTION 160.102 - APPLICABILITY

The proposed rule stated that the subchapter (Parts 160, 162, and 164) applies to the entities set out at section 1172(a) of the Act: health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the subchapter. The final rule adds a provision (§ 160.102(b)) clarifying that to the extent required under section 201(a)(5) of HIPAA, nothing in the subchapter is to be construed to diminish the authority of any Inspector General. This was done in response to comment, to clarify that the administrative simplification rules, including the rules below, do not conflict with the cited provision of HIPAA.

SECTION 160.103 - DEFINITIONS

Business Associate.

We proposed to define the term "business partner" to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. "Business partner" would have included contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. "Business partner" would have excluded persons who are within the covered entity's workforce, as defined in this section.

This rule reflects the change in the name from "business partner" to "business associate," included in the Transactions Rule.

In the final rule, we change the definition of "business associate" to clarify the circumstances in which a person is acting as a business associate of a covered entity. The changes clarify that the business association occurs when the right to use or disclose the protected health information belongs to the covered entity, and another person is using or disclosing the protected health information (or creating, obtaining and using the protected health information) to perform a function or activity on behalf of the covered entity. We also clarify that providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of protected health information to the service provider. In the proposed rule, we had included a list of persons that were considered to be business partners of the covered entity. However, it is not always clear whether the provision of certain services to a covered entity is "for" the covered entity or whether the service provider is acting "on behalf of" the covered entity. For example, a person providing management consulting services may need protected health information to perform those services, but may not be acting "on behalf of" the covered entity. This we believe led to some general confusion among the commenters as to whether certain arrangements fell within the definition of a business partner under the proposed rule. The construction of the final rule clarifies that the provision of the specified services gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate. The specified services are legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, and financial services. The list is intended to include the types of services commonly provided to covered entities where the disclosure of protected health information is routine to the performance of the service, but when the person providing the service may not always be acting "on behalf of" the covered entity.

In the final rule, we reorganize the list of examples of the functions or activities that may be conducted by business associates. We place a part of the proposed list in the portion of the definition that addresses when a person is providing functions or activities for or on behalf of a covered entity. We place other parts of the list in the portion of the definition that specifies the services that give rise to a business associate relationship, as discussed above. We also have expanded the examples to provide additional guidance and in response to questions from commenters.

We have added data aggregation to the list of services that give rise to a business associate relationship. Data aggregation, as discussed below, is where a business associate in its capacity as the business associate of one covered entity combines the protected health information of such covered entity with protected health information received by the business associate in its capacity as a business associate of another covered entity in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Adding this service to the business associate definition clarifies the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. For example, a state hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency and other patient care issues. As discussed below, however, the business associate contracts of each of the hospitals would have to permit the activity, and the protected health information of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the rule.

The definition also states that a business associate may be a covered entity, and that business associate excludes a person who is part of the covered entity's workforce.

We also clarify in the final rule that a business association arises with respect to a covered entity when a person performs functions or activities on behalf of, or provides the specified services to or for, an organized health care arrangement in which the covered entity participates. This change recognizes that where covered entities participate in certain joint arrangements for the financing or delivery of health care, they often contract with persons to perform functions or to provide services for the joint arrangement. This change is consistent with changes made in the final rule to the definition of health care operations, which permits covered entities to use or disclose protected health information not only for their own health care operations, but also for the operations of an organized health care arrangement in which the covered entity participates. By making these changes, we avoid the confusion that could arise in trying to determine whether a function or activity is being provided on behalf of (or if a specified service is being provided to or for) a covered entity or on behalf of or for a joint enterprise involving the covered entity. The change clarifies that in either instance the person performing the function or activity (or providing the specified service) is a business associate.

We also add language to the final rule that clarifies that the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity. The fact that the entities participate in joint health care operations or other joint activities, or pursue common goals through a joint activity, does not mean that one party is performing a function or activity on behalf of the other party (or is providing a specified service to or for the other party).

In general under this provision, actions relating to the protected health information of an individual undertaken by a business associate are considered, for the purposes of this rule, to be actions of the covered entity, although the covered entity is subject to sanctions under this rule only if it has knowledge of the wrongful activity and fails to take the required actions to address the wrongdoing. For example, if a business associate maintains the medical records or manages the claims system of a covered entity, the covered entity is considered to have protected health information and the covered entity must ensure that individuals who are the subject of the information can have access to it pursuant to § 164.524.

The business associate relationship does not describe all relationships between covered entities and other persons or organizations. While we permit uses or disclosures of protected health information for a variety of purposes, business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity, when the other person will be creating or obtaining protected health information on behalf of the covered entity, or when the business associate is providing the specified services to the covered entity and the provision of those services involves the disclosure of protected health information by the covered entity to the business associate. For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established. While the covered provider may have an agreement to accept discounted fees as reimbursement for services provided to health plan members, neither entity is acting on behalf of or providing a service to the other.

Similarly, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians with staff privileges, a business associate relationship may arise with respect to those services. Likewise, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities or services. We also note that covered entities are permitted to disclose protected health information to oversight agencies that act to provide oversight of federal programs and the health care system. These oversight agencies are not performing services for or on behalf of the covered entities and so are not business associates of the covered entities. Therefore HCFA, the federal agency that administers Medicare, is not required to enter into a business associate contract in order to disclose protected health information to the Department's Office of Inspector General.

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.

Covered Entity.

We provided this definition in the NPRM for convenience of reference and proposed it to mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a "standard transaction").

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider. See the definition of "business associate."

Where a public agency is required or authorized by law to administer a health plan jointly with another entity, we consider each agency to be a covered entity with respect to the health plan functions it performs. Unlike private sector health plans, public plans are often required by or expressly authorized by law to jointly administer health programs that meet the definition of "health plan" under this regulation. In some instances the public entity is required or authorized to administer the program with another public agency. In other instances, the public entity is required or authorized to administer the program with a private entity. In either circumstance, we note that joint administration does not meet the definition of "business associate" in § 164.501. Examples of joint administration include state and federal administration of the Medicaid and SCHIP program, or joint administration of a Medicare+Choice plan by the Health Care Financing Administration and the issuer offering the plan.

Health Care.

We proposed to define "health care" to mean the provision of care, services, or supplies to a patient and to include any: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

The final rule revises both the NPRM definition and the definition as provided in the Transactions Rule, to now mean "care, services, or supplies related to the health of an individual. Health care includes the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

We delete the term "providing" from the definition to delineate more clearly the relationship between "treatment," as the term is defined in § 164.501, and "health care." Other key revisions include adding the term "assessment" in subparagraph (1) and deleting proposed subparagraph (3) from the rule. Therefore the procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions. As described in § 164.512(h), covered entities are permitted to disclose protected health information without individual authorization, consent, or agreement (see below for explanation of authorizations, consents, and agreements) as necessary to facilitate cadaveric donation.

Health Care Clearinghouse.

In the NPRM, we defined "health care clearinghouse" as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payor or payors, and forwards the processed transaction to appropriate payors and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and "value-added" networks and switches would have been considered to be health care clearinghouses for purposes of this part, if they perform the functions of health care clearinghouses as described in the preceding sentences.

In the final regulation, we modify the definition of health care clearinghouse to reflect changes in the definition published in the Transactions Rule. The definition in the final rule is:

Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and "value-added" networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

We note here that the term health care clearinghouse may have other meanings and connotations in other contexts, but the regulation defines it specifically, and an entity is considered a health care clearinghouse only to the extent that it meets the criteria in this definition. Telecommunications entities that provide connectivity or mechanisms to convey information, such as telephone companies and Internet Service Providers, are not health care clearinghouses as defined in the rule unless they actually carry out the functions outlined in our definition. Value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition. The examples of entities in our proposed definition we continue to consider to be health care clearinghouses, as well as any other entities that meet that definition, to the extent that they perform the functions in the definition.

In order to fall within this definition of clearinghouse, the covered entity must perform the clearinghouse function on health information received from some other entity. A department or component of a health plan or health care provider that transforms nonstandard information into standard data elements or standard transactions (or vice versa) is not a clearinghouse for purposes of this rule, unless it also performs these functions for another entity. As described in more detail in § 164.504(d), we allow affiliates to perform clearinghouse functions for each other without triggering the definition of "clearinghouse" if the conditions in § 164.504(d) are met.

