ÿWPCV T¡AðF£ÛÕŸ£¼°Æï’±ì]©â9€ÒŸŸ4÷ȼØ{èw6 B'‹ro|Zñ ^>¸”‰–ØqfÈ}qŽšuäej?(‡#¿^ôS'%©ÏwÛ[$Mú¹ãþ‹ìë6SƒÆ*d›ä8%üuT¦s‰ÔdF…0X¹Pù}啇) ÿ…Yêw~&SŽ¢\ÅZZ E›qÚ¶&ö+û-óxF#ód^†å-Çžÿ32Lõ;Ø\Eüýð€wQX¡‚ü“Ïþ@ŒùG9­LÐs̼2â{°ùtÏG´pŸ‘lbUôÜ)\<´ožú UX6&|,’þ”j£fÁ߯pñ‚©sKð‰eOHæøà‰šÓÚ«gŠR§‡—CÓ)Á_+ûÞ¿"Œ7(q¸0–÷§BbXžÔ3ðÔƒdXAI•$@ê*ÛŠhZ¶«;½¶Ú*4¹æâî¯{Þ½ò+Ám±Âpç­\q!ç5òdŸGŠ~¹ü)C;+j<Å«ðË´eä¥Çþߎ¨á3(ë\²\ëa[6VÐ4Ô*}ºÕ3 šµ f,YÚƒ¦6.<-9"ó“§VVè,gÝøŸ×•l aSHi?¼­8"òÊ,¨d&d@|TÜ-ý.v 0Ãtt7  «  µ  ¿  É  Ó  Ý  ç  ñ  û        +  7  C ZO V©  ÿ     #  /  ;  G  S  _  k  w 1_ƒ  â  î  ú     B E; = K Y g u Hƒ _Ë 4Í _ < _? &A _g (i _‘ .“ _Á &à _é &ë _&_9L;_‡ ‰ — ¥ ³ Ã Ó ã ó   # 3jC_­ ¯^¿_ Z/ ‰ ™ © ¹ É Ù é ù    ) 9 mI#Á`UN! %o 72uN§ 0Œ© ~5¶³ D -iUÞ>– 0³ŒÔ^ ` 0Œl 0]Nø 1oF 72µ 0ç B>ïw-41ET(›N§$¡¡ÔUSUS.,ÔÓK€h(€X°KÓÔ€iXò¥XXXÔÔ€iXò¥XXXò¥ÔtFinal Privacy Rule Preamble -- Discussion of CommentsN_2_N_3_N_4_N_5_N_6_N_7_N_8_N_9_N_10_N_11_N_12_N_13_N_14_N_15_N_16_http://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/docs/checklist_799.docN_17_N_18_N_19_N_20_N_21_N_22_N_23_N_24_N_25_N_26_N_27_3‡û37;?CGKOS°°N_28_N_29_N_30_N_31_N_32_ d N_2_N_3_N_4_N_5_N_6_http://www.dmaa.org/definition.htmlhttp://managedcaremag.comhttp://www.managedcaremag.comhttp://www.ohe.orghttp://www.nejm.orghttp://www.aphanet.orghttp://www.bmj.comhttp://www.bmj.comhttp://www.bmj.comhttp://www.healthcare-informatics.comN_7_N_8_N_9_N_10_N_11_N_12_N_13_N_14_N_15_N_16_N_17_N_18_http://www.ipums.org/~census2000/2000pums_bureau.pdfN_19_http://www.census.gov/mp/www/rom/msrom6af.htmlN_20_http://www.fcsm.gov/working-papers/wp22.htmlN_21_N_22_N_23_N_24_N_25_N_26_N_27_N_28_N_29_N_30_N_31_N_32_ÿU‹ÿÿÿÿ˜0&Öd9 Z‹6Times New Roman RegularaX(/"#{$ÅÅÔ€a„Ç„XaXÔò òÔ  ÔÔ Ô"ÔÔ€a„Ç„XaXÔó óg˜C:\PROGRA~1\Corel\WORDPE~1\Template\CUSTOM~1\Web\wp9web.wptC:\Program Files\Corel\WordPerfect Office 2000\Template\Custom WP Templates\Web\wp9web.wpt)!ÈÈÈÈdxdx&Öd9 Z‹&Times New Roman(/"Ú\$ÇÇÔ€aXþíXXaXÔò òÔ  ÔÔ Ô"ÔÔ€aXþíXXaXÔó óÛ†A* (/"¿D$ÆÆÔ€a¼4À»XaXÔò òÔ  ÔÔ Ô"ÔÔ€a¼4À»XaXÔó ó(›$——ÔÿÔòòÔÿÔóó3zµ37=CIOU[a­­1.1.1.1.1.1.1.1.n1.(S:SÒw$´´Ó5€°5ÓÓ xð°œXÓà…… (àÔ2‡ûÔððÔ3  Ôà0   àÓ5€°5ÓÓ xð°œXÓ:web3dhrz160 €€€d ÿÿÿd”P(*ê:i¢×+003|xðÝ ƒN§!ÝÔUSUS.,ÔÓK€h(€XKÓÔ€iXþíXXaXÔÔ€iXþíXXiXþíÔÝ  ÝÔ_ÔÝ‚e#{EÝÔ€i„Ç„XiXþíÔò òÔ  ÔÝ  ÝÝ‚e#{ÆÝÝ  ÝIII.€SECTION-BY-SECTION€DISCUSSION€OF€COMMENTS݃e#{ÆÝÔ ÔøԌРÜÜ ÐŒÔ€iXþíX„i„ÇÔó óÝ  ÝThe€following€describes€the€provisions€in€the€final€regulation,€and€the€changes€we€make€to€the€proposed€provisions€section-by-section.€Following€each€section€are€ourÐ    Ðresponses€to€the€comments€to€that€section.€This€section€of€the€preamble€is€organized€to€follow€the€corresponding€section€of€the€final€rule,€not€the€NPRM.Ð  ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\2ÝÝ  ÝGENERAL€COMMENTS݃jÚ\2|ÝÔ ÔdԌРÚÚ ÐŒÔ€iXþíXXiXþíÔó óÝ  ÝWe€received€many€comments€on€the€rule€overall,€not€to€a€particular€provision.€We€respond€to€those€comments€here.€Similar€comments,€but€directed€to€a€specific€provisionÐ °° Ðin€the€proposed€rule,€are€answered€below€in€the€corresponding€section€of€this€preamble.Ð ªª ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\@ÝÝ  ÝòòComments€on€the€Need€for€Privacy€Standards,€and€Effects€of€this€Regulation€on€Current€Protectionsóó݃jÚ\@ŠÝÔ ÔrԌР€ €  ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€Many€commenters€expressed€the€opinion€that€federal€legislation€is€necessary€to€protect€the€privacy€of€individuals'€health€information.€One€comment€advocatedÐ V V  ÐCongressional€efforts€to€provide€a€comprehensive€federal€health€privacy€law€that€would€integrate€the€substance€abuse€regulations€with€the€privacy€regulation.Ð P P  ÐòòResponse:óó€We€agree€that€comprehensive€privacy€legislation€is€urgently€needed.€This€administration€has€urged€the€Congress€to€pass€such€legislation.€While€this€regulationÐ &&  Ðwill€improve€the€privacy€of€individuals'€health€information,€only€legislation€can€provide€the€full€array€of€privacy€protection€that€individuals€need€and€deserve.Ð     ÐòòComment:óó€Many€commenters€noted€that€they€do€not€go€to€a€physician,€or€do€not€completely€share€health€information€with€their€physician,€because€they€are€concernedÐ öö  Ðabout€who€will€have€access€to€that€information.€Many€physicians€commented€on€their€patients'€reluctance€to€share€information€because€of€fear€that€their€information€willÐ ðð  Ðlater€be€used€against€them.Ð êê  ÐòòResponse:óó€We€agree€that€strong€federal€privacy€protections€are€necessary€to€enhance€patients'€trust€in€the€health€care€system.Ð ÀÀ ÐòòComment:óó€Many€commenters€expressed€concerns€that€this€regulation€will€allow€access€to€health€information€by€those€who€today€do€not€have€such€access,€or€would€allowÐ –– Ðtheir€physician€to€disclose€information€which€may€not€lawfully€be€disclosed€today.€Many€of€these€commenters€stated€that€today,€they€consent€to€every€disclosure€of€healthÐ  Ðinformation€about€them,€and€that€absent€their€consent€the€privacy€of€their€health€information€is€"absolute."€Others€stated€that,€today,€health€information€is€disclosed€onlyÐ ŠŠ Ðpursuant€to€a€judicial€order.€Several€commenters€were€concerned€that€this€regulation€would€override€stronger€state€privacy€protection.Ð „„ ÐòòResponse:óó€This€regulation€does€not,€and€cannot,€reduce€current€privacy€protections.€The€statutory€language€of€the€HIPAA€specifically€mandates€that€this€regulation€doesÐ ZZ Ðnot€preempt€state€laws€that€are€more€protective€of€privacy.Ð TT ÐAs€discussed€in€more€detail€in€later€this€preamble,€while€many€people€believe€that€they€must€be€asked€permission€prior€to€any€release€of€health€information€about€them,Ð ** Ðcurrent€laws€generally€do€not€impose€such€a€requirement.€Similarly,€as€discussed€in€more€detail€later€in€this€preamble,€judicial€review€is€required€today€only€for€a€smallÐ $ $  Ðproportion€of€releases€of€health€information.Ð !! ÐòòComment:óó€Many€commenters€asserted€that€today,€medical€records€"belong"€to€patients.€Others€asserted€that€patients€own€their€medical€information€and€health€careÐ ô"ô" Ðproviders€and€insurance€companies€who€maintain€health€records€should€be€viewed€as€custodians€of€the€patients'€property.Ð î#î# ÐòòResponse:óó€We€do€not€intend€to€change€current€law€regarding€ownership€of€or€responsibility€for€medical€records.€In€developing€this€rule€we€reviewed€current€law€on€thisÐ Ä%Ä% Ðand€related€issues,€and€built€on€that€foundation.Ð ¾&¾& ÐUnder€state€laws,€medical€records€are€often€the€property€of€the€health€care€provider€or€medical€facility€that€created€them.€Some€state€laws€also€provide€patients€withÐ ”(”( Ðaccess€to€medical€records€or€an€ownership€interest€in€the€health€information€in€medical€records.€However,€these€laws€do€not€divest€the€health€care€provider€or€the€medicalÐ Ž)Ž) Ðfacility€of€its€ownership€interest€in€medical€records.€These€statutes€typically€provide€a€patient€the€right€to€inspect€or€copy€health€information€from€the€medical€record,€but€notÐ ˆ*ˆ* Ðthe€right€to€take€the€provider's€original€copy€of€an€item€in€the€medical€record.€If€a€particular€state€law€provides€greater€ownership€rights,€this€regulation€leaves€such€rights€inÐ ‚+‚+ Ðplace.Ð |,|,  ÐòòComment:óó€Some€commenters€argued€that€the€use€and€disclosure€of€sensitive€personal€information€must€be€strictly€regulated,€and€violation€of€such€regulations€shouldÐ R.R.! Ðsubject€an€entity€to€significant€penalties€and€sanctions.Ð L/L/" ÐòòResponse:óó€We€agree,€and€share€the€commenters'€concern€that€the€penalties€in€the€HIPAA€statute€are€not€sufficient€to€fully€protect€individuals'€privacy€interests.€The€needÐ "1"1# Ðfor€stronger€penalties€is€among€the€reasons€we€believe€Congress€should€pass€comprehensive€privacy€legislation.Ð 22$ ÐòòComment:óó€Many€commenters€expressed€the€opinion€that€the€proposed€ruled€should€provide€stricter€privacy€protections.Ð ÜÜ ÐòòResponse:óó€We€received€nearly€52,000€comments€on€the€proposed€regulation,€and€make€substantial€changes€to€the€proposal€in€response€to€those€comments.€Many€ofÐ ²² Ðthese€changes€will€strengthen€the€protections€that€were€proposed€in€the€NPRM.Ð ¬¬ ÐòòComment:óó€Many€comments€express€concerns€that€their€health€information€will€be€given€to€their€employers.Ð ‚‚ ÐòòResponse:óó€We€agree€that€employer€access€to€health€information€is€a€particular€concern.€In€this€final€regulation,€we€make€significant€changes€to€the€NPRM€that€clarify€andÐ XX Ðprovide€additional€safeguards€governing€when€and€how€the€health€plans€covered€by€this€regulation€may€disclose€health€information€to€employers.Ð RR ÐòòComment:óó€Several€commenters€argued€that€individuals€should€be€able€to€sue€for€breach€of€privacy.Ð ( (  ÐòòResponse:óó€We€agree,€but€do€not€have€the€legislative€authority€to€grant€a€private€right€of€action€to€sue€under€this€statute.€Only€Congress€can€grant€that€right.Ð þ þ  ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\ÚÝÝ  ÝòòObjections€to€government€access€to€protected€health€informationóó݃jÚ\Ú$ÝÔ Ô ÔŒÐ Ô Ô  ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€Many€commenters€urged€the€Department€not€to€create€a€government€database€of€health€information,€or€a€tracking€system€that€would€enable€the€government€toÐ ªª  Ðtrack€individuals€health€information.Ð ¤¤  ÐòòResponse:óó€This€regulation€does€not€create€such€a€database€or€tracking€system,€nor€does€it€enable€future€creation€of€such€a€database.€This€regulation€describes€the€ways€inÐ zz  Ðwhich€health€plans,€health€care€clearinghouses,€and€certain€health€care€providers€may€use€and€disclose€identifiable€health€information€with€and€without€the€individual'sÐ tt  Ðconsent.Ð nn  ÐòòComment:óó€Many€commenters€objected€to€government€access€to€or€control€over€their€health€information,€which€they€believe€the€proposed€regulation€would€provide.Ð DD ÐòòResponse:óó€This€regulation€does€not€increase€current€government€access€to€health€information.€This€rule€sets€minimum€privacy€standards.€It€does€not€require€disclosure€ofÐ  Ðhealth€information,€other€than€to€the€subject€of€the€records€or€for€enforcement€of€this€rule.€Health€plans€and€health€care€providers€are€free€to€use€their€own€professionalÐ  Ðethics€and€judgement€to€adopt€stricter€policies€for€disclosing€health€information.Ð  ÐòòComment:óó€Some€commenters€viewed€the€NPRM€as€creating€fewer€hurdles€for€government€access€to€protected€health€information€than€for€access€to€protected€healthÐ ää Ðinformation€by€private€organizations.€Some€health€care€providers€commented€that€the€NPRM€would€impose€substantial€new€restrictions€on€private€sector€use€andÐ ÞÞ Ðdisclosure€of€protected€health€information,€but€would€make€government€access€to€protected€health€information€easy.€One€consumer€advocacy€group€made€the€sameÐ ØØ Ðobservation.Ð ÒÒ ÐòòResponse:óó€We€acknowledge€that€many€of€the€national€priority€purposes€for€which€we€allow€disclosure€of€protected€health€information€without€consent€or€authorization€areÐ ¨ ¨  Ðfor€government€functions,€and€that€many€of€the€governmental€recipients€of€such€information€are€not€governed€by€this€rule.€It€is€the€role€of€government€to€undertake€functionsÐ ¢!¢! Ðin€the€broader€public€interest,€such€as€public€health€activities,€law€enforcement,€identification€of€deceased€individuals€through€coroners'€offices,€and€military€activities.€It€isÐ œ"œ" Ðthese€public€purposes€which€can€sometimes€outweigh€an€individual's€privacy€interest.€In€this€rule,€we€specify€the€circumstances€in€which€that€balance€is€tipped€toward€theÐ –#–# Ðpublic€interest€with€respect€to€health€information.€We€discuss€the€rationale€behind€each€of€these€permitted€disclosures€in€the€relevant€preamble€sections€below.Ð $$ ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\&*ÝÝ  ÝòòMiscellaneous€Commentsóó݃jÚ\&*p*ÝÔ ÔX*ԌРf&f& ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€Many€commenters€objected€to€the€establishment€of€a€unique€identifier€for€health€care€or€other€purposes.Ð <(<( ÐòòResponse:óó€This€regulation€does€not€create€an€identifier.€We€assume€these€comments€refer€to€the€unique€health€identifier€that€Congress€directed€the€Secretary€to€promulgateÐ ** Ðunder€section1173(b)€of€the€Social€Security€Act,€added€by€section€262€of€the€HIPAA.€Because€of€the€public€concerns€about€such€an€identifier,€in€the€summer€of€1998Ð  + + ÐVice€President€Gore€announced€that€the€Administration€would€not€promulgate€such€a€regulation€until€comprehensive€medical€privacy€protections€were€in€place.€In€the€fallÐ ,, Ðof€that€year,€Congress€prohibited€the€Department€from€promulgating€such€an€identifier,€and€that€prohibition€remains€in€place.€The€Department€has€no€plans€to€promulgate€aÐ --  Ðunique€health€identifier.Ð ú-ú-! ÐòòComment:óó€Many€commenters€asked€that€we€withdraw€the€proposed€regulation€and€not€publish€a€final€rule.Ð Ð/Ð/" ÐòòResponse:óó€Under€section€264€of€the€HIPAA,€the€Secretary€is€required€by€Congress€to€promulgate€a€regulation€establishing€standards€for€health€information€privacy.Ð ¦1¦1# ÐFurther,€for€the€reasons€explained€throughout€this€preamble€above,€we€believe€that€the€need€to€protect€health€information€privacy€is€urgent€and€that€this€regulation€is€in€theÐ ÜÜ Ðpublic's€interest.Ð ÖÖ ÐòòComment:óó€Many€commenters€express€the€opinion€that€their€consent€should€be€required€for€all€disclosure€of€their€health€information.Ð ¬¬ ÐòòResponse:óó€We€agree€that€consent€should€be€required€prior€to€release€of€health€information€for€many€purposes,€and€impose€such€a€requirement€in€this€regulation.€RequiringÐ ‚‚ Ðconsent€prior€to€all€release€of€health€information,€however,€would€unduly€jeopardize€public€safety€and€make€many€operations€of€the€health€care€system€impossible.€ForÐ || Ðexample,€requiring€consent€prior€to€release€of€health€information€to€a€public€health€official€who€is€attempting€to€track€the€source€of€an€outbreak€or€epidemic€could€endangerÐ vv Ðthousands€of€lives.€Similarly,€requiring€consent€before€an€oversight€official€could€audit€a€health€plan€would€make€detection€of€health€care€fraud€all€but€impossible;€it€couldÐ pp Ðtake€health€plans€months€or€years€to€locate€and€obtain€the€consent€of€all€current€and€past€enrollees,€and€the€health€plan€would€not€have€a€strong€incentive€to€do€so.€TheseÐ j j  Ðuses€of€medical€information€are€clearly€in€the€public€interest.Ð d d  ÐIn€this€regulation,€we€must€balance€individuals'€privacy€interests€against€the€legitimate€public€interests€in€certain€uses€of€health€information.€Where€there€is€an€importantÐ : :  Ðpublic€interest,€this€regulation€imposes€procedural€safeguards€that€must€be€met€prior€to€release€of€health€information,€in€lieu€of€a€requirement€for€consent.