Health Care Provider.

We proposed to define health care provider to mean a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business.

In the final rule, we delete the term "services and supplies," in order to eliminate redundancy within the definition. The definition also reflects the addition of the applicable U.S.C. citations (42 U.S.C. 1395x(u) and 42 U.S.C. 1395x(s), respectively) for the referenced provisions of the Act that were promulgated in the Transactions Rule.

To assist the reader, we also provide here excerpts from the relevant sections of the Act. (Refer to the U.S.C. sections cited above for complete definitions in sections 1861(u) and 1861(s).) Section 1861(u) of the Act defines a "provider of services," to include, for example, a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1814(g) [42 U.S.C. 1395f(g)] and section 1835(e) [42 U.S.C. 1395n(e)], a fund." Section 1861(s) of the Act defines the term, "medical and other health services," and includes a list of covered items or services, as illustrated by the following excerpt:

(s) Medical and other health services. The term "medical and other health services" means any of the following items or services:

(1) physicians' services;

(2) (A) services and supplies ... furnished as an incident to a physician's professional service, or kinds which are commonly furnished in physicians' offices and are commonly either rendered without charge or included in the physicians' bills;

(B) hospital services ... incident to physicians' services rendered to outpatients and partial hospitalization services incident to such services;

(C) diagnostic services which are-

(i) furnished to an individual as an outpatient by a hospital or by others under arrangements with them made by a hospital, and

(ii) ordinarily furnished by such hospital (or by others under such arrangements) to its outpatients for the purpose of diagnostic study;

(D) outpatient physical therapy services and outpatient occupational therapy services;

(E) rural health clinic services and federally qualified health center services;

(F) home dialysis supplies and equipment, self-care home dialysis support services, and institutional dialysis services and supplies;

(G) antigens ... prepared by a physician ... for a particular patient, including antigens so prepared which are forwarded to another qualified person ... for administration to such patient, ... by or under the supervision of another such physician;

(H) (i) services furnished pursuant to a contract under section 1876 [42 U.S.C. 1395mm] to a member of an eligible organization by a physician assistant or by a nurse practitioner ... and such services and supplies furnished as an incident to his service to such a member ... and

(ii) services furnished pursuant to a risk-sharing contract under section 1876(g) [42 U.S.C. 1395mm(g)] to a member of an eligible organization by a clinical psychologist ... or by a clinical social worker ... [and] furnished as an incident to such clinical psychologist's services or clinical social worker's services ...;

(I) blood clotting factors, for hemophilia patients ...;

(J) prescription drugs used in immunosuppressive therapy furnished, to an individual who receives an organ transplant for which payment is made under this title [42 U.S.C. 1395 et seq.], but only in the case of [certain] drugs furnished ...

(K) (i) services which would be physicians' services if furnished by a physician ... and which are performed by a physician assistant ...; and

(ii) services which would be physicians' services if furnished by a physician ... and which are performed by a nurse ...;

(L) certified nurse-midwife services;

(M) qualified psychologist services;

(N) clinical social worker services ...;

(O) erythropoietin for dialysis patients ...;

(P) prostate cancer screening tests ...;

(Q) an oral drug (which is approved by the federal Food and Drug Administration) prescribed for use as an anti-cancer chemotherapeutic agent for a given indication, and containing an active ingredient (or ingredients) ...;

(R) colorectal cancer screening tests ...;

(S) diabetes outpatient self-management training services ...; and

(T) an oral drug (which is approved by the federal Food and Drug Administration) prescribed for use as an acute anti-emetic used as part of an anti-cancer chemotherapeutic regimen ...

(3) diagnostic X-ray tests ... furnished in a place of residence used as the patient's home ...;

(4) X-ray, radium, and radioactive isotope therapy, including materials and services of technicians;

(5) surgical dressings, and splints, casts, and other devices used for reduction of fractures and dislocations;

(6) durable medical equipment;

(7) ambulance service where the use of other methods of transportation is contraindicated by the individual's condition ...;

(8) prosthetic devices (other than dental) which replace all or part of an internal body organ (including colostomy bags and supplies directly related to colostomy care), ... and including one pair of conventional eyeglasses or contact lenses furnished subsequent to each cataract surgery ... [;]

(9) leg, arm, back, and neck braces, and artificial legs, arms, and eyes, including replacements if required ...;

(10) (A) pneumococcal vaccine and its administration ...; and

(B) hepatitis B vaccine and its administration ..., and

(11) services of a certified registered nurse anesthetist ...;

(12) ... extra-depth shoes with inserts or custom molded shoes with inserts for an individual with diabetes, if ...;

(13) screening mammography ...;

(14) screening pap smear and screening pelvic exam; and

(15) bone mass measurement ... . (etc.)

Health Plan.

We proposed to define "health plan" essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg-91, as added by Public Law 104-191.

As defined in section 1171(5), a "health plan" is an individual plan or group health plan that provides, or pays the cost of, medical care. We proposed that this definition include, but not be limited to the 15 types of plans (e.g., group health plan, health insurance issuer, health maintenance organization) listed in the statute, as well as any combination of them. Such term would have included, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans would have been included to the extent that they fall into one or more of the listed categories.

In the proposed rule, "health plan" included the following, singly or in combination:

(1) A group health plan, defined as an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance or otherwise, that:

(i) Has 50 or more participants; or

(ii) Is administered by an entity other than the employer that established and maintains the plan.

(2) A health insurance issuer, defined as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a state and is subject to state or other law that regulates insurance.

(3) A health maintenance organization, defined as a federally qualified health maintenance organization, an organization recognized as a health maintenance organization under state law, or a similar organization regulated for solvency under state law in the same manner and to the same extent as such a health maintenance organization.

(4) Part A or Part B of the Medicare program under title XVIII of the Act.

(5) The Medicaid program under title XIX of the Act.

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss).

(7) A long-term care policy, including a nursing home fixed-indemnity policy.

(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(9) The health care program for active military personnel under title 10 of the United States Code.

(10) The veterans health care program under 38 U.S.C. chapter 17.
(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
(12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.).
(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.
(14) An approved state child health plan for child health assistance that meets the requirements of section 2103 of the Act.
(15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

In addition to the 15 specific categories, we proposed that the list include any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. The Secretary would determine which plans that meet these criteria would be considered health plans for the purposes of this rule.

Consistent with the other titles of HIPAA, our proposed definition did not include certain types of insurance entities, such as workers' compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services.

In the final rule, we add two provisions to clarify the types of policies or programs that we do not consider to be a health plan. First, the rule excepts any policy, plan or program to the extent that it provides, or pays for the cost of, excepted benefits, as defined in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). We note that, while coverage for on-site medical clinics is excluded from definition of "health plans," such clinics may meet the definition of "health care provider" and persons who
work in the clinic may also meet the definition of "health care provider." Second, many commenters were confused by the statutory inclusion as a health plan of any "other individual or group plan that provides or pays the cost of medical care;" they questioned how the provision applied to many government programs. We therefore clarify that while many government programs (other than the programs specified in the statute) provide or pay the cost of medical care, we do not consider them to be individual or group plans and therefore, do not consider them to be health plans. Government funded programs that do not have as their principal purpose the provision of, or payment for, the cost of health care but which do incidentally provide such services are not health plans (for example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) and the Food Stamp Program, which provide or pay for nutritional services, are not considered to be health plans). Government funded programs that have as their principal purpose the provision of health care, either directly or by grant, are also not considered to be health plans. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act, government funded health centers and immunization programs. We note that some of these may meet the rule's definition of health care provider.

We note that in certain instances eligibility for or enrollment in a health plan that is a government program providing public benefits, such as Medicaid or SCHIP, is determined by an agency other than the agency that administers the program, or individually identifiable health information used to determine enrollment or eligibility in such a health plan is collected by an agency other than the agency that administers the health plan. In these cases, we do not consider an agency that is not otherwise a covered
entity, such as a local welfare agency, to be a covered entity because it determines eligibility or enrollment or collects enrollment information as authorized by law. We also do not consider the agency to be a business associate when conducting these functions, as we describe further in the business associate discussion above.

The definition in the final rule also reflects the following changes promulgated in the Transactions Rule:
(1) Exclusion of nursing home fixed-indemnity policies;
(2) Addition of the word "issuer" to Medicare supplemental policy, and long-term care policy;
(3) Addition or revision of the relevant statutory cites where appropriate;
(4) Deletion of the term "or assisted" when referring to government programs;
(5) Replacement of the word "organization" with "program" when referring to Medicare + Choice;
(6) Deletion of the term "health" when referring to a group plan in subparagraph (xvi);
(7) Extraction of the definitions of "group health plan," "health insurance issuer," and "health maintenance organization" into Part 160 as distinct definitions;
(8) In the definition of "group health plan," deletion of the term "currently" from the reference to the statutory cite of ERISA, addition of the relevant statutory cite for the term "participant," and addition of the term "reimbursement;"
(9) In the definition of "health insurance issuer," addition of the relevant statutory cite, deletion of the term "or other law" after "state law," addition of health maintenance organizations for consistency with the statute, and clarification that the term does not include a group health plan; and
(10) In the definition of "health maintenance organization," addition of the relevant statutory cite.

Finally, we add to this definition a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible
individuals. High risk pools are designed mainly to provide health insurance coverage for individuals who, due to health status or pre-existing conditions, cannot obtain insurance through the individual market or who can do so only at very high premiums. Some states use their high risk pool as an alternative mechanism under section 2744 of HIPAA. We do not reference the definition of "qualified high risk pool" in HIPAA because that definition includes the requirements for a state to use its risk pool as its alternative mechanism under HIPAA. Some states may have high risk pools, but do not use them as their alternative mechanism and therefore may not meet the definition in HIPAA. We want to make clear that state high risk pools are covered entities under this rule whether or not they meet the definition of a qualified high risk pool under section 2744. High risk pools, as described in this rule, do not include any program established under state law solely to provide excepted benefits. For example, a state program established to provide workers' compensation coverage is not considered to be a high risk pool under the rule.

Implementation specification

This definition was adopted in the Transactions Rule and is minimally revised here. We add the words "requirements or" before the word "instructions." The word "instructions" is appropriate in the context of the implementation specifications adopted in the Transactions Rule, which are generally a series of instructions as to how to use particular electronic forms. However, that word is not apropos in the context of the rules below. In the rules below, the implementation specifications are specific requirements for how to comply with a given standard. The change to this definition thus ties in to this regulatory framework.

Standard

This definition was adopted in the Transactions Rule and we have modified it to make it clearer. We also add language reflecting section 264 of the statute, to clarify that the standards adopted by this rule meet this definition.

State

We modify the definition of state as adopted in the Transactions Rule to clarify that this term refers to any of the several states.

Transaction

We change the term "exchange" to the term "transmission" in the definition of Transaction to clarify that these transactions may be one-way communications.

Workforce

We proposed in the NPRM to define workforce to mean employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.

The definition in the final rule reflects one revision established in the Transactions Rule, which replaces the term "including persons providing labor on an unpaid basis" with the term "whether or not they are paid by the covered entity." In addition, we clarify that if the assigned work station of persons under contract is on the covered entity's premises and such persons perform a substantial proportion of their activities at that location, the covered entity may choose to treat them either as business associates or as part of the workforce, as explained in the discussion of the definition of business associate. If there is no business associate contract, we assume the person is a member of the covered entity's workforce. We note that independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists.

PART 160 - SUBPART B - PREEMPTION OF STATE LAWS

Statutory Background

Section 1178 of the Act establishes a "general rule" that state law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) in section 1178(a)(2)(A)(i), for state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery, and other purposes; (2) in section 1178(a)(2)(A)(ii), for state laws that address controlled substances; and (3) in
section 1178(a)(2)(B), for state laws relating to the privacy of individually identifiable health information that as provided for by the related provision of section 264(c)(2) of HIPAA, are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of state authority that are not limited or invalidated by the provisions of part C of title XI: these areas relate to public health and state regulation of health plans.

The NPRM proposed a new Subpart B of the proposed part 160. The new Subpart B, which would apply to all standards, implementation specifications, and requirements adopted under HIPAA, would consist of four sections. Proposed § 160.201 provided that the provisions of Subpart B applied to exception determinations and advisory opinions issued by the Secretary under section 1178. Proposed § 160.202 set out proposed definitions for four terms: (1) "contrary," (2) "more stringent," (3) "relates to the privacy of individually identifiable health information," and (4) "state law." The definition of "contrary" was drawn from case law concerning preemption. A seven-part set of specific criteria, drawn from fair information principles, was proposed for the definition of "more stringent." The definition of "relates to the privacy of individually identifiable health information" was also based on case law. The definition of "state law" was drawn from the statutory definition of this term elsewhere in HIPAA. We note that state action having the force and effect of law may include common law. We eliminate the term "decision" from the proposed rule because it is redundant.

Proposed § 160.203 proposed a general rule reflecting the statutory general rule and exceptions that generally mirrored the statutory language of the exceptions. The one
substantive addition to the statutory exception language was with respect to the statutory exception, "for other purposes." The following language was added: "for other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system."

Proposed § 160.204 proposed two processes, one for the making of exception determinations, relating to determinations under section 1178(a)(2)(A) of the Act, the other for the rendering of advisory opinions, with respect to section 1178(a)(2)(B) of the Act. The processes proposed were similar in the following respects: (1) only the state could request an exception determination or advisory opinion, as applicable; (2) both required the request to contain the same information, except that a request for an exception determination also had to set out the length of time the requested exception would be in effect, if less than three years; (3) both sets of requirements provided that requests had to be submitted to the Secretary as required by the Secretary, and until the Secretary's determination was made, the federal standard, requirement or implementation specification remained in effect; (4) both sets of requirements provided that the Secretary's decision would be effective intrastate only; (5) both sets of requirements provided that any change to either the federal or state basis for the Secretary's decision would require a new request, and the federal standard, implementation specification, or requirement would remain in effect until the Secretary acted favorably on the new request; (6) both sets of requirements provided that the
Secretary could seek changes to the federal rules or urge states or other organizations to seek changes; and (7) both sets of requirements provided for annual publication of Secretarial decisions. In addition, the process for exception determinations provided for a maximum effective period of three years for such determinations.

The following changes have been made to Subpart B in the final rules. First, § 160.201 now expressly implements section 1178. Second, the definition of "more stringent" has been changed by eliminating the criterion relating to penalties and by framing the criterion under paragraph (1) more generally. Also, we have clarified that the term "individual" means the person who is the subject of the individually identifiable health information, since the term "individual" is defined this way only in Subpart E of Part 164, not in Part 160. Third, the definition of "state law" has been changed by substituting the words "statute, constitutional provision" for the word "law," the words "common law" for the word "decision," and adding the words "force and" before the word "effect" in the proposed definition. Fourth, in § 160.203, several criteria relating to the statutory grounds for exception determinations have been further spelled out: (1) the words " related to the provision of or payment for health care" have been added to the exception for fraud and abuse; (2) the words " to the extent expressly authorized by statute or regulation" have been added to the exception for state regulation of health plans; (3) the words "of serving a compelling need related to public health, safety, or welfare, and, where a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, where the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be
served" have been added to the general exception "for other purposes"; and (4) the statutory provision regarding controlled substances has been elaborated on as follows: "Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance, as defined at 21 U.S.C. 802, or which is deemed a controlled substance by state law."

The most extensive changes have been made to proposed § 160.204. The provision for advisory opinions has been eliminated. Section 160.204 now sets out only a process for requesting exception determinations. In most respects, this process is the same as proposed. However, the proposed restriction of the effect of exception determinations to wholly intrastate transactions has been eliminated. Section 160.204(a) has been modified to allow any person, not just a state, to submit a request for an exception determination, and clarifies that requests from states may be made by the state's chief elected official or his or her designee. Proposed § 160.204(a)(3) stated that if it is determined that the federal standard, requirement, or implementation specification in question meets the exception criteria as well as or better than the state law for which the exception is requested, the request will be denied; this language has been deleted. Thus, the criterion for granting or denying an exception request is whether the applicable exception criterion or criteria are met.