€In€some€instancesÐ 4 4  Ðthe€procedural€safeguards€consists€of€limits€on€the€circumstances€in€which€information€may€be€disclosed,€in€others€the€safeguards€consist€of€limits€on€what€information€mayÐ ..  Ðbe€disclosed,€and€in€other€cases€we€require€some€form€of€legal€process€(e.g.,€a€warrant€or€subpoena)€prior€to€release€of€health€information.€We€also€allow€disclosure€ofÐ ((  Ðhealth€information€without€consent€where€other€law€mandates€the€disclosures.€Where€such€other€law€exists,€another€public€entity€has€made€the€determination€that€the€publicÐ ""  Ðinterests€outweigh€the€individual's€privacy€interests,€and€we€do€not€upset€that€determination€in€this€regulation.€In€short,€we€tailor€the€safeguards€to€match€the€specific€natureÐ  Ðof€the€public€purpose.€The€specific€safeguards€are€explained€in€each€section€of€this€regulation€below.Ð  ÐòòComment:óó€Many€comments€address€matters€not€relevant€to€this€regulation,€such€as€alternative€fuels,€hospital€reimbursement,€and€gulf€war€syndrome.Ð ìì ÐòòResponse:óó€These€and€similar€matters€are€not€relevant€to€this€regulation€and€will€not€be€addressed€further.Р ÐòòComment:óó€A€few€commenters€questioned€why€this€level€of€detail€is€needed€in€response€to€the€HIPAA€Congressional€mandate.Ð ˜˜ ÐòòResponse:óó€This€level€of€detail€is€necessary€to€ensure€that€individuals'€rights€with€respect€to€their€health€information€are€clear,€while€also€ensuring€that€information€necessaryÐ nn Ðfor€important€public€functions,€such€as€protecting€public€health,€promoting€biomedical€research,€fighting€health€care€fraud,€and€notifying€family€members€in€disasterÐ hh Ðsituations,€will€not€be€impaired€by€this€regulation.€We€designed€this€rule€to€reflect€current€practices€and€change€some€of€them.€The€comments€and€our€fact€finding€revealedÐ bb Ðthe€complexity€of€current€health€information€practices,€and€we€believe€that€the€complexity€entailed€in€reflecting€those€practices€is€better€public€policy€than€a€perhaps€simplerÐ \\ Ðrule€that€disturbed€important€information€flows.Ð VV ÐòòComment:óó€A€few€comments€stated€that€the€goal€of€administrative€simplification€should€never€override€the€privacy€of€individuals.Ð ,, ÐòòResponse:óó€We€believe€that€privacy€is€a€necessary€component€of€administrative€simplification,€not€a€competing€interest.Ð !! ÐòòComment:óó€At€least€one€commenter€said€that€the€goal€of€administrative€simplification€is€not€well€served€by€the€proposed€rule.Ð Ø"Ø" ÐòòResponse:óó€Congress€recognized€that€privacy€is€a€necessary€component€of€administrative€simplification.€The€standardization€of€electronic€health€information€mandated€byÐ ®$®$ Ðthe€HIPAA€that€make€it€easier€to€share€that€information€for€legitimate€purposes€also€make€the€inappropriate€sharing€of€that€information€easier.€For€this€reason,€CongressÐ ¨%¨% Ðincluded€a€mandate€for€privacy€standards€in€this€section€of€the€HIPAA.€Without€appropriate€privacy€protections,€public€fear€and€instances€of€abuse€would€make€itÐ ¢&¢& Ðimpossible€for€us€to€take€full€advantage€of€the€administrative€and€costs€benefits€inherent€in€the€administrative€simplification€standards.Ð œ'œ' ÐòòComment:óó€At€least€one€commenter€asked€us€to€require€psychotherapists€to€assert€any€applicable€legal€privilege€on€patients'€behalf€when€protected€health€information€isÐ r)r) Ðrequested.Ð l*l*  ÐòòResponse:óó€Whether€and€when€to€assert€a€claim€of€privilege€on€a€patient's€behalf€is€a€matter€for€other€law€and€for€the€ethics€of€the€individual€health€care€provider.€This€is€notÐ B,B,! Ða€decision€that€can€or€should€be€made€by€the€federal€government.Ð <-<-" ÐòòComment:óó€One€commenter€called€for€HHS€to€consider€the€privacy€regulation€in€conjunction€with€the€other€HIPAA€standards.€In€particular,€this€comment€focused€on€theÐ //# Ðbelief€that€the€Security€Standards€should€be€compatible€with€the€existing€and€emerging€health€care€and€information€technology€industry€standards.Ð  0 0$ ÐòòResponse:óó€We€agree€that€both€this€regulation€and€the€final€Security€Regulation€should€be€compatible€with€existing€and€emerging€technology€industry€standards.€ThisÐ â1â1% Ðregulation€is€"technology€neutral."€We€do€not€mandate€the€use€of€any€particular€technologies,€but€rather€set€standards€which€can€be€met€through€a€variety€of€means.Ð ÜÜ ÐòòCommentóó:€Several€commenters€claimed€that€the€statutory€authority€given€under€HIPAA€cannot€provide€meaningful€privacy€protections€because€many€entities€with€accessÐ ²² Ðto€protected€health€information,€such€as€employers,€worker's€compensation€carriers,€and€life€insurance€companies,€are€not€covered€entities.€These€commenters€expressedÐ ¬¬ Ðsupport€for€comprehensive€legislation€to€close€many€of€the€existing€loopholes.Ð ¦¦ ÐòòResponseóó:€We€agree€with€the€commenters€that€comprehensive€legislation€is€necessary€to€provide€full€privacy€protection€and€have€called€for€members€of€Congress€to€passÐ || Ðsuch€legislation€to€prevent€unauthorized€and€potentially€harmful€uses€and€disclosures€of€information.Ð vv ÐÝ‚l¿DFÝÔ€i¼4À»XiXþíÔò òÔ  ÔÝ  ÝÝ‚l¿D8LÝÝ  ÝPART€160€-€SUBPART€A€-€GENERAL€PROVISIONS݃l¿D8L‚LÝÔ ÔjLԌРL L  ЌԀiXþíX»i¼4ÀÔó óÝ  ÝÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\7MÝÝ  ÝSECTION€160.103€-€DEFINITIONS݃jÚ\7MMÝÔ ÔiMԌРH H  ЌԀiXþíXXiXþíÔó óÝ  ÝÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\*NÝÝ  ÝòòBusiness€Associateóó.݃jÚ\*NtNÝÔ Ô\NԌР   ЌԀiXþíXXiXþíÔó óÝ  ÝThe€response€to€comments€on€the€definition€of€"business€partner,"€renamed€in€this€rule€as€"business€associate,"€is€included€in€the€response€to€comments€on€the€requirementsÐ ôô  Ðfor€business€associates€in€the€preamble€discussion€of€ðð€164.504.Ð îî  ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\1PÝÝ  ÝòòCovered€Entityóó.݃jÚ\1P{PÝÔ ÔcPԌРÄÄ  ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€A€number€of€commenters€urged€the€Department€to€expand€or€clarify€the€definition€of€"covered€entity"€to€include€certain€entities€other€than€health€careÐ šš  Ðclearinghouses,€health€plans,€and€health€care€providers€who€conduct€standard€transactions.€For€example,€several€commenters€asked€that€the€Department€generally€expandÐ ””  Ðthe€scope€of€the€rule€to€cover€all€entities€that€receive€or€maintain€individually€identifiable€health€information;€others€specifically€urged€the€Department€to€cover€employers,Ð ŽŽ Ðmarketing€firms,€and€legal€entities€that€have€access€to€individually€identifiable€health€information.€Some€commenters€asked€that€life€insurance€and€casualty€insurance€carriersÐ ˆˆ Ðbe€considered€covered€entities€for€purposes€of€this€rule.€One€commenter€recommended€that€Pharmacy€Benefit€Management€(PBM)€companies€be€considered€coveredÐ ‚‚ Ðentities€so€that€they€may€use€and€disclose€protected€health€information€without€authorization.Ð || ÐIn€addition,€a€few€commenters€asked€the€Department€to€clarify€that€the€definition€includes€providers€who€do€not€directly€conduct€electronic€transactions€if€another€entity,Ð RR Ðsuch€as€a€billing€service€or€hospital,€does€so€on€their€behalf.Ð LL ÐòòResponse:óó€We€understand€that€many€entities€may€use€and€disclose€individually€identifiable€health€information.€However,€our€jurisdiction€under€the€statute€is€limited€to€healthÐ "" Ðplans,€health€care€clearinghouses,€and€health€care€providers€who€transmit€any€health€information€electronically€in€connection€with€any€of€the€standard€financial€orÐ  Ðadministrative€transactions€in€section€1173(a)€of€the€Act.€These€are€the€entities€referred€to€in€section€1173(a)(1)€of€the€Act€and€thus€listed€in€ðð€160.103€of€the€final€rule.Ð  ÐConsequently,€once€protected€health€information€leaves€the€purview€of€one€of€these€covered€entities,€their€business€associates,€or€other€related€entities€(such€as€planÐ    Ðsponsors),€the€information€is€no€longer€afforded€protection€under€this€rule.€We€again€highlight€the€need€for€comprehensive€federal€legislation€to€eliminate€such€gaps€inÐ  ! ! Ðprivacy€protection.Ð "" ÐWe€also€provide€the€following€clarifications€with€regard€to€specific€entities.Ð Ú#Ú# ÐWe€clarify€that€employers€and€marketing€firms€are€not€covered€entities.€However,€employers€may€be€plan€sponsors€of€a€group€health€plan€that€is€a€covered€entity€under€theÐ °%°% Ðrule.€In€such€a€case,€specific€requirements€apply€to€the€group€health€plan.€See€the€preamble€on€ðð€164.504€for€a€discussion€of€specific€"firewall"€and€other€organizationalÐ ª&ª& Ðrequirements€for€group€health€plans€and€their€employer€sponsors.€The€final€rule€also€contains€provisions€addressing€when€an€insurance€issuer€providing€benefits€under€aÐ ¤'¤' Ðgroup€health€plan€may€disclose€summary€health€information€to€a€plan€sponsor.Ð ž(ž( ÐWith€regard€to€life€and€casualty€insurers,€we€understand€that€such€benefit€providers€may€use€and€disclose€individually€identifiable€health€information.€However,€CongressÐ t*t* Ðdid€not€include€life€insurers€and€casualty€insurance€carriers€as€"health€plans"€for€the€purposes€of€this€rule€and€therefore€they€are€not€covered€entities.€See€the€discussionÐ n+n+  Ðregarding€the€definition€of€"health€plan"€and€excepted€benefits.Ð h,h,! ÐIn€addition,€we€clarify€that€a€PBM€is€a€covered€entity€only€to€the€extent€that€it€meets€the€definition€of€one€or€more€of€the€entities€listed€in€ðð€160.102.€When€providingÐ >.>." Ðservices€to€patients€through€managed€care€networks,€it€is€likely€that€a€PBM€is€acting€as€a€business€associate€of€a€health€plan,€and€may€thus€use€and€disclose€protectedÐ 8/8/# Ðhealth€information€pursuant€to€the€relevant€provisions€of€this€rule.€PBMs€may€also€be€business€associates€of€health€care€providers.€See€the€preamble€sections€on€ððððÐ 2020$ Ðâ â164.502,€164.504,€and€164.506€for€discussions€of€the€specific€requirements€related€to€business€associates€and€consent.Ð ,1,1% ÐLastly,€we€clarify€that€health€care€providers€who€do€not€submit€HIPAA€transactions€in€standard€form€become€covered€by€this€rule€when€other€entities,€such€as€a€billingÐ ÜÜ Ðâ âservice€or€a€hospital,€transmit€standard€electronic€transactions€on€their€behalf.€The€provider€could€not€circumvent€these€requirements€by€assigning€the€task€to€a€contractor.Ð ÖÖ ÐòòComment:óó€Many€commenters€urged€the€Department€to€restrict€or€clarify€the€definition€of€"covered€entity"€to€exclude€certain€entities,€such€as€department-operatedÐ ¬¬ Ðhospitals€(public€hospitals);€state€Crime€Victim€Compensation€Programs;€employers;€and€certain€lines€of€insurers,€such€as€workers'€compensation€insurers,€property€andÐ ¦¦ Ðcasualty€insurers,€reinsurers,€and€stop-loss€insurers.€One€commenter€expressed€concern€that€clergy,€religious€practitioners,€and€other€faith-based€service€providers€wouldÐ    Ðhave€to€abide€by€the€rule€and€asked€that€the€Department€exempt€prayer€healing€and€non-medical€health€care.Ð šš ÐòòResponse:óó€The€Secretary€provides€the€following€clarifications€in€response€to€these€comments.€To€the€extent€that€a€"department-operated€hospital"€meets€the€definition€of€aÐ pp Ð"health€care€provider"€and€conducts€any€of€the€standard€transactions,€it€is€a€covered€entity€for€the€purposes€of€this€rule.€We€agree€that€a€state€Crime€Victim€CompensationÐ j j  ÐProgram€is€not€a€covered€entity€if€it€is€not€a€health€care€provider€that€conducts€standard€transactions,€health€plan,€or€health€care€clearinghouse.€Further,€as€describedÐ d d  Ðabove,€employers€are€not€covered€entities.Ð ^ ^  ÐIn€addition,€we€agree€that€workers'€compensation€insurers,€property€and€casualty€insurers,€reinsurers,€and€stop-loss€insurers€are€not€covered€entities,€as€they€do€not€meetÐ 4 4  Ðthe€statutory€definition€of€"health€plan."€See€further€discussion€in€the€preamble€on€ðð€160.103€regarding€the€definition€of€"health€plan."€However,€activities€related€to€ceding,Ð ..  Ðsecuring,€or€placing€a€contract€for€reinsurance,€including€stop-loss€insurance,€are€health€care€operations€in€the€final€rule.€As€such,€reinsurers€and€stop-loss€insurers€mayÐ ((  Ðobtain€protected€health€information€from€covered€entities.Ð ""  ÐAlso,€in€response€to€the€comment€regarding€religious€practitioners,€the€Department€clarifies€that€"health€care"€as€defined€under€the€rule€does€not€include€methods€of€healingÐ øø Ðthat€are€solely€spiritual.€Therefore,€clergy€or€other€religious€practitioners€that€provide€solely€religious€healing€services€are€not€health€care€providers€within€the€meaning€of€thisÐ òò Ðrule,€and€consequently€not€covered€entities€for€the€purposes€of€this€rule.Ð ìì ÐòòComment:óó€A€few€commenters€expressed€general€uncertainty€and€requested€clarification€as€to€whether€certain€entities€were€covered€entities€for€the€purposes€of€this€rule.Р ÐOne€commenter€was€uncertain€as€to€whether€the€rule€applies€to€certain€social€service€entities,€in€addition€to€clinical€social€workers€that€the€commenter€believes€areÐ ¼¼ Ðproviders.€Other€commenters€asked€whether€researchers€or€non-governmental€entities€that€collect€and€analyze€patient€data€to€monitor€and€evaluate€quality€of€care€areÐ ¶¶ Ðcovered€entities.€Another€commenter€requested€clarification€regarding€the€definition's€application€to€public€health€agencies€that€also€are€health€care€providers€as€well€asÐ °° Ðhow€the€rule€affects€public€health€agencies€in€their€data€collection€from€covered€entities.Ð ªª ÐòòResponse:óó€Whether€the€professionals€described€in€these€comments€are€covered€by€this€rule€depends€on€the€activities€they€undertake,€not€on€their€profession€or€degree.Ð €€ ÐThe€definitions€in€this€rule€are€based€on€activities€and€functions,€not€titles.€For€example,€a€social€service€worker€whose€activities€meet€this€rule's€definition€of€health€care€willÐ zz Ðbe€a€health€care€provider.€If€that€social€service€worker€also€transmits€information€in€a€standard€HIPAA€transaction,€he€or€she€will€be€a€covered€health€entity€under€this€rule.Ð tt ÐAnother€social€service€worker€may€provide€services€that€do€not€meet€the€rule's€definition€of€health€care,€or€may€not€transmit€information€in€a€standard€transaction.€Such€aÐ nn Ðsocial€service€worker€is€not€a€covered€entity€under€this€rule.€Similarly,€researchers€in€and€of€themselves€are€not€covered€entities.€However,€researchers€may€also€be€healthÐ hh Ðcare€providers€if€they€provide€health€care.€In€such€cases,€the€persons,€or€entities€in€their€role€as€health€care€providers€may€be€covered€entities€if€they€conduct€standardÐ b b  Ðtransactions.Ð \!\! ÐWith€regard€to€public€health€agencies€that€are€also€health€care€providers,€the€health€care€provider€"component"€of€the€agency€is€the€covered€entity€if€that€componentÐ 2#2# Ðconducts€standard€transactions.€See€discussion€of€"health€care€components"€below.€As€to€the€data€collection€activities€of€a€public€health€agency,€the€final€rule€in€ððÐ ,$,$ Ð164.512(b)€permits€a€covered€entity€to€disclose€protected€health€information€to€public€health€authorities€under€specified€circumstances,€and€permits€public€health€agenciesÐ &%&% Ðthat€are€also€covered€entities€to€use€protected€health€information€for€these€purposes.€See€ðð€164.512(b)€for€further€details.Ð  & &  ÐòòComment:óó€A€few€commenters€requested€that€the€Department€clarify€that€device€manufacturers€are€not€covered€entities.€They€stated€that€the€proposal€did€not€provideÐ ö'ö'! Ðenough€guidance€in€cases€where€the€"manufacturer€supplier"€has€only€one€part€of€its€business€that€acts€as€the€"supplier,"€and€additional€detail€is€needed€about€theÐ ð(ð(" Ðrelationship€of€the€"supplier€component"€of€the€company€to€the€rest€of€the€business.€Similarly,€another€commenter€asserted€that€drug,€biologics,€and€device€manufacturersÐ ê)ê)# Ðshould€not€be€covered€entities€simply€by€virtue€of€their€manufacturing€activities.Ð ä*ä*$ ÐòòResponse:óó€We€clarify€that€if€a€supplier€manufacturer€is€a€Medicare€supplier,€then€it€is€a€health€care€provider,€and€it€is€a€covered€entity€if€it€conducts€standard€transactions.Ð º,º,% ÐFurther,€we€clarify€that€a€manufacturer€of€supplies€related€to€the€health€of€a€particular€individual,€e.g.,€prosthetic€devices,€is€a€health€care€provider€because€the€manufacturerÐ ´-´-& Ðis€providing€"health€care"€as€defined€in€the€rule.€However,€that€manufacturer€is€a€covered€entity€only€if€it€conducts€standard€transactions.€We€do€not€intend€that€aÐ ®.®.' Ðmanufacturer€of€supplies€that€are€generic€and€not€customized€or€otherwise€specifically€designed€for€particular€individuals,€e.g.,€ace€bandages€for€a€hospital,€is€a€health€careÐ ¨/¨/( Ðprovider.€Such€a€manufacturer€is€not€providing€"health€care"€as€defined€in€the€rule€and€is€therefore€not€a€covered€entity.€We€note€that,€even€if€such€a€manufacturer€is€aÐ ¢0¢0) Ðâ âcovered€entity,€it€may€be€an€'indirect€treatment€provider'€under€this€rule,€and€thus€not€subject€to€all€of€the€rule's€requirements.Ð œ1œ1* ÐWith€regard€to€a€"supplier€component,"€the€final€rule€addresses€the€status€of€the€unit€or€unit(s)€of€a€larger€entity€that€constitute€a€"health€care€component."€See€furtherÐ ÜÜ Ðâ âdiscussion€under€ðð€164.504€of€this€preamble.Ð ÖÖ ÐFinally,€we€clarify€that€drug,€biologics,€and€device€manufacturers€are€not€health€care€providers€simply€by€virtue€of€their€manufacturing€activities.€The€manufacturer€must€beÐ ¬¬ Ðproviding€health€care€consistent€with€the€final€rule's€definition€in€order€to€be€considered€a€health€care€provider.Ð ¦¦ ÐòòComment:€óóA€few€commenters€asked€that€the€Department€clarify€that€pharmaceutical€manufacturers€are€not€covered€entities.€It€was€explained€that€pharmaceuticalÐ || Ðmanufacturers€provide€support€and€guidance€to€doctors€and€patients€with€respect€to€the€proper€use€of€their€products,€provide€free€products€for€doctors€to€distribute€toÐ vv Ðpatients,€and€operate€charitable€programs€that€provide€pharmaceutical€drugs€to€patients€who€cannot€afford€to€buy€the€drugs€they€need.Ð pp ÐòòResponse:óó€A€pharmaceutical€manufacturer€is€only€a€covered€entity€if€the€manufacturer€provides€"health€care"€according€to€the€rule's€definition€and€conducts€standardÐ F F  Ðtransactions.€In€the€above€case,€a€pharmaceutical€manufacturer€that€provides€support€and€guidance€to€doctors€and€patients€regarding€the€proper€use€of€their€products€isÐ @ @  Ðproviding€"health€care"€for€the€purposes€of€this€rule,€and€therefore,€is€a€health€care€provider€to€the€extent€that€it€provides€such€services.€The€pharmaceutical€manufacturerÐ : :  Ðthat€is€a€health€care€provider€is€only€a€covered€entity,€however,€if€it€conducts€standard€transactions.€We€note€that€this€rule€permits€a€covered€entity€to€disclose€protectedÐ 4 4  Ðhealth€information€to€any€person€for€treatment€purposes,€without€specific€authorization€from€the€individual.€Therefore,€a€covered€health€care€provider€is€permitted€toÐ ..  Ðdisclose€protected€health€information€to€a€pharmaceutical€manufacturer€for€treatment€purposes.€Providing€free€samples€to€a€health€care€provider€does€not€in€itself€constituteÐ ((  Ðhealth€care.€For€further€analysis€of€pharmacy€assistance€programs,€see€response€to€comment€on€ðð€164.501,€definition€of€"payment."Ð ""  ÐòòCommentóó:€Several€commenters€asked€about€the€definition€of€"covered€entity"€and€its€application€to€health€care€entities€within€larger€organizations.Ð øø ÐòòResponseóó:€A€detailed€discussion€of€the€final€rule's€organizational€requirements€and€firewall€restrictions€for€"health€care€components"€of€larger€entities,€as€well€as€forÐ ÎÎ Ðaffiliated,€and€other€entities€is€found€at€the€discussion€of€ðð€164.504€of€this€preamble.€The€following€responses€to€comments€provide€additional€information€with€respect€toÐ ÈÈ Ðparticular€"component€entity"€circumstances.Р ÐòòCommentóó:€Several€commenters€asked€that€we€clarify€the€definition€of€covered€entity€to€state€that€with€respect€to€persons€or€organizations€that€provide€health€care€or€haveÐ ˜˜ Ðcreated€health€plans€but€are€primarily€engaged€in€other€unrelated€businesses,€the€term€"covered€entity"€encompasses€only€the€health€care€components€of€the€entity.Ð ’’ ÐSimilarly,€others€recommended€that€only€the€component€of€a€government€agency€that€is€a€provider,€health€plan,€or€clearinghouse€should€be€considered€a€covered€entity.Ð ŒŒ ÐOther€commenters€requested€that€we€revise€proposed€ðð€160.102€to€apply€only€to€the€component€of€an€entity€that€engages€in€the€transactions€specified€in€the€rule.Ð bb ÐCommenters€stated€that€companies€should€remain€free€to€employ€licensed€health€care€providers€and€to€enter€into€corporate€relationships€with€provider€institutions€withoutÐ \\ Ðfear€of€being€considered€to€be€a€covered€entity.€Another€commenter€suggested€that€the€regulation€not€apply€to€the€provider-employee€or€employer€when€neither€theÐ VV Ðprovider€nor€the€company€are€a€covered€entity.Ð PP ÐSome€commenters€specifically€argued€that€the€definition€of€"covered€entity"€did€not€contemplate€an€integrated€health€care€system€and€one€commenter€stated€that€theÐ & &  Ðproposal€would€disrupt€the€multi-disciplinary,€collaborative€approach€that€many€take€to€health€care€today€by€treating€all€components€as€separate€entities.€Commenters,Ð  ! ! Ðtherefore,€recommended€that€the€rule€treat€the€integrated€entity,€not€its€constituent€parts,€as€the€covered€entity.Ð "" ÐA€few€commenters€asked€that€the€Department€further€clarify€the€definition€with€respect€to€the€unique€organizational€models€and€relationships€of€academic€medical€centersÐ ð#ð# Ðand€their€parent€universities€and€the€rules€that€govern€information€exchange€within€the€institution.€One€commenter€asked€whether€faculty€physicians€who€are€paid€by€aÐ ê$ê$ Ðmedical€school€or€faculty€practice€plan€and€who€are€on€the€medical€staff€of,€but€not€paid€directly€by,€a€hospital€are€included€within€the€covered€entity.€Another€commenterÐ ä%ä% Ðstated€that€it€appears€that€only€the€health€center€at€an€academic€institution€is€the€covered€entity.€Uncertainty€was€also€expressed€as€to€whether€other€components€of€theÐ Þ&Þ& Ðinstitution€that€might€create€protected€health€information€only€incidentally€through€the€conduct€of€research€would€also€be€covered.Ð Ø'Ø'  ÐòòResponse:óó€The€Department€understands€that€in€today's€health€care€industry,€the€relationships€among€health€care€entities€and€non-health€care€organizations€are€highlyÐ ®)®)! Ðcomplex€and€varied.€Accordingly,€the€final€rule€gives€covered€entities€some€flexibility€to€segregate€or€aggregate€its€operations€for€purposes€of€the€application€of€this€rule.Ð ¨*¨*" ÐThe€new€component€entity€provision€can€be€found€at€ðððð€164.504(b)-(c).€In€response€to€the€request€for€clarification€on€whether€the€rule€would€apply€to€a€researchÐ ¢+¢+# Ðcomponent€of€the€covered€entity,€we€point€out€that€if€the€research€activities€fall€outside€of€the€health€care€component€they€would€not€be€subject€to€the€rule.€OneÐ œ,œ,$ Ðorganization€may€have€one€or€several€"health€care€component(s)"€that€each€perform€one€or€more€of€the€health€care€functions€of€a€covered€entity,€i.e.,€health€care€provider,Ð –-–-% Ðhealth€plan,€health€care€clearinghouse.€In€addition,€the€final€rule€permits€covered€entities€that€are€affiliated,€i.e.,€share€common€ownership€or€control,€to€designateÐ ..& Ðthemselves,€or€their€health€care€components,€together€to€be€a€single€covered€entity€for€purposes€of€the€rule.Ð Š/Š/' ÐIt€appears€from€the€comments€that€there€is€not€a€common€understanding€of€the€meaning€of€"integrated€delivery€system."€Arrangements€that€apply€this€label€to€themselvesÐ `1`1( Ðoperate€and€share€information€many€different€ways,€and€may€or€may€not€be€financially€or€clinically€integrated.€In€some€cases,€multiple€entities€hold€themselves€out€as€oneÐ Z2Z2) Ðenterprise€and€engage€together€in€clinical€or€financial€activities.€In€others,€separate€entities€share€information€but€do€not€provide€treatment€together€or€share€financial€risk.Ð ÜÜ ÐMany€health€care€providers€participate€in€more€than€one€such€arrangement.Ð ÖÖ ÐTherefore,€we€do€not€include€a€separate€category€of€'covered€entity'€under€this€rule€for€"integrated€delivery€systems"€but€instead€accommodate€the€operations€of€theseÐ ¬¬ Ðvaried€arrangements€through€the€functional€provisions€of€the€rule.€For€example,€covered€entities€that€operate€as€'organized€health€care€arrangements'€as€defined€in€this€ruleÐ ¦¦ Ðmay€share€protected€health€information€for€the€operation€of€such€arrangement€without€becoming€business€associates€of€one€another.€Similarly,€the€regulation€does€notÐ    Ðrequire€a€business€associate€arrangement€when€protected€health€information€is€shared€for€purposes€of€providing€treatment.€The€application€of€this€rule€to€any€particularÐ šš Ð'integrated€system'€will€depend€on€the€nature€of€the€common€activities€the€participants€in€the€system€perform.€When€the€participants€in€such€an€arrangement€are€'affiliated'Ð ”” Ðas€defined€in€this€rule,€they€may€consider€themselves€a€single€covered€entity€(see€ðð€164.€504).Ð ŽŽ ÐThe€arrangements€between€academic€health€centers,€faculty€practice€plans,€universities,€and€hospitals€are€similarly€diverse.€We€cannot€describe€a€blanket€rule€that€coversÐ d d  Ðall€such€arrangements.€The€application€of€this€rule€will€depend€on€the€purposes€for€which€the€participants€in€such€arrangements€share€protected€health€information,€whetherÐ ^ ^  Ðsome€or€all€participants€are€under€common€ownership€or€control,€and€similar€matters.€We€note€that€physicians€who€have€staff€privileges€at€a€covered€hospital€do€notÐ X X  Ðbecome€part€of€that€hospital€covered€entity€by€virtue€of€having€such€privileges.Ð R R  ÐWe€reject€the€recommendation€to€apply€the€rule€only€to€components€of€an€entity€that€engage€in€the€transactions.€This€would€omit€as€covered€entities,€for€example,€theÐ ((  Ðhealth€plan€components€that€do€not€directly€engage€in€the€transactions,€including€components€that€engage€in€important€health€plan€functions€such€as€coverage€determinationsÐ ""  Ðand€quality€review.€Indeed,€we€do€not€believe€that€the€statute€permits€this€result€with€respect€to€health€plans€or€health€care€clearinghouses€as€a€matter€of€negativeÐ  Ðimplication€from€section€1172(a)(3).€We€clarify€that€only€a€health€care€provider€must€conduct€transactions€to€be€a€covered€entity€for€purposes€of€this€rule.Ð  ÐWe€also€clarify€that€health€care€providers€(such€as€doctors€or€nurses)€who€work€for€a€larger€organization€and€do€not€conduct€transactions€on€their€own€behalf€areÐ ìì Ðworkforce€members€of€the€covered€entity,€not€covered€entities€themselves.Ð ææ ÐòòComment:€óóA€few€commenters€asked€the€Department€to€clarify€the€definition€to€provide€that€a€multi-line€insurer€that€sells€insurance€coverages,€some€of€which€do€andÐ ¼¼ Ðothers€which€do€not€meet€the€definition€of€"health€plan,"€is€not€a€covered€entity€with€respect€to€actions€taken€in€connection€with€coverages€that€are€not€"health€plans."Ð ¶¶ ÐòòResponse:óó€The€final€rule€clarifies€that€the€requirements€below€apply€only€to€the€organizational€unit€or€units€of€the€organization€that€are€the€"health€care€component"€of€aÐ ŒŒ Ðcovered€entity,€where€the€"covered€functions"€are€not€the€primary€functions€of€the€entity.€Therefore,€for€a€multi-line€insurer,€the€"health€care€component"€is€the€insuranceÐ †† Ðline(s)€that€conduct,€or€support€the€conduct€of,€the€health€care€function€of€the€covered€entity.€Also,€it€should€be€noted€that€excepted€benefits,€such€as€life€insurance,€are€notÐ €€ Ðincluded€in€the€definition€of€"health€plan."€(See€preamble€discussion€of€ðð€164.504).Ð zz ÐòòCommentóó:€A€commenter€questioned€whether€the€Health€Care€Financing€Administration€(HCFA)€is€a€covered€entity€and€how€HCFA€will€share€data€with€MedicareÐ PP Ðmanaged€care€organizations.€The€commenter€also€questioned€why€the€regulation€must€apply€to€Medicaid€since€the€existing€Medicaid€statute€requires€that€states€haveÐ JJ Ðprivacy€standards€in€place.€It€was€also€requested€that€the€Department€provide€a€definition€of€"health€plan"€to€clarify€that€state€Medicaid€Programs€are€considered€as€such.Ð D D  ÐòòResponse:€óóHCFA€is€a€covered€entity€because€it€administers€Medicare€and€Medicaid,€which€are€both€listed€in€the€statute€as€health€plans.€Medicare€managed€careÐ "" Ðorganizations€are€also€covered€entities€under€this€regulation.€As€noted€elsewhere€in€this€preamble,€covered€entities€that€jointly€administer€a€health€plan,€such€as€Medicare€+Ð ## ÐChoice,€are€both€covered€entities,€and€are€not€business€associates€of€each€other€by€virtue€of€such€joint€administration.Ð $$ ÐWe€do€not€exclude€state€Medicaid€programs.€Congress€explicitly€included€the€Medicaid€program€as€a€covered€health€plan€in€the€HIPAA€statute.Ð ä%ä% ÐòòComment:óó€A€commenter€asked€the€Department€to€provide€detailed€guidance€as€to€when€providers,€plans,€and€clearinghouses€become€covered€entities.€The€commenterÐ º'º' Ðprovided€the€following€example:€if€a€provider€submits€claims€only€in€paper€form,€and€a€coordination€of€benefits€(COB)€transaction€is€created€due€to€other€insuranceÐ ´(´(  Ðcoverage,€will€the€original€provider€need€to€be€notified€that€the€claim€is€now€in€electronic€form,€and€that€it€has€become€a€covered€entity?