A new § 160.205 is also adopted, replacing part of what was proposed at proposed § 160.204. The new § 160.205 sets out the rules relating to the effectiveness of exception determinations. Exception determinations are effective until either the underlying federal or state laws change or the exception is revoked, by the Secretary,
based on a determination that the grounds supporting the exception no longer exist. The proposed maximum of three years has been eliminated.

Relationship to Other Federal Laws

Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations. And, health care providers in schools, colleges, and universities may come within the purview of the Family Educational Rights and Privacy Act. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other federal laws.

Many commenters raised questions about how different federal statutes and regulations intersect with the privacy regulation. While we address specific concerns in the response to comments later in the preamble, in this section, we explore some of the general interaction issues. These summaries do not identify all possible conflicts or overlaps of the privacy regulation and other federal laws, but should provide general guidance for complying with both the privacy regulation and other federal laws. The summaries also provide examples of how covered entities can analyze other federal laws when specific questions arise. HHS may consult with other agencies concerning the interpretation of other federal laws as necessary.

Implied Repeal Analysis

When faced with the need to determine how different federal laws interact with one another, we turn to the judiciary's approach. Courts apply the implied repeal analysis to resolve tensions that appear to exist between two or more statutes. While the implication of a regulation-on-regulation conflict is unclear, courts agree that administrative rules and regulations that do not conflict with express statutory provisions have the force and effect of law. Thus, we believe courts would apply the standard rules of interpretation that apply to statutes to address questions of interpretation with regard to regulatory conflicts.

When faced with two potentially conflicting statutes, courts attempt to construe them so that both are given effect. If this construction is not possible, courts will look for express language in the later statute, or an intent in its legislative history, indicating that Congress intended the later statute to repeal the earlier one. If there is no expressed intent to repeal the earlier statute, courts will characterize the statutes as either general or specific. Ordinarily, later, general statutes will not repeal the special provisions of an earlier, specific statute. In some cases, when a later, general statute creates an irreconcilable conflict or is manifestly inconsistent with the earlier, specific statute in a manner that indicates a clear and manifest Congressional intent to repeal the earlier statute, courts will find that the later statute repeals the earlier statute by implication. In
these cases, the latest legislative action may prevail and repeal the prior law, but only to the extent of the conflict.

There should be few instances in which conflicts exist between a statute or regulation and the rules below. For example, if a statute permits a covered entity to disclose protected health information and the rules below permit such a disclosure, no conflict arises; the covered entity could comply with both and choose whether or not to disclose the information. In instances in which a potential conflict appears, we would attempt to resolve it so that both laws applied. For example, if a statute or regulation permits dissemination of protected health information, but the rules below prohibit the use or disclosure without an authorization, we believe a covered entity would be able to comply with both because it could obtain an authorization under § 164.508 before disseminating the information under the other law.

Many apparent conflicts will not be true conflicts. For example, if a conflict appears to exist because a previous statute or regulation requires a specific use or disclosure of protected health information that the rules below appear to prohibit, the use or disclosure pursuant to that statute or regulation would not be a violation of the privacy regulation because § 164.512(a) permits covered entities to use or disclose protected health information as required by law.

If a statute or regulation prohibits dissemination of protected health information, but the privacy regulation requires that an individual have access to that information, the earlier, more specific statute would apply. The interaction between the Clinical Laboratory Improvement Amendments regulation is an example of this type of conflict.
From our review of several federal laws, it appears that Congress did not intend for the privacy regulation to overrule existing statutory requirements in these instances.

Examples of Interaction

We have summarized how certain federal laws interact with the privacy regulation to provide specific guidance in areas deserving special attention and to serve as examples of the analysis involved. In the Response to Comment section, we have provided our responses to specific questions raised during the comment period.

The Privacy Act.

The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a "routine use" and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.

Some federal agencies and contractors of federal agencies that are covered entities under the privacy rules are subject to the Privacy Act. These entities must comply with all applicable federal statutes and regulations. For example, if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy
regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation. This means not making the particular disclosure.

The Freedom of Information Act.

FOIA, 5 U.S.C. 552, provides for public disclosure, upon the request of any person, of many types of information in the possession of the federal government, subject to nine exemptions and three exclusions. For example, Exemption 6 permits federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. 552(b)(6).

Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.

We offer the following analysis for federal agencies and federal contractors who operate Privacy Act systems of records on behalf of federal agencies and must comply with FOIA and the privacy regulation. If presented with a FOIA request that would result in the disclosure of protected health information, a federal agency must first
determine if FOIA requires the disclosure or if an exemption or exclusion would be appropriate. We believe that generally a disclosure of protected health information, when requested under FOIA, would come within FOIA Exemption 6. We recognize, however, that the application of this exemption to information about deceased individuals requires a different analysis than that applicable to living individuals because, as a general rule, under the Privacy Act, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interests of a decedent's survivors under Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: Privacy Considerations. Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.

Federal Substance Abuse Confidentiality Requirements.

The federal confidentiality of substance abuse patient records statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, and its implementing regulation, 42 CFR Part 2, establish confidentiality requirements for patient records that are maintained in connection with the performance of any federally-assisted specialized alcohol or drug abuse program. Substance abuse programs are generally programs or personnel that provide alcohol or drug abuse treatment, diagnosis, or referral for treatment. The term "federally-assisted" is broadly defined and includes federally conducted or funded programs, federally licensed or certified programs, and programs that are tax exempt. Certain exceptions apply to information held by the Veterans Administration and the Armed Forces.

There are a number of health care providers that are subject to both these rules and the substance abuse statute and regulations. In most cases, a conflict will not exist
between these rules. These privacy rules permit a health care provider to disclose information in a number of situations that are not permitted under the substance abuse regulation. For example, disclosures allowed, without patient authorization, under the privacy rule for law enforcement, judicial and administrative proceedings, public health, health oversight, directory assistance, and as required by other laws would generally be prohibited under the substance abuse statute and regulation. However, because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the privacy rules for failing to make these disclosures.

Similarly, provisions in the substance abuse regulation provide for permissive disclosures in case of medical emergencies, to the FDA, for research activities, for audit and evaluation activities, and in response to certain court orders. Because these are permissive disclosures, programs subject to both the privacy rules and the substance abuse rule are able to comply with both rules even if the privacy rules restrict these types of disclosures. In addition, the privacy rules generally require that an individual be given access to his or her own health information. Under the substance abuse regulation, programs may provide such access, so there is no conflict.

The substance abuse regulation requires notice to patients of the substance abuse confidentiality requirements and provides for written consent for disclosure. While the privacy rules have requirements that are somewhat different, the program may use notice and authorization forms that include all the elements required by both regulations. The substance abuse rule provides a sample notice and a sample authorization form and states that the use of these forms would be sufficient. While these forms do not
satisfy all of the requirements of the privacy regulation, there is no conflict because the substance abuse regulation does not mandate the use of these forms.

Employee Retirement Income Security Act of 1974.

ERISA was enacted in 1974 to regulate pension and welfare employee benefit plans established by private sector employers, unions, or both, to provide benefits to their workers and dependents. Under ERISA, plans that provide "through the purchase of insurance or otherwise ... medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, [or] death" are defined as employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Numerous, although not all, ERISA plans are covered under the rules proposed below as "health plans."

Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws that "relate to" any employee benefit plan. However, section 514(b) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29 U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be an insurer for the purpose of regulating the plan under the state insurance laws. Thus, under the deemer clause, states may not treat ERISA plans as insurers subject to direct regulation by state law. Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that ERISA does not "alter, amend, modify, invalidate, impair, or supersede any law of the United States."

We considered whether the preemption provision of section 264(c)(2) of HIPAA would give effect to state laws that would otherwise be preempted by section 514(a) of
ERISA. As discussed above, our reading of the statutes together is that the effect of section 264(c)(2) is only to leave in place state privacy protections that would otherwise apply and that are more stringent than the federal privacy protections.

Many health plans covered by the privacy regulation are also subject to ERISA requirements. Our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules.

The Family Educational Rights and Privacy Act.

FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions. We have excluded education records covered by FERPA, including those education records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act Amendments of 1997, from the definition of protected health information. For example, individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school that receives federal funds and that is subject to FERPA is an education record, but not protected health information.
Therefore, the privacy regulation does not apply. We followed this course because Congress specifically addressed how information in education records should be protected in FERPA.