€Another€commenter€voicedÐ ®)®)! Ðconcern€as€to€whether€physicians€who€do€not€conduct€electronic€transactions€would€become€covered€entities€if€another€entity€using€its€records€downstream€transmitsÐ ¨*¨*" Ðinformation€in€connection€with€a€standard€transaction€on€their€behalf.Ð ¢+¢+# ÐòòResponse:óó€We€clarify€that€health€care€providers€who€submit€the€transactions€in€standard€electronic€form,€health€plans,€and€health€care€clearinghouses€are€covered€entities€ifÐ x-x-$ Ðthey€meet€the€respective€definitions.€Health€care€providers€become€subject€to€the€rule€if€they€conduct€standard€transactions.€In€the€above€example,€the€health€care€providerÐ r.r.% Ðwould€not€be€a€covered€entity€if€the€coordination€of€benefits€transaction€was€generated€by€a€payor.Ð l/l/& ÐWe€also€clarify€that€health€care€providers€who€do€not€submit€transactions€in€standard€form€become€covered€by€this€rule€when€other€entities,€such€as€a€billing€service€or€aÐ B1B1' Ðhospital,€transmit€standard€electronic€transactions€on€the€providers'€behalf.€However,€where€the€downstream€transaction€is€not€conducted€on€behalf€of€the€health€careÐ <2<2( Ðprovider,€the€provider€does€not€become€a€covered€entity€due€to€the€downstream€transaction.Ð ÜÜ ÐòòComment:óó€Several€commenters€discussed€the€relationship€between€section€1179€of€the€Act€and€the€privacy€regulations.€One€commenter€suggested€that€HHS€retain€theÐ ²² Ðstatement€that€a€covered€entity€means€"the€entities€to€which€part€C€of€title€XI€of€the€Act€applies."€In€particular,€the€commenter€observed€that€section€1179€of€the€ActÐ ¬¬ Ðprovides€that€part€C€of€title€XI€of€the€Act€does€not€apply€to€financial€institutions€or€to€entities€acting€on€behalf€of€such€institutions€that€are€covered€by€the€section€1179Ð ¦¦ Ðexemption.€Thus,€under€the€definition€of€covered€entity,€they€comment€that€financial€institutions€and€other€entities€that€come€within€the€scope€of€the€section€1179€exemptionÐ    Ðare€appropriately€not€covered€entities.Ð šš ÐOther€commenters€maintained€that€section€1179€of€the€Act€means€that€the€Act's€privacy€requirements€do€not€apply€to€the€request€for,€or€the€use€or€disclosure€of,Ð pp Ðinformation€by€a€covered€entity€with€respect€to€payment:€(a)€for€transferring€receivables;€(b)€for€auditing;€(c)€in€connection€with€-€(i)€a€customer€dispute;€or€(ii)€an€inquiryÐ j j  Ðfrom€or€to€a€customer;€(d)€in€a€communication€to€a€customer€of€the€entity€regarding€the€customer's€transactions€payment€card,€account,€check,€or€electronic€funds€transfer;Ð d d  Ð(e)€for€reporting€to€consumer€reporting€agencies;€or€(f)€for€complying€with:€(i)€a€civil€or€criminal€subpoena;€or€(ii)€a€federal€or€state€law€regulating€the€entity.€TheseÐ ^ ^  Ðcompanies€expressed€concern€that€the€proposed€rule€did€not€include€the€full€text€of€section€1179€when€discussing€the€list€of€activities€that€were€exempt€from€the€rule'sÐ X X  Ðrequirements.€Accordingly,€they€recommended€including€in€the€final€rule€either€a€full€listing€of€or€a€reference€to€section€1179's€full€list€of€exemptions.€Furthermore,€theseÐ R R  Ðfirms€opposed€applying€the€proposed€rule's€minimum€necessary€standard€for€disclosure€of€protected€health€information€to€financial€institutions€because€of€section€1179.Ð LL  ÐThese€commenters€suggest€that€in€light€of€section€1179,€HHS€lacks€the€authority€to€impose€restrictions€on€financial€institutions€and€other€entities€when€they€engage€inÐ ""  Ðactivities€described€in€that€section.€One€commenter€expressed€concern€that€even€though€proposed€ðð€164.510(i)€would€have€permitted€covered€entities€to€disclose€certainÐ  Ðinformation€to€financial€institutions€for€banking€and€payment€processes,€it€did€not€state€clearly€that€financial€institutions€and€other€entities€described€in€section€1179€areÐ  Ðexempt€from€the€rule's€requirements.Ð  ÐòòResponse:óó€We€interpret€section€1179€of€the€Act€to€mean€that€entities€engaged€in€the€activities€of€a€financial€institution,€and€those€acting€on€behalf€of€a€financial€institution,Ð ææ Ðare€not€subject€to€this€regulation€when€they€are€engaged€in€authorizing,€processing,€clearing,€settling,€billing,€transferring,€reconciling,€or€collecting€payments€for€a€financialÐ àà Ðinstitution.€The€statutory€reference€to€12€U.S.C.€3401€indicates€that€Congress€chose€to€adopt€the€definition€of€financial€institutions€found€in€the€Right€to€Financial€PrivacyÐ ÚÚ ÐAct,€which€defines€financial€institutions€as€any€office€of€a€bank,€savings€bank,€card€issuer,€industrial€loan€company,€trust€company,€savings€association,€building€and€loan,Ð ÔÔ Ðhomestead€association,€cooperative€bank,€credit€union,€or€consumer€finance€institution€located€in€the€United€States€or€one€of€its€Territories.€Thus,€when€we€use€the€termÐ ÎÎ Ð"financial€institution"€in€this€regulation,€we€turn€to€the€definition€with€which€Congress€provided€us.€We€interpret€this€provision€to€mean€that€when€a€financial€institution,€or€itsÐ ÈÈ Ðagent€on€behalf€of€the€financial€institution,€conducts€the€activities€described€in€section€1179,€the€privacy€regulation€will€not€govern€the€activity.Р ÐIf,€however,€these€activities€are€performed€by€a€covered€entity€or€by€another€entity,€including€a€financial€institution,€on€behalf€of€a€covered€entity,€the€activities€are€subject€toÐ ˜˜ Ðthis€rule.€For€example,€if€a€bank€operates€the€accounts€payable€system€or€other€"back€office"€functions€for€a€covered€health€care€provider,€that€activity€is€not€described€inÐ ’’ Ðsection€1179.€In€such€instances,€because€the€bank€would€meet€the€rule's€definition€of€"business€associate,"€the€provider€must€enter€into€a€business€associate€contract€withÐ ŒŒ Ðthe€bank€before€disclosing€protected€health€information€pursuant€to€this€relationship.€However,€if€the€same€provider€maintains€an€account€through€which€he/she€cashesÐ †† Ðchecks€from€patients,€no€business€associate€contract€would€be€necessary€because€the€bank's€activities€are€not€undertaken€for€or€on€behalf€of€the€covered€entity,€and€fallÐ € €  Ðwithin€the€scope€of€section€1179.€In€part€to€give€effect€to€section€1179,€in€this€rule€we€do€not€consider€a€financial€institution€to€be€acting€on€behalf€of€a€covered€entity€whenÐ z!z! Ðit€processes€consumer-conducted€financial€transactions€by€debit,€credit€or€other€payment€card,€clears€checks,€initiates€or€processes€electronic€funds€transfers,€or€conductsÐ t"t" Ðany€other€activity€that€directly€facilitates€or€effects€the€transfer€of€funds€for€compensation€for€health€care.Ð n#n# ÐWe€do€not€agree€with€the€comment€that€section€1179€of€the€Act€means€that€the€privacy€regulation's€requirements€cannot€apply€to€the€activities€listed€in€that€section;€rather,Ð D%D%  Ðit€means€that€the€entities€expressly€mentioned,€financial€institutions€(as€defined€in€the€Right€to€Financial€Privacy€Act),€and€their€agents€that€engage€in€the€listed€activities€forÐ >&>&! Ðthe€financial€institution€are€not€within€the€scope€of€the€regulation.€Nor€do€we€interpret€section€1179€to€support€an€exemption€for€disclosures€to€financial€institutions€from€theÐ 8'8'" Ðminimum€necessary€provisions€of€this€regulation.Ð 2(2(# ÐòòComment:óó€One€commenter€recommended€that€HHS€include€a€definition€of€"entity"€in€the€final€rule€because€HIPAA€did€not€define€it.€The€commenter€explained€that€in€aÐ **$ Ðmodern€health€care€environment,€the€organization€acting€as€the€health€plan€or€health€care€provider€may€involve€many€interrelated€corporate€entities€and€that€this€could€leadÐ ++% Ðto€difficulties€in€determining€what€"entities"€are€actually€subject€to€the€regulation.Ð ü+ü+& ÐòòResponse:óó€We€reject€the€commenter's€suggestion.€We€believe€it€is€clear€in€the€final€rule€that€the€entities€subject€to€the€regulation€are€those€listed€at€ðð€160.102.€However,Ð Ò-Ò-' Ðwe€acknowledge€that€how€the€rule€applies€to€integrated€or€other€complex€health€systems€needs€to€be€addressed;€we€have€done€so€in€ðð€164.504€and€in€other€provisions,Ð Ì.Ì.( Ðsuch€as€those€addressing€organized€health€care€arrangements.Ð Æ/Æ/) Ðâ âòòCommentóó:€The€preamble€should€clarify€that€self-insured€group€health€and€workmen's€compensation€plans€are€not€covered€entities€or€business€partners.Ð œ1œ1* ÐòòResponseóó:€In€the€preamble€to€the€proposed€rule€we€stated€that€certain€types€of€insurance€entities,€such€as€workers'€compensation,€would€not€be€covered€entities€under€theÐ ÜÜ Ðâ ârule.€We€do€not€change€this€position€in€this€final€rule.€The€statutory€definition€of€health€plan€does€not€include€workers'€compensation€products,€and€the€regulatory€definitionÐ ÖÖ Ðof€the€term€specifically€excludes€them.€However,€HIPAA€specifically€includes€most€group€health€plans€within€the€definition€of€"health€plan."Ð ÐÐ ÐòòComment:óó€A€health€insurance€issuer€asserted€that€health€insurers€and€third€party€administrators€are€usually€required€by€employers€to€submit€reports€describing€the€volume,Ð ¦¦ Ðamount,€payee,€basis€for€services€rendered,€types€of€claims€paid€and€services€for€which€payment€was€requested€on€behalf€of€it€covered€employees.€They€recommendedÐ    Ðthat€the€rule€permit€the€disclosure€of€protected€health€information€for€such€purposes.Ð šš ÐòòResponseóó:€We€agree€that€health€plans€should€be€able€to€disclose€protected€health€information€to€employers€sponsoring€health€plans€under€certain€circumstances.€SectionÐ pp Ð164.504(f)€explains€the€conditions€under€which€protected€health€information€may€be€disclosed€to€plan€sponsors.€We€believe€that€this€provision€gives€sponsors€access€toÐ j j  Ðthe€information€they€need,€but€protects€individual's€information€to€the€extent€possible€under€our€legislative€authority.Ð d d  ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\½ÚÝÝ  ÝòòGroup€Health€Planóó.݃jÚ\½ÚÛÝÔ ÔïÚԌР: :  ЌԀiXþíXXiXþíÔó óÝ  ÝFor€response€to€comments€relating€to€"group€health€plan,"€see€the€response€to€comments€on€"health€plan"€below€and€the€response€to€comments€on€ðð€164.504.Ð   ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\[ÜÝÝ  ÝòòHealth€Careóó.݃jÚ\[Ü¥ÜÝÔ ÔÜԌРææ  ÐŒÔ€iXþíXXiXþíÔó óÝ  ÝòòCommentóó:€A€number€of€commenters€asked€that€we€include€disease€management€activities€and€other€similar€health€improvement€programs,€such€as€preventive€medicine,Ð ¼¼  Ðhealth€education€services€and€maintenance,€health€and€case€management,€and€risk€assessment,€in€the€definition€of€"health€care."€Commenters€maintained€that€the€ruleÐ ¶¶  Ðshould€avoid€limiting€technological€advances€and€new€health€care€trends€intended€to€improve€patient€"health€care."Ð °° ÐòòResponseóó:€Review€of€these€and€other€comments,€and€our€fact-finding,€indicate€that€there€are€multiple,€different,€understandings€of€the€definition€of€these€terms.€Therefore,Ð †† Ðrather€than€create€a€blanket€rule€that€includes€such€terms€in€or€excludes€such€terms€from€the€definition€of€"health€care,"€we€define€health€care€based€on€the€underlyingÐ €€ Ðactivities€that€constitute€health€care.€The€activities€described€by€these€commenters€are€considered€'health€care'€under€this€rule€to€the€extent€that€they€meet€this€functionalÐ zz Ðdefinition.€Listing€activities€by€label€or€title€would€create€the€risk€that€important€activities€would€be€left€out€and,€given€the€lack€of€consensus€on€what€these€terms€mean,Ð tt Ðcould€also€create€confusion.Ð nn ÐòòCommentóó:€Several€commenters€urged€that€the€Department€clarify€that€the€activities€necessary€to€procure€and€distribute€eyes€and€eye€tissue€will€not€be€hampered€by€theÐ DD Ðrule.€Some€of€these€commenters€explicitly€requested€that€we€include€"eyes€and€eye€tissue"€in€the€list€of€procurement€biologicals€as€well€as€"eye€procurement"€in€theÐ >> Ðdefinition€of€"health€care."€In€addition,€it€was€argued€that€"administration€to€patients"€be€excluded€in€the€absence€of€a€clear€definition.€Also,€commenters€recommended€thatÐ 88 Ðthe€definition€include€other€activities€associated€with€the€transplantation€of€organs,€such€as€processing,€screening,€and€distribution.Ð 22 ÐòòResponseóó:€We€delete€from€the€definition€of€"health€care"€activities€related€to€the€procurement€or€banking€of€blood,€sperm,€organs,€or€any€other€tissue€for€administration€toÐ    Ðpatients.€We€do€so€because€persons€who€make€such€donations€are€not€seeking€to€be€treated,€diagnosed,€or€assessed€or€otherwise€seeking€health€care€for€themselves,€butÐ !! Ðare€seeking€to€contribute€to€the€health€care€of€others.€In€addition,€the€nature€of€these€activities€entails€a€unique€kind€of€information€sharing€and€tracking€necessary€toÐ ü!ü! Ðsafeguard€the€nation's€organ€and€blood€supply,€and€those€seeking€to€donate€are€aware€that€this€information€sharing€will€occur.€Consequently,€such€procurement€or€bankingÐ ö"ö" Ðactivities€are€not€considered€health€care€and€the€organizations€that€perform€such€activities€are€not€considered€health€care€providers€for€purposes€of€this€rule.Ð ð#ð# ÐWith€respect€to€disclosure€of€protected€health€information€by€covered€entities€to€facilitate€cadaveric€organ€and€tissue€donation,€the€final€rule€explicitly€permits€a€coveredÐ Æ%Æ% Ðentity€to€disclose€protected€health€information€without€authorization,€consent,€or€agreement€to€organ€procurement€organizations€or€other€entities€engaged€in€theÐ À&À& Ðprocurement,€banking,€or€transplantation€of€cadaveric€organs,€eyes,€or€tissue€for€the€purpose€of€facilitating€donation€and€transplantation.€See€ðð€164.512(h).€We€do€notÐ º'º' Ðinclude€blood€or€sperm€banking€in€this€provision€because,€for€those€activities,€there€is€direct€contact€with€the€donor,€and€thus€opportunity€to€obtain€the€individual'sÐ ´(´(  Ðauthorization.Ð ®)®)! ÐòòCommentóó:€A€large€number€of€commenters€urged€that€the€term€"assessment"€be€included€in€the€list€of€services€in€the€definition,€as€"assessment"€is€used€to€determine€theÐ „+„+" Ðbaseline€health€status€of€an€individual.€It€was€explained€that€assessments€are€conducted€in€the€initial€step€of€diagnosis€and€treatment€of€a€patient.€If€assessment€is€notÐ ~,~,# Ðincluded€in€the€list€of€services,€they€pointed€out€that€the€services€provided€by€occupational€health€nurses€and€employee€health€information€may€not€be€covered.Ð x-x-$ ÐòòResponse:óó€We€agree€and€have€added€the€term€"assessment"€to€the€definition€to€clarify€that€this€activity€is€considered€"health€care"€for€the€purposes€of€the€rule.Ð N/N/% ÐòòComment:óó€One€commenter€asked€that€we€revise€the€definition€to€explicitly€exclude€plasmapheresis€from€paragraph€(3)€of€the€definition.€It€was€explained€thatÐ $1$1& Ðplasmapheresis€centers€do€not€have€direct€access€to€health€care€recipients€or€their€health€information,€and€that€the€limited€health€information€collected€about€plasma€donorsÐ 22' Ðis€not€used€to€provide€health€care€services€as€indicated€by€the€definition€of€health€care.Ð ÜÜ ÐòòResponse:óó€We€address€the€commenters'€concerns€by€removing€the€provision€related€to€procurement€and€banking€of€human€products€from€the€definition.Ð ²² ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\—ñÝÝ  ÝòòHealth€Care€Clearinghouseóó.݃jÚ\—ñáñÝÔ ÔÉñԌРˆˆ ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€The€largest€set€of€comments€relating€to€health€care€clearinghouses€focused€on€our€proposal€to€exempt€health€care€clearinghouses€from€the€patient€notice€andÐ ^^ Ðaccess€rights€provisions€of€the€regulation.€In€our€NPRM,€we€proposed€to€exempt€health€care€clearinghouses€from€certain€provisions€of€the€regulation€that€deal€with€theÐ XX Ðcovered€entities'€notice€of€information€practices€and€consumers'€rights€to€inspect,€copy,€and€amend€their€records.€The€rationale€for€this€exemption€was€based€on€our€beliefÐ RR Ðthat€health€care€clearinghouses€engage€primarily€in€business-to-business€transactions€and€do€not€initiate€or€maintain€direct€relationships€with€individuals.€We€proposed€thisÐ L L  Ðposition€with€the€caveat€that€the€exemptions€would€be€void€for€any€health€care€clearinghouse€that€had€direct€contact€with€individuals€in€a€capacity€other€than€that€of€aÐ F F  Ðbusiness€partner.€In€addition,€we€indicated€that,€in€most€instances,€clearinghouses€also€would€be€considered€business€partners€under€this€rule€and€would€be€bound€by€theirÐ @ @  Ðcontracts€with€covered€plans€and€providers.€They€also€would€be€subject€to€the€notice€of€information€practices€developed€by€the€plans€and€providers€with€whom€theyÐ : :  Ðcontract.Ð 4 4  ÐCommenters€stated€that,€although€health€care€clearinghouses€do€not€have€direct€contact€with€individuals,€they€do€have€individually€identifiable€health€information€that€mayÐ     Ðbe€subject€to€misuse€or€inappropriate€disclosure.€They€expressed€concern€that€we€were€proposing€to€exempt€health€care€clearinghouses€from€all€or€many€aspects€of€theÐ   Ðregulation.€These€commenters€suggested€that€we€either€delete€the€exemption€or€make€it€very€narrow,€specific€and€explicit€in€the€final€regulatory€text.Ð þþ  ÐClearinghouse€commenters,€on€the€other€hand,€were€in€agreement€with€our€proposal,€including€the€exemption€provision€and€the€provision€that€the€exemption€is€voidedÐ ÔÔ Ðwhen€the€entity€does€have€direct€contact€with€individuals.€They€also€stated€that€a€health€care€clearinghouse€that€has€a€direct€contact€with€individuals€is€no€longer€a€healthÐ ÎÎ Ðcare€clearinghouse€as€defined€and€should€be€subject€to€all€requirements€of€the€regulation.Ð ÈÈ ÐòòResponse:óó€In€the€final€rule,€where€a€clearinghouse€creates€or€receives€protected€health€information€as€a€business€associate€of€another€covered€entity,€we€maintain€theÐ žž Ðexemption€for€health€care€clearinghouses€from€certain€provisions€of€the€regulation€dealing€with€the€notice€of€information€practices€and€patient's€direct€access€rights€toÐ ˜˜ Ðinspect,€copy€and€amend€records€(ðððð€164.524€and€164.526),€on€the€grounds€that€a€health€care€clearinghouse€is€engaged€in€business-to-business€operations,€and€is€notÐ ’’ Ðdealing€directly€with€individuals.€Moreover,€as€business€associates€of€plans€and€providers,€health€care€clearinghouses€are€bound€by€the€notices€of€information€practices€ofÐ ŒŒ Ðthe€covered€entities€with€whom€they€contract.Ð †† ÐWhere€a€health€care€clearinghouse€creates€or€receives€protected€health€information€other€than€as€a€business€associate,€however,€it€must€comply€with€all€the€standards,Ð \\ Ðrequirements,€and€implementation€specifications€of€the€rule.€We€describe€and€delimit€the€exact€nature€of€the€exemption€in€the€regulatory€text.€See€ðð€164.500(b).€We€willÐ VV Ðmonitor€developments€in€this€sector€should€the€basic€business-to-business€relationship€change.Ð PP ÐòòComment:€óóA€number€of€comments€relate€to€the€proposed€definition€of€health€care€clearinghouse.€Many€commenters€suggested€that€we€expand€the€definition.€TheyÐ & &  Ðsuggested€that€additional€types€of€entities€be€included€in€the€definition€of€health€care€clearinghouse,€specifically€medical€transcription€services,€billing€services,€codingÐ  ! ! Ðservices,€and€"intermediaries."€One€commenter€suggested€that€the€definition€be€expanded€to€add€entities€that€receive€standard€transactions,€process€them€and€clean€themÐ "" Ðup,€and€then€send€them€on,€without€converting€them€to€any€standard€format.€Another€commenter€suggested€that€the€health€care€clearinghouse€definition€be€expanded€toÐ ## Ðinclude€entities€that€do€not€perform€translation€but€may€receive€protected€health€information€in€a€standard€format€and€have€access€to€that€information.€Another€commenterÐ $$ Ðstated€that€the€list€of€covered€entities€should€include€any€organization€that€receives€or€maintains€individually€identifiable€health€information.€One€organization€recommendedÐ %% Ðthat€we€expand€the€health€care€clearinghouse€definition€to€include€the€concept€of€a€research€data€clearinghouse,€which€would€collect€individually€identifiable€healthÐ && Ðinformation€from€other€covered€entities€to€generate€research€data€files€for€release€as€de-identified€data€or€with€appropriate€confidentiality€safeguards.€One€commenterÐ ü&ü&  Ðstated€that€HHS€had€gone€beyond€Congressional€intent€by€including€billing€services€in€the€definition.Ð ö'ö'! ÐòòResponse:óó€We€cannot€expand€the€definition€of€"health€care€clearinghouse"€to€cover€entities€not€covered€by€the€definition€of€this€term€in€the€statute.€In€the€final€regulation,Ð Ì)Ì)" Ðwe€make€a€number€of€changes€to€address€public€comments€relating€to€definition.€We€modify€the€definition€of€health€care€clearinghouse€to€conform€to€the€definitionÐ Æ*Æ*# Ðpublished€in€the€Transactions€Rule€(with€the€addition€of€a€few€words,€as€noted€above).€We€clarify€in€the€preamble€that,€while€the€term€"health€care€clearinghouse"€may€haveÐ À+À+$ Ðother€meanings€and€connotations€in€other€contexts,€for€purposes€of€this€regulation€an€entity€is€considered€a€health€care€clearinghouse€only€to€the€extent€that€it€actually€meetsÐ º,º,% Ðthe€criteria€in€our€definition.€Entities€performing€other€functions€but€not€meeting€the€criteria€for€a€health€care€clearinghouse€are€not€clearinghouses,€although€they€may€beÐ ´-´-& Ðbusiness€associates.€Billing€services€are€included€in€the€regulatory€definition€of€"health€care€clearinghouse,"€if€they€perform€the€specified€clearinghouse€functions.€AlthoughÐ ®.®.' Ðwe€have€not€added€or€deleted€any€entities€from€our€original€definition,€we€will€monitor€industry€practices€and€may€add€other€entities€in€the€future€as€changes€occur€in€theÐ ¨/¨/( Ðhealth€system.Ð ¢0¢0) ÐòòComment:óó€Several€commenters€suggested€that€we€clarify€that€an€entity€acting€solely€as€a€conduit€through€which€individually€identifiable€health€information€is€transmitted€orÐ x2x2* Ðthrough€which€protected€health€information€flows€but€is€not€stored€is€not€a€covered€entity,€e.g.,€a€telephone€company€or€Internet€Service€Provider.€Other€commentersÐ ÜÜ Ðindicated€that€once€a€transaction€leaves€a€provider€or€plan€electronically,€it€may€flow€through€several€entities€before€reaching€a€clearinghouse.€They€asked€that€theÐ ÖÖ Ðregulation€protect€the€information€in€that€interim€stage,€just€as€the€security€NPRM€established€a€chain€of€trust€arrangement€for€such€a€network.€Others€noted€that€theseÐ ÐÐ Ð"conduit"€entities€are€likely€to€be€business€partners€of€the€provider,€clearinghouse€or€plan,€and€we€should€clarify€that€they€are€subject€to€business€partner€obligations€as€inÐ ÊÊ Ðthe€proposed€Security€Rule.Ð ÄÄ ÐòòResponse:óó€We€clarify€that€entities€acting€as€simple€and€routine€communications€conduits€and€carriers€of€information,€such€as€telephone€companies€and€Internet€ServiceÐ šš ÐProviders,€are€not€clearinghouses€as€defined€in€the€rule€unless€they€carry€out€the€functions€outlined€in€our€definition.€Similarly,€we€clarify€that€value€added€networks€andÐ ”” Ðswitches€are€not€health€care€clearinghouses€unless€they€carry€out€the€functions€outlined€in€the€definition,€and€clarify€that€such€entities€may€be€business€associates€if€they€meetÐ ŽŽ Ðthe€definition€in€the€regulation.Ð ˆ ˆ  ÐòòComment:óó€Several€commenters,€including€the€large€clearinghouses€and€their€trade€associations,€suggested€that€we€not€treat€health€care€clearinghouses€as€playing€a€dualÐ ^ ^  Ðrole€as€covered€entity€and€business€partner€in€the€final€rule€because€such€a€dual€role€causes€confusion€as€to€which€rules€actually€apply€to€clearinghouses.€In€their€view,€theÐ X X  Ðdefinition€of€health€care€clearinghouse€is€sufficiently€clear€to€stand€alone€and€identify€a€health€care€clearinghouse€as€a€covered€entity,€and€allows€health€care€clearinghousesÐ R R  Ðto€operate€under€one€consistent€set€of€rules.€òòResponse:óó€For€reasons€explained€in€ðð€164.504€of€this€preamble,€we€do€not€create€an€exception€to€the€business€associateÐ LL  Ðrequirements€when€the€business€associate€is€also€a€covered€entity.€We€retain€the€concept€that€a€health€care€clearinghouse€may€be€a€covered€entity€and€a€business€associateÐ FF  Ðof€a€covered€entity€under€the€regulation.€As€business€associates,€they€would€be€bound€by€their€contracts€with€covered€plans€and€providers.Ð @@ ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\®ÝÝ  ÝòòHealth€Care€Provideróó.݃jÚ\®øÝÔ ÔàԌР ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€One€commenter€pointed€out€that€the€preamble€referred€to€the€obligations€of€providers€and€did€not€use€the€term,€"covered€entity,"€and€thus€created€ambiguityÐ ìì Ðabout€the€obligations€of€health€care€providers€who€may€be€employed€by€persons€other€than€covered€entities,€e.g.,€pharmaceutical€companies.€It€was€suggested€that€aÐ ææ Ðbetter€reading€of€the€statute€and€rule€is€that€where€neither€the€provider€nor€the€company€is€a€covered€entity,€the€rule€does€not€impose€an€obligation€on€either€theÐ àà Ðprovider-employee€or€the€employer.Ð ÚÚ ÐòòResponse:óó€We€agree.€We€use€the€term€"covered€entity"€whenever€possible€in€the€final€rule,€except€for€the€instances€where€the€final€rule€treats€the€entities€differently,€orÐ °° Ðwhere€use€of€the€term€"health€care€provider"€is€necessary€for€purposes€of€illustrating€an€example.Ð ªª ÐòòComment:óó€Several€commenters€stated€that€the€proposal's€definition€was€broad,€unclear,€and/or€confusing.€Further,€we€received€many€comments€requesting€clarification€asÐ €€ Ðto€whether€specific€entities€or€persons€were€"health€care€providers"€for€the€purposes€of€our€rule.€One€commenter€questioned€whether€affiliated€members€of€a€health€careÐ zz Ðgroup€(even€though€separate€legal€entities)€would€be€considered€as€one€primary€health€care€provider.Ð tt ÐòòResponse:óó€We€permit€legally€distinct€covered€entities€that€share€common€ownership€or€control€to€designate€themselves€together€to€be€a€single€covered€entity.€SuchÐ JJ Ðorganizations€may€promulgate€a€single€shared€notice€of€information€practices€and€a€consent€form.€For€more€detailed€information,€see€the€preamble€discussion€of€ððÐ D D  Ð164.504(d).Ð >!>! ÐWe€understand€the€need€for€additional€guidance€on€whether€specific€entities€or€persons€are€health€care€providers€under€the€final€rule.€We€provide€guidance€below€and€willÐ ## Ðprovide€additional€guidance€as€the€rule€is€implemented.Ð $$ ÐòòComment:óó€One€commenter€observed€that€sections€1171(3),€1861(s)€and€1861(u)€of€the€Act€do€not€include€pharmacists€in€the€definition€of€health€care€provider€orÐ ä%ä% Ðpharmacist€services€in€the€definition€of€"medical€or€other€health€services,"€and€questioned€whether€pharmacists€were€covered€by€the€rule.Ð Þ&Þ& ÐòòResponse:óó€The€statutory€definition€of€"health€care€provider"€at€section€1171(3)€includes€"any€other€person€or€organization€who€furnishes,€bills,€or€is€paid€for€health€care€inÐ ´(´(  Ðthe€normal€course€of€business."€Pharmacists'€services€are€clearly€within€this€statutory€definition€of€"health€care."€There€is€no€basis€for€excluding€pharmacists€who€meet€theseÐ ®)®)! Ðstatutory€criteria€from€this€regulation€.Ð ¨*¨*" ÐòòComment:óó€Some€commenters€recommended€that€the€scope€of€the€definition€be€broadened€or€clarified€to€cover€additional€persons€or€organizations.€Several€commentersÐ ~,~,# Ðargued€for€expanding€the€reach€of€the€health€care€provider€definition€to€cover€entities€such€as€state€and€local€public€health€agencies,€maternity€support€services€(providedÐ x-x-$ Ðby€nutritionists,€social€workers,€and€public€health€nurses€and€the€Special€Supplemental€Nutrition€Program€for€Women,€Infants€and€Children),€and€those€companies€thatÐ r.r.% Ðconduct€cost-effectiveness€reviews,€risk€management,€and€benchmarking€studies.€One€commenter€queried€whether€auxiliary€providers€such€as€child€play€therapists,€andÐ l/l/& Ðspeech€and€language€therapists€are€considered€to€be€health€care€providers.€Other€commenters€questioned€whether€"alternative"€or€"complementary"€providers,€such€asÐ f0f0' Ðâ ânaturopathic€physicians€and€acupuncturists€would€be€considered€health€care€providers€covered€by€the€rule.Ð `1`1( ÐòòResponse:óó€As€with€other€aspects€of€this€rule,€we€do€not€define€"health€care€provider"€based€on€the€title€or€label€of€the€professional.€The€professional€activities€of€theseÐ ÜÜ Ðâ âkinds€of€providers€vary;€a€person€is€a€"health€care€provider"€if€those€activities€are€consistent€with€the€rule's€definition€of€"health€care€provider."€Thus,€health€care€providersÐ ÖÖ Ðinclude€persons,€such€as€those€noted€by€the€commenters,€to€the€extent€that€they€meet€the€definition.€We€note€that€health€care€providers€are€only€subject€to€this€rule€if€theyÐ ÐÐ Ðconduct€certain€transactions.€See€the€definition€of€"covered€entity."Ð ÊÊ ÐHowever€companies€that€conduct€cost-effectiveness€reviews,€risk€management,€and€benchmarking€studies€are€not€health€care€providers€for€the€purposes€of€this€rule€unlessÐ    Ðthey€perform€other€functions€that€meet€the€definition.€These€entities€would€be€business€associates€if€they€perform€such€activities€on€behalf€of€a€covered€entity.Ð šš ÐòòComment:óó€Another€commenter€recommended€that€the€Secretary€expand€the€definition€of€health€care€provider€to€cover€health€care€providers€who€transmit€or€"or€receive"Ð pp Ðany€health€care€information€in€electronic€form.