We have also excluded certain records, those described at 20 U.S.C. 1232g(a)(4)(B)(iv), from the definition of protected health information because FERPA also provided a specific structure for the maintenance of these records. These are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student. Because FERPA excludes these records from its protections only to the extent they are not available to anyone other than persons providing treatment to students, any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.

These exclusions are not applicable to all schools, however. If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA. Therefore, its records that contain individually identifiable health information are not education records. These records may be protected health information. The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.
While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.

With regard to the records described at 20 U.S.C. 1232g(a)(4)(b)(iv), we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA's requirements and be relieved from its obligations under the privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student.

Gramm-Leach-Bliley.

In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, which included provisions, section 501 et seq., that limit the ability of financial institutions to disclose "nonpublic personal information" about consumers to non-affiliated third parties and require financial institutions to provide customers with their privacy policies and practices with respect to nonpublic personal information. In addition, Congress required seven agencies with jurisdiction over financial institutions to promulgate
regulations as necessary to implement these provisions. GLB and its accompanying regulations define "financial institutions" as including institutions engaged in the financial activities of bank holding companies, which may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 1843(k). However, Congress did not provide the designated federal agencies with the authority to regulate health insurers. Instead, it provided states with an incentive to adopt and have their state insurance authorities enforce these rules. See 15 U.S.C. 6805. If a state were to adopt laws consistent with GLB, health insurers would have to determine how to comply with both sets of rules.

Thus, GLB has caused concern and confusion among health plans that are subject to our privacy regulation. Although Congress remained silent as to its understanding of the interaction of GLB and HIPAA's privacy provisions, the Federal Trade Commission and other agencies implementing the GLB privacy provisions noted in the preamble to their GLB regulations that they "would consult with HHS to avoid the imposition of duplicative or inconsistent requirements." 65 Fed. Reg. 33646, 33648 (2000). Additionally, the FTC also noted that "persons engaged in providing insurance" would be within the enforcement jurisdiction of state insurance authorities and not within the jurisdiction of the FTC. Id.

Because the FTC has clearly stated that it will not enforce the GLB privacy provisions against persons engaged in providing insurance, health plans will not be subject to dual federal agency jurisdiction for information that is both nonpublic personal information and protected health information. If states choose to adopt GLB-like laws or regulations, which may or may not track the federal rules completely, health plans would need to evaluate these laws under the preemption analysis described in subpart B
of Part 160.

Federally Funded Health Programs.

These rules will affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements of these regulations. These programs include those operated directly by the federal government (such as health programs for military personnel and veterans) as well as programs in which health services or benefits are provided by the private sector or by state or local governments, but which are governed by various federal laws (such as Medicare, Medicaid, and ERISA).

Congress explicitly included some of these programs in HIPAA, subjecting them directly to the privacy regulation. Section 1171 of the Act defines the term "health plan" to include the following federally conducted, regulated, or funded programs: group plans under ERISA that either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits
Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of "health plan." While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of "health plan" are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case when the federal entity or federally regulated or funded entity provides health services; the requirements of part C may apply to such an entity as a "health care provider." Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.

There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements, either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in those laws or regulations would appear to restrict the provider's ability to comply with the privacy regulation's requirements.

There may, however, be authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that differ from these rules.

For example, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and, thus, raise the issues identified above in the substance abuse confidentiality regulations discussion. There are a number of federal programs which,
either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures "required by law." See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities providing services under the programs involved from making many of the disclosures that §§ 164.510 or 164.512 would permit. In some cases, permissive disclosures for treatment, payment, or health care operations would also be limited. Because §§ 164.510 and 164.512 are merely permissive, there would not be a conflict between the program requirements, because it would be possible to comply with both. However, entities subject to both sets of requirements would not have the total range of discretion that they would have if they were subject only to this regulation.

Food, Drug, and Cosmetic Act.

The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its accompanying regulations outline the responsibilities of the Food and Drug Administration with regard
to monitoring the safety and effectiveness of drugs and devices. Part of the agency's responsibility is to obtain reports about adverse events, track medical devices, and engage in other types of post marketing surveillance. Because many of these reports contain protected health information, the information within them may come within the purview of the privacy rules. Although some of these reports are required by the Food, Drug, and Cosmetic Act or its accompanying regulations, other types of reporting are voluntary. We believe that these reports, while not mandated, play a critical role in ensuring that individuals receive safe and effective drugs and devices. Therefore, in § 164.512(b)(1)(iii), we have provided that covered entities may disclose protected health information to a person subject to the jurisdiction of the Food and Drug Administration for specified purposes, such as reporting adverse events, tracking medical devices, or engaging in other post marketing surveillance. We describe the scope and conditions of such disclosures in more detail in § 164.512(b).

Clinical Laboratory Improvement Amendments.

CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part 493, require clinical laboratories to comply with standards regarding the testing of human specimens. This law requires clinical laboratories to disclose test results or reports only to authorized persons, as defined by state law. If a state does not define the term, the federal law defines it as the person who orders the test.

We realize that the person ordering the test is most likely a health care provider and not the individual who is the subject of the protected health information included within the result or report. Under this requirement, therefore, a clinical laboratory may be prohibited by law from providing the individual who is the subject of the test result or
report with access to this information.

Although we believe individuals should be able to have access to their individually identifiable health information, we recognize that in the specific area of clinical laboratory testing and reporting, the Health Care Financing Administration, through regulation, has provided that access may be more limited. To accommodate this requirement, we have provided at § 164.524(1)(iii) that covered entities maintaining protected health information that is subject to the CLIA requirements do not have to provide individuals with a right of access to or a right to inspect and obtain a copy of this information if the disclosure of the information to the individual would be prohibited by CLIA.

Not all clinical laboratories, however, will be exempted from providing individuals with these rights. If a clinical laboratory operates in a state in which the term "authorized person" is defined to include the individual, the clinical laboratory would have to provide the individual with these rights. Similarly, if the individual was the person who ordered the test and an authorized person included such a person, the laboratory would be required to provide the individual with these rights.

Additionally, CLIA regulations exempt the components or functions of "research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients" from the CLIA regulatory scheme. 42 CFR 493.3(a)(2). If subject to the access requirements of this regulation, such entities would be forced to meet the requirements of CLIA from which they are currently exempt. To eliminate this additional regulatory burden, we have also excluded covered entities that are exempt from CLIA under that rule from the access requirement of this
regulation.

Although we are concerned about the lack of immediate access by the individual, we believe that, in most cases, individuals who receive clinical tests will be able to receive their test results or reports through the health care provider who ordered the test for them. The provider will receive the information from the clinical laboratory. Assuming that the provider is a covered entity, the individual will have the right of access and right to inspect and copy this protected health information through his or her provider.

Other Mandatory Federal or State Laws.

Many federal laws require covered entities to provide specific information to specific entities in specific circumstances. If a federal law requires a covered entity to disclose a specific type of information, the covered entity would not need an authorization under § 164.508 to make the disclosure because the final rule permits covered entities to make disclosures that are required by law under § 164.512(a). Other laws, such as the Social Security Act (including its Medicare and Medicaid provisions), the Family and Medical Leave Act, the Public Health Service Act, Department of Transportation regulations, the Environmental Protection Act and its accompanying regulations, the National Labor Relations Act, the Federal Aviation Administration, and the Federal Highway Administration rules, may also contain provisions that require covered entities or others to use or disclose protected health information for specific purposes.

When a covered entity is faced with a question as to whether the privacy regulation would prohibit the disclosure of protected health information that it seeks to disclose pursuant to a federal law, the covered entity should determine if the disclosure is required by that law. In other words, it must determine if the disclosure is mandatory
rather than merely permissible. If it is mandatory, a covered entity may disclose the protected health information pursuant to § 164.512(a), which permits covered entities to disclose protected health information without an authorization when the disclosure is required by law. If the disclosure is not required (but only permitted) by the federal law, the covered entity must determine if the disclosure comes within one of the other permissible disclosures. If the disclosure does not come within one of the provisions for permissible disclosures, the covered entity must obtain an authorization from the individual who is the subject of the information or de-identify the information before disclosing it.

If another federal law prohibits a covered entity from using or disclosing information that is also protected health information, but the privacy regulation permits the use or disclosure, a covered entity will need to comply with the other federal law and not use or disclose the information.