Ð j j  ÐòòResponse:óó€We€do€not€accept€this€suggestion.€Section€1172(a)(3)€states€that€providers€that€"transmit"€health€information€in€connection€with€one€of€the€HIPAA€transactionsÐ @ @  Ðare€covered,€but€does€not€use€the€term€"receive"€or€a€similar€term.Ð : :  ÐòòComment:óó€Some€comments€related€to€online€companies€as€health€care€providers€and€covered€entities.€One€commenter€argued€that€there€was€no€reason€"why€an€InternetÐ   Ðpharmacy€should€not€also€be€covered"€by€the€rule€as€a€health€care€provider.€Another€commenter€stated€that€online€health€care€service€and€content€companies,€includingÐ     Ðonline€medical€record€companies,€should€be€covered€by€the€definition€of€health€care€provider.€Another€commenter€pointed€out€that€the€definitions€of€covered€entities€coverÐ   Ð"Internet€providers€who€'bill'€or€are€'paid'€for€health€care€services€or€supplies,€but€not€those€who€finance€those€services€in€other€ways,€such€as€through€sale€of€identifiableÐ þþ  Ðhealth€information€or€advertising."€It€was€pointed€out€that€thousands€of€Internet€sites€use€information€provided€by€individuals€who€access€the€sites€for€marketing€or€otherÐ øø Ðpurposes.Ð òò ÐòòResponse:óó€We€agree€that€online€companies€are€covered€entities€under€the€rule€if€they€otherwise€meet€the€definition€of€health€care€provider€or€health€plan€and€satisfy€theÐ ÈÈ Ðother€requirements€of€the€rule,€i.e.,€providers€must€also€transmit€health€information€in€electronic€form€in€connection€with€a€HIPAA€transaction.€We€restate€here€the€languageР Ðin€the€preamble€to€the€proposed€rule€that€"An€individual€or€organization€that€bills€and/or€is€paid€for€health€care€services€or€supplies€in€the€normal€course€of€business,€suchÐ ¼¼ Ðas...an€'online'€pharmacy€accessible€on€the€Internet,€is€also€a€health€care€provider€for€purposes€of€this€statute"€(64€FR€59930).Ð ¶¶ ÐòòComment:óó€We€received€many€comments€related€to€the€reference€to€"health€clinic€or€licensed€health€care€professional€located€at€a€school€or€business€in€the€preamble'sÐ ŒŒ Ðdiscussion€of€"health€care€provider."€It€was€stated€that€including€"licensed€health€care€professionals€located€at€a€school€or€business"€highlights€the€need€for€these€individualsÐ †† Ðto€understand€they€have€the€authority€to€disclose€information€to€the€Social€Security€Administration€(SSA)€without€authorization.Ð €€ ÐHowever,€several€commenters€urged€HHS€to€create€an€exception€for€or€delete€that€reference€in€the€preamble€discussion€to€primary€and€secondary€schools€because€ofÐ VV Ðemployer€or€business€partner€relationships.€One€federal€agency€suggested€that€the€reference€"licensed€health€care€professionals€located€at€a€[school]"€be€deleted€from€theÐ PP Ðpreamble€because€the€definition€of€health€care€provider€does€not€include€a€reference€to€schools.€The€commenter€also€suggested€that€the€Secretary€consider:€addingÐ JJ Ðlanguage€to€the€preamble€to€clarify€that€the€rules€do€not€apply€to€clinics€or€school€health€care€providers€that€only€maintain€records€that€have€been€excepted€from€theÐ D D  Ðdefinition€of€protected€health€information,€adding€an€exception€to€the€definition€of€covered€entities€for€those€schools,€and€limiting€paperwork€requirements€for€these€schools.Ð >!>! ÐAnother€commenter€argued€for€deleting€references€to€schools€because€the€proposed€rule€appeared€to€supersede€or€create€ambiguity€as€to€the€Family€Educational€RightsÐ 8"8" Ðand€Privacy€Act€(FERPA),€which€gives€parents€the€right€to€access€"education"€and€health€records€of€their€unemancipated€minor€children.€However,€in€contrast,€oneÐ 2#2# Ðcommenter€supported€the€inclusion€of€health€care€professionals€who€provide€services€at€schools€or€businesses.Ð ,$,$ ÐòòResponse:óó€We€realize€that€our€discussion€of€schools€in€the€NPRM€may€have€been€confusing.€Therefore,€we€address€these€concerns€and€set€forth€our€policy€regardingÐ && Ðprotected€health€information€in€educational€agencies€and€institutions€in€the€"Relationship€to€Other€Federal€Laws"€discussion€of€FERPA,€above.Ð ü&ü&  ÐòòComment:óó€Many€commenters€urged€that€direct€contact€with€the€patient€be€necessary€for€an€entity€to€be€considered€a€health€care€provider.€Commenters€suggested€thatÐ Ò(Ò(! Ðpersons€and€organizations€that€are€remote€to€the€patient€and€have€no€direct€contact€should€not€be€considered€health€care€providers.€Several€commenters€argued€that€theÐ Ì)Ì)" Ðdefinition€of€health€care€provider€covers€a€person€that€provides€health€care€services€or€supplies€only€when€the€provider€furnishes€to€or€bills€the€patient€directly.€It€wasÐ Æ*Æ*# Ðstated€that€the€Secretary€did€not€intend€that€manufacturers,€such€as€pharmaceutical,€biologics,€and€device€manufacturers,€health€care€suppliers,€medical-surgical€supplyÐ À+À+$ Ðdistributors,€health€care€vendors€that€offer€medical€record€documentation€templates€and€that€typically€do€not€deal€directly€with€the€patient,€be€considered€health€careÐ º,º,% Ðproviders€and€thus€covered€entities.€However,€in€contrast,€one€commenter€argued€that,€as€an€in€vitro€diagnostics€manufacturer,€it€should€be€covered€as€a€health€careÐ ´-´-& Ðprovider.Ð ®.®.' ÐòòResponse:óó€We€disagree€with€the€comments€that€urged€that€direct€dealings€with€an€individual€be€a€prerequisite€to€meeting€the€definition€of€health€care€provider.€ManyÐ „0„0( Ðproviders€included€in€the€statutory€definition€of€provider,€such€as€clinical€labs,€do€not€have€direct€contact€with€patients.€Further,€the€use€and€disclosure€of€protected€healthÐ ~1~1) Ðinformation€by€indirect€treatment€providers€can€have€a€significant€effect€on€individuals'€privacy.€We€acknowledge,€however,€that€providers€who€treat€patients€only€indirectlyÐ x2x2* Ðneed€not€have€the€full€array€of€responsibilities€as€direct€treatment€providers,€and€modify€the€NPRM€to€make€this€distinction€with€respect€to€several€provisions€(see,€forÐ ÜÜ Ðexample€ðð€164.506€regarding€consent).€We€also€clarify€that€manufacturers€and€health€care€suppliers€who€are€considered€providers€by€Medicare€are€providers€under€thisÐ ÖÖ Ðrule.Ð ÐÐ ÐòòComment:óó€Some€commenters€suggested€that€blood€centers€and€plasma€donor€centers€that€collect€and€distribute€source€plasma€not€be€considered€covered€health€careÐ ¦¦ Ðproviders€because€the€centers€do€not€provide€"health€care€services"€and€the€blood€donors€are€not€"patients"€seeking€health€care.€Similarly,€commenters€expressed€concernÐ    Ðthat€organ€procurement€organizations€might€be€considered€health€care€providers.Ð šš ÐòòResponse:óó€We€agree€and€have€deleted€from€the€definition€of€"health€care"€the€term€"procurement€or€banking€of€blood,€sperm,€organs,€or€any€other€tissue€for€administrationÐ pp Ðto€patients."€See€prior€discussion€under€"health€care."Ð j j  ÐòòComment:óó€Several€commenters€proposed€to€restrict€coverage€to€only€those€providers€who€furnished€and€were€paid€for€services€and€supplies.€It€was€argued€that€aÐ @ @  Ðsalaried€employee€of€a€covered€entity,€such€as€a€hospital-based€provider,€should€not€be€covered€by€the€rule€because€that€provider€would€be€subject€both€directly€to€theÐ : :  Ðrule€as€a€covered€entity€and€indirectly€as€an€employee€of€a€covered€entity.Ð 4 4  ÐòòResponse:óó€The€"dual"€direct€and€indirect€situation€described€in€these€comments€can€arise€only€when€a€health€care€provider€conducts€standard€HIPAA€transactions€both€forÐ     Ðitself€and€for€its€employer.€For€example,€when€the€services€of€a€provider€such€as€a€hospital-based€physician€are€billed€through€a€standard€HIPAA€transaction€conductedÐ   Ðfor€the€employer,€in€this€example€the€hospital,€the€physician€does€not€become€a€covered€provider.€Only€when€the€provider€uses€a€standard€transaction€on€its€own€behalfÐ þþ  Ðdoes€he€or€she€become€a€covered€health€care€provider.€Thus,€the€result€is€typically€as€suggested€by€this€commenter.€When€a€hospital-based€provider€is€not€paid€directly,Ð øø Ðthat€is,€when€the€standard€HIPAA€transaction€is€not€on€its€behalf,€it€will€not€become€a€covered€provider.Ð òò ÐòòComment:óó€Other€commenters€argued€that€an€employer€who€provides€health€care€services€to€its€employees€for€whom€it€neither€bills€the€employee€nor€pays€for€the€healthÐ ÈÈ Ðcare€should€not€be€considered€health€care€providers€covered€by€the€proposed€rule.Р ÐòòResponse:óó€We€clarify€that€the€employer€may€be€a€health€care€provider€under€the€rule,€and€may€be€covered€by€the€rule€if€it€conducts€standard€transactions.€The€provisionsÐ ˜˜ Ðof€ðð€164.504€may€also€apply.Ð ’’ ÐòòComment:€óóSome€commenters€were€confused€about€the€preamble€statement:€"in€order€to€implement€the€principles€in€the€Secretary's€Recommendations,€we€must€imposeÐ hh Ðany€protections€on€the€health€care€providers€that€use€and€disclose€the€information,€rather€than€on€the€researcher€seeking€the€information,"€with€respect€to€the€rule's€policyÐ bb Ðthat€a€researcher€who€provides€care€to€subjects€in€a€trial€will€be€considered€a€health€care€provider.€Some€commenters€were€also€unclear€about€whether€the€individualÐ \\ Ðresearcher€providing€health€care€to€subjects€in€a€trial€would€be€considered€a€health€care€provider€or€whether€the€researcher's€home€institution€would€be€considered€a€healthÐ VV Ðcare€provider€and€thus€subject€to€the€rule.Ð PP ÐòòResponse:€óóWe€clarify€that,€in€general,€a€researcher€is€also€a€health€care€provider€if€the€researcher€provides€health€care€to€subjects€in€a€clinical€research€study€and€otherwiseÐ & &  Ðmeets€the€definition€of€"health€care€provider"€under€the€rule.€However,€a€health€care€provider€is€only€a€covered€entity€and€subject€to€the€rule€if€that€provider€conductsÐ  ! ! Ðstandard€transactions.€With€respect€to€the€above€preamble€statement,€we€meant€that€our€jurisdiction€under€the€statute€is€limited€to€covered€entities.€Therefore,€we€cannotÐ "" Ðapply€any€restrictions€or€requirements€on€a€researcher€in€that€person's€role€as€a€researcher.€However,€if€a€researcher€is€also€a€health€care€provider€that€conducts€standardÐ ## Ðtransactions,€that€researcher/provider€is€subject€to€the€rule€with€regard€to€its€provider€activities.Ð $$ ÐAs€to€applicability€to€a€researcher/provider€versus€the€researcher's€home€institution,€we€provide€the€following€guidance.€The€rule€applies€to€the€researcher€as€a€coveredÐ ä%ä% Ðentity€if€the€researcher€is€a€health€care€provider€who€conducts€standard€transactions€for€services€on€his€or€her€own€behalf,€regardless€of€whether€he€or€she€is€part€of€aÐ Þ&Þ& Ðlarger€organization.€However,€if€the€services€and€transactions€are€conducted€on€behalf€of€the€home€institution,€then€the€home€institution€is€the€covered€entity€for€purposes€ofÐ Ø'Ø'  Ðthe€rule€and€the€researcher/provider€is€a€workforce€member,€not€a€covered€entity.Ð Ò(Ò(! ÐòòComment:óó€One€commenter€expressed€confusion€about€those€instances€when€a€health€care€provider€was€a€covered€entity€one€day,€and€one€who€"works€under€a€contract"Ð ¨*¨*" Ðfor€a€manufacturer€the€next€day.Ð ¢+¢+# ÐòòResponse:óó€If€persons€are€covered€under€the€rule€in€one€role,€they€are€not€necessarily€covered€entities€when€they€participate€in€other€activities€in€another€role.€For€example,Ð x-x-$ Ðthat€person€could€be€a€covered€health€care€provider€in€a€hospital€one€day€but€the€next€day€read€research€records€for€a€different€employer.€In€its€role€as€researcher,€theÐ r.r.% Ðperson€is€not€covered,€and€protections€do€not€apply€to€those€research€records.Ð l/l/& ÐòòComment:óó€One€commenter€suggested€that€the€Secretary€modify€proposed€ðð€160.102,€to€add€the€following€clause€at€the€end€(after€(c))€(regarding€health€care€provider),Ð B1B1' Ð"With€respect€to€any€entity€whose€òòprimaryóóbusiness€is€not€that€of€a€health€plan€or€health€care€provider€licensed€under€the€applicable€laws€of€any€state,€the€standards,Ð <2<2( Ðrequirements,€and€implementation€specifications€of€this€subchapter€shall€apply€solely€to€the€component€of€the€entity€that€engages€in€the€transactions€specified€in€[ðð]Ð ÜÜ Ð160.103."€(Emphasis€added.)€Another€commenter€also€suggested€that€the€definition€of€"covered€entity"€be€revised€to€mean€entities€that€are€"primarily€or€exclusivelyÐ ÖÖ Ðengaged€in€health€care-related€activities€as€a€health€plan,€health€care€provider,€or€health€care€clearinghouse."Ð ÐÐ ÐòòResponse:óó€The€Secretary€rejects€these€suggestions€because€they€will€impermissibly€limit€the€entities€covered€by€the€rule.€An€entity€that€is€a€health€plan,€health€careÐ ¦¦ Ðprovider,€or€health€care€clearinghouse€meets€the€statutory€definition€of€covered€entity€regardless€of€how€much€time€is€devoted€to€carrying€out€health€care-related€functions,Ð    Ðor€regardless€of€what€percentage€of€their€total€business€applies€to€health€care-related€functions.Ð šš ÐòòComment:óó€Several€commenters€sought€to€distinguish€a€health€care€provider€from€a€business€partner€as€proposed€in€the€NPRM.€For€example,€a€number€of€commentersÐ pp Ðargued€that€disease€managers€that€provide€services€"on€behalf€of"€health€plans€and€health€care€providers,€and€case€managers€(a€variation€of€a€disease€management€service)Ð j j  Ðare€business€partners€and€not€"health€care€providers."€Another€commenter€argued€that€a€disease€manager€should€be€recognized€(presumably€as€a€covered€entity)€becauseÐ d d  Ðof€its€involvement€from€the€physician-patient€level€through€complex€interactions€with€health€care€providers.Ð ^ ^  ÐòòResponse:óó€To€the€extent€that€a€disease€or€case€manager€provides€services€on€behalf€of€or€to€a€covered€entity€as€described€in€the€rule's€definition€of€business€associate,€theÐ 4 4  Ðdisease€or€case€manager€is€a€business€associate€for€purposes€of€this€rule.€However,€if€services€provided€by€the€disease€or€case€manager€meet€the€definition€of€treatmentÐ ..  Ðand€the€person€otherwise€meets€the€definition€of€"health€care€provider,"€such€a€person€is€a€health€care€provider€for€purposes€of€this€rule.Ð ((  ÐòòComment:óó€One€commenter€argued€that€pharmacy€employees€who€assist€pharmacists,€such€as€technicians€and€cashiers,€are€not€business€partners.Ð þþ  ÐòòResponse:óó€We€agree.€Employees€of€a€pharmacy€that€is€a€covered€entity€are€workforce€members€of€that€covered€entity€for€purposes€of€this€rule.Ð ÔÔ ÐòòComment:óó€A€number€of€commenters€requested€that€we€clarify€the€definition€of€health€care€provider€("...who€furnishes,€bills,€or€is€paid€for€health€care€services€or€suppliesÐ ªª Ðin€the€normal€course€of€business")€by€defining€the€various€terms€"furnish",€"supply",€and€"in€the€normal€course€of€business."€For€instance,€it€was€stated€that€this€would€helpÐ ¤¤ Ðemployers€recognize€when€services€such€as€an€employee€assistance€program€constituted€health€care€covered€by€the€rule.Ð žž ÐòòResponse:óó€Although€we€understand€the€concern€expressed€by€the€commenters,€we€decline€to€follow€their€suggestion€to€define€terms€at€this€level€of€specificity.€These€termsÐ tt Ðare€in€common€use€today,€and€an€attempt€at€specific€definition€would€risk€the€inadvertent€creations€of€conflict€with€industry€practices.€There€is€a€significant€variation€in€theÐ nn Ðway€employers€structure€their€employee€assistance€programs€(EAPs)€and€the€type€of€services€that€they€provide.€If€the€EAP€provides€direct€treatment€to€individuals,€it€mayÐ hh Ðbe€a€health€care€provider.Ð bb ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\,mÝÝ  ÝòòHealth€Informationóó.݃jÚ\,mvmÝÔ Ô^mԌР88 ЌԀiXþíXXiXþíÔó óÝ  ÝThe€response€to€comments€on€health€information€is€included€in€the€response€to€comments€on€individually€identifiable€health€information,€in€the€preamble€discussion€of€ððÐ  Ð164.501.Ð    ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\÷nÝÝ  ÝòòHealth€Planóó.݃jÚ\÷nAoÝÔ Ô)oԌРÞ!Þ! ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€One€commenter€suggested€that€to€eliminate€any€ambiguity,€the€Secretary€should€clarify€that€the€catch-all€category€under€the€definition€of€health€plan€includesÐ ´#´# Ð"24-hour€coverage€plans"€(whether€insured€or€self-insured)€that€integrate€traditional€employee€health€benefits€coverage€and€workers'€compensation€coverage€for€theÐ ®$®$ Ðtreatment€of€on-the-job€injuries€and€illnesses€under€one€program.€It€was€stated€that€this€clarification€was€essential€if€the€Secretary€persisted€in€excluding€workers'Ð ¨%¨% Ðcompensation€from€the€final€rule.Ð ¢&¢& ÐòòResponse:óó€We€understand€concerns€that€such€plans€may€use€and€disclose€individually€identifiable€health€information.€We€therefore€clarify€that€to€the€extent€that€24-hourÐ x(x( Ðcoverage€plans€have€a€health€care€component€that€meets€the€definition€of€"health€plan"€in€the€final€rule,€such€components€must€abide€by€the€provisions€of€the€final€rule.€InÐ r)r) Ðthe€final€rule,€we€have€added€a€new€provision€to€ðð€164.512€that€permits€covered€entities€to€disclose€information€under€workers'€compensation€and€similar€laws.€A€healthÐ l*l*  Ðplan€that€is€a€24-hour€plan€is€permitted€to€make€disclosures€as€necessary€to€comply€with€such€laws.Ð f+f+! ÐòòComment:óó€A€number€of€commenters€urged€that€certain€types€of€insurance€entities,€such€as€workers'€compensation€and€automobile€insurance€carriers,€property€andÐ <-<-" Ðcasualty€insurance€health€plans,€and€certain€forms€of€limited€benefits€coverage,€be€included€in€the€definition€of€"health€plan."€It€was€argued€that€consumers€deserve€the€sameÐ 6.6.# Ðprotection€with€respect€to€their€health€information,€regardless€of€the€entity€using€it,€and€that€it€would€be€inequitable€to€subject€health€insurance€carriers€to€more€stringentÐ 0/0/$ Ðstandards€than€other€types€of€insurers€that€use€individually€identifiable€health€information.Ð *0*0% ÐòòResponse:óó€The€Congress€did€not€include€these€programs€in€the€definition€of€a€"health€plan"€under€section€1171€of€the€Act.€Further,€HIPAA's€legislative€history€shows€thatÐ 22& Ðthe€House€Report's€(H.€Rep.€104-496)€definition€of€"health€plan"€originally€included€certain€benefit€programs,€such€as€workers'€compensation€and€liability€insurance,€butÐ ÜÜ Ðwas€later€amended€to€clarify€the€definition€and€remove€these€programs.€Thus,€since€the€statutory€definition€of€a€health€plan€both€on€its€face€and€through€legislative€historyÐ ÖÖ Ðevidence€Congress'€intention€to€exclude€such€programs,€we€do€not€have€the€authority€to€require€that€these€programs€comply€with€the€standards.€We€have€added€explicitÐ ÐÐ Ðlanguage€to€the€final€rule€which€excludes€the€excepted€benefit€programs,€as€defined€in€section€2971(c)(1)€of€the€PHS€Act,€42€U.S.C.€300gg-91(c)(1).Ð ÊÊ ÐòòComment:óó€Some€commenters€urged€HHS€to€include€entities€such€as€stop€loss€insurers€and€reinsurers€in€the€definition€of€"health€plan."€It€was€observed€that€such€entitiesÐ    Ðhave€come€to€play€important€roles€in€managed€care€delivery€systems.€They€asserted€that€increasingly,€capitated€health€plans€and€providers€contract€with€their€reinsurersÐ šš Ðand€stop€loss€carriers€to€medically€manage€their€high€cost€outlier€cases€such€as€organ€and€bone€marrow€transplants,€and€therefore€should€be€specifically€cited€as€subject€toÐ ”” Ðthe€regulations.Ð ŽŽ ÐòòResponse:óó€Stop-loss€and€reinsurers€do€not€meet€the€statutory€definition€of€health€plan.€They€do€not€provide€or€pay€for€the€costs€of€medical€care,€as€described€in€theÐ d d  Ðstatute,€but€rather€insure€health€plans€and€providers€against€unexpected€losses.€Therefore,€we€cannot€include€them€as€health€plans€in€the€regulation.Ð ^ ^  ÐòòComment:óó€A€commenter€asserted€that€there€is€a€significant€discrepancy€between€the€effect€of€the€definition€of€"group€health€plan"€as€proposed€in€ðð€160.103,€and€theÐ 4 4  Ðanticipated€impact€in€the€cost€estimates€of€the€proposed€rule€at€64€FR€60014.€Paragraph€(1)€of€the€proposed€definition€of€"health€plan"€defined€a€"group€health€plan"€as€anÐ ..  ÐERISA-defined€employee€welfare€benefit€plan€that€provides€medical€care€and€that:€"(i)€Has€50€or€more€participants,ð  ðor(ii)€Is€administered€by€an€entity€other€than€theÐ ((  Ðemployer€that€established€and€maintains€the€plan[.]"€(emphasis€added)€According€to€this€commenter,€under€this€definition,€the€only€insured€or€self-insured€ERISA€plans€thatÐ ""  Ðwould€not€be€regulated€"health€plans"€would€be€those€that€have€less€than€50€participantsð  ðandare€self€administered.Ð  ÐThe€commenter€presumed€that€the€we€had€intended€to€exclude€from€the€definition€of€"health€plan"€(and€from€coverage€under€the€proposed€rule)€all€ERISA€plans€that€areÐ òò Ðsmall€(less€than€50€participants)ð  ðorare€administered€by€a€third€party,€whether€large€or€small,€based€on€the€statement€at€64€FR€60014,€note€18.€That€footnote€stated€that€theÐ ìì ÐDepartment€had€"not€included€the€3.9€million€'other'€employer-health€plans€listed€in€HCFA's€administrative€simplification€regulations€because€these€plans€are€administeredÐ ææ Ðby€a€third€party.€The€proposed€regulation€will€not€regulate€the€employer€plans€but€will€regulate€the€third€party€administrators€of€the€plan."€The€commenter€urged€us€not€toÐ àà Ðrepeat€the€statutory€definition,€and€to€adopt€the€policy€implied€in€the€footnote.Ð ÚÚ ÐòòResponse:óó€We€agree€with€the€commenter's€observation€that€footnote€18€(64€FR€60014)€was€inconsistent€with€the€proposed€definition.€We€erred€in€drafting€that€note.€TheÐ °° Ðdefinition€of€"group€health€plan"€is€adopted€from€the€statutory€definition€at€section€1171(5)(A),€and€excludes€from€the€rule€as€"health€plans"€only€the€few€insured€orÐ ªª Ðself-insured€ERISA€plans€that€have€less€than€50€participantsð  ðandare€self€administered.€We€reject€the€commenter's€proposed€change€to€the€definition€as€inconsistent€with€theÐ ¤¤ Ðstatute.Ð žž ÐòòComment:óó€A€number€of€insurance€companies€asked€that€long€term€care€insurance€policies€be€excluded€from€the€definition€of€"health€plan."€It€was€argued€that€such€policiesÐ tt Ðdo€not€provide€sufficiently€comprehensive€coverage€of€the€cost€of€medical€care,€and€are€limited€benefit€plans€that€provide€or€pay€for€the€cost€of€custodial€and€other€relatedÐ nn Ðservices€in€connection€with€a€long€term,€chronic€illness€or€disability.Ð hh ÐThese€commenters€asserted€that€HIPAA€recognizes€this€nature€of€long€term€care€insurance,€observing€that,€with€respect€to€HIPAA's€portability€requirements,€CongressÐ >!>! Ðenacted€a€series€of€exclusions€for€certain€defined€types€of€health€plan€arrangements€that€do€not€typically€provide€comprehensive€coverage.€They€maintained€that€CongressÐ 8"8" Ðrecognized€that€long€term€care€insurance€is€excluded,€so€long€as€it€is€not€a€part€of€a€group€health€plan.€Where€a€long€term€care€policy€is€offered€separately€from€a€groupÐ 2#2# Ðhealth€plan€it€is€considered€an€excepted€benefit€and€is€not€subject€to€the€portability€and€guarantee€issue€requirements€of€HIPAA.€Although€this€exception€does€not€appearÐ ,$,$ Ðin€the€Administrative€Simplification€provisions€of€HIPAA,€it€was€asserted€that€it€is€guidance€with€respect€to€the€treatment€of€long€term€care€insurance€as€a€limited€benefitÐ &%&% Ðcoverage€and€not€as€coverage€that€is€so€"sufficiently€comprehensive"€that€it€is€to€be€treated€in€the€same€manner€as€a€typical,€comprehensive€major€medical€health€planÐ  & &  Ðarrangement.Ð ''! ÐAnother€commenter€offered€a€different€perspective€observing€that€there€are€some€long-term€care€policies€that€do€not€pay€for€medical€care€and€therefore€are€not€"healthÐ ð(ð(" Ðplans."€It€was€noted€that€most€long-term€care€policies€are€reimbursement€policies-that€is,€they€reimburse€the€policyholder€for€the€actual€expenses€that€the€insured€incurs€forÐ ê)ê)# Ðlong-term€care€services.€To€the€extent€that€these€constitute€"medical€care,"€this€commenter€presumed€that€these€policies€would€be€considered€"health€plans."€OtherÐ ä*ä*$ Ðlong-term€care€policies,€they€pointed€out,€simply€pay€a€fixed€dollar€amount€when€the€insured€becomes€chronically€ill,€without€regard€to€the€actual€cost€of€any€long-term€careÐ Þ+Þ+% Ðservices€received,€and€thus€are€similar€to€fixed€indemnity€critical€illness€policies.€The€commenter€suggested€that€while€there€was€an€important€distinction€between€indemnityÐ Ø,Ø,& Ðbased€long-term€care€policies€and€expenses€based€long-term€care€policies,€it€may€be€wise€to€exclude€òòallóó€long-term€care€policies€from€the€scope€of€the€rule€to€achieveÐ Ò-Ò-' Ðconsistency€with€HIPAA.Ð Ì.Ì.( ÐòòResponse:óó€We€disagree.€The€statutory€language€regarding€long-term€care€policies€in€the€portability€title€of€HIPAA€is€different€from€the€statutory€language€regardingÐ ¢0¢0) Ðlong-term€care€policies€in€the€Administrative€Simplification€title€of€HIPAA.€Section€1171(5)(G)€of€the€Act€means€that€issuers€of€long-term€care€policies€are€consideredÐ œ1œ1* Ðhealth€plans€for€purposes€of€administrative€simplification.€We€also€interpret€the€statute€as€authorizing€the€Secretary€to€exclude€nursing€home€fixed-indemnity€policies,€not€allÐ –2–2+ Ðlong-term€care€policies,€from€the€definition€of€"health€plan,"€if€she€determines€that€these€policies€do€not€provide€"sufficiently€comprehensive€coverage€of€a€benefit"€to€beÐ ÜÜ Ðtreated€as€a€health€plan€(see€section€1171€of€the€Act).€We€interpret€the€term€"comprehensive"€to€refer€to€the€breadth€or€scope€of€coverage€of€a€policy.€"Comprehensive"Ð ÖÖ Ðpolicies€are€those€that€cover€a€range€of€possible€service€options.€Since€nursing€home€fixed€indemnity€policies€are,€by€their€own€terms,€limited€to€payments€made€solely€forÐ ÐÐ Ðnursing€facility€care,€we€have€determined€that€they€should€not€be€included€as€health€plans€for€the€purposes€of€the€HIPAA€regulations.€The€Secretary,€therefore,€explicitlyÐ ÊÊ Ðexcluded€nursing€home€fixed-indemnity€policies€from€the€definition€of€"health€plan"€in€the€Transactions€Rule,€and€this€exclusion€is€thus€reflected€in€this€final€rule.€Issuers€ofÐ ÄÄ Ðother€long-term€care€policies€are€considered€to€be€health€plans€under€this€rule€and€the€Transactions€Rule.Ð ¾¾ ÐòòComment:óó€One€commenter€was€concerned€about€the€potential€impact€of€the€proposed€regulations€on€"unfunded€health€plans,"€which€the€commenter€described€asÐ ”” Ðprograms€used€by€smaller€companies€to€provide€their€associates€with€special€employee€discounts€or€other€membership€incentives€so€that€they€can€obtain€health€care,Ð ŽŽ Ðincluding€prescription€drugs,€at€reduced€prices.€The€commenter€asserted€that€if€these€discount€and€membership€incentive€programs€were€covered€by€the€regulation,€manyÐ ˆ ˆ  Ðsmaller€employers€might€discontinue€offering€them€to€their€employees,€rather€than€deal€with€the€administrative€burdens€and€costs€of€complying€with€the€rule.Ð ‚ ‚  ÐòòResponse:óó€Only€those€special€employee€discounts€or€membership€incentives€that€are€"employee€welfare€benefit€plans"€as€defined€in€section€3(1)€of€the€EmployeeÐ X X  ÐRetirement€Income€Security€Act€of€1974,€29€U.S.C.€1002(1),€and€provide€"medical€care"€(as€defined€in€section€2791(a)(2)€of€the€Public€Health€Service€Act,€42€U.S.C.Ð R R  Ð300gg-91(a)(2)),€are€health€plans€for€the€purposes€of€this€rule.€Discount€or€membership€incentive€programs€that€are€not€group€health€plans€are€not€covered€by€the€rule.Ð LL  ÐòòComment:óó€Several€commenters€agreed€with€the€proposal€to€exclude€"excepted€benefits"€such€as€disability€income€insurance€policies,€fixed€indemnity€critical€illnessÐ ""  Ðpolicies,€and€per€diem€long-term€care€policies€from€the€definition€of€"health€plan,"€but€were€concerned€that€the€language€of€the€proposed€rule€did€not€fully€reflect€this€intent.Ð  ÐThey€asserted€that€clarification€was€necessary€in€order€to€avoid€confusion€and€costs€to€both€consumers€and€insurers.Ð  ÐOne€commenter€stated€that,€while€HHS€did€not€intend€for€the€rule€to€apply€to€every€type€of€insurance€coverage€that€paid€for€medical€care,€the€language€of€the€proposedÐ ìì Ðrule€did€not€bear€this€out.€The€problem,€it€was€asserted,€is€that€under€the€proposed€rule€any€insurance€policy€that€pays€for€"medical€care"€would€technically€be€a€"healthÐ ææ Ðplan."€It€was€argued€that€despite€the€statements€in€the€narrative,€there€are€no€provisions€that€would€exempt€any€of€the€"excepted€benefits"€from€the€definition€of€"healthÐ àà Ðcare."€It€was€stated€that:Although€(with€the€exception€of€long-term€care€insurance),€the€proposed€rule€does€not€include€the€'excepted€benefits'€in€its€list€of€sixteen€examplesÐ ÚÚ Ðof€a€health€plan€(proposed€45€CFR€160.104),€it€does€not€explicitly€exclude€them€either.€Because€these€types€of€policies€in€some€instances€pay€benefits€that€could€beÐ ÔÔ Ðconstrued€as€payments€for€medical€care,€we€are€concerned€by€the€fact€that€they€are€not€explicitly€excluded€from€the€definition€of€'health€plan'€or€the€requirements€of€theÐ ÎÎ Ðproposed€rule."Several€commenters€proposed€that€HHS€adopt€the€same€list€of€"excepted€benefits"€contained€in€29€U.S.C.€1191b,€suggesting€that€they€could€be€adoptedÐ ÈÈ Ðeither€as€exceptions€to€the€definition€of€"health€plan"€or€as€exceptions€to€the€requirements€imposed€on€"health€plans."€They€asserted€that€this€would€promote€consistency€inР Ðthe€federal€regulatory€structure€for€health€plans.Ð ¼¼ ÐIt€was€suggested€that€HHS€clarify€whether€the€definition€of€health€plan,€particularly€the€"group€health€plan"€and€"health€insurance€issuer"€components,€includes€a€disabilityÐ ’’ Ðplan€or€disability€insurer.€It€was€noted€that€a€disability€plan€or€disability€insurer€may€cover€only€income€lost€from€disability€and,€as€mentioned€above,€some€rehabilitationÐ ŒŒ Ðservices,€or€a€combination€of€lost€income,€rehabilitation€services€and€medical€care.€The€commenter€suggested€that€in€addressing€this€coverage€issue,€it€may€be€useful€toÐ †† Ðrefer€to€the€definitions€of€group€health€plan,€health€insurance€issuer€and€medical€care€set€forth€in€Part€I€of€HIPAA,€which€the€statutory€provisions€of€the€AdministrativeÐ € €  ÐSimplification€subtitle€expressly€reference.€See€42€U.S.C.€1320d(5)(A)€and(B).Ð z!z! ÐòòResponse:óó€We€agree€that€the€NPRM€may€have€been€ambiguous€regarding€the€types€of€plans€the€rule€covers.€To€remedy€this€confusion,€we€have€added€language€thatÐ P#P# Ðspecifically€excludes€from€the€definition€any€policy,€plan,€or€program€providing€or€paying€the€cost€of€the€excepted€benefits,€as€defined€in€section€2971(c)(1)€of€the€PHSÐ J$J$ ÐAct,€42€U.S.C.€300gg-91(c)(1).€As€defined€in€the€statute,€this€includes€but€is€not€limited€to€benefits€under€one€or€more€(or€any€combination€thereof)€of€the€following:Ð D%D%  Ðcoverage€only€for€accident,€or€disability€income€insurance,€or€any€combination€thereof;€liability€insurance,€including€general€liability€insurance€and€automobile€liabilityÐ >&>&! Ðinsurance;€and€workers'€compensation€or€similar€insurance.Ð 8'8'" ÐHowever,€the€other€excepted€benefits€as€defined€in€section€2971(c)(2)€of€the€PHS€Act,€42€U.S.C.€300gg-91(c)(2),€such€as€limited€scope€dental€or€vision€benefits,€notÐ ))# Ðexplicitly€excepted€from€the€regulation€could€be€considered€"health€plans"€under€paragraph€(1)(xvii)€of€the€definition€of€"health€plan"€in€the€final€rule€if€and€to€the€extent€thatÐ **$ Ðthey€meet€the€criteria€for€the€definition€of€"health€plan."€Such€plans,€unlike€the€programs€and€plans€listed€at€section€2971(c)(1),€directly€and€exclusively€provide€healthÐ ++% Ðinsurance,€even€if€limited€in€scope.Ð ü+ü+& ÐòòComment:óó€One€commenter€recommended€that€the€Secretary€clarify€that€"health€plan"€does€not€include€property€and€casualty€benefit€providers.€The€commenter€stated€thatÐ Ò-Ò-' Ðthe€clarifying€language€is€needed€given€the€"catchall"€category€of€entities€defined€as€"any€other€individual€plan€or€group€health€plan,€or€combination€thereof,€that€provides€orÐ Ì.Ì.( Ðpays€for€the€cost€of€medical€care,"€and€asserted€that€absent€clarification€there€could€be€serious€confusion€as€to€whether€property€and€casualty€benefit€providers€are€"healthÐ Æ/Æ/) Ðplans"€under€the€rule.Ð À0À0* ÐòòResponse:óó€We€agree€and€as€described€above€have€added€language€to€the€final€rule€to€clarify€that€the€"excepted€benefits"€as€defined€under€42€U.S.C.€300gg-91(c)(1),Ð –2–2+ Ðwhich€includes€liability€programs€such€as€property€and€casualty€benefit€providers,€are€not€health€plans€for€the€purposes€of€this€rule.Ð ÜÜ ÐòòComment:óó€Some€commenters€recommended€that€the€Secretary€replace€the€term€"medical€care"€with€"health€care."€It€was€observed€that€"health€care"€was€defined€in€theÐ ²² Ðproposal,€and€that€this€definition€was€used€to€define€what€a€health€care€provider€does.€However,€they€observed€that€the€definition€of€"health€plan"€refers€to€the€provision€ofÐ ¬¬ Ðor€payment€for€"medical€care,"€which€is€not€defined.€Another€commenter€recommended€that€HHS€add€the€parenthetical€phrase€"as€such€term€is€defined€in€section€2791€ofÐ ¦¦ Ðthe€Public€Health€Service€Act"€after€the€phrase€"medical€care."Ð    ÐòòResponse:óó€We€disagree€with€the€first€recommendation.€We€understand€that€the€term€"medical€care"€can€be€easily€confused€with€the€term€"health€care."€However,€the€twoÐ vv Ðterms€are€not€synonymous.€The€term€"medical€care"€is€a€statutorily€defined€term€and€its€use€is€critical€in€making€a€determination€as€to€whether€a€health€plan€is€considered€aÐ pp Ð"health€plan"€for€purposes€of€administrative€simplification.€In€addition,€since€the€term€"medical€care"€is€used€in€the€regulation€only€in€the€context€of€the€definition€of€"healthÐ j j  Ðplan"€and€we€believe€that€its€inclusion€in€the€regulatory€text€may€cause€confusion,€we€did€not€add€a€definition€of€"medical€care"€in€the€final€rule.€However,€consistent€withÐ d d  Ðthe€second€recommendation€above,€the€statutory€cite€for€"medical€care"€was€added€to€the€definition€of€"health€plan"€in€the€Transactions€Rule,€and€thus€is€reflected€in€thisÐ ^ ^  Ðfinal€rule.Ð X X  ÐòòComment:óó€A€number€of€commenters€urged€that€the€Secretary€define€more€narrowly€what€characteristics€would€make€a€government€program€that€pays€for€specific€healthÐ ..  Ðcare€services€a€"health€plan."€Commenters€argued€that€there€are€many€"payment"€programs€that€should€not€be€included,€as€discussed€below,€and€that€if€no€distinctions€wereÐ ((  Ðmade,€"health€plan"€would€mean€the€same€as€"purchaser"€or€even€"payor."Ð ""  ÐCommenters€asserted€that€there€are€a€number€of€state€programs€that€pay€for€"health€care"€(as€defined€in€the€rule)€but€that€are€not€health€plans.€They€said€that€examplesÐ øø Ðinclude€the€WIC€program€(Special€Supplemental€Nutrition€Program€for€Women,€Infants,€and€Children)€which€pays€for€nutritional€assessment€and€counseling,€among€otherÐ òò Ðservices;€the€AIDS€Client€Services€Program€(including€AIDS€prescription€drug€payment)€under€the€federal€Ryan€White€Care€Act€and€state€law;€the€distribution€of€federalÐ ìì Ðfamily€planning€funds€under€Title€X€of€the€Public€Health€Services€Act;€and€the€breast€and€cervical€health€program€which€pays€for€cancer€screening€in€targeted€populations.Ð ææ ÐCommenters€argued€that€these€are€not€insurance€plans€and€do€not€fall€within€the€"health€plan"€definition's€list€of€examples,€all€of€which€are€either€insurance€or€broad-scopeÐ àà Ðprograms€of€care€under€a€contract€or€statutory€entitlement.€However,€paragraph€(16)€in€that€list€opens€the€door€to€broader€interpretation€through€the€catchall€phrase,€"anyÐ ÚÚ Ðother€individual€or€group€plan€that€provides€or€pays€for€the€cost€of€medical€care."€Commenters€assert€that€clarification€is€needed.Ð ÔÔ ÐA€few€commenters€stated€that€other€state€agencies€often€work€in€partnership€with€the€state€Medicaid€program€to€implement€certain€Medicaid€benefits,€such€as€maternityÐ ªª Ðsupport€services€and€prenatal€genetics€screening.€They€concluded€that€while€this€probably€makes€parts€of€the€agency€the€"business€partner"€of€a€covered€entity,€they€wereÐ ¤¤ Ðuncertain€whether€it€also€makes€the€same€agency€parts€a€"health€plan"€as€well.Ð žž ÐòòResponse:óó€We€agree€with€the€commenters€that€clarification€is€needed€as€to€the€rule's€application€to€government€programs€that€pay€for€health€care€services.€Accordingly,€inÐ tt Ðthe€final€rule€we€have€excepted€from€the€definition€of€"health€plan"€a€government€funded€program€which€does€not€have€as€its€principal€purpose€the€provision€of,€or€paymentÐ nn Ðfor,€the€cost€of€health€care€or€which€has€as€its€principal€purpose€the€provision,€either€directly€or€by€grant,€of€health€care.€For€example,€the€principal€purpose€of€the€WICÐ hh Ðprogram€is€not€to€provide€or€pay€for€the€cost€of€health€care,€and€thus,€the€WIC€program€is€not€a€health€plan€for€purposes€of€this€rule.€The€program€of€health€care€servicesÐ b b  Ðfor€individuals€detained€by€the€INS€provides€health€care€directly,€and€so€is€not€a€health€plan.€Similarly,€the€family€planning€program€authorized€by€Title€X€of€the€PublicÐ \!\! ÐHealth€Service€Act€pays€for€care€exclusively€through€grants,€and€so€is€not€a€health€plan€under€this€rule.€These€programs€(the€grantees€under€the€Title€X€program)€may€be€orÐ V"V" Ðinclude€health€care€providers€and€may€be€covered€entities€if€they€conduct€standard€transactions.Ð P#P# ÐWe€further€clarify€that,€where€a€public€program€meets€the€definition€of€"health€plan,"€the€government€agency€that€administers€the€program€is€the€covered€entity.€Where€twoÐ &%&% Ðagencies€administer€a€program€jointly,€they€are€both€a€health€plan.€For€example,€both€the€Health€Care€Financing€Administration€and€the€insurers€that€offers€aÐ  & &  ÐMedicare+Choice€plan€are€"health€plans"€with€respect€to€Medicare€beneficiaries.€An€agency€that€does€not€administer€a€program€but€which€provides€services€for€such€aÐ ''! Ðprogram€is€not€a€covered€entity€by€virtue€of€providing€such€services.€Whether€an€agency€providing€services€is€a€business€associate€of€the€covered€entity€depends€onÐ ((" Ðwhether€its€functions€for€the€covered€entity€meet€the€definition€of€business€associate€in€ðð€164.501€and,€in€the€example€described€by€this€comment,€in€particular€on€whetherÐ ))# Ðthe€arrangement€falls€into€the€exception€in€ðð€164.504(e)(1)(ii)(C)€for€government€agencies€that€collect€eligibility€or€enrollment€information€for€covered€governmentÐ **$ Ðprograms.Ð ++% ÐòòComment:óó€Some€commenters€expressed€support€for€retaining€the€category€in€paragraph€(16)€of€the€proposal's€definition:€"Any€other€individual€or€group€health€plan,€orÐ Ø,Ø,& Ðcombination€thereof,€that€provides€or€pays€for€the€cost€of€medical€care."€Others€asked€that€the€Secretary€clarify€this€category.€One€commenter€urged€that€the€final€ruleÐ Ò-Ò-' Ðclearly€define€which€plans€would€meet€the€criteria€for€this€category.Ð Ì.Ì.( ÐòòResponse:óó€As€described€in€the€proposed€rule,€this€category€implements€the€language€at€the€beginning€of€the€statutory€definition€of€the€term€"health€plan":€"The€term€'healthÐ ¢0¢0) Ðplan'€means€an€individual€or€group€plan€that€provides,€or€pays€the€cost€of,€medical€care...€Such€term€includes€the€following,€and€any€combination€thereof..."€This€statutoryÐ œ1œ1* Ðlanguage€is€general,€not€specific,€and€as€such,€we€are€leaving€it€general€in€the€final€rule.€However,€as€described€above,€we€add€explicit€language€which€excludes€certainÐ –2–2+ Ð"excepted€benefits"€from€the€definition€of€"health€plan"€in€an€effort€to€clarify€which€plans€are€not€health€plans€for€the€purposes€of€this€rule.€Therefore,€to€the€extent€that€aÐ ÜÜ Ðcertain€benefits€plan€or€program€otherwise€meets€the€definition€of€"health€plan"€and€is€not€explicitly€excepted,€that€program€or€plan€is€considered€a€"health€plan"€underÐ ÖÖ Ðparagraph€(1)(xvii)€of€the€final€rule.Ð ÐÐ ÐòòComment:óó€A€commenter€explained€that€HIPAA€defines€a€group€health€plan€by€expressly€cross-referencing€the€statutory€sections€in€the€PHS€Act€and€the€EmployeeÐ ¦¦ ÐRetirement€Income€Security€Act€of€1974€(ERISA),€29€U.S.C.€1001,€et€seq.,€which€define€the€terms€"group€health€plan,"€"employee€welfare€benefit€plan"€and€"participant."Ð    ÐSee€29€U.S.C.€1002(l)€(definition€of€"employee€welfare€benefit€plan,"€which€is€the€core€of€the€definition€of€group€health€plan€under€both€ERISA€and€the€PHS€Act);€29Ð šš ÐU.S.C.€100217)€(definition€of€participant);€29€U.S.C.€1193(a)€(definition€of€"group€health€plan,"€which€is€identical€to€that€in€section€2791(a)€of€the€PHS€Act).Ð ”” ÐIt€was€pointed€out€that€the€preamble€and€the€text€of€the€proposed€rule€both€limit€the€definition€of€all€three€terms€to€their€current€definitions.€The€commenter€reasoned€thatÐ j j  Ðsince€the€ERISA€definitions€may€change€over€time€through€statutory€amendment,€Department€of€Labor€regulations€or€judicial€interpretation,€it€would€not€be€clear€whatÐ d d  Ðpoint€in€time€is€to€be€considered€current.€Therefore,€they€suggested€deleting€references€to€"current"€or€"currently"€in€the€preamble€and€in€the€regulation€with€respect€to€theseÐ ^ ^  Ðthree€ERISA€definitions.Ð X X  ÐIn€addition,€the€commenter€stated€that€as€the€preamble€to€the€NPRM€correctly€reflected,€HIPAA€expressly€cross-references€ERISA's€definition€of€"participant"€in€sectionÐ ..  Ð3(7)€of€ERISA,€29€U.S.C.€1002(7).€42€U.S.C.€1320d(5)(A).€The€text€of€the€privacy€regulation,€however,€omits€this€cross-reference.€It€was€suggested€that€the€referenceÐ ((  Ðto€section€3(7)€of€ERISA,€defining€"participant,"€be€included€in€the€regulation.Ð ""  ÐFinally,€HIPAA€incorporates€the€definition€of€a€group€health€plan€as€set€forth€in€section€2791(a)€of€the€PHS€Act,€42€U.S.C.€300gg-91(a)(l).€That€definition€refers€to€theÐ øø Ðprovision€of€medical€care€"directly€or€through€insurance,€reimbursement,€or€otherwise."€The€word€"reimbursement"€is€omitted€in€both€the€preamble€and€the€text€of€theÐ òò Ðregulation;€the€commenter€suggested€restoring€it€to€both.Ð ìì ÐòòResponse:óó€We€agree.€These€changes€were€made€to€the€definition€of€"health€plan"€as€promulgated€in€the€Transactions€Rule,€and€are€reflected€in€this€final€rule.Р ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\PÜÝÝ  ÝòòSmall€Health€Planóó.݃jÚ\PÜšÜÝÔ Ô‚ÜԌР˜˜ ЌԀiXþíXXiXþíÔó óÝ  ÝòòComment:óó€One€commenter€recommended€that€we€delete€the€reference€to€$5€million€in€the€definition€and€instead€define€a€"small€health€plan"€as€a€health€plan€with€fewerÐ nn Ðthan€50€participants.€It€was€stated€that€using€a€dollar€limitation€to€define€a€"small€health€plan"€is€not€meaningful€for€self-insured€plans€and€some€other€types€of€health€planÐ hh Ðcoverage€arrangements.€A€commenter€pointed€out€that€the€general€definition€of€a€health€plan€refers€to€"50€or€more€participants,"€and€that€using€a€dollar€factor€to€define€aÐ bb Ð"small€health€plan"€would€be€inconsistent€with€this€definition.Ð \\ ÐòòResponse:óó€We€disagree.€The€Small€Business€Administration€(SBA)€promulgates€size€standards€that€indicate€the€maximum€number€of€employees€or€annual€receipts€allowedÐ 22 Ðfor€a€concern€(13€CFR€121.105)€and€its€affiliates€to€be€considered€"small."€The€size€standards€themselves€are€expressed€either€in€number€of€employees€or€annual€receiptsÐ ,, Ð(13€CFR€121.201).€The€size€standards€for€compliance€with€programs€of€other€agencies€are€those€for€SBA€programs€which€are€most€comparable€to€the€programs€of€suchÐ & &  Ðother€agencies,€unless€otherwise€agreed€by€the€agency€and€the€SBA€(13€CFR€121.902).€With€respect€to€the€insurance€industry,€the€SBA€has€specified€that€annual€receiptsÐ  ! ! Ðof€$5€million€is€the€maximum€allowed€for€a€concern€and€its€affiliates€to€be€considered€small€(13€CFR€121.201).€Consequently,€we€retain€the€proposal's€definition€in€the€finalÐ "" Ðrule€to€be€consistent€with€SBA€requirements.Ð ## ÐWe€understand€there€may€be€some€confusion€as€to€the€meaning€of€"annual€receipts"€when€applied€to€a€health€plan.€For€our€purposes,€therefore,€we€consider€"pureÐ ê$ê$ Ðpremiums"€to€be€equivalent€to€"annual€receipts."Ð ä%ä% ÐÝ‚jÚ\GÝÔ€iXþíXXiXþíÔò òÔ  ÔÝ  ÝÝ‚jÚ\ºäÝÝ  ÝòòWorkforceóó.݃jÚ\ºäåÝÔ ÔìäԌРº'º' ЌԀiXþíXXiXþí