Federal Disability Nondiscrimination Laws.

The federal laws barring discrimination on the basis of disability protect the confidentiality of certain medical information. The information protected by these laws falls within the larger definition of "health information" under this privacy regulation. The two primary disability nondiscrimination laws are the Americans with Disabilities Act
(ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws barring discrimination on the basis of disability (such as the nondiscrimination provisions of the Workforce Investment Act of 1988, 29 U.S.C. 2938) may also apply. Federal disability nondiscrimination laws cover two general categories of entities relevant to this discussion: employers and entities that receive federal financial assistance.

Employers are not covered entities under the privacy regulation. Many employers, however, are subject to the federal disability nondiscrimination laws and, therefore, must protect the confidentiality of all medical information concerning their applicants and employees.

The employment provisions of the ADA, 42 U.S.C. 12111 et seq., expressly cover employers of 15 or more employees, employment agencies, labor organizations, and joint labor-management committees. Since 1992, employment discrimination complaints arising under sections 501, 503, and 504 of the Rehabilitation Act also have been subject to the ADA's employment nondiscrimination standards. See "Rehabilitation Act Amendments," Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to ADA nondiscrimination standards have confidentiality obligations regarding applicant and employee medical information. Employers must treat such medical information, including medical information from voluntary health or wellness programs and any medical information that is voluntarily disclosed as a confidential medical record, subject to limited exceptions.

Transmission of health information by an employer to a covered entity, such as a group health plan, is governed by the ADA confidentiality restrictions. The ADA,
however, has been interpreted to permit an employer to use medical information for insurance purposes. See 29 CFR 1630 App. at § 1630.14(b) (describing such use with reference to 29 CFR 1630.16(f), which in turn explains that the ADA regulation "is not intended to disrupt the current regulatory structure for self-insured employers . . . or current industry practices in sales, underwriting, pricing, administrative and other services, claims and similar insurance related activities based on classification of risks as regulated by the states"). See also, "Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees under the Americans with Disabilities Act," 4, n.10 (July 26, 2000), __ FEP Manual (BNA) __ ("Enforcement Guidance on Employees"). See generally, "ADA Enforcement Guidance on Preemployment Disability-Related Questions and Medical Examinations" (October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available at http://www.eeoc.gov). Thus, use of medical information for insurance purposes may include transmission of health information to a covered entity.

If an employer-sponsored group health plan is closely linked to an employer, the group health plan may be subject to ADA confidentiality restrictions, as well as this privacy regulation. See Carparts Distribution Center, Inc. v. Automotive Wholesaler's Association of New England, Inc., 37 F.3d 12 (1st Cir. 1994) (setting forth three bases for ADA Title I jurisdiction over an employer-provided medical reimbursement plan, in a discrimination challenge to the plan's HIV/AIDS cap). Transmission of applicant or employee health information by the employer's management to the group health plan may be permitted under the ADA standards as the use of medical
information for insurance purposes. Similarly, disclosure of such medical information by the group health plan, under the limited circumstances permitted by this privacy regulation, may involve use of the information for insurance purposes as broadly described in the ADA discussion above.

Entities that receive federal financial assistance, which may also be covered entities under the privacy regulation, are subject to section 504 of the Rehabilitation Act (29 U.S.C. 794) and its implementing regulations. Each federal agency has promulgated such regulations that apply to entities that receive financial assistance from that agency ("recipients"). These regulations may limit the disclosure of medical information about persons who apply to or participate in a federal financially assisted program or activity. For example, the Department of Labor's section 504 regulation (found at 29 CFR part 32), consistent with the ADA standards, requires recipients that conduct employment-related programs, including employment training programs, to maintain confidentiality regarding any information about the medical condition or history of applicants to or participants in the program or activity. Such information must be kept separate from other information about the applicant or participant and may be provided to certain specified individuals and entities, but only under certain limited circumstances described in the regulation. See 29 CFR 32.15(d). Apart from those circumstances, the information must be afforded the same confidential treatment as medical records, id. Also, recipients of federal financial assistance from the Department
of Health and Human Services, such as hospitals, are subject to the ADA's employment nondiscrimination standards. They must, accordingly, maintain confidentiality regarding the medical condition or history of applicants for employment and employees.

The statutes and implementing regulations under which the federal financial assistance is provided may contain additional provisions regulating collection and disclosure of medical, health, and disability-related information. See, e.g., section 188 of the Workforce Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, covered entities that are subject to this privacy regulation, may also be subject to the restrictions in these laws as well.

U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection).

The E.U. Directive became effective in October 1998 and prohibits European Union Countries from permitting the transfer of personal data to another country without ensuring that an "adequate level of protection," as determined by the European Commission, exists in the other country or pursuant to one of the Directive's derogations of this rule, such as pursuant to unambiguous consent or to fulfill a contract with the individual. In July 2000, the European Commission concluded that the U.S. Safe Harbor Privacy Principles(1) constituted "adequate protection." Adherence to the Principles is voluntary. Organizations wishing to engage in the exchange of personal data with E.U. countries may assert compliance with the Principles as one means of obtaining data from E.U. countries.

The Department of Commerce, which negotiated these Principles with the European Commission, has provided guidance for U.S. organizations seeking to adhere to the
guidelines and comply with U.S. law. We believe this guidance addresses the concerns covered entities seeking to transfer personal data from E.U. countries may have. When "U.S. law imposes a conflicting obligation, U.S. organizations whether in the safe harbor or not must comply with the law." An organization does not need to comply with the Principles if a conflicting U.S. law "explicitly authorizes" the particular conduct. The organization's non-compliance is "limited to the extent necessary to meet the overriding legitimate interests further[ed] by such authorization." However, if only a difference exists such that an "option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible." Questions regarding compliance and interpretation will be decided based on U.S. law. See Department of Commerce, Memorandum on Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000, 65 Fed. Reg. 45666 (2000). The Principles and our privacy regulation are based on common principles of fair information practices. We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles. If a true conflict arises between the privacy regulation and the Principles, the Department of Commerce's guidance provides that an entity must comply with the U.S. law.

PART 160-SUBPART C-COMPLIANCE AND ENFORCEMENT

Proposed § 164.522 included five paragraphs addressing activities related to the Secretary's enforcement of the rule. These provisions were based on procedures and
requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.

Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written
findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.

We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, "Compliance and Enforcement." Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to "this subpart" to violations of "the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter." Third, the final rule at § 160.306(a) provides that any person, not just an "individual" (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete,
Ðor€whether€errors€or€omissions€might€have€an€adverse€effect€on€the€individual.€While€the€policy€is€not€changed€in€that€the€Secretary€will€not€make€such€determinations,€weÐ (( Ðbelieve€the€language€is€unnecessary€and€may€suggest€that€we€would€make€all€other€types€of€determinations,€such€as€all€determinations€in€which€the€regulation€defers€to€theÐ "" Ðprofessional€judgment€of€the€covered€entity.€Fifth,€ðð€160.306(b)(3)€requires€that€complaints€be€filed€within€180€days€of€when€the€complainant€knew€or€should€have€knownÐ  Ðthat€the€act€or€omission€complained€of€occurred,€unless€this€time€limit€is€waived€by€the€Secretary€for€good€cause€shown.€Sixth,€ðð€160.310(b)€requires€cooperation€withÐ  Ðinvestigations€as€well€as€compliance€reviews.€Seventh,€ðð€160.310€(c)(1)€provides€that€the€Secretary€must€be€provided€access€to€a€covered€entity's€facilities,€books,Ð  Ðrecords,€accounts,€and€other€sources€of€information,€including€protected€health€information,€at€any€time€and€without€notice€where€exigent€circumstances€exist,€such€asÐ    Ðwhere€documents€might€be€hidden€or€destroyed.€Eighth,€the€provision€proposed€at€ðð€164.522(d)€that€would€prohibit€covered€entities€from€taking€retaliatory€action€againstÐ  Ðindividuals€for€filing€a€complaint€with€the€Secretary€or€for€certain€other€actions€has€been€changed€and€moved€to€ðð€164.530.€Ninth,€ðð€160.€312(a)(2)€deletes€the€referenceÐ þþ Ðin€the€proposed€rule€to€using€violation€findings€as€a€basis€for€initiating€action€to€secure€penalties.€This€deletion€is€not€a€substantive€change.€This€language€was€removedÐ øø Ðbecause€penalties€will€be€addressed€in€the€enforcement€regulation.€As€in€the€NPRM,€the€Secretary€may€promulgate€alternative€procedures€for€complaints€relating€toÐ òò Ðnational€security.€For€example,€to€protect€classified€information,€we€may€promulgate€rules€that€would€allow€an€intelligence€community€agency€to€create€a€separate€bodyÐ ìì Ðwithin€that€agency€to€receive€complaints.Ð ææ 
ÐThe€Department€plans€to€issue€an€Enforcement€Rule€that€applies€to€all€of€the€regulations€that€the€Department€issues€under€the€Administrative€Simplification€provisions€ofÐ ¼ ¼  ÐHIPAA.€This€regulation€will€address€the€imposition€of€civil€monetary€penalties€and€the€referral€of€criminal€cases€where€there€has€been€a€violation€of€this€rule.€Penalties€areÐ ¶!¶! Ðprovided€for€under€section€262€of€HIPAA.€The€Enforcement€Rule€would€also€address€the€topics€covered€by€Subpart€C€below.€It€is€expected€that€this€Enforcement€RuleÐ °"°"  Ðwould€replace€Subpart€C.Ð ª#ª#! ÐÝ‚ FÝÔ€¼ôÚ»XX>÷Ôò òÔ  ÔÝ  ÝÝ‚ 3¼ÝÝ  ÝPART€164€-€SUBPART€A€-€GENERAL€PROVISIONS݃ 3¼}¼ÝÔ Ôe¼ÔŒÐ €%€%" ЌԀX>÷X»¼ôÚÔó óÝ  ÝÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ 2½ÝÝ  ÝSECTION€164.102€-€STATUTORY€BASIS݃ 2½|½ÝÔ Ôd½ÔŒÐ |'|'# ЌԀX>÷XXX>÷Ôó óÝ  ÝIn€the€NPRM,€we€provided€that€the€provisions€of€this€part€are€adopted€pursuant€to€the€Secretary's€authority€to€prescribe€standards,€requirements,€and€implementationÐ R)R)$ Ðstandards€under€part€C€of€title€XI€of€the€Act€and€section€264€of€Public€Law€104-191.€The€final€rule€adopts€this€language.Ð L*L*% ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ p¿ÝÝ  ÝSECTION€164.104€-€APPLICABILITY݃ p¿º¿ÝÔ Ô¢¿ÔŒÐ ",",& ЌԀX>÷XXX>÷Ôó óÝ  ÝIn€the€NPRM,€we€provided€that€except€as€otherwise€provided,€the€provisions€of€this€part€apply€to€covered€entities:€health€plans,€health€care€clearinghouses,€and€healthÐ ø-ø-' Ðcare€providers€who€transmit€health€information€in€electronic€form€in€connection€with€any€transaction€referred€to€in€section€1173(a)(1)€of€the€Act.€The€final€rule€adopts€thisÐ ò.ò.( Ðlanguage.Ð ì/ì/) ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ ÂÝÝ  ÝSECTION€164.106€-€RELATIONSHIP€TO€OTHER€PARTS݃ ÂKÂÝÔ Ô3ÂԌРÂ1Â1* ЌԀX>÷XXX>÷Ôó óÝ  ÝThe€final€rule€adds€a€new€provision€stating€that€in€complying€with€the€requirements€of€this€part,€covered€entities€are€required€to€comply€with€the€applicable€provisions€ofÐ ÜÜ 
Ðparts€160€and€162€of€this€subchapter.€This€language€references€Subchapter€C€in€this€regulation,€Administrative€Data€Standards€and€Related€Requirements;€Part€160,Ð ÖÖ ÐGeneral€Administrative€Requirements;€and€Part€162,€Administrative€Requirements.€Part€160€includes€requirements€such€as€keeping€records€and€submitting€complianceÐ ÐÐ Ðreports€to€the€Secretary€and€cooperating€with€the€Secretary's€complaint€investigations€and€compliance€reviews.€Part€162€includes€requirements€such€as€requiring€a€coveredÐ ÊÊ Ðentity€that€conducts€an€electronic€transaction,€adopted€under€this€part,€with€another€covered€entity€to€conduct€the€transaction€as€a€standard€transaction€as€adopted€by€theÐ ÄÄ ÐSecretary.Ð ¾¾ ÐÝ‚ FÝÔ€¼ôÚ»XX>÷Ôò òÔ  ÔÝ  ÝÝ‚ ÌÆÝÝ  ÝPART€164€-€SUBPART€B-D€-€RESERVED݃ ÌÆÇÝÔ ÔþÆÔŒÐ ”” ЌԀX>÷X»¼ôÚÔó óÝ  ÝÝ‚ FÝÔ€¼ôÚ»XX>÷Ôò òÔ  ÔÝ  ÝÝ‚ ÃÇÝÝ  ÝPART€164€-€SUBPART€E€-€PRIVACY݃ ÃÇ ÈÝÔ ÔõÇԌР  ЌԀX>÷X»¼ôÚÔó óÝ  ÝÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ ·ÈÝÝ  ÝSECTION€164.500€-€APPLICABILITY݃ ·ÈÉÝÔ ÔéÈԌРŒ Œ  ЌԀX>÷XXX>÷Ôó óÝ  ÝThe€discussion€below€describes€the€entities€and€the€information€that€are€subject€to€the€final€regulation.Ð b b  ÐMany€of€the€provisions€of€the€regulation€are€presented€as€"standards."€Generally,€the€standards€indicate€what€must€be€accomplished€under€the€regulation€andÐ 88  Ðimplementation€specifications€describe€how€the€standards€must€be€achieved.Ð 22  ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ 9ËÝÝ  ÝòòCovered€Entitiesóó݃ 9˃ËÝÔ ÔkËԌР  ЌԀX>÷XXX>÷Ôó óÝ  ÝWe€proposed€in€the€NPRM€to€apply€the€standards€in€the€regulation€to€health€plans,€health€care€clearinghouses,€and€to€any€health€care€provider€who€transmits€healthÐ ÞÞ  Ðinformation€in€electronic€form€in€connection€with€transactions€referred€to€in€section€1173(a)(1)€of€the€Act.€The€proposal€referred€to€these€entities€as€"covered€entities."Ð ØØ ÐWe€have€revised€ðð€164.500€to€clarify€the€applicability€of€the€rule€to€health€care€clearinghouses.€As€we€stated€in€the€preamble€to€the€NPRM,€we€believe€that€in€mostÐ ®® 
Ðinstances€health€care€clearinghouses€will€receive€protected€health€information€as€a€business€associate€to€another€covered€entity.€This€understanding€was€confirmed€by€theÐ ¨¨ Ðcomments€and€by€our€fact€finding.€Clearinghouses€rarely€have€direct€contact€with€individuals,€and€usually€will€not€be€in€a€position€to€create€protected€health€information€orÐ ¢¢ Ðto€receive€it€directly€from€them.€Unlike€health€plans€and€providers,€clearinghouses€usually€convey€and€repackage€information€and€do€not€add€materially€to€the€substance€ofÐ œœ Ðprotected€health€information€of€an€individual.Ð –– ÐThe€revised€language€provides€that€clearinghouses€are€not€subject€to€certain€requirements€in€the€rule€when€acting€as€business€associates€of€other€covered€entities.€AsÐ ll Ðrevised,€a€clearinghouse€acting€as€a€business€associate€is€subject€only€to€the€provisions€of€this€section,€to€the€definitions,€to€the€general€rules€for€uses€and€disclosures€ofÐ ff Ðprotected€health€information€(subject€to€limitations),€to€the€provision€relating€to€health€care€components,€to€the€provisions€relating€to€uses€and€disclosures€for€whichÐ `` Ðconsent,€individual€authorization€or€an€opportunity€to€agree€or€object€is€not€required€(subject€to€limitations),€to€the€transition€requirements€and€to€the€compliance€date.€WithÐ ZZ Ðrespect€to€the€uses€and€disclosures€authorized€under€ðð€164.502€or€ðð€164.512,€a€clearinghouse€acting€as€a€business€associate€is€not€authorized€by€the€rule€to€make€any€useÐ T T  Ðor€disclosure€not€permitted€by€its€business€associate€contract.€Clearinghouses€acting€as€business€associates€are€not€subject€to€the€other€requirements€of€this€rule,€whichÐ N!N! 
Ðinclude€the€provisions€relating€to€procedural€requirements,€requirements€for€obtaining€consent,€individual€authorization€or€agreement,€provision€of€a€notice,€individual€rightsÐ H"H" Ðto€request€privacy€protection,€access€and€amend€information€and€receive€an€accounting€of€disclosures€and€the€administrative€requirements.Ð B#B# ÐWe€note€that,€even€as€business€associates,€clearinghouses€remain€covered€entities.Ð %% ÐClearinghouses,€like€other€covered€entities,€are€responsible€under€this€regulation€for€abiding€by€the€terms€of€business€associate€contracts.€For€example,€while€the€provisionsÐ î&î& Ðregarding€individuals'€access€to€and€right€to€request€corrections€to€protected€health€information€about€them€apply€only€to€health€plans€and€covered€health€care€providers,Ð è'è' Ðclearinghouses€may€have€some€responsibility€for€providing€such€access€under€their€business€associate€contracts.€A€clearinghouse€(or€any€other€covered€entity)€that€violatesÐ â(â( Ðthe€terms€of€a€business€associate€contract€also€is€in€direct€violation€of€this€rule€and,€as€a€covered€entity,€is€subject€to€compliance€and€enforcement€action.Ð Ü)Ü)  ÐWe€clarify€that€a€covered€entity€is€only€subject€to€these€rules€to€the€extent€that€they€possess€protected€health€information.€Moreover,€these€rules€only€apply€with€regard€toÐ ²+²+! 
Ðprotected€health€information.€For€example,€if€a€covered€entity€does€not€disclose€or€receive€from€its€business€associate€any€protected€health€information€and€no€protectedÐ ¬,¬," Ðhealth€information€is€created€or€received€by€its€business€associate€on€behalf€of€the€covered€entity,€then€the€business€associate€requirements€of€this€rule€do€not€apply.Ð ¦-¦-# ÐWe€clarify€that€the€Department€of€Defense€or€any€other€federal€agency€and€any€non-governmental€organization€acting€on€its€behalf,€is€not€subject€to€this€rule€when€itÐ |/|/$ Ðprovides€health€care€in€another€country€to€foreign€national€beneficiaries.€The€Secretary€believes€that€this€exemption€is€warranted€because€application€of€the€rule€could€haveÐ v0v0% Ðthe€unintended€effect€of€impeding€or€frustrating€the€conduct€of€such€activities,€such€as€interfering€with€the€ability€of€military€command€authorities€to€obtain€protected€healthÐ p1p1& Ðinformation€on€prisoners€of€war,€refugees,€or€detainees€for€whom€they€are€responsible€under€international€law.€See€the€preamble€to€the€definition€of€"individual"€for€furtherÐ j2j2' Ðdiscussion.Ð ÜÜ ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ {ßÝÝ  ÝòòCovered€Informationóó݃ {ßÅßÝÔ Ô­ßԌР²² ЌԀX>÷XXX>÷Ôó óÝ  ÝWe€proposed€in€the€NPRM€to€apply€the€requirements€of€the€rule€to€individually€identifiable€health€information€that€is€or€has€been€electronically€transmitted€or€maintained€byÐ ˆˆ Ða€covered€entity.€The€provisions€would€have€applied€to€the€information€itself,€referred€to€as€protected€health€information€in€the€rule,€and€not€to€the€particular€records€inÐ ‚‚ Ðwhich€the€information€is€contained.€We€proposed€that€once€information€was€maintained€or€transmitted€electronically€by€a€covered€entity,€the€protections€would€follow€theÐ || Ðinformation€in€whatever€form,€including€paper€records,€in€which€it€exists€while€held€by€a€covered€entity.€The€proposal€would€not€have€applied€to€information€that€was€neverÐ vv Ðelectronically€maintained€or€transmitted€by€a€covered€entity.Ð pp 
ÐIn€the€final€rule,€we€extend€the€scope€of€protections€to€all€individually€identifiable€health€information€in€any€form,€electronic€or€non-electronic,€that€is€held€or€transmitted€by€aÐ F F  Ðcovered€entity.€This€includes€individually€identifiable€health€information€in€paper€records€that€never€has€been€electronically€stored€or€transmitted.€(See€ðð€164.501,€definitionÐ @ @  Ðof€"protected€health€information,"€for€further€discussion.)Ð : :  ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ žåÝÝ  ÝSECTION€164.501--DEFINITIONS݃ žåèåÝÔ ÔÐåԌР  ЌԀX>÷XXX>÷Ôó óÝ  ÝÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ æÝÝ  ÝòòCorrectional€institution.óó݃ æÚæÝÔ ÔÂæÔŒÐ ææ  ЌԀX>÷XXX>÷Ôó óÝ  ÝThe€proposed€rule€did€not€define€the€term€correctional€institution.€The€final€rule€defines€correctional€institution€as€any€penal€or€correctional€facility,€jail,€reformatory,Ð ¼¼  Ðdetention€center,€work€farm,€halfway€house,€or€residential€community€program€center€operated€by,€or€under€contract€to,€the€United€States,€a€state,€a€territory,€a€politicalÐ ¶¶  Ðsubdivision€of€a€state€or€territory,€or€an€Indian€tribe,€for€the€confinement€or€rehabilitation€of€persons€charged€with€or€convicted€of€a€criminal€offense€or€other€persons€held€inÐ °° Ðlawful€custody.€òòOther€persons€held€in€lawful€custodyóó€includes€juvenile€offenders€adjudicated€delinquent,€aliens€detained€awaiting€deportation,€persons€committed€toÐ ªª Ðmental€institutions€through€the€criminal€justice€system,€witnesses,€or€others€awaiting€charges€or€trial.€This€language€was€necessary€to€explain€the€privacy€rights€andÐ ¤¤ Ðprotections€of€inmates€in€this€regulation.Ð žž ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ  ÔÝ  ÝÝ‚ †ëÝÝ  ÝòòCovered€functions.óó݃ †ëÐëÝÔ Ô¸ëԌРtt ЌԀX>÷XXX>÷Ôó óÝ  ÝWe€add€a€new€term,€"covered€functions,"€as€a€shorthand€way€of€expressing€and€referring€to€the€functions€that€the€entities€covered€by€section€1172(a)€of€the€Act€perform.Ð JJ 
ÐSection€1171€defines€the€terms€"health€plan",€"health€care€provider",€and€"health€care€clearinghouse"€in€functional€terms.€Thus,€a€"health€plan"€is€an€individual€or€group€planÐ DD Ð"that€provides,€or€pays€the€cost€of,€medical€care...",€a€"health€care€provider"€"furnish[es]€health€care€services€or€supplies,"€and€a€"health€care€clearinghouse"€is€an€entityÐ >> Ð"that€processes€or€facilitates€the€processing€of€...€data€elements€of€health€information...".€Covered€functions,€therefore,€are€the€activities€that€any€such€entity€engages€in€thatÐ 88 Ðare€directly€related€to€operating€as€a€health€plan,€health€care€provider,€or€health€care€clearinghouse;€that€is,€they€are€the€functions€that€make€it€a€health€plan,€health€careÐ 22 Ðprovider,€or€health€care€clearinghouse.Ð ,, ÐThe€term€"covered€functions"€is€not€intended€to€include€various€support€functions,€such€as€computer€support,€payroll€and€other€office€support,€and€similar€supportÐ !! Ðfunctions,€although€we€recognize€that€these€support€functions€must€occur€in€order€for€the€entity€to€carry€out€its€health€care€functions.€Because€such€support€functions€areÐ ü!ü! Ðoften€also€performed€for€parts€of€an€organization€that€are€not€doing€functions€directly€related€to€the€health€care€functions€and€may€involve€access€to€and/or€use€of€protectedÐ ö"ö" Ðhealth€information,€the€rules€below€describe€requirements€for€ensuring€that€workforce€members€who€perform€these€support€functions€do€not€impermissibly€use€or€discloseÐ ð#ð# Ðprotected€health€information.€See€ðð€164.504.Ð ê$ê$ ÐÝ‚ GÝÔ€X>÷XXX>÷Ôò